Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 1867 2016-05-04 12:22:08Z raphael.pion $
|
2 |
# $Id: alcasar-iptables.sh 1872 2016-05-05 08:45:44Z richard $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
Line 56... |
Line 56... |
56 |
# Saving SET of connected users if it exists
|
56 |
# Saving SET of connected users if it exists
|
57 |
ipset list not_filtered 1>/dev/null 2>&1
|
57 |
ipset list not_filtered 1>/dev/null 2>&1
|
58 |
if [ $? -eq 0 ];
|
58 |
if [ $? -eq 0 ];
|
59 |
then
|
59 |
then
|
60 |
ipset save not_filtered > $TMP_users_set_save
|
60 |
ipset save not_filtered > $TMP_users_set_save
|
61 |
ipset save havp_set >> $TMP_users_set_save
|
61 |
ipset save havp >> $TMP_users_set_save
|
62 |
ipset save havp_bl_set >> $TMP_users_set_save
|
62 |
ipset save havp_bl >> $TMP_users_set_save
|
63 |
ipset save havp_wl_set >> $TMP_users_set_save
|
63 |
ipset save havp_wl >> $TMP_users_set_save
|
64 |
ipset save not_auth_yet >> $TMP_users_set_save
|
64 |
ipset save not_auth_yet >> $TMP_users_set_save
|
65 |
ipset save users_list >> $TMP_users_set_save
|
65 |
ipset save users_list >> $TMP_users_set_save
|
66 |
fi
|
66 |
fi
|
67 |
|
67 |
|
68 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
68 |
# loading of NetFlow probe (ipt_NETFLOW kernel module)
|
Line 141... |
Line 141... |
141 |
then
|
141 |
then
|
142 |
ipset -! restore < $TMP_users_set_save
|
142 |
ipset -! restore < $TMP_users_set_save
|
143 |
rm -f $TMP_users_set_save
|
143 |
rm -f $TMP_users_set_save
|
144 |
else
|
144 |
else
|
145 |
ipset create not_filtered hash:net hashsize 1024
|
145 |
ipset create not_filtered hash:net hashsize 1024
|
146 |
ipset create havp_set hash:net hashsize 1024
|
146 |
ipset create havp hash:net hashsize 1024
|
147 |
ipset create havp_bl_set hash:net hashsize 1024
|
147 |
ipset create havp_bl hash:net hashsize 1024
|
148 |
ipset create havp_wl_set hash:net hashsize 1024
|
148 |
ipset create havp_wl hash:net hashsize 1024
|
149 |
#utilisé pour l'interception des utilisateurs non authentifiés au réseau
|
149 |
#utilisé pour l'interception des utilisateurs non authentifiés au réseau
|
150 |
#used for intercepting users not connected to the network
|
150 |
#used for intercepting users not connected to the network
|
151 |
ipset create not_auth_yet hash:net hashsize 1024
|
151 |
ipset create not_auth_yet hash:net hashsize 1024
|
152 |
ipset create users_list list:set
|
152 |
ipset create users_list list:set
|
153 |
ipset add users_list havp_set
|
153 |
ipset add users_list havp
|
154 |
ipset add users_list havp_wl_set
|
154 |
ipset add users_list havp_wl
|
155 |
ipset add users_list havp_bl_set
|
155 |
ipset add users_list havp_bl
|
156 |
ipset add users_list not_filtered
|
156 |
ipset add users_list not_filtered
|
157 |
ipset add users_list not_auth_yet
|
157 |
ipset add users_list not_auth_yet
|
158 |
fi
|
158 |
fi
|
159 |
|
159 |
|
160 |
#############################
|
160 |
#############################
|
Line 193... |
Line 193... |
193 |
# Mark the udp 56 direct attempts (DNS-blackhole) to REJECT them in INPUT rules
|
193 |
# Mark the udp 56 direct attempts (DNS-blackhole) to REJECT them in INPUT rules
|
194 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5
|
194 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5
|
195 |
|
195 |
|
196 |
# redirection DNS des usagers 'havp_bl' vers le port 54
|
196 |
# redirection DNS des usagers 'havp_bl' vers le port 54
|
197 |
# redirect DNS of 'havp_bl' users to port 54
|
197 |
# redirect DNS of 'havp_bl' users to port 54
|
198 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
|
198 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
|
199 |
|
199 |
|
200 |
# redirection DNS des usagers 'havp_wl' vers le port 55
|
200 |
# redirection DNS des usagers 'havp_wl' vers le port 55
|
201 |
# redirect DNS of 'havp_bl' users to port 55
|
201 |
# redirect DNS of 'havp_wl' users to port 55
|
202 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
|
202 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
|
203 |
|
203 |
|
204 |
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
|
204 |
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
|
205 |
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
|
205 |
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
|
206 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "
|
206 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "
|
207 |
|
207 |
|
208 |
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
|
208 |
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
|
209 |
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
|
209 |
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
|
210 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
210 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
|
211 |
|
211 |
|
212 |
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
|
212 |
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
|
213 |
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
|
213 |
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
|
214 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
|
214 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
|
215 |
|
215 |
|
216 |
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian
|
216 |
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian
|
217 |
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
|
217 |
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
|
218 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
|
218 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
|
219 |
|
219 |
|
220 |
# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy
|
220 |
# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy
|
221 |
# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy
|
221 |
# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy
|
222 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
|
222 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
|
223 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
|
223 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
|
224 |
|
224 |
|
225 |
# Redirection des requêtes NTP vers le serveur NTP local
|
225 |
# Redirection des requêtes NTP vers le serveur NTP local
|
226 |
# Redirect NTP request in local NTP server
|
226 |
# Redirect NTP request in local NTP server
|
227 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
227 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
228 |
|
228 |
|
Line 341... |
Line 341... |
341 |
|
341 |
|
342 |
#############################
|
342 |
#############################
|
343 |
# FORWARD #
|
343 |
# FORWARD #
|
344 |
#############################
|
344 |
#############################
|
345 |
|
345 |
|
346 |
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl_set
|
346 |
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl
|
347 |
# Deny IPs of the SET bl_ip_blocked for the set havp_bl_set
|
347 |
# Deny IPs of the SET bl_ip_blocked for the set havp_bl
|
348 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
|
348 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
|
349 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
349 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
|
350 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
350 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
351 |
|
351 |
|
352 |
# Rejet des requêtes DNS vers Internet
|
352 |
# Rejet des requêtes DNS vers Internet
|
353 |
# Deny forward DNS
|
353 |
# Deny forward DNS
|
354 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
|
354 |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
|
355 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
|
355 |
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
|