WebSVN – ALCASAR – Diff – /scripts/alcasar-iptables.sh



#!/bin/sh
# $Id: alcasar-iptables.sh 694 2011-08-03 04:38:09Z franck $
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
# This script write the netfilter rules for ALCASAR
# Rexy - 3abtux - CPN
#
# Reminders

DNS_FILTERING=${DNS_FILTERING:=off}
QOS=`grep QOS $conf_file|cut -d"=" -f2`					# QOS (on/off)
QOS=${QOS:=off}
SSH=`grep SSH $conf_file|cut -d"=" -f2`					# sshd active (on/off)
SSH=${SSH:=off}
Admin_from_IP=${Admin_from_IP:="0.0.0.0/0.0.0.0"}			# Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0  = de n'importe où ! )
LDAP=`grep LDAP $conf_file|cut -d"=" -f2`				# ldap external server active (on/off)
LDAP=${LDAP:=off}
LDAP_IP=${LDAP_IP:="0.0.0.0"}
PRIVATE_NETWORK_MASK=$private_network/$private_prefix			# Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1`			# ALCASAR LAN IP address
DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
EXTIF="eth0"
INTIF="eth1"

$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT
# SSHD rules if activate 
if [ $SSH = on ]
	then
 
	$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
	$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
	$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
	$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
        . /usr/local/etc/alcasar-iptables-local.sh
fi
 
# On autorise les retours de connexions légitimes par INPUT

$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
# On autorise les requêtes LDAP si un serveur externe est configué
# LDAP requests are allowed if an external server is declared
if [ $LDAP = on ]
	then
	$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
	$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
#	$IPTABLES -A INPUT  -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
#	$IPTABLES -A INPUT  -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
fi
# Traduction dynamique d'adresse en sortie
# Dynamic NAT on EXTIF
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 

Rev 688	Rev 694
Line 1...	Line 1...
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`# $Id: alcasar-iptables.sh 688 2011-07-28 22:20:18Z richard $`	2	`# $Id: alcasar-iptables.sh 694 2011-08-03 04:38:09Z franck $`
3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`	3	`# Script de mise en place des regles du parefeu d'Alcasar (mode normal)`
4	`# This script write the netfilter rules for ALCASAR`	4	`# This script write the netfilter rules for ALCASAR`
5	`# Rexy - 3abtux - CPN`	5	`# Rexy - 3abtux - CPN`
6	`#`	6	`#`
7	`# Reminders`	7	`# Reminders`
Line 27...	Line 27...
27	`DNS_FILTERING=${DNS_FILTERING:=off}`	27	`DNS_FILTERING=${DNS_FILTERING:=off}`
28	QOS=`grep QOS $conf_file\|cut -d"=" -f2` # QOS (on/off)	28	QOS=`grep QOS $conf_file\|cut -d"=" -f2` # QOS (on/off)
29	`QOS=${QOS:=off}`	29	`QOS=${QOS:=off}`
30	SSH=`grep SSH $conf_file\|cut -d"=" -f2` # sshd active (on/off)	30	SSH=`grep SSH $conf_file\|cut -d"=" -f2` # sshd active (on/off)
31	`SSH=${SSH:=off}`	31	`SSH=${SSH:=off}`
-		32	`Admin_from_IP=${Admin_from_IP:="0.0.0.0/0.0.0.0"} # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! )`
32	LDAP=`grep LDAP $conf_file\|cut -d"=" -f2` # ldap external server active (on/off)	33	LDAP=`grep LDAP $conf_file\|cut -d"=" -f2` # ldap external server active (on/off)
33	`LDAP=${LDAP:=off}`	34	`LDAP=${LDAP:=off}`
-		35	`LDAP_IP=${LDAP_IP:="0.0.0.0"}`
34	`PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)`	36	`PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)`
35	PRIVATE_IP=`echo $private_ip_mask \| cut -d"/" -f1` # ALCASAR LAN IP address	37	PRIVATE_IP=`echo $private_ip_mask \| cut -d"/" -f1` # ALCASAR LAN IP address
36	`DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses`	38	`DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses`
37	`EXTIF="eth0"`	39	`EXTIF="eth0"`
38	`INTIF="eth1"`	40	`INTIF="eth1"`
Line 189...	Line 191...
189	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT`	191	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT`
190	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT`	192	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT`
191	`# SSHD rules if activate`	193	`# SSHD rules if activate`
192	`if [ $SSH = on ]`	194	`if [ $SSH = on ]`
193	`then`	195	`then`
194	`Admin_from_IP="0.0.0.0/0.0.0.0" # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! )`	-
195	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"`	196	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"`
196	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`	197	`$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT`
197	`$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"`	198	`$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"`
198	`$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW,ESTABLISHED -j ACCEPT`	199	`$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW,ESTABLISHED -j ACCEPT`
199	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT`	200	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT`
200	`fi`	201	`fi`
201		202
202	`# Insertion de règles locales`	203	`# Insertion de règles locales`
203	`# Here, we add local rules (i.e. ssh from Internet)`	204	`# Here, we add local rules (i.e. VPN from Internet)`
204	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`	205	`if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then`
205	`. /usr/local/etc/alcasar-iptables-local.sh`	206	`. /usr/local/etc/alcasar-iptables-local.sh`
206	`fi`	207	`fi`
207		208
208	`# On autorise les retours de connexions légitimes par INPUT`	209	`# On autorise les retours de connexions légitimes par INPUT`
Line 262...	Line 263...
262	`$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT`	263	`$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT`
263	`# On autorise les requêtes LDAP si un serveur externe est configué`	264	`# On autorise les requêtes LDAP si un serveur externe est configué`
264	`# LDAP requests are allowed if an external server is declared`	265	`# LDAP requests are allowed if an external server is declared`
265	`if [ $LDAP = on ]`	266	`if [ $LDAP = on ]`
266	`then`	267	`then`
267	`$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ldap -j ACCEPT`	268	`$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT`
268	`$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ldap -j ACCEPT`	269	`$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT`
-		270	`# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT`
-		271	`# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT`
269	`fi`	272	`fi`
270	`# Traduction dynamique d'adresse en sortie`	273	`# Traduction dynamique d'adresse en sortie`
271	`# Dynamic NAT on EXTIF`	274	`# Dynamic NAT on EXTIF`
272	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`	275	`$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE`
273		276

Subversion Repositories ALCASAR

(root)/scripts/alcasar-iptables.sh – Rev 688 → 694