WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh

 #!/bin/bash
-# $Id: alcasar-iptables.sh 2010 2016-07-26 14:08:50Z raphael.pion $
+# $Id: alcasar-iptables.sh 2184 2017-04-26 17:15:13Z richard $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script writes the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
+#
 # Reminders
 #        FORWARD            #
 #############################
 # Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl
 # Deny IPs of the SET bl_ip_blocked for the set havp_bl
-$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
+$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-proto-unreachable
 $IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
 $IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 # Rejet des requêtes DNS vers Internet
 # Deny forward DNS
 $IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
 $IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
-# Autorisation des retours de connexions légitimes
+# Active le suivi de session
+# Allow Conntrack
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
 nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" "  -f1`
 if [ $nb_uamallowed != "0" ]
 then
 	while read ip_allowed_line
 	do
 		ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
-		$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NFLOG --nflog-prefix "RULE IP-allowed -- ACCEPT "
 		$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
 		$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
 	done < /usr/local/etc/alcasar-uamallowed
 fi
+# filtrage protocole par utilisateur (profile 1 : http, https)
+# protocols filtering for users (profil 1 : http, https)
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m state --state NEW -j REJECT --reject-with tcp-reset
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
+# filtrage protocole par utilisateur (profile 2 : http https pop3 pop3s imap imaps ftp sftp ssh)
+# protocols filtering for users (profil 2 : http https pop3 pop3s imap imaps ftp sftp ssh)
-#filtrage protocole par utilisateur (on autorise le HTTP pour tous)
-#profile 1 : HTTP/S only
-for proto in $(echo http https)
-do
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P1$proto -- ACCEPT "
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NETFLOW
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j ACCEPT
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P1$proto -- ACCEPT "
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NETFLOW
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j ACCEPT
-done
-#profile 2 : HTTP/S, POP3S, IMAP/S, FTP, SSH/SFTP
-for proto in $(echo http https pop3 pop3s imap imaps ftp sftp ssh)
-do
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P2$proto -- ACCEPT "
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m state --state NEW -j REJECT --reject-with tcp-reset
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NETFLOW
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j ACCEPT
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P2$proto -- ACCEPT "
+	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ssh -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NETFLOW
-	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j ACCEPT
-done
+# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
+# protocols filtering for users (profil 3 : customized with ACC)
 #profile 3 personalisables via l'ACC
-$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P3http -- ACCEPT "
-$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW
-$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT
+custom_tcp_protocols_list='';custom_udp_protocols_list=''
 while read svc_line
 do
 	svc_on=`echo $svc_line|cut -b1`
 	if [ $svc_on != "#" ]
 	then
 		svc_name=`echo $svc_line|cut -d" " -f1`
 		svc_port=`echo $svc_line|cut -d" " -f2`
 		if [ $svc_name = "icmp" ]
 		then
-			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
-			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
+			svc_icmp="on"
 		else
+			if [ "$custom_tcp_protocols_list" == "" ]
+			then
+				custom_tcp_protocols_list=$svc_port
+			else
-			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P3$svc_name -- ACCEPT "
+				custom_tcp_protocols_list=`echo $custom_tcp_protocols_list","$svc_port`
+			fi
-			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
+			udp_svc=`egrep "[[:space:]]$svc_port/udp" /etc/services|wc -l`
-			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
+			if [ $udp_svc = "1" ] # udp service exist
+			then
-			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P3$svc_name -- ACCEPT "
+				if [ "$custom_udp_protocols_list" == "" ]
+				then
-			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
+					custom_udp_protocols_list=$svc_port
+				else
-			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
+					custom_udp_protocols_list=`echo $custom_udp_protocols_list","$svc_port`
+				fi
+			fi
 		fi
 	fi
 done < /usr/local/etc/alcasar-services
+	if [ "$custom_tcp_protocols_list" == "" ]
+	then
+		$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -j REJECT
+	else
+		if [ "$svc_icmp" != "on" ]
+		then
+			$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j REJECT --reject-with icmp-proto-unreachable
+		fi
+		$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports $custom_tcp_protocols_list -m state --state NEW -j REJECT --reject-with tcp-reset
+		$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
+	fi
-# Rejet explicite des autres protocoles pour P1, P2, P3 et les autres
-# reject the others protocols for P1,P2, P3 and other
-$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -j NFLOG --nflog-prefix "RULE F_filterP1 -- REJECT "
-$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p tcp -j REJECT --reject-with tcp-reset
-$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p udp -j REJECT --reject-with icmp-port-unreachable
-$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p icmp -j REJECT
-# Autorisation des connections sortant du LAN
+# journalisation et autorisation des connections sortant du LAN
 # Allow forward connections with log
-#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 #############################
 #         OUTPUT            #
 #############################
 # On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
 # Everything is allowed but traffic through outside network interface
-$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
+#$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
+$IPTABLES -A OUTPUT -j ACCEPT
 # Si configéré, on autorise les requêtes DHCP
 # Allow DHCP requests if configured
 public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`		# ALCASAR WAN IP address
 if [[ "$public_ip_mask" == "dhcp" ]]

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 2010 → 2184