WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh

 #!/bin/sh
-# $Id: alcasar-iptables.sh 577 2011-04-18 18:30:38Z franck $
+# $Id: alcasar-iptables.sh 604 2011-05-15 21:23:10Z richard $
 # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 # This script write the netfilter rules for ALCASAR
 # Rexy - 3abtux - CPN
 # There are three channels for log :
 #	1 (default) for tracability;
 #	2 for secure admin (ssh);
 #	3 for exterior access attempts.
 # The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
+private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2`
+private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2`		# LAN IP address (ie.: 192.168.182.0)
+private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2`		# LAN prefix (ie. 24)
+dns1=`grep DNS1 /usr/local/etc/alcasar-network|cut -d"=" -f2`		# first public DNS server
+dns2=`grep DNS2 /usr/local/etc/alcasar-network|cut -d"=" -f2`		# second public DNS server
 IPTABLES="/sbin/iptables"
 PROTO_FILTERING="no"
 DNS_FILTERING="no"
 QOS="no"
 EXTIF="eth0"
 INTIF="eth1"
-TUNIF="tun0"
+TUNIF="tun0"								# listen card for chilli daemon
-PRIVATE_NETWORK_MASK="192.168.182.0/24"
+PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# Lan IP address + prefix (192.168.182.0/24)
-PRIVATE_IP="192.168.182.1"
+PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
-DNSSERVERS="208.67.220.220,208.67.222.222"
+DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
 # Effacement des règles existantes
 # Flush all existing rules
 $IPTABLES -F
 $IPTABLES -t nat -F
 # On stoppe les broadcasts et multicast
 # Drop broadcast & multicast
 $IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
-# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN
-# Allow ping (icmp N°0 & 8) from LAN
-$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
-$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
-# Insertion de règles locales
-# Here, we add local rules (i.e. ssh from Internet)
-if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
-        . /usr/local/etc/alcasar-iptables-local.sh
-fi
 # Rejet des tentatives de création de tunnels DNS (même pour les utilisateurs authentifiés)
 # Deny forward DNS (even for authenticated users ...)
 $IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
 $IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 # Autorisation des connections sortant du LAN
 # Allow forward connections with log
 $IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
 $IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT
-###########################################################################################
+#################################################################################################
-#  Direct input from local network (dns, ntp, https, http, ssh and 3990 (user disconnect) #
+#  Direct input from local network (icmp, dns, ntp, https, http, ssh and 3990 (user disconnect) #
-###########################################################################################
+#################################################################################################
+$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT # ping reply
+$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT # ping request
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # dnsmasq without forward
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT # dnsmasq with blackhole
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT
-$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
-$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
 $IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT
+# SSHD rules if activate
+ssh_active=`grep SSH /usr/local/etc/alcasar-network|cut -d"=" -f2`
+if [ $ssh_active = "on" ]
+	then
+	Admin_from_IP="0.0.0.0/0.0.0.0"		# Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0  = de n'importe où ! )
+	$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
+	$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
+	$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
+	$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW,ESTABLISHED -j ACCEPT
+	$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
+fi
+# Insertion de règles locales
+# Here, we add local rules (i.e. ssh from Internet)
+if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
+        . /usr/local/etc/alcasar-iptables-local.sh
+fi
 # On autorise les retours de connexions légitimes par INPUT
 # Conntrack on INPUT
 $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 # On interdit les connexions directes au port utilisé par DansGuardian (8080)

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 577 → 604