Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar-iptables.sh 3044 2022-07-24 21:55:18Z rexy $
|
2 |
# $Id: alcasar-iptables.sh 3046 2022-07-30 22:07:33Z rexy $
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
3 |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal)
|
4 |
# This script writes the netfilter rules for ALCASAR
|
4 |
# This script writes the netfilter rules for ALCASAR
|
5 |
# Rexy - 3abtux - CPN
|
5 |
# Rexy - 3abtux - CPN
|
6 |
#
|
6 |
#
|
7 |
# Reminders
|
7 |
# Reminders
|
Line 20... |
Line 20... |
20 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
20 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
|
21 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
21 |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
|
22 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
22 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
|
23 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24)
|
23 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24)
|
24 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
24 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
- |
|
25 |
dhcp_on_extif="off"
|
25 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
26 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
26 |
then
|
27 |
then
|
- |
|
28 |
dhcp_on_extif="on"
|
27 |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
|
29 |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
|
28 |
public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`
|
30 |
public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`
|
29 |
fi
|
31 |
fi
|
30 |
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
|
32 |
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
|
31 |
dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
|
33 |
dns1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2`
|
Line 55... |
Line 57... |
55 |
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
|
57 |
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
|
56 |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
|
58 |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
|
57 |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
|
59 |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
|
58 |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
|
60 |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
|
59 |
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
|
61 |
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
|
- |
|
62 |
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
|
- |
|
63 |
interlan=${interlan:=off}
|
60 |
|
64 |
|
61 |
# Allow requests to internal DNS if activated
|
65 |
# Allow requests to internal DNS if activated
|
62 |
if [ "$INT_DNS_ACTIVE" = "on" ]
|
66 |
if [ "$INT_DNS_ACTIVE" = "on" ]
|
63 |
then
|
67 |
then
|
64 |
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
|
68 |
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
|
Line 321... |
Line 325... |
321 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
325 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
|
322 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
326 |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
|
323 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
327 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
|
324 |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
328 |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
|
325 |
|
329 |
|
326 |
# Si configéré, on autorise les réponses DHCP
|
330 |
# Si configuré, on autorise les réponses DHCP sur EXTIF
|
327 |
# Allow DHCP answers if configured
|
331 |
# If configured, DHCP responses are allowed on EXTIF
|
328 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
- |
|
329 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
332 |
if [[ "$dhcp_on_extif" == "on" ]]
|
330 |
then
|
333 |
then
|
331 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 68 -j ACCEPT
|
334 |
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 68 -j ACCEPT
|
332 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 68 -j ACCEPT
|
335 |
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 68 -j ACCEPT
|
333 |
fi
|
336 |
fi
|
- |
|
337 |
|
334 |
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
|
338 |
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
|
335 |
# Drop broadcast & multicast on EXTIF to avoid log
|
339 |
# Drop broadcast & multicast on EXTIF to avoid log
|
336 |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
|
340 |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
|
337 |
|
341 |
|
338 |
# On autorise les retours de connexions légitimes par INPUT
|
342 |
# On autorise les retours de connexions légitimes par INPUT
|
Line 418... |
Line 422... |
418 |
$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
|
422 |
$IPTABLES -A INPUT -i $EXTIF -m conntrack --ctstate NEW -j NFLOG --nflog-group 3 --nflog-threshold 10 --nflog-prefix "RULE rej-ext -- DROP"
|
419 |
|
423 |
|
420 |
#############################
|
424 |
#############################
|
421 |
# FORWARD #
|
425 |
# FORWARD #
|
422 |
#############################
|
426 |
#############################
|
- |
|
427 |
# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet
|
- |
|
428 |
# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router
|
- |
|
429 |
if [ "$interlan" != "on" ]
|
- |
|
430 |
then
|
- |
|
431 |
$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP
|
- |
|
432 |
fi
|
- |
|
433 |
|
423 |
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
|
434 |
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
|
424 |
# Deny IPs of the SET bl_ip_blocked for the set av_bl
|
435 |
# Deny IPs of the SET bl_ip_blocked for the set av_bl
|
425 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
|
436 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
|
426 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
|
437 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-host-prohibited
|
427 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
438 |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
|
Line 512... |
Line 523... |
512 |
#############################
|
523 |
#############################
|
513 |
# On laisse tout sortir sur la carte interne (voir les règles suivantes pour la carte externe)
|
524 |
# On laisse tout sortir sur la carte interne (voir les règles suivantes pour la carte externe)
|
514 |
# We let everything out on INTIF (see following rules for the EXTIF)
|
525 |
# We let everything out on INTIF (see following rules for the EXTIF)
|
515 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
526 |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
|
516 |
|
527 |
|
517 |
# Si configuré, on autorise les requêtes DHCP
|
528 |
# Si configuré, on autorise les requêtes DHCP sur EXTIF
|
518 |
# Allow DHCP requests if configured
|
529 |
# Allow DHCP requests on EXTIF if configured
|
519 |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
|
- |
|
520 |
if [[ "$public_ip_mask" == "dhcp" ]]
|
530 |
if [[ "$dhcp_on_extif" == "on" ]]
|
521 |
then
|
531 |
then
|
522 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
|
532 |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
|
523 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT
|
533 |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT
|
524 |
fi
|
534 |
fi
|
525 |
|
535 |
|