| Line 1... |
Line 1... |
| 1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
| 2 |
# $Id: alcasar-iptables.sh 498 2011-02-24 20:56:27Z richard $
|
2 |
# $Id: alcasar-iptables.sh 503 2011-03-11 22:12:32Z richard $
|
| 3 |
# script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# Rexy - 3abtux - CPN
|
4 |
# Rexy - 3abtux - CPN
|
| 5 |
# there are three channels for log :
|
5 |
# there are three channels for log :
|
| 6 |
# 1 (default) for tracability;
|
6 |
# 1 (default) for tracability;
|
| 7 |
# 2 for secure admin (ssh);
|
7 |
# 2 for secure admin (ssh);
|
| Line 226... |
Line 226... |
| 226 |
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
|
226 |
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
|
| 227 |
|
227 |
|
| 228 |
#############################
|
228 |
#############################
|
| 229 |
# filtering outside OUTPUT. #
|
229 |
# filtering outside OUTPUT. #
|
| 230 |
#############################
|
230 |
#############################
|
| 231 |
|
- |
|
| 232 |
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
|
231 |
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
|
| 233 |
# Everything is allowed but traffic through outside network interface
|
232 |
# Everything is allowed but traffic through outside network interface
|
| 234 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
233 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
| 235 |
|
- |
|
| 236 |
# On autorise le parefeu à requêter les DNS externes
|
234 |
# On autorise les requêtes DNS vers les serveurs DNS identifiés
|
| 237 |
# Allow DNS requests to identified DNS servers
|
235 |
# Allow DNS requests to identified DNS servers
|
| 238 |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
|
236 |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT
|
| 239 |
|
- |
|
| 240 |
# On autorise les requêtes http sortantes
|
237 |
# On autorise les requêtes http sortantes
|
| 241 |
# HTTP requests are allowed
|
238 |
# HTTP requests are allowed
|
| 242 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
|
239 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
|
| 243 |
|
- |
|
| 244 |
# On autorise les requêtes ntp
|
240 |
# On autorise les requêtes ntp
|
| 245 |
# NTP requests are allowed
|
241 |
# NTP requests are allowed
|
| 246 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
|
242 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT
|
| - |
|
243 |
# On autorise les requêtes ICMP (ping)
|
| - |
|
244 |
# ICMP (ping) requests are allowed
|
| - |
|
245 |
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
|
| 247 |
|
246 |
|
| 248 |
# Traduction dynamique d'adresse en sortie
|
247 |
# Traduction dynamique d'adresse en sortie
|
| 249 |
# Dynamic NAT on EXTIF
|
248 |
# Dynamic NAT on EXTIF
|
| 250 |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
|
249 |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
|
| 251 |
|
250 |
|