| Line 1... | 
            Line 1... | 
          
          
            | 1 | 
            #!/bin/sh
  | 
            1 | 
            #!/bin/sh
  | 
          
          
            | 2 | 
            # $Id: alcasar-iptables.sh 786 2012-01-02 22:50:31Z richard $
  | 
            2 | 
            # $Id: alcasar-iptables.sh 790 2012-01-12 23:23:59Z richard $
  | 
          
          
            | 3 | 
            # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
  | 
            3 | 
            # Script de mise en place des regles du parefeu d'Alcasar (mode normal)
  | 
          
          
            | 4 | 
            # This script write the netfilter rules for ALCASAR
  | 
            4 | 
            # This script write the netfilter rules for ALCASAR
  | 
          
          
            | 5 | 
            # Rexy - 3abtux - CPN
  | 
            5 | 
            # Rexy - 3abtux - CPN
  | 
          
          
            | 6 | 
            #
  | 
            6 | 
            #
  | 
          
          
            | 7 | 
            # Reminders
  | 
            7 | 
            # Reminders
  | 
          
          
            | Line 25... | 
            Line 25... | 
          
          
            | 25 | 
            dns2=`grep DNS2= $conf_file|cut -d"=" -f2`				# second public DNS server
  | 
            25 | 
            dns2=`grep DNS2= $conf_file|cut -d"=" -f2`				# second public DNS server
  | 
          
          
            | 26 | 
            dns2=${dns2:=208.67.222.222}
  | 
            26 | 
            dns2=${dns2:=208.67.222.222}
  | 
          
          
            | 27 | 
            DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
  | 
            27 | 
            DNSSERVERS="$dns1,$dns2"						# first and second DNS IP servers addresses
  | 
          
          
            | 28 | 
            PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2`	# Network protocols filter (on/off)
  | 
            28 | 
            PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING= $conf_file|cut -d"=" -f2`	# Network protocols filter (on/off)
  | 
          
          
            | 29 | 
            PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
  | 
            29 | 
            PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
  | 
          
          
            | - | 
               | 
            30 | 
            EXT_LAN_FILTERING=`grep EXT_LAN_FILTERING= $conf_file|cut -d"=" -f2`	# filter acces to the lan on alcasar/eth0 (on/off)
  | 
          
          
            | - | 
               | 
            31 | 
            EXT_LAN_FILTERING=${EXT_LAN_FILTERING:=off}
  | 
          
          
            | 30 | 
            DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2`		# DNS and URLs filter (on/off)
  | 
            32 | 
            DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2`		# DNS and URLs filter (on/off)
  | 
          
          
            | 31 | 
            DNS_FILTERING=${DNS_FILTERING:=off}
  | 
            33 | 
            DNS_FILTERING=${DNS_FILTERING:=off}
  | 
          
          
            | 32 | 
            QOS=`grep QOS= $conf_file|cut -d"=" -f2`				# QOS (on/off)
  | 
            34 | 
            QOS=`grep QOS= $conf_file|cut -d"=" -f2`				# QOS (on/off)
  | 
          
          
            | 33 | 
            QOS=${QOS:=off}
  | 
            35 | 
            QOS=${QOS:=off}
  | 
          
          
            | 34 | 
            SSH=`grep SSH= $conf_file|cut -d"=" -f2`				# sshd active (on/off)
  | 
            36 | 
            SSH=`grep SSH= $conf_file|cut -d"=" -f2`				# sshd active (on/off)
  | 
          
          
            | Line 194... | 
            Line 196... | 
          
          
            | 194 | 
            # Rejet des requêtes DNS vers Internet
  | 
            196 | 
            # Rejet des requêtes DNS vers Internet
  | 
          
          
            | 195 | 
            # Deny forward DNS
  | 
            197 | 
            # Deny forward DNS
  | 
          
          
            | 196 | 
            $IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
  | 
            198 | 
            $IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
  | 
          
          
            | 197 | 
            $IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
  | 
            199 | 
            $IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
  | 
          
          
            | 198 | 
             
  | 
            200 | 
             
  | 
          
          
            | - | 
               | 
            201 | 
            # Filtrage de l'accès au LAN connecté sur EXTIF (eth0)
  | 
          
          
            | - | 
               | 
            202 | 
            # EXTIF (eth0) connected LAN filtering
  | 
          
          
            | - | 
               | 
            203 | 
            if [ $EXT_LAN_FILTERING = on ]; then
  | 
          
          
            | - | 
               | 
            204 | 
            $IPTABLES -A FORWARD -i $TUNIF -p udp -d $public_ip_mask -j REJECT --reject-with icmp-port-unreachable
  | 
          
          
            | - | 
               | 
            205 | 
            $IPTABLES -A FORWARD -i $TUNIF -p icmp -d $public_ip_mask -j REJECT --reject-with icmp-port-unreachable
  | 
          
          
            | - | 
               | 
            206 | 
            $IPTABLES -A FORWARD -i $TUNIF -p tcp -d $public_ip_mask -j REJECT --reject-with tcp-reset
  | 
          
          
            | - | 
               | 
            207 | 
            fi
  | 
          
          
            | - | 
               | 
            208 | 
             
  | 
          
          
            | 199 | 
            #  If protocols filter is activate 
  | 
            209 | 
            #  If protocols filter is activate 
  | 
          
          
            | 200 | 
            if [ $PROTOCOLS_FILTERING = on ]; then
  | 
            210 | 
            if [ $PROTOCOLS_FILTERING = on ]; then
  | 
          
          
            | 201 | 
            	# Compute exception IP (IP addresses that shouldn't be filtered)
  | 
            211 | 
            	# Compute exception IP (IP addresses that shouldn't be filtered)
  | 
          
          
            | 202 | 
            	nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
  | 
            212 | 
            	nb_exceptions=`wc -l /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
  | 
          
          
            | 203 | 
            	if [ $nb_exceptions != "0" ]
  | 
            213 | 
            	if [ $nb_exceptions != "0" ]
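Review bot: The EXT_LAN_FILTERING block at new lines 204–206 rejects only UDP, ICMP and TCP towards `$public_ip_mask`, so with the filter on, any other IP protocol coming in on `$TUNIF` (GRE, ESP, SCTP, …) still reaches the LAN behind EXTIF; a protocol-agnostic catch-all after the three explicit rules closes the gap, e.g. `$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j REJECT --reject-with icmp-port-unreachable` (keep the tcp-reset rule before it so TCP clients still get a RST rather than a hang). The test `[ $EXT_LAN_FILTERING = on ]` on line 203 is unquoted; the default on line 31 prevents an empty value, but a value with whitespace read from `$conf_file` would break the test, so `[ "$EXT_LAN_FILTERING" = "on" ]` is safer and matches what the default intends. Whether these appended FORWARD rules are evaluated before any broader ACCEPT, and where `$public_ip_mask` is assigned, cannot be seen from this hunk, which continues past the end of the page.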
  |