WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh



#!/bin/bash
# $Id: alcasar-iptables.sh 3043 2022-07-22 17:10:23Z rexy $
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script writes the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders

private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2`		# LAN IP address (ie.: 192.168.182.0)
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2`		# LAN prefix (ie. 24)
PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# LAN IP address + prefix (192.168.182.0/24)
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2`		# ALCASAR WAN IP address
if [[ "$public_ip_mask" == "dhcp" ]]
then
	PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
	public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`

TMP_users_set_save="/tmp/users_set_save"				# tmp file for backup users set
TMP_set_save="/tmp/ipset_save"						# tmp file for blacklist and whitelist creation
TMP_ip_gw_save="/tmp/ipset_ip_gw_save"				# tmp file for already connected ips
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2`			# SSH LAN port
SSH_LAN=${SSH_LAN:=0}
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2`		# SSH WAN port
SSH_WAN=${SSH_WAN:=0}
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2`
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}
SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" || echo "$SSH_WAN_ADMIN_FROM" )
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
IPTABLES="/sbin/iptables"
REHABILITED_IP="/etc/e2guardian/lists/exceptioniplist"
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct"			# WEB Sites allowed for all (no av and no filtering for av_bl users)
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
HOST=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2`

	for ((i=1 ; i<=$nb_gw ; i++)); do
		gw_list="${gw_list} gw$i"
	done
fi
 
 
# Sauvegarde des SET des utilisateurs connectés si ils existent
# Saving SET of connected users if it exists
ipset list not_filtered 1>/dev/null 2>&1
if [ $? -eq 0 ];
then

$IPTABLES -P OUTPUT DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
 
#############################
#          IPSET            #
#############################
 
# destruction de tous les SET
# destroy all SET
ipset flush
ipset destroy
 

	cat $BL_IP_CAT/$category >> $TMP_set_save
done
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
# Suppression des ip réhabilitées / Removing of rehabilitated ip
for ip in $(cat $REHABILITED_IP)
do
	ipset -q del bl_ip_blocked $ip
done
 
# ipset for exception web sites (usefull for filtered users = av_bl)
ipset create site_direct hash:net hashsize 1024
for site in $(cat $ALLOWED_SITES)
do
    ipset add site_direct $site
done
 
###### WL set  ###########

	done
	ipset add $gw_min $ip
done
rm -f $TMP_ip_gw_save
 
 
 
#############################
#       PREROUTING          #
#############################
 
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
# 8080 = ipset av_bl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1

		$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index
		temp_index=$(($temp_index+1))
	done
fi
 
 
#############################
#         INPUT             #
#############################
 
# Tout passe sur loopback
# accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
 

	$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT
fi
if [ $SSH_WAN -gt 0 ]
	then
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
	$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then

$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
 
#############################
#        FORWARD            #
#############################
 
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
# Deny IPs of the SET bl_ip_blocked for the set av_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset

Rev 3042	Rev 3043
Line 1...	Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-iptables.sh 3042 2022-07-22 12:35:45Z rexy $`	2	`# $Id: alcasar-iptables.sh 3043 2022-07-22 17:10:23Z rexy $`
3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`	3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`
4	`# This script writes the netfilter rules for ALCASAR`	4	`# This script writes the netfilter rules for ALCASAR`
5	`# Rexy - 3abtux - CPN`	5	`# Rexy - 3abtux - CPN`
6	`#`	6	`#`
7	`# Reminders`	7	`# Reminders`
Line 18...	Line 18...
18	private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`	18	private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE\|cut -d"=" -f2`
19	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`	19	`private_ip_mask=${private_ip_mask:=192.168.182.1/24}`
20	PRIVATE_IP=`echo $private_ip_mask \| cut -d"/" -f1` # ALCASAR LAN IP address	20	PRIVATE_IP=`echo $private_ip_mask \| cut -d"/" -f1` # ALCASAR LAN IP address
21	private_network=`/bin/ipcalc -n $private_ip_mask\|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)	21	private_network=`/bin/ipcalc -n $private_ip_mask\|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
22	private_prefix=`/bin/ipcalc -p $private_ip_mask\|cut -d"=" -f2` # LAN prefix (ie. 24)	22	private_prefix=`/bin/ipcalc -p $private_ip_mask\|cut -d"=" -f2` # LAN prefix (ie. 24)
23	`PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)`	23	`PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24)`
24	public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE\|cut -d"=" -f2` # ALCASAR WAN IP address	24	public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE\|cut -d"=" -f2` # ALCASAR WAN IP address
25	`if [[ "$public_ip_mask" == "dhcp" ]]`	25	`if [[ "$public_ip_mask" == "dhcp" ]]`
26	`then`	26	`then`
27	`PTN="\b(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\/([012]?[0-9]\|3[0-2])\b"`	27	`PTN="\b(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\.(25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?)\/([012]?[0-9]\|3[0-2])\b"`
28	public_ip_mask=`ip addr show $EXTIF \| egrep -o $PTN`	28	public_ip_mask=`ip addr show $EXTIF \| egrep -o $PTN`
Line 40...	Line 40...
40	`TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set`	40	`TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set`
41	`TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation`	41	`TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation`
42	`TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips`	42	`TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips`
43	SSH_LAN=`grep ^SSH_LAN= $CONF_FILE\|cut -d"=" -f2` # SSH LAN port	43	SSH_LAN=`grep ^SSH_LAN= $CONF_FILE\|cut -d"=" -f2` # SSH LAN port
44	`SSH_LAN=${SSH_LAN:=0}`	44	`SSH_LAN=${SSH_LAN:=0}`
45	SSH_WAN=`grep ^SSH_WAN= $CONF_FILE\|cut -d"=" -f2` #ssh WAN port	45	SSH_WAN=`grep ^SSH_WAN= $CONF_FILE\|cut -d"=" -f2` # SSH WAN port
46	`SSH_WAN=${SSH_WAN:=0}`	46	`SSH_WAN=${SSH_WAN:=0}`
47	SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE\|cut -d"=" -f2\|cut -d"/" -f2`	47	SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE\|cut -d"=" -f2\|cut -d"/" -f2`
48	`SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}`	48	`SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}`
49	`SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" \|\| echo "$SSH_WAN_ADMIN_FROM" )`	49	`SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" \|\| echo "$SSH_WAN_ADMIN_FROM" )`
50	SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE\|cut -d"=" -f2\|cut -d"/" -f1`	50	SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE\|cut -d"=" -f2\|cut -d"/" -f1`
51	`SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}`	51	`SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}`
52	`SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" \|\| echo "$SSH_LAN_ADMIN_FROM" )`	52	`SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" \|\| echo "$SSH_LAN_ADMIN_FROM" )`
53	`IPTABLES="/sbin/iptables"`	53	`IPTABLES="/sbin/iptables"`
54	`IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP`	54	`REHABILITED_IP="/etc/e2guardian/lists/exceptioniplist"`
55	`SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)`	55	`ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)`
56	MULTIWAN=`grep ^MULTIWAN $CONF_FILE\|cut -d"=" -f2`	56	MULTIWAN=`grep ^MULTIWAN $CONF_FILE\|cut -d"=" -f2`
57	PROXY=`grep ^PROXY= $CONF_FILE\|cut -d"=" -f2`	57	PROXY=`grep ^PROXY= $CONF_FILE\|cut -d"=" -f2`
58	PROXY_IP=`grep ^PROXY_IP= $CONF_FILE\|cut -d"=" -f2`	58	PROXY_IP=`grep ^PROXY_IP= $CONF_FILE\|cut -d"=" -f2`
59	nb_gw=`grep ^WAN $CONF_FILE\|wc -l`	59	nb_gw=`grep ^WAN $CONF_FILE\|wc -l`
60	HOST=`grep ^HOSTNAME= $CONF_FILE\|cut -d"=" -f2`	60	HOST=`grep ^HOSTNAME= $CONF_FILE\|cut -d"=" -f2`
Line 73...	Line 73...
73	`for ((i=1 ; i<=$nb_gw ; i++)); do`	73	`for ((i=1 ; i<=$nb_gw ; i++)); do`
74	`gw_list="${gw_list} gw$i"`	74	`gw_list="${gw_list} gw$i"`
75	`done`	75	`done`
76	`fi`	76	`fi`
77		77
78		-
79	`# Sauvegarde des SET des utilisateurs connectés si ils existent`	78	`# Sauvegarde des SET des utilisateurs connectés si ils existent`
80	`# Saving SET of connected users if it exists`	79	`# Saving SET of connected users if it exists`
81	`ipset list not_filtered 1>/dev/null 2>&1`	80	`ipset list not_filtered 1>/dev/null 2>&1`
82	`if [ $? -eq 0 ];`	81	`if [ $? -eq 0 ];`
83	`then`	82	`then`
Line 130...	Line 129...
130	`$IPTABLES -P OUTPUT DROP`	129	`$IPTABLES -P OUTPUT DROP`
131	`$IPTABLES -t nat -P PREROUTING ACCEPT`	130	`$IPTABLES -t nat -P PREROUTING ACCEPT`
132	`$IPTABLES -t nat -P POSTROUTING ACCEPT`	131	`$IPTABLES -t nat -P POSTROUTING ACCEPT`
133	`$IPTABLES -t nat -P OUTPUT ACCEPT`	132	`$IPTABLES -t nat -P OUTPUT ACCEPT`
134		133
135		-
136	`#############################`	134	`#############################`
137	`# IPSET #`	135	`# IPSET #`
138	`#############################`	136	`#############################`
139		-
140	`# destruction de tous les SET`	137	`# destruction de tous les SET`
141	`# destroy all SET`	138	`# destroy all SET`
142	`ipset flush`	139	`ipset flush`
143	`ipset destroy`	140	`ipset destroy`
144		141
Line 152...	Line 149...
152	`cat $BL_IP_CAT/$category >> $TMP_set_save`	149	`cat $BL_IP_CAT/$category >> $TMP_set_save`
153	`done`	150	`done`
154	`ipset -! restore < $TMP_set_save`	151	`ipset -! restore < $TMP_set_save`
155	`rm -f $TMP_set_save`	152	`rm -f $TMP_set_save`
156	`# Suppression des ip réhabilitées / Removing of rehabilitated ip`	153	`# Suppression des ip réhabilitées / Removing of rehabilitated ip`
157	`for ip in $(cat $IP_REHABILITEES)`	154	`for ip in $(cat $REHABILITED_IP)`
158	`do`	155	`do`
159	`ipset -q del bl_ip_blocked $ip`	156	`ipset -q del bl_ip_blocked $ip`
160	`done`	157	`done`
161		158
162	`# ipset for exception web sites (usefull for filtered users = av_bl)`	159	`# ipset for exception web sites (usefull for filtered users = av_bl)`
163	`ipset create site_direct hash:net hashsize 1024`	160	`ipset create site_direct hash:net hashsize 1024`
164	`for site in $(cat $SITE_DIRECT)`	161	`for site in $(cat $ALLOWED_SITES)`
165	`do`	162	`do`
166	`ipset add site_direct $site`	163	`ipset add site_direct $site`
167	`done`	164	`done`
168		165
169	`###### WL set ###########`	166	`###### WL set ###########`
Line 223...	Line 220...
223	`done`	220	`done`
224	`ipset add $gw_min $ip`	221	`ipset add $gw_min $ip`
225	`done`	222	`done`
226	`rm -f $TMP_ip_gw_save`	223	`rm -f $TMP_ip_gw_save`
227		224
228		-
229		-
230	`#############################`	225	`#############################`
231	`# PREROUTING #`	226	`# PREROUTING #`
232	`#############################`	227	`#############################`
233		-
234		-
235	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT`	228	`# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT`
236	`# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules`	229	`# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules`
237	`# 8080 = ipset av_bl`	230	`# 8080 = ipset av_bl`
238	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "`	231	`$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nflog-group 1 --nflog-prefix "RULE direct-proxy -- DENY "`
239	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1`	232	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1`
Line 315...	Line 308...
315	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index`	308	`$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index`
316	`temp_index=$(($temp_index+1))`	309	`temp_index=$(($temp_index+1))`
317	`done`	310	`done`
318	`fi`	311	`fi`
319		312
320		-
321	`#############################`	313	`#############################`
322	`# INPUT #`	314	`# INPUT #`
323	`#############################`	315	`#############################`
324		-
325	`# Tout passe sur loopback`	316	`# Tout passe sur loopback`
326	`# accept all on loopback`	317	`# accept all on loopback`
327	`$IPTABLES -A INPUT -i lo -j ACCEPT`	318	`$IPTABLES -A INPUT -i lo -j ACCEPT`
328	`$IPTABLES -A OUTPUT -o lo -j ACCEPT`	319	`$IPTABLES -A OUTPUT -o lo -j ACCEPT`
329		320
Line 403...	Line 394...
403	`$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT`	394	`$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT`
404	`fi`	395	`fi`
405	`if [ $SSH_WAN -gt 0 ]`	396	`if [ $SSH_WAN -gt 0 ]`
406	`then`	397	`then`
407	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"`	398	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"`
408	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW -j ACCEPT`	399	`$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT`
409	`fi`	400	`fi`
410		401
411	`# Insertion de règles locales`	402	`# Insertion de règles locales`
412	`# Here, we add local rules (i.e. VPN from Internet)`	403	`# Here, we add local rules (i.e. VPN from Internet)`
413	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`	404	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`
Line 430...	Line 421...
430	`$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"`	421	`$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"`
431		422
432	`#############################`	423	`#############################`
433	`# FORWARD #`	424	`# FORWARD #`
434	`#############################`	425	`#############################`
435		-
436	`# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl`	426	`# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl`
437	`# Deny IPs of the SET bl_ip_blocked for the set av_bl`	427	`# Deny IPs of the SET bl_ip_blocked for the set av_bl`
438	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited`	428	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited`
439	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited`	429	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited`
440	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset`	430	`$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset`

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 3042 → 3043