Subversion Repositories ALCASAR

Rev

Rev 604 | Rev 615 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 604 Rev 612
Line 1... Line 1...
1 
#!/bin/sh
 1 
#!/bin/sh
2 
# $Id: alcasar-iptables.sh 604 2011-05-15 21:23:10Z richard $
 2 
# $Id: alcasar-iptables.sh 612 2011-05-22 21:19:27Z richard $
3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
 3 
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4 
# This script write the netfilter rules for ALCASAR
 4 
# This script write the netfilter rules for ALCASAR
5 
# Rexy - 3abtux - CPN
 5 
# Rexy - 3abtux - CPN
6 
# There are three channels for log :
 6 
# There are three channels for log :
7 
#	1 (default) for tracability;
 7 
#	1 (default) for tracability;
8 
#	2 for secure admin (ssh);
 8 
#	2 for secure admin (ssh);
9 
#	3 for exterior access attempts.
 9 
#	3 for exterior access attempts.
10 
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
 10 
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
11 
 
 11 
 
- 
 
 12 
conf_file="/usr/local/etc/alcasar.conf"
12 
private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2`
 13 
private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2`
13 
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2`		# LAN IP address (ie.: 192.168.182.0)
 14 
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2`		# LAN IP address (ie.: 192.168.182.0)
14 
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2`		# LAN prefix (ie. 24)
 15 
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2`		# LAN prefix (ie. 24)
15 
dns1=`grep DNS1 /usr/local/etc/alcasar-network|cut -d"=" -f2`		# first public DNS server
 16 
dns1=`grep DNS1 $conf_file|cut -d"=" -f2`				# first public DNS server
16 
dns2=`grep DNS2 /usr/local/etc/alcasar-network|cut -d"=" -f2`		# second public DNS server
 17 
dns2=`grep DNS2 $conf_file|cut -d"=" -f2`				# second public DNS server
17 
 
 - 
 
18 
IPTABLES="/sbin/iptables"
 18 
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING $conf_file|cut -d"=" -f2`	# Network protocols filter (yes/no)
19 
PROTO_FILTERING="no"
 19 
DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2`		# DNS and URLs filter (yes/no)
20 
DNS_FILTERING="no"
 20 
QOS=`grep QOS $conf_file|cut -d"=" -f2`					# QOS (yse/no)
21 
QOS="no"
 - 
 
22 
EXTIF="eth0"
- 
 
23 
INTIF="eth1"
 - 
 
24 
TUNIF="tun0"								# listen card for chilli daemon
 21 
SSH=`grep SSH $conf_file|cut -d"=" -f2`					# sshd active (yes/no)
25 
PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# Lan IP address + prefix (192.168.182.0/24)
 22 
PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# Lan IP address + prefix (192.168.182.0/24)
26 
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
 23 
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
27 
DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
 24 
DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
- 
 
 25 
EXTIF="eth0"
- 
 
 26 
INTIF="eth1"
- 
 
 27 
TUNIF="tun0"								# listen card for chilli daemon
- 
 
 28 
IPTABLES="/sbin/iptables"
28 
 
 29 
 
29 
# Effacement des règles existantes
 30 
# Effacement des règles existantes
30 
# Flush all existing rules
 31 
# Flush all existing rules
31 
$IPTABLES -F
 32 
$IPTABLES -F
32 
$IPTABLES -t nat -F
 33 
$IPTABLES -t nat -F
Line 94... Line 95...
94 
 
 95 
 
95 
###############################
 96 
###############################
96 
#  If DNS filter is activate  #
 97 
#  If DNS filter is activate  #
97 
###############################
 98 
###############################
98 
# Redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions
99 
# Redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions
99 
if [ $DNS_FILTERING = "yes" ]; then
 100 
if [ $DNS_FILTERING = on ]; then
100 
	# Compute exception IP
 101 
	# Compute exception IP
101 
	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
 102 
	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
102 
	if [ $nb_exceptions != "0" ]
 103 
	if [ $nb_exceptions != "0" ]
103 
	then
 104 
	then
104 
		while read ip_exception
105 
		while read ip_exception
Line 110... Line 111...
110 
fi
 111 
fi
111 
#####################################
 112 
#####################################
112 
#  If protocols filter is activate  #
 113 
#  If protocols filter is activate  #
113 
#####################################
 114 
#####################################
114 
# filtrage de protocoles sauf pour les IP en exceptions
115 
# filtrage de protocoles sauf pour les IP en exceptions
115 
if [ $PROTO_FILTERING = "yes" ]; then
 116 
if [ $PROTOCOLS_FILTERING = on ]; then
116 
	# Compute exception IP
 117 
	# Compute exception IP
117 
	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
 118 
	nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
118 
	if [ $nb_exceptions != "0" ]
 119 
	if [ $nb_exceptions != "0" ]
119 
	then
 120 
	then
120 
		while read ip_exception
121 
		while read ip_exception
Line 150... Line 151...
150 
fi
 151 
fi
151 
 
 152 
 
152 
########################
 153 
########################
153 
#  If QOS is activate  #
 154 
#  If QOS is activate  #
154 
########################
 155 
########################
155 
if [ $QOS = "yes" ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
 156 
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
156 
	. /usr/local/etc/alcasar-iptables-qos.sh
157 
	. /usr/local/etc/alcasar-iptables-qos.sh
157 
fi
 158 
fi
158 
 
 159 
 
159 
# Autorisation des connections sortant du LAN
160 
# Autorisation des connections sortant du LAN
160 
# Allow forward connections with log
 161 
# Allow forward connections with log
Line 170... Line 171...
170 
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT # dnsmasq with blackhole
 171 
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT # dnsmasq with blackhole
171 
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
 172 
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
172 
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT
 173 
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT
173 
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT
 174 
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT
174 
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT
 175 
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT
175 
 
 - 
 
176 
# SSHD rules if activate
176 
# SSHD rules if activate
177 
ssh_active=`grep SSH /usr/local/etc/alcasar-network|cut -d"=" -f2`
 - 
 
178 
if [ $ssh_active = "on" ]
 177 
if [ $SSH = on ]
179 
	then
 178 
	then
180 
	Admin_from_IP="0.0.0.0/0.0.0.0"		# Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0  = de n'importe où ! )
 179 
	Admin_from_IP="0.0.0.0/0.0.0.0"		# Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0  = de n'importe où ! )
181 
	$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
 180 
	$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
182 
	$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
 181 
	$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
183 
	$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
 182 
	$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"