Rev 815 Rev 848
Line 1... Line 1...
1
#!/bin/sh
1
#!/bin/sh
2
# $Id: alcasar-iptables.sh 815 2012-02-08 20:49:07Z richard $
2
# $Id: alcasar-iptables.sh 848 2012-04-03 17:43:10Z franck $
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
3
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
4
# This script write the netfilter rules for ALCASAR
4
# This script write the netfilter rules for ALCASAR
5
# Rexy - 3abtux - CPN
5
# Rexy - 3abtux - CPN
6
#
6
#
7
# Reminders
7
# Reminders
Line 116... Line 116...
116
# accept all on loopback
116
# accept all on loopback
117
$IPTABLES -A INPUT -i lo -j ACCEPT
117
$IPTABLES -A INPUT -i lo -j ACCEPT
118
 
118
 
119
# Insertion de règles de blocage (Devel)
119
# Insertion de règles de blocage (Devel)
120
# Here, we add block rules (Devel)
120
# Here, we add block rules (Devel)
121
if [ -f /usr/local/etc/alcasar-iptables-block.sh ]; then
121
if [ -s /usr/local/etc/alcasar-iptables-block ]; then 
-
 
122
    while read ip_blocked
-
 
123
    do
-
 
124
      echo "Network Address blocked : $ip_blocked"
-
 
125
      $IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
-
 
126
      $IPTABLES -A FORWARD -d $ip_blocked -j REJECT
-
 
127
      $IPTABLES -A FORWARD -s $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
-
 
128
      $IPTABLES -A FORWARD -s $ip_blocked -j REJECT
122
        . /usr/local/etc/alcasar-iptables-block.sh
129
    done < /usr/local/etc/alcasar-iptables-block
123
fi
130
fi
124
 
131
 
125
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
132
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
126
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
133
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
127
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
134
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP