WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh



#!/bin/bash
# $Id: alcasar-iptables.sh 3245 2025-01-29 22:39:35Z rexy $
# This script writes the netfilter rules for ALCASAR (see 'alcasar-iptables-bypass.sh' for iptables rules in Bypass mode)
# Rexy - 3abtux - CPN
#
# Reminders
# There are four channels for log :

			svc_icmp="on"
		else
			ipset add custom_ports $svc_port
		fi
	fi
done < /usr/local/etc/alcasar-custom-allowed-ports
 
#############################
#       PREROUTING          #
#############################
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules

$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j ACCEPT
 
#############################
#         OUTPUT            #
#############################
# We let everything out on INTIF/TUNIF
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 
# Allow DHCP requests on EXTIF if configured
if [[ "$dhcp_on_extif" == "on" ]]
then

Rev 3243	Rev 3245
Line 1...	Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar-iptables.sh 3243 2025-01-19 17:33:09Z rexy $`	2	`# $Id: alcasar-iptables.sh 3245 2025-01-29 22:39:35Z rexy $`
3	`# This script writes the netfilter rules for ALCASAR (see 'alcasar-iptables-bypass.sh' for iptables rules in Bypass mode)`	3	`# This script writes the netfilter rules for ALCASAR (see 'alcasar-iptables-bypass.sh' for iptables rules in Bypass mode)`
4	`# Rexy - 3abtux - CPN`	4	`# Rexy - 3abtux - CPN`
5	`#`	5	`#`
6	`# Reminders`	6	`# Reminders`
7	`# There are four channels for log :`	7	`# There are four channels for log :`
Line 261...	Line 261...
261	`svc_icmp="on"`	261	`svc_icmp="on"`
262	`else`	262	`else`
263	`ipset add custom_ports $svc_port`	263	`ipset add custom_ports $svc_port`
264	`fi`	264	`fi`
265	`fi`	265	`fi`
266	`done < /usr/local/etc/alcasar-services`	266	`done < /usr/local/etc/alcasar-custom-allowed-ports`
267		267
268	`#############################`	268	`#############################`
269	`# PREROUTING #`	269	`# PREROUTING #`
270	`#############################`	270	`#############################`
271	`# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules`	271	`# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules`
Line 493...	Line 493...
493	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j ACCEPT`	493	`$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m conntrack --ctstate NEW -j ACCEPT`
494		494
495	`#############################`	495	`#############################`
496	`# OUTPUT #`	496	`# OUTPUT #`
497	`#############################`	497	`#############################`
498	`# We let everything out on INTIF (see following rules for the EXTIF)`	498	`# We let everything out on INTIF/TUNIF`
499	`$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT`	499	`$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT`
500		500
501	`# Allow DHCP requests on EXTIF if configured`	501	`# Allow DHCP requests on EXTIF if configured`
502	`if [[ "$dhcp_on_extif" == "on" ]]`	502	`if [[ "$dhcp_on_extif" == "on" ]]`
503	`then`	503	`then`

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 3243 → 3245