Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 3247 2025-02-02 23:22:02Z rexy $
|
2 |
# $Id: alcasar-iptables.sh 3258 2025-03-02 15:42:26Z rexy $
|
3 |
# This script writes the netfilter rules for ALCASAR (see 'alcasar-iptables-bypass.sh' for iptables rules in Bypass mode)
|
3 |
# This script writes the netfilter rules for ALCASAR (see 'alcasar-iptables-bypass.sh' for iptables rules in Bypass mode)
|
4 |
# Rexy - 3abtux - CPN
|
4 |
# Rexy - 3abtux - CPN
|
5 |
#
|
5 |
#
|
6 |
# Reminders
|
6 |
# Reminders
|
7 |
# There are four channels for log :
|
7 |
# There are four channels for log :
|
Line 51... |
Line 51... |
51 |
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
|
51 |
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
|
52 |
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
|
52 |
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
|
53 |
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
|
53 |
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
|
54 |
IPTABLES="/sbin/iptables"
|
54 |
IPTABLES="/sbin/iptables"
|
55 |
REHABILITED_IP="/etc/e2guardian/lists/group1/exceptionsiteiplist"
|
55 |
REHABILITED_IP="/etc/e2guardian/lists/group1/exceptionsiteiplist"
|
56 |
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
|
56 |
ALLOWED_SITES="/usr/local/etc/alcasar-uamallowed" # @IP of external sites/networks allowed for all
|
57 |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
|
57 |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
|
58 |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
|
58 |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
|
59 |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
|
59 |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
|
60 |
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
|
60 |
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
|
61 |
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
|
61 |
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
|
Line 134... |
Line 134... |
134 |
# 'proto_0' : @IP of users without protocol filtering #
|
134 |
# 'proto_0' : @IP of users without protocol filtering #
|
135 |
# 'proto_1 : @IP of users with web ports #
|
135 |
# 'proto_1 : @IP of users with web ports #
|
136 |
# 'proto_2 : @IP of users with web/ftp/mail/ssh ports #
|
136 |
# 'proto_2 : @IP of users with web/ftp/mail/ssh ports #
|
137 |
# 'proto_3 : @IP of users with custom ports #
|
137 |
# 'proto_3 : @IP of users with custom ports #
|
138 |
# IPSET dynamically loaded/unloaded by unbound #
|
138 |
# IPSET dynamically loaded/unloaded by unbound #
|
139 |
# 'wl_ip_allowed' : @IP of web sites allowed #
|
139 |
# 'wl_ip_allowed' : @IP of web sites allowed for WL users #
|
140 |
# IPSET statically loaded #
|
140 |
# IPSET statically loaded #
|
141 |
# 'bl_ip_blocked' : @IP of sites in selected blacklisted categories #
|
141 |
# 'bl_ip_blocked' : @IP of sites in selected blacklisted categories #
|
142 |
# 'site_direct' : @IP/@network of trusted system/network (without authentication) #
|
142 |
# 'ip_allowed' : @IP/@network of external allowed systems/networks for all #
|
143 |
# 'gwX' : @IP of Gws (to manage load balancing) #
|
143 |
# 'gwX' : @IP of Gws (to manage load balancing) #
|
144 |
# 'profil1_ports' : list of profil1 allowed ports #
|
144 |
# 'profil1_ports' : list of profil1 allowed ports #
|
145 |
# 'profil2_ports' : list of profil2 allowed ports #
|
145 |
# 'profil2_ports' : list of profil2 allowed ports #
|
146 |
# 'custom_ports' : list of custom allowed ports #
|
146 |
# 'custom_ports' : list of custom allowed ports #
|
147 |
######################################################################################
|
147 |
######################################################################################
|
Line 164... |
Line 164... |
164 |
for ip in $(cat $REHABILITED_IP)
|
164 |
for ip in $(cat $REHABILITED_IP)
|
165 |
do
|
165 |
do
|
166 |
ipset -q del bl_ip_blocked $ip
|
166 |
ipset -q del bl_ip_blocked $ip
|
167 |
done
|
167 |
done
|
168 |
|
168 |
|
169 |
###### 'site_direct' (usefull only for authenticated and filtered users) ######
|
169 |
###### 'ip_allowed' (usefull only for authenticated and filtered users) ######
|
170 |
ipset create site_direct hash:net hashsize 1024
|
170 |
ipset create ip_allowed hash:net hashsize 1024
|
171 |
for site in $(cat $ALLOWED_SITES)
|
171 |
nb_uamallowed=`wc -l $ALLOWED_SITES | cut -d" " -f1`
|
- |
|
172 |
if [ $nb_uamallowed != "0" ]
|
- |
|
173 |
then
|
- |
|
174 |
while read ip_allowed_line
|
172 |
do
|
175 |
do
|
- |
|
176 |
site=`echo $ip_allowed_line|cut -d"\"" -f2`
|
173 |
ipset add site_direct $site
|
177 |
ipset add ip_allowed $site
|
- |
|
178 |
done < $ALLOWED_SITES
|
174 |
done
|
179 |
fi
|
175 |
|
180 |
|
176 |
###### 'wl_ip_allowed' set ######
|
181 |
###### 'wl_ip_allowed' set ######
|
177 |
# Fixe size as it is dynamically populated by unbound
|
182 |
# Fixe size as it is dynamically populated by unbound
|
178 |
wl_set_length=65536
|
183 |
wl_set_length=65536
|
179 |
# Loading
|
184 |
# Loading
|
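Review bot: The new loader on new lines 174-178 passes whatever `cut -d"\"" -f2` yields straight to `ipset add ip_allowed`; for a line of `$ALLOWED_SITES` with no double quote (blank or comment line), `cut -f2` prints the whole line, so that text reaches ipset, and the `wc -l` guard on new line 172 reports 0 for a one-line file lacking a trailing newline, leaving the set empty. Because `ip_allowed` membership exempts a destination from the E2guardian redirect (new line 322) and grants a FORWARD ACCEPT (new line 460), the loop deserves stricter input handling: `while IFS= read -r ip_allowed_line || [[ -n "$ip_allowed_line" ]]`, `site=$(cut -s -d'"' -f2 <<<"$ip_allowed_line")` and `[[ -n "$site" ]] && ipset -exist add ip_allowed "$site"`. The `-s` makes cut skip lines without the delimiter, `-exist` keeps a duplicated entry from erroring, and the `wc -l` pre-check becomes unnecessary. The script continues outside this hunk.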
Line 312... |
Line 317... |
312 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
|
317 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
|
313 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
|
318 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -m conntrack --ctstate NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE F_http -- ACCEPT "
|
314 |
|
319 |
|
315 |
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian
|
320 |
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian
|
316 |
# 8080 = ipset av_bl
|
321 |
# 8080 = ipset av_bl
|
317 |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200
|
- |
|
318 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
|
322 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set ip_allowed dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
|
319 |
# 8081 = ipset av_wl & av
|
323 |
# 8081 = ipset av_wl & av
|
320 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
|
324 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
|
321 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
|
325 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8081
|
322 |
|
326 |
|
323 |
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian
|
327 |
# Redirect outbound HTTPS requests of av_bl + av_wl + av users to E2Guardian
|
324 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
|
328 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set ip_allowed dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
|
325 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
|
329 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -m set ! --match-set ip_allowed dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
|
326 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
|
330 |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av src -m set ! --match-set ip_allowed dst ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port 8443
|
327 |
|
331 |
|
328 |
# Redirect NTP request in local NTP server
|
332 |
# Redirect NTP request in local NTP server
|
329 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
333 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
330 |
|
334 |
|
331 |
# Retrieving the mark associated with a gw for each connection
|
335 |
# Retrieving the mark associated with a gw for each connection
|
Line 449... |
Line 453... |
449 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
453 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
450 |
|
454 |
|
451 |
# Allow Conntrack
|
455 |
# Allow Conntrack
|
452 |
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
456 |
$IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
453 |
|
457 |
|
454 |
# Compute uamallowed IP (ie : IP address of equipments connected between ALCASAR and router like DMZ, own servers, etc.)
|
458 |
# accept ip_allowed (ie : @IP/@network of external allowed systems/networks like DMZ, own servers, etc.)
|
455 |
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
|
- |
|
456 |
if [ $nb_uamallowed != "0" ]
|
- |
|
457 |
then
|
- |
|
458 |
while read ip_allowed_line
|
- |
|
459 |
do
|
- |
|
460 |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
|
- |
|
461 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m conntrack --ctstate NEW -j NETFLOW
|
459 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set ip_allowed dst -m conntrack --ctstate NEW -j NETFLOW
|
462 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m conntrack --ctstate NEW -j ACCEPT
|
460 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set ip_allowed dst -m conntrack --ctstate NEW -j ACCEPT
|
463 |
done < /usr/local/etc/alcasar-uamallowed
|
- |
|
464 |
fi
|
- |
|
465 |
|
461 |
|
466 |
# protocols filtering for users (profil1 = http, https)
|
462 |
# protocols filtering for users (profil1 = http, https)
|
467 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m set ! --match-set profil1_ports dst -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
463 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m set ! --match-set profil1_ports dst -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
|
468 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m set ! --match-set profil1_ports dst -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
464 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m set ! --match-set profil1_ports dst -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
469 |
|
465 |
|