| Line 1... |
Line 1... |
| 1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
| 2 |
# $Id: alcasar-iptables.sh 859 2012-04-19 22:21:31Z richard $
|
2 |
# $Id: alcasar-iptables.sh 871 2012-05-10 22:09:21Z richard $
|
| 3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
| 4 |
# This script write the netfilter rules for ALCASAR
|
4 |
# This script write the netfilter rules for ALCASAR
|
| 5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
| 6 |
#
|
6 |
#
|
| 7 |
# Reminders
|
7 |
# Reminders
|
| Line 108... |
Line 108... |
| 108 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
108 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
|
| 109 |
|
109 |
|
| 110 |
#############################
|
110 |
#############################
|
| 111 |
# INPUT #
|
111 |
# INPUT #
|
| 112 |
#############################
|
112 |
#############################
|
| - |
|
113 |
|
| 113 |
# Tout passe sur loopback
|
114 |
# Tout passe sur loopback
|
| 114 |
# accept all on loopback
|
115 |
# accept all on loopback
|
| 115 |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
116 |
$IPTABLES -A INPUT -i lo -j ACCEPT
|
| 116 |
|
117 |
|
| 117 |
|
- |
|
| 118 |
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
|
118 |
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
|
| 119 |
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
|
119 |
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
|
| 120 |
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
|
120 |
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
|
| 121 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
121 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
| 122 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
122 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
| 123 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
123 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
| 124 |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
|
124 |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP
|
| 125 |
|
125 |
|
| 126 |
# On rejette les trame en broadcast et en multicast sur EXTIF (pour ne pas les journaliser)
|
126 |
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
|
| 127 |
# Drop broadcast & multicast on EXTIF to not be logged
|
127 |
# Drop broadcast & multicast on EXTIF to avoid log
|
| 128 |
$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
|
128 |
$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
|
| 129 |
|
129 |
|
| 130 |
# On autorise les retours de connexions légitimes par INPUT
|
130 |
# On autorise les retours de connexions légitimes par INPUT
|
| 131 |
# Conntrack on INPUT
|
131 |
# Conntrack on INPUT
|
| 132 |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
132 |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
| Line 199... |
Line 199... |
| 199 |
|
199 |
|
| 200 |
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
|
200 |
# Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
|
| 201 |
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
|
201 |
# On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
|
| 202 |
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
|
202 |
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
|
| 203 |
|
203 |
|
| - |
|
204 |
|
| 204 |
#############################
|
205 |
#############################
|
| 205 |
# FORWARD #
|
206 |
# FORWARD #
|
| 206 |
#############################
|
207 |
#############################
|
| 207 |
|
208 |
|
| 208 |
# Rejet des requêtes DNS vers Internet
|
209 |
# Rejet des requêtes DNS vers Internet
|
| Line 241... |
Line 242... |
| 241 |
do
|
242 |
do
|
| 242 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
|
243 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
|
| 243 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
|
244 |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
|
| 244 |
done < /usr/local/etc/alcasar-filter-exceptions
|
245 |
done < /usr/local/etc/alcasar-filter-exceptions
|
| 245 |
fi
|
246 |
fi
|
| 246 |
# Compute uamallowed IP (IP address of equipments connect between ALCASAR and Internet (DMZ, own servers, ...)
|
247 |
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
|
| 247 |
nb_exceptions=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
|
248 |
nb_uamallowed=`wc -l /usr/local/etc/alcasar-uamallowed | cut -d" " -f1`
|
| 248 |
if [ $nb_exceptions != "0" ]
|
249 |
if [ $nb_uamallowed != "0" ]
|
| 249 |
then
|
250 |
then
|
| 250 |
while read ip_allowed_line
|
251 |
while read ip_allowed_line
|
| 251 |
do
|
252 |
do
|
| 252 |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
|
253 |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
|
| 253 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
|
254 |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
|