| Line 1... |
Line 1... |
| 1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
| 2 |
# $Id: alcasar-iptables.sh 2223 2017-05-14 14:38:01Z tom.houdayer $
|
2 |
# $Id: alcasar-iptables.sh 2224 2017-05-14 14:42:05Z tom.houdayer $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| Line 56... |
Line 56... |
| 56 |
then
|
56 |
then
|
| 57 |
ipset save not_filtered > $TMP_users_set_save
|
57 |
ipset save not_filtered > $TMP_users_set_save
|
| 58 |
ipset save havp >> $TMP_users_set_save
|
58 |
ipset save havp >> $TMP_users_set_save
|
| 59 |
ipset save havp_bl >> $TMP_users_set_save
|
59 |
ipset save havp_bl >> $TMP_users_set_save
|
| 60 |
ipset save havp_wl >> $TMP_users_set_save
|
60 |
ipset save havp_wl >> $TMP_users_set_save
|
| - |
|
61 |
ipset save not_auth_yet >> $TMP_users_set_save
|
| - |
|
62 |
ipset save users_list >> $TMP_users_set_save
|
| 61 |
ipset save proto_0 >> $TMP_users_set_save
|
63 |
ipset save proto_0 >> $TMP_users_set_save
|
| 62 |
ipset save proto_1 >> $TMP_users_set_save
|
64 |
ipset save proto_1 >> $TMP_users_set_save
|
| 63 |
ipset save proto_2 >> $TMP_users_set_save
|
65 |
ipset save proto_2 >> $TMP_users_set_save
|
| 64 |
ipset save proto_3 >> $TMP_users_set_save
|
66 |
ipset save proto_3 >> $TMP_users_set_save
|
| 65 |
fi
|
67 |
fi
|
| Line 139... |
Line 141... |
| 139 |
else
|
141 |
else
|
| 140 |
ipset create not_filtered hash:net hashsize 1024
|
142 |
ipset create not_filtered hash:net hashsize 1024
|
| 141 |
ipset create havp hash:net hashsize 1024
|
143 |
ipset create havp hash:net hashsize 1024
|
| 142 |
ipset create havp_bl hash:net hashsize 1024
|
144 |
ipset create havp_bl hash:net hashsize 1024
|
| 143 |
ipset create havp_wl hash:net hashsize 1024
|
145 |
ipset create havp_wl hash:net hashsize 1024
|
| - |
|
146 |
#utilisé pour l'interception des utilisateurs non authentifiés au réseau
|
| - |
|
147 |
#used for intercepting users not connected to the network
|
| - |
|
148 |
ipset create not_auth_yet hash:net hashsize 1024
|
| - |
|
149 |
ipset create users_list list:set
|
| - |
|
150 |
ipset add users_list havp
|
| - |
|
151 |
ipset add users_list havp_wl
|
| - |
|
152 |
ipset add users_list havp_bl
|
| - |
|
153 |
ipset add users_list not_filtered
|
| - |
|
154 |
ipset add users_list not_auth_yet
|
| 144 |
#pour les filtrages de protocole par utilisateur
|
155 |
#pour les filtrages de protocole par utilisateur
|
| 145 |
ipset create proto_0 hash:net hashsize 1024
|
156 |
ipset create proto_0 hash:net hashsize 1024
|
| 146 |
ipset create proto_1 hash:net hashsize 1024
|
157 |
ipset create proto_1 hash:net hashsize 1024
|
| 147 |
ipset create proto_2 hash:net hashsize 1024
|
158 |
ipset create proto_2 hash:net hashsize 1024
|
| 148 |
ipset create proto_3 hash:net hashsize 1024
|
159 |
ipset create proto_3 hash:net hashsize 1024
|
| Line 150... |
Line 161... |
| 150 |
|
161 |
|
| 151 |
#############################
|
162 |
#############################
|
| 152 |
# PREROUTING #
|
163 |
# PREROUTING #
|
| 153 |
#############################
|
164 |
#############################
|
| 154 |
|
165 |
|
| - |
|
166 |
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
|
| - |
|
167 |
# Redirect users not connected DNS requests in DNS-Blackhole
|
| - |
|
168 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
|
| - |
|
169 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
|
| - |
|
170 |
|
| 155 |
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
|
171 |
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
|
| 156 |
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
|
172 |
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
|
| 157 |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
|
173 |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
|
| 158 |
|
174 |
|
| 159 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT
|
175 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT
|