1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
2 |
# $Id: alcasar-iptables.sh 726 2011-10-04 20:36:38Z franck $
|
2 |
# $Id: alcasar-iptables.sh 766 2011-11-10 22:29:41Z richard $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script write the netfilter rules for ALCASAR
|
4 |
# This script write the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
11 |
# 3 for exterior access attempts.
|
11 |
# 3 for exterior access attempts.
|
12 |
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
|
12 |
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
|
13 |
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
|
13 |
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
|
14 |
|
14 |
|
15 |
conf_file="/usr/local/etc/alcasar.conf"
|
15 |
conf_file="/usr/local/etc/alcasar.conf"
|
16 |
private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2`
|
16 |
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
|
17 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
17 |
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
|
18 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
18 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
19 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
19 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
20 |
dns1=`grep DNS1 $conf_file|cut -d"=" -f2` # first public DNS server
|
20 |
dns1=`grep DNS1= $conf_file|cut -d"=" -f2` # first public DNS server
|
21 |
dns1=${dns1:=208.67.220.220}
|
21 |
dns1=${dns1:=208.67.220.220}
|
22 |
dns2=`grep DNS2 $conf_file|cut -d"=" -f2` # second public DNS server
|
22 |
dns2=`grep DNS2= $conf_file|cut -d"=" -f2` # second public DNS server
|
23 |
dns2=${dns2:=208.67.222.222}
|
23 |
dns2=${dns2:=208.67.222.222}
|
24 |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
24 |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2` # Network protocols filter (on/off)
|
25 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
25 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
|
26 |
DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
|
26 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
|
27 |
DNS_FILTERING=${DNS_FILTERING:=off}
|
27 |
DNS_FILTERING=${DNS_FILTERING:=off}
|
28 |
QOS=`grep QOS $conf_file|cut -d"=" -f2` # QOS (on/off)
|
28 |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
|
29 |
QOS=${QOS:=off}
|
29 |
QOS=${QOS:=off}
|
30 |
SSH=`grep SSH $conf_file|cut -d"=" -f2` # sshd active (on/off)
|
30 |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
|
31 |
SSH=${SSH:=off}
|
31 |
SSH=${SSH:=off}
|
32 |
Admin_from_IP=${Admin_from_IP:="0.0.0.0/0.0.0.0"} # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! )
|
32 |
Admin_from_IP=${Admin_from_IP:="0.0.0.0/0.0.0.0"} # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! )
|
33 |
LDAP=`grep LDAP $conf_file|cut -d"=" -f2` # ldap external server active (on/off)
|
33 |
LDAP=`grep LDAP= $conf_file|cut -d"=" -f2` # ldap external server active (on/off)
|
34 |
LDAP=${LDAP:=off}
|
34 |
LDAP=${LDAP:=off}
|
- |
|
35 |
LDAP_IP=`grep LDAP_IP= $conf_file|cut -d"=" -f2` # ldap external server IP address
|
35 |
LDAP_IP=${LDAP_IP:="0.0.0.0"}
|
36 |
LDAP_IP=${LDAP_IP:="0.0.0.0"}
|
36 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
|
37 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
|
37 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
38 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
38 |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
|
39 |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
|
39 |
EXTIF="eth0"
|
40 |
EXTIF="eth0"
|