1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
2 |
# $Id: alcasar-iptables.sh 675 2011-07-18 21:24:19Z richard $
|
2 |
# $Id: alcasar-iptables.sh 688 2011-07-28 22:20:18Z richard $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script write the netfilter rules for ALCASAR
|
4 |
# This script write the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
102 |
# If DNS filter is activate #
|
102 |
# If DNS filter is activate #
|
103 |
###############################
|
103 |
###############################
|
104 |
# Redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions
|
104 |
# Redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions
|
105 |
if [ $DNS_FILTERING = on ]; then
|
105 |
if [ $DNS_FILTERING = on ]; then
|
106 |
# Compute exception IP
|
106 |
# Compute exception IP
|
107 |
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
|
107 |
nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
|
108 |
if [ $nb_exceptions != "0" ]
|
108 |
if [ $nb_exceptions != "0" ]
|
109 |
then
|
109 |
then
|
110 |
while read ip_exception
|
110 |
while read ip_exception
|
111 |
do
|
111 |
do
|
112 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT
|
112 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -s $ip_exception -d $PRIVATE_IP --dport domain -j ACCEPT
|
115 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP --dport domain -j REDIRECT --to-port 54
|
115 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP --dport domain -j REDIRECT --to-port 54
|
116 |
fi
|
116 |
fi
|
117 |
#####################################
|
117 |
#####################################
|
118 |
# If protocols filter is activate #
|
118 |
# If protocols filter is activate #
|
119 |
#####################################
|
119 |
#####################################
|
120 |
# filtrage de protocoles sauf pour les IP en exceptions
|
- |
|
121 |
if [ $PROTOCOLS_FILTERING = on ]; then
|
120 |
if [ $PROTOCOLS_FILTERING = on ]; then
|
122 |
# Compute exception IP
|
121 |
# Compute exception IP (IP addresses that shouldn't be filtered)
|
123 |
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
|
122 |
nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
|
124 |
if [ $nb_exceptions != "0" ]
|
123 |
if [ $nb_exceptions != "0" ]
|
125 |
then
|
124 |
then
|
126 |
while read ip_exception
|
125 |
while read ip_exception
|
127 |
do
|
126 |
do
|
128 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
|
127 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
|
129 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
|
128 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
|
130 |
done < /usr/local/etc/alcasar-filter-exceptions
|
129 |
done < /usr/local/etc/alcasar-filter-exceptions
|
131 |
fi
|
130 |
fi
|
- |
|
131 |
# Compute uamallowed IP (IP address of equipments connect between ALCASAR and Internet (DMZ, own servers, ...)
|
- |
|
132 |
nb_exceptions=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
|
- |
|
133 |
if [ $nb_exceptions != "0" ]
|
- |
|
134 |
then
|
- |
|
135 |
while read ip_allowed_line
|
- |
|
136 |
do
|
- |
|
137 |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
|
- |
|
138 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
|
- |
|
139 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
|
- |
|
140 |
done < /usr/local/etc/alcasar-uamallowed
|
- |
|
141 |
fi
|
132 |
# Autorisation des protocoles non commentés
|
142 |
# Autorisation des protocoles non commentés
|
133 |
# Allow non comment protocols
|
143 |
# Allow non comment protocols
|
134 |
while read svc_line
|
144 |
while read svc_line
|
135 |
do
|
145 |
do
|
136 |
svc_on=`echo $svc_line|cut -b1`
|
146 |
svc_on=`echo $svc_line|cut -b1`
|