#!/bin/bash
# Host firewall: rebuilds the IPv4/IPv6 filter rules (plus a few nat and mangle
# rules) from the settings in /etc/fwconfig.

# Both wrappers carry -w 20: wait up to 20 s for the xtables lock instead of
# failing when another iptables invocation is running concurrently.
IPT="/usr/sbin/iptables -w 20"
IP6T="/usr/sbin/ip6tables -w 20"

# Si pas de configuration, on ne fait rien
# No /etc/fwconfig: leave the running rule set untouched and exit successfully.
[ -f /etc/fwconfig ] || exit 0


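# Kill des autres processus, celui lancé plus recemment a raison
# Every other running instance of this script is killed (SIGKILL, so it gets no
# chance to finish): the newest invocation wins and rebuilds the whole rule set
# below. pidof -x matches scripts by name; the name and pid are quoted so a path
# containing spaces is still passed as one argument.
script_name=${BASH_SOURCE[0]}
for pid in $(pidof -x "$script_name"); do
	if [ "$pid" != "$$" ]; then
		kill -9 "$pid"
	fi
done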

# On recupere la configuration
# /etc/fwconfig is sourced, i.e. executed as shell code with this script's
# privileges (root, since it drives iptables): whoever can write that file
# controls the firewall and the host. It is expected to define FW_CHAINIPADMIN,
# FW_CHAINTHINKRO, FW_SSH, FW_PORTSSH, FW_PORTPROXY, FW_HTTP, FW_PORTHTTP and
# FW_SECOURSROUTE, all read further down.

source /etc/fwconfig

# Tout effacer
# Empty the filter table of both families before rebuilding it. Default
# policies are not touched here (they are set once the rules are back), so
# until then the host runs with whatever policy the previous run left.
# IpSipTrunk is never created in this script; 2>/dev/null hides the resulting
# "no chain" errors on chains that do not exist yet.
# $fw is deliberately unquoted: it holds the binary plus its -w option.
for fw in "$IPT" "$IP6T"; do
	$fw -t filter -F INPUT
	for chain in IpAdministration IpLan IpSipTrunk IpThinkro; do
		$fw -F "$chain" 2>/dev/null
	done
	$fw -t filter -F FORWARD
	$fw -t filter -F OUTPUT
	$fw -t filter -X
done

# Tout autoriser sur loopback
for fw in "$IPT" "$IP6T"; do
	$fw -t filter -A INPUT -i lo -j ACCEPT
	$fw -t filter -A OUTPUT -o lo -j ACCEPT
done

# Autoriser ping
# En sortie pour le script de check gateway
# All ICMP / ICMPv6 types are accepted in both directions, without rate limit
# (no --icmp-type restriction).
for chain in INPUT OUTPUT; do
	$IPT -t filter -A "$chain" -p icmp -j ACCEPT
	$IP6T -t filter -A "$chain" -p ipv6-icmp -j ACCEPT
done


# On cree la chaine ip lan
# IpLan: one ACCEPT per global-scope prefix of an "eth" interface (IPv4 in
# iptables, IPv6 in ip6tables). The chain only holds ACCEPT rules, so packets
# that match nothing return to INPUT.
for fw in "$IPT" "$IP6T"; do
	$fw -N IpLan 2>/dev/null # Creer la chaine (error hidden when it already exists)
done
for fw in "$IPT" "$IP6T"; do
	$fw -F IpLan # Vider la chaine
done

# Print the global-scope address/prefix of every interface whose line mentions
# "eth" for the given family ($1: inet or inet6), one per line.
lan_addrs() {
	ip -o -f "$1" addr show | grep eth | awk '/scope global/ {print $4}'
}

# On regarde les ipv4 puis ipv6 du lan
for addr in $(lan_addrs inet); do
	$IPT -A IpLan -s "$addr" -j ACCEPT
done
for addr in $(lan_addrs inet6); do
	$IP6T -A IpLan -s "$addr" -j ACCEPT
done

# On cree la chaine ip administration
# IpAdministration: ACCEPT for every source listed in FW_CHAINIPADMIN
# (";"-separated); an entry containing ":" goes to ip6tables, anything else to
# iptables. No terminal rule: non-matching packets return to INPUT.
for fw in "$IPT" "$IP6T"; do
	$fw -N IpAdministration 2>/dev/null # Creer la chaine
done
for fw in "$IPT" "$IP6T"; do
	$fw -F IpAdministration # Vider la chaine
done
# ";" is turned into a space so the unquoted expansion splits into one word per entry.
for addr in ${FW_CHAINIPADMIN//;/ }; do
	if [[ $addr == *:* ]]; then
		$IP6T -A IpAdministration -s "$addr" -j ACCEPT
	else
		$IPT -A IpAdministration -s "$addr" -j ACCEPT
	fi
done

# On cree la chaine ip thinkro
# IpThinkro: ACCEPT for every source listed in FW_CHAINTHINKRO (";"-separated);
# entries containing ":" are IPv6. Built exactly like IpAdministration.
for fw in "$IPT" "$IP6T"; do
	$fw -N IpThinkro 2>/dev/null # Creer la chaine
done
for fw in "$IPT" "$IP6T"; do
	$fw -F IpThinkro # Vider la chaine
done
# ";" is turned into a space so the unquoted expansion splits into one word per entry.
for addr in ${FW_CHAINTHINKRO//;/ }; do
	if [[ $addr == *:* ]]; then
		$IP6T -A IpThinkro -s "$addr" -j ACCEPT
	else
		$IPT -A IpThinkro -s "$addr" -j ACCEPT
	fi
done


# Le SSH
# FW_PORTSSH: ";"-separated TCP ports. With FW_SSH=OPEN they are accepted from
# any source; otherwise only from sources matching IpThinkro or IpLan
# (IpAdministration is not consulted here). An empty FW_PORTSSH adds no rule at
# all, which with the INPUT DROP policy set later means no remote SSH access.
if [ "$FW_SSH" = "OPEN" ]; then
	# Autorise sans restriction d'ips
	ssh_targets=(ACCEPT)
else
	# Autoriser le ssh depuis les ips lan et thinkro
	ssh_targets=(IpThinkro IpLan)
fi
for port in ${FW_PORTSSH//;/ }; do
	for target in "${ssh_targets[@]}"; do
		$IPT -t filter -A INPUT -p tcp --dport "$port" -j "$target"
		$IP6T -t filter -A INPUT -p tcp --dport "$port" -j "$target"
	done
done

# SNMP (UDP 22 ET 422)
# NOTE(review): this reuses FW_PORTSSH (the SSH port list) for UDP; confirm that
# SNMP really listens on those port numbers rather than on a list of its own.
# Reachable from IpThinkro and IpLan only.
for port in ${FW_PORTSSH//;/ }; do
	for target in IpThinkro IpLan; do
		$IPT -t filter -A INPUT -p udp --dport "$port" -j "$target"
		$IP6T -t filter -A INPUT -p udp --dport "$port" -j "$target"
	done
done

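# Proxy HTTP
# FW_PORTPROXY is a single TCP port, reachable from IpThinkro, IpLan and
# IpAdministration. "0" disables it; an empty or unset value is now treated the
# same way instead of producing a rule with an empty --dport, which iptables
# rejects with an error.
if [ -n "$FW_PORTPROXY" ] && [ "$FW_PORTPROXY" != "0" ]; then
	for target in IpThinkro IpLan IpAdministration; do
		$IPT -t filter -A INPUT -p tcp --dport "$FW_PORTPROXY" -j "$target"
		$IP6T -t filter -A INPUT -p tcp --dport "$FW_PORTPROXY" -j "$target"
	done
fi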

# TFTP (69), multicast DNS (5353) et SIP (5060) sur le lan
# Three UDP services, each reachable only from sources matching IpLan.
for port in 69 5353 5060; do
	for fw in "$IPT" "$IP6T"; do
		$fw -t filter -A INPUT -p udp --dport "$port" -j IpLan
	done
done


# HTTP 80 : Le port 80 que depuis lan et thinkro
# Plain HTTP from IpThinkro and IpLan; the admin-HTTP block below may add
# IpAdministration as well depending on FW_HTTP.
for target in IpThinkro IpLan; do
	$IPT -t filter -A INPUT -p tcp --dport 80 -j "$target"
	$IP6T -t filter -A INPUT -p tcp --dport 80 -j "$target"
done
	
# HTTP 480 Le port d'administration
# FW_PORTHTTP: ";"-separated admin TCP ports. FW_HTTP chooses who may reach them:
#   OPEN   -> anyone (ACCEPT), i.e. the admin interface is world-reachable
#   FILTER -> IpAdministration, IpLan, IpThinkro
#   other  -> IpLan, IpThinkro
# In OPEN and FILTER mode port 80 is additionally opened to IpAdministration.
case "$FW_HTTP" in
	OPEN)
		# port admin tout ouvert
		http_targets=(ACCEPT)
		port80_admin=1
		;;
	FILTER)
		# ports admin filtre sur ip lan, administration et thinkro
		http_targets=(IpAdministration IpLan IpThinkro)
		port80_admin=1
		;;
	*)
		# port admin filtre sur ip lan et thinkro
		http_targets=(IpLan IpThinkro)
		port80_admin=0
		;;
esac
for port in ${FW_PORTHTTP//;/ }; do
	for target in "${http_targets[@]}"; do
		$IPT -t filter -A INPUT -p tcp --dport "$port" -j "$target"
		$IP6T -t filter -A INPUT -p tcp --dport "$port" -j "$target"
	done
done
if [ "$port80_admin" = 1 ]; then
	# dans ce mode, port 80 également accessible aux ips d'administration
	$IPT -t filter -A INPUT -p tcp --dport 80 -j IpAdministration
	$IP6T -t filter -A INPUT -p tcp --dport 80 -j IpAdministration
fi


# Si connexion etablie, autoriser le traffic entrant
# Appended after all the service rules, so every packet is checked against
# those first; return traffic of outbound connections is accepted here.
for fw in "$IPT" "$IP6T"; do
	$fw -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# Drop tout en entree, autoriser tout en sortie
# Default policies are only set now that the rule set is complete: INPUT and
# FORWARD drop, OUTPUT accepts everything.
for fw in "$IPT" "$IP6T"; do
	$fw -t filter -P INPUT DROP
	$fw -t filter -P FORWARD DROP
	$fw -t filter -P OUTPUT ACCEPT
done

# Autoriser le nat depuis eth0.3 ( Vlan 3 pour réseau client )
# IPv4 forwarding is accepted in both directions on eth0.3, with no state or
# address check.
for iface_opt in -i -o; do
	$IPT -A FORWARD "$iface_opt" eth0.3 -j ACCEPT
done


# Si custom executable, la lancer
# Site-specific hook, run with this script's privileges once the filter rules
# are in place. It runs before the nat table is flushed further down, so any
# nat-table rules it adds do not survive that flush.
[ -x /etc/rc.d/rc.firewall-custom ] && /etc/rc.d/rc.firewall-custom

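# Specificite proxy

# The nat table is rebuilt from scratch here (this also discards any nat rules
# added by rc.firewall-custom above).
$IPT -t nat -F
$IPT -t nat -X

# Paquets entrants Wifi ou ports PC
# Everything arriving on br6 is accepted into the host, without port filtering.
$IPT -t filter -A INPUT -i br6 -j ACCEPT
# Nat
# Both FORWARD rules are stateless: traffic from 192.168.6.0/24 and anything
# destined to it via br6 is accepted without a conntrack match.
$IPT --insert FORWARD 1 -i br6 --source 192.168.6.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.6.0/24 --jump ACCEPT --out-interface br6
# Marquage pour qos
# The mangle table is never flushed by this script, so only append the MARK rule
# when it is not already present (-C); otherwise every run adds a duplicate.
# On an iptables without -C the check fails and the rule is appended as before.
qos_mark_rule=(PREROUTING -i br6 --source 192.168.6.0/24 -j MARK --set-mark 6)
$IPT -t mangle -C "${qos_mark_rule[@]}" 2>/dev/null || $IPT -t mangle -A "${qos_mark_rule[@]}"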


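# Nat pour reseau telephones
# Everything arriving on eth0.3 (phone VLAN) is accepted into the host, without
# port filtering.
$IPT -t filter -A INPUT -i eth0.3 -j ACCEPT
# Nat
# Stateless FORWARD accepts in both directions for 192.168.3.0/24.
$IPT --insert FORWARD 1 -i eth0.3 --source 192.168.3.0/24 --destination 0.0.0.0/0.0.0.0 --jump ACCEPT
# The "-o eth0 MASQUERADE" rule is shared with the br6 network above: only add
# it when it is not already present (-C) instead of appending an identical
# second copy. On an iptables without -C the check fails and the rule is
# appended as before.
$IPT -t nat -C POSTROUTING -o eth0 -j MASQUERADE 2>/dev/null || $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPT --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 --destination 192.168.3.0/24 --jump ACCEPT --out-interface eth0.3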


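# Si sortie de secours
# FW_SECOURSROUTE: host to reach through the backup exit on the eth0.3:1 alias.
# The gateway is taken to be the first host address of that alias' subnet. The
# target is remembered in /etc/fwconfig-secoursRouteBackup so a later run can
# remove the route once the setting is cleared.
# Doublon de code dans callbox_ipsurvey.sh

#######################################
# Print the first host address of a subnet (network address + 1).
# Arguments: $1 - IPv4 address in CIDR form, e.g. 192.168.3.10/24
# Outputs:   dotted-quad first host on stdout
# Returns:   1 (nothing printed) when $1 is not a valid dotted-quad/prefix
#######################################
first_host_of_cidr() {
	local cidr=$1 o1 o2 o3 o4 prefix addr mask first
	[[ $cidr =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/([0-9]{1,2})$ ]] || return 1
	# 10# forces decimal so octets such as "010" are not read as octal.
	o1=$((10#${BASH_REMATCH[1]})) o2=$((10#${BASH_REMATCH[2]}))
	o3=$((10#${BASH_REMATCH[3]})) o4=$((10#${BASH_REMATCH[4]}))
	prefix=$((10#${BASH_REMATCH[5]}))
	(( o1 <= 255 && o2 <= 255 && o3 <= 255 && o4 <= 255 && prefix <= 32 )) || return 1
	addr=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
	# 64-bit arithmetic: for /0 the shift by 32 leaves nothing in the low 32 bits.
	mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
	first=$(( (addr & mask) + 1 ))
	printf '%d.%d.%d.%d\n' $(( (first >> 24) & 255 )) $(( (first >> 16) & 255 )) $(( (first >> 8) & 255 )) $(( first & 255 ))
}

if [ -n "$FW_SECOURSROUTE" ]; then
	# Nat pour sortie de secours via velocloud
	$IPT -t nat -A POSTROUTING -o eth0.3 -j MASQUERADE

	# On calcule la passerelle: address/prefix of the eth0.3:1 alias (the label
	# is the last field of its "inet" line; exact match, so eth0.3:10 does not
	# qualify), then the first host of that subnet.
	alias_cidr=$(/usr/sbin/ip addr show | awk '$1 == "inet" && $NF == "eth0.3:1" { print $2; exit }')
	if gateway=$(first_host_of_cidr "$alias_cidr"); then
		/usr/sbin/route add -host "$FW_SECOURSROUTE" gw "$gateway"
	else
		printf '%s: no IPv4 address on eth0.3:1, backup route to %s not added\n' "${0##*/}" "$FW_SECOURSROUTE" >&2
	fi
	# Written even when the route could not be added, so a later run still cleans up.
	printf '%s' "$FW_SECOURSROUTE" > /etc/fwconfig-secoursRouteBackup
else
	# No backup exit configured: remove the route added by a previous run, if any.
	if [ -f /etc/fwconfig-secoursRouteBackup ]; then
		/usr/sbin/route del -host "$(cat /etc/fwconfig-secoursRouteBackup)" 2>/dev/null
	fi
fi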