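#!/bin/bash
# Firewall rule generator for the callbox.  Reads the FW_* knobs from
# /etc/fwconfig and the SIP/RTP ports from the Asterisk configuration, then
# rebuilds the iptables / ip6tables filter rules from scratch.  Runs as root.
#
# bash is required, not a POSIX /bin/sh: the script relies on
# ${BASH_SOURCE[0]}, [[ ... =~ ... ]] and BASH_REMATCH.  Under dash
# "${BASH_SOURCE[0]}" is a bad substitution and the script aborts before a
# single rule is written; the old "#! /bin/sh" line only worked on systems
# where /bin/sh happens to be bash.

# -w 20: wait up to 20 s for the xtables lock instead of failing when another
# iptables process (fail2ban, a concurrent run of this script) holds it.
IPT="/usr/sbin/iptables -w 20"
IP6T="/usr/sbin/ip6tables -w 20"

# No configuration: do nothing and leave whatever rules are currently loaded.
if [ ! -f /etc/fwconfig ]; then
	exit 0
fi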


# Only one instance may rebuild the rules: the most recently started one wins
# and SIGKILLs every older instance of this script.  An instance killed in the
# middle of a rebuild leaves the tables half-built, which is fine only because
# the surviving instance regenerates everything below.
script_name=${BASH_SOURCE[0]}
for pid in $(pidof -x "$script_name"); do
	[ "$pid" = "$$" ] && continue
	kill -9 "$pid"
done


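# Load the operator configuration (FW_* variables).  The file is executed as
# shell code by a root process: write access to /etc/fwconfig is root access.
. /etc/fwconfig

# fw_read_sip_ports CONF
#   Sets SIPPORT, RTPPORT and SIPTLSPORT (= SIPPORT + 1) from the Asterisk
#   callbox configuration file CONF.  Only a line starting with "SIPPORT="
#   (resp. "RTPPORT=") is used: the previous `grep SIPPORT` also matched a
#   SIPTLSPORT= line or a commented-out one, the multi-line result then broke
#   the numeric test and the defaults were applied without any warning.
#   Both values are spliced into --dport, so they are validated: SIPPORT must
#   be an integer in 1025..65534 (the TLS port is SIPPORT + 1), RTPPORT a port
#   or a "low:high" range.  Anything else falls back to 5060 / 10000:20000,
#   as before, now with a warning on stderr.
fw_read_sip_ports() {
	local conf=$1 sip rtp
	sip=$(sed -n 's/^[[:space:]]*SIPPORT[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" 2>/dev/null | head -n 1)
	rtp=$(sed -n 's/^[[:space:]]*RTPPORT[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" 2>/dev/null | head -n 1)
	# 10# forces decimal: a leading zero would otherwise be read as octal.
	if [[ $sip =~ ^[0-9]+$ ]] && (( 10#$sip > 1024 && 10#$sip < 65535 )) \
		&& [[ $rtp =~ ^[0-9]+(:[0-9]+)?$ ]]; then
		SIPPORT=$((10#$sip))
		RTPPORT=$rtp
	else
		printf 'fw: no usable SIPPORT/RTPPORT in %s, using 5060 / 10000:20000\n' "$conf" >&2
		SIPPORT=5060
		RTPPORT="10000:20000"
	fi
	SIPTLSPORT=$((SIPPORT + 1))
}
fw_read_sip_ports /etc/asterisk/callbox-sip.conf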

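# Rebuild from scratch.  The INPUT policy is set to DROP *before* the chains
# are flushed, so nothing unsolicited is accepted while the rules are being
# regenerated (hundreds of iptables calls, plus possibly a geoip download
# further down).  Flows that conntrack is already tracking -- the admin's SSH
# session, SIP registrations and RTP streams in progress -- keep flowing
# through the RELATED,ESTABLISHED rule added right after the flush; that is
# what the previous "policy ACCEPT during the rebuild" was meant to protect,
# but it left every port open to the world for the whole run.  A brand-new
# connection attempted during the rebuild is dropped and has to retry.
# The same RELATED,ESTABLISHED rule is appended again near the end of the
# script; a second copy is harmless.
for tbl in "$IPT" "$IP6T"; do
	$tbl -t filter -P INPUT DROP
	$tbl -t filter -F INPUT
	# Carry-over for flows admitted before the rebuild (see above).  INPUT is
	# empty at this point, so -A puts it first.
	$tbl -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	# The user chains do not exist yet on a fresh boot: ignore that error.
	for chain in IpAdministration IpLan IpSipTrunk IpThinkro IpSupp; do
		$tbl -t filter -F "$chain" 2>/dev/null
	done
	$tbl -t filter -F FORWARD
	$tbl -t filter -F OUTPUT
done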

# Loopback is unrestricted in both directions.
for tbl in "$IPT" "$IP6T"; do
	$tbl -t filter -A INPUT -i lo -j ACCEPT
	$tbl -t filter -A OUTPUT -o lo -j ACCEPT
done

# ICMP: inbound so the box answers pings, outbound because the gateway-check
# script pings.  All types are accepted and nothing rate-limits them here.
# ICMPv6 has to stay open anyway: neighbour discovery and PMTU depend on it.
$IPT -t filter -A INPUT -p icmp -j ACCEPT
$IPT -t filter -A OUTPUT -p icmp -j ACCEPT
$IP6T -t filter -A INPUT -p ipv6-icmp -j ACCEPT
$IP6T -t filter -A OUTPUT -p ipv6-icmp -j ACCEPT

# Source allow-list chains.  Each chain is a list of "-s ADDR -j ACCEPT"
# rules and falls through (RETURN) for any other source; the port rules
# further down jump to these chains.

# fw_is_ipv6 ADDR -- true when ADDR contains a colon; such entries go to
# ip6tables, everything else to iptables.
fw_is_ipv6() {
	case $1 in
		*:*) return 0 ;;
		*)   return 1 ;;
	esac
}

# fw_reset_chain CHAIN -- create CHAIN in both tables if missing, then empty it.
fw_reset_chain() {
	local tbl
	for tbl in "$IPT" "$IP6T"; do
		$tbl -N "$1" 2>/dev/null
		$tbl -F "$1"
	done
}

# fw_allow_sources CHAIN LIST -- append one ACCEPT rule per ';'-separated
# entry of LIST to CHAIN, in the table matching the address family.
# Entries are passed to iptables verbatim.  Keep them to literal addresses
# or CIDR prefixes: iptables would resolve a host name at rule-load time,
# which makes an allow-list depend on DNS.
fw_allow_sources() {
	local chain=$1 addr
	for addr in $(printf '%s' "$2" | tr ';' '\n'); do
		if fw_is_ipv6 "$addr"; then
			$IP6T -A "$chain" -s "$addr" -j ACCEPT
		else
			$IPT -A "$chain" -s "$addr" -j ACCEPT
		fi
	done
}

# Administration addresses.
fw_reset_chain IpAdministration
fw_allow_sources IpAdministration "$FW_CHAINIPADMIN"

# SIP trunk providers.
fw_reset_chain IpSipTrunk
fw_allow_sources IpSipTrunk "$FW_SIPPROVIDER"

# LAN: the configured list plus the networks of eth0's secondary addresses
# and VLAN sub-interfaces.  Only populated when FW_CHAINLAN is set.
fw_reset_chain IpLan
if [ -n "$FW_CHAINLAN" ]; then
	fw_allow_sources IpLan "$FW_CHAINLAN"
	# `ip -o` prints each address with its prefix length, so the whole
	# connected subnet is allowed, not just the local address.
	for net in $(ip -o -f inet addr show | grep 'eth0:\|eth0.2\|eth0.3' | awk '/scope global/ {print $4}'); do
		$IPT -A IpLan -s "$net" -j ACCEPT
	done
	# NOTE(review): the "eth0:" label only appears on IPv4 alias addresses in
	# `ip -o` output; this inet6 loop may never match -- confirm on a box
	# with global IPv6 before relying on it.
	for net in $(ip -o -f inet6 addr show | grep eth0: | awk '/scope global/ {print $4}'); do
		$IP6T -A IpLan -s "$net" -j ACCEPT
	done
fi

# Vendor (Thinkro) addresses.
fw_reset_chain IpThinkro
fw_allow_sources IpThinkro "$FW_CHAINTHINKRO"

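# Extra allowed addresses (IpSupp), built only when at least one service is
# in FILTER_SUP mode.  FW_CHAINIPSUPP mixes literal addresses/prefixes with
# "ZONE_<name>" entries; a ZONE entry becomes an ipset "<name>.zone" filled
# from the country file /etc/geoip/<name>.zone, refreshed weekly from the
# vendor mirror.  ZONE sets are IPv4 only (family inet, rule added to
# iptables only): a ZONE entry never admits an IPv6 client.
GEOIP_DIR=/etc/geoip
GEOIP_URL=https://mir.thinkrosystem.com/geoip

# fw_valid_ipv4_net ENTRY -- true for "a.b.c.d" or "a.b.c.d/n" and nothing
# else.  Zone files are downloaded, so every line is checked before it is
# handed to ipset.
fw_valid_ipv4_net() {
	[[ $1 =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]]
}

# fw_refresh_zone_file NAME -- fetch NAME.zone when the cached copy is
# missing or older than 7 days; on any failure the cached copy (if any) is
# left untouched and 1 is returned.
#   * TLS certificate verification is on.  The previous --no-check-certificate
#     let anyone on the network path serve a zone file of their choosing, and
#     that file is an allow-list for the admin web, SIP and XMPP ports.  A box
#     without CA certificates now just keeps its cached file.
#   * The download goes to a mktemp file next to the destination, not to the
#     fixed /tmp/geoip: "wget -O" on a predictable path would follow a symlink
#     planted there, and the final mv is now an atomic rename.
#   * --timeout/--tries bound the fetch, which runs in the middle of the rule
#     rebuild.
fw_refresh_zone_file() {
	local name=$1 dest="$GEOIP_DIR/$1.zone" tmp
	if [ -f "$dest" ] && [ -z "$(find "$dest" -mtime +7 -print)" ]; then
		return 0
	fi
	mkdir -p "$GEOIP_DIR"
	tmp=$(mktemp "$GEOIP_DIR/.$name.zone.XXXXXX") || return 1
	if wget -q --timeout=15 --tries=2 -O "$tmp" "$GEOIP_URL/$name.zone" && [ -s "$tmp" ]; then
		mv -f "$tmp" "$dest"
		# Age the file from download time, not from the server's Last-Modified.
		touch "$dest"
		return 0
	fi
	rm -f "$tmp"
	return 1
}

# fw_load_zone_set NAME -- rebuild ipset NAME.zone from the cached file.
# Entries are loaded into a scratch set that is then swapped in, so the live
# set is never empty or missing while a rule references it, and the rebuild
# no longer fails when "ipset destroy" is refused because the set is in use.
# Returns 1 (live set left as it was) when the file is unreadable or the set
# cannot be created with these parameters.
fw_load_zone_set() {
	local name=$1 live="$1.zone" scratch="$1.zone.new" file="$GEOIP_DIR/$1.zone" net
	[ -r "$file" ] || return 1
	ipset create -exist "$live" hash:net family inet maxelem 1000000 || return 1
	ipset destroy "$scratch" 2>/dev/null
	ipset create "$scratch" hash:net family inet maxelem 1000000 || return 1
	while IFS= read -r net || [ -n "$net" ]; do
		net=${net%$'\r'}
		case $net in '#'*|'') continue ;; esac
		if fw_valid_ipv4_net "$net"; then
			ipset add -exist "$scratch" "$net"
		else
			printf 'fw: ignoring invalid entry "%s" in %s\n' "$net" "$file" >&2
		fi
	done < "$file"
	ipset swap "$scratch" "$live" && ipset destroy "$scratch"
}

if [ "$FW_HTTP" = "FILTER_SUP" ] || [ "$FW_SIP" = "FILTER_SUP" ] || [ "$FW_XMPP" = "FILTER_SUP" ]; then
	for tbl in "$IPT" "$IP6T"; do
		$tbl -N IpSupp 2>/dev/null
		$tbl -F IpSupp
	done
	for entry in $(printf '%s' "$FW_CHAINIPSUPP" | tr ';' '\n'); do
		# The zone name becomes a file name, an ipset name and a URL
		# component: letters, digits, '_' and '-' only.
		if [[ $entry =~ ^ZONE_([A-Za-z0-9_-]+)$ ]]; then
			zone=${BASH_REMATCH[1]}
			fw_refresh_zone_file "$zone"
			fw_load_zone_set "$zone"
			# If the set could not be built this rule fails and the zone
			# simply stays closed.
			$IPT -A IpSupp -m set --match-set "$zone.zone" src -j ACCEPT
		elif [[ $entry == *:* ]]; then
			$IP6T -A IpSupp -s "$entry" -j ACCEPT
		else
			$IPT -A IpSupp -s "$entry" -j ACCEPT
		fi
	done
fi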


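# Outbound UDP to the destinations listed by callbox_check_gateway is dropped
# (per the original note these are SIP registrations it wants blocked --
# presumably so Asterisk stops registering to a failed gateway; confirm
# against callbox_check_gateway).  One address or prefix per line.
# A missing file or a blank line is skipped: an empty line used to produce
# "-d" with no value, and every line used to be tried in both families,
# each producing one iptables error.
if [ -r /etc/fwconfig-check_gateway ]; then
	while read -r dest || [ -n "$dest" ]; do
		[ -n "$dest" ] || continue
		case $dest in
			*:*) $IP6T -A OUTPUT -p udp -d "$dest" -j DROP ;;
			*)   $IPT -A OUTPUT -p udp -d "$dest" -j DROP ;;
		esac
	done < /etc/fwconfig-check_gateway
fi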

# SSH on the ports of FW_PORTSSH (';'-separated).
#   FW_SSH=OPEN  reachable from anywhere, both families -- nothing in this
#                script rate-limits it, so the daemon's own hardening is all
#                that stands between it and the internet.
#   otherwise    vendor (IpThinkro) and LAN (IpLan) lists only; note that the
#                administration list does NOT get SSH in this mode.
ssh_ports=$(printf '%s' "$FW_PORTSSH" | tr ';' '\n')
for port in $ssh_ports; do
	if [ "$FW_SSH" = "OPEN" ]; then
		for tbl in "$IPT" "$IP6T"; do
			$tbl -t filter -A INPUT -p tcp --dport "$port" -j ACCEPT
		done
	else
		for chain in IpThinkro IpLan; do
			for tbl in "$IPT" "$IP6T"; do
				$tbl -t filter -A INPUT -p tcp --dport "$port" -j "$chain"
			done
		done
	fi
done

# UDP on the same port numbers, for the vendor, LAN and administration lists.
# The original labels this "SNMP (UDP 22 and 422)" yet reuses FW_PORTSSH
# rather than a dedicated variable -- presumably deliberate (snmpd bound to
# the SSH port numbers), but worth confirming.
for port in $ssh_ports; do
	for chain in IpThinkro IpLan IpAdministration; do
		for tbl in "$IPT" "$IP6T"; do
			$tbl -t filter -A INPUT -p udp --dport "$port" -j "$chain"
		done
	done
done

# HTTP proxy on FW_PORTPROXY (0 = disabled) for the vendor, LAN and
# administration lists.  An unset/empty FW_PORTPROXY is not "0", so it
# reaches iptables as an empty --dport and the rules fail (i.e. stay closed).
if [ "$FW_PORTPROXY" != "0" ]; then
	for chain in IpThinkro IpLan IpAdministration; do
		for tbl in "$IPT" "$IP6T"; do
			$tbl -t filter -A INPUT -p tcp --dport "$FW_PORTPROXY" -j "$chain"
		done
	done
fi

# LAN-only UDP services: TFTP (69), multicast DNS (5353) and SIP multicast
# discovery (5060).  The 5060 rule is LAN-scoped regardless of FW_SIP.
for port in 69 5353 5060; do
	for tbl in "$IPT" "$IP6T"; do
		$tbl -t filter -A INPUT -p udp --dport "$port" -j IpLan
	done
done

# XMPP instant messaging (tcp 5222, 5269 and 7777).  FW_XMPP selects who may
# reach them; the chain lists below are checked in the order given.
#   OPEN        everyone, both families
#   FILTER      IpLan, IpThinkro, IpAdministration
#   FILTER_SUP  the same plus IpSupp
#   other       IpLan, IpThinkro only
xmpp_ports="5222 5269 7777"
case $FW_XMPP in
	OPEN)       xmpp_targets="ACCEPT" ;;
	FILTER)     xmpp_targets="IpLan IpThinkro IpAdministration" ;;
	FILTER_SUP) xmpp_targets="IpLan IpThinkro IpAdministration IpSupp" ;;
	*)          xmpp_targets="IpLan IpThinkro" ;;
esac
for target in $xmpp_targets; do
	for port in $xmpp_ports; do
		for tbl in "$IPT" "$IP6T"; do
			$tbl -t filter -A INPUT -p tcp --dport "$port" -j "$target"
		done
	done
done

# Plain HTTP (80) for the vendor and LAN lists.  The administration list is
# added further down, in every FW_HTTP mode except the closed default.
for chain in IpThinkro IpLan; do
	for tbl in "$IPT" "$IP6T"; do
		$tbl -t filter -A INPUT -p tcp --dport 80 -j "$chain"
	done
done

# Administration web ports (FW_PORTHTTP, ';'-separated; 480 in the original
# note).  FW_HTTP selects who may reach them:
#   OPEN        everyone -- the admin interface is exposed to the internet
#   FILTER      IpAdministration, IpLan, IpThinkro
#   FILTER_SUP  the same plus IpSupp
#   other       IpLan, IpThinkro only
case $FW_HTTP in
	OPEN)       http_targets="ACCEPT" ;;
	FILTER)     http_targets="IpAdministration IpLan IpThinkro" ;;
	FILTER_SUP) http_targets="IpAdministration IpLan IpThinkro IpSupp" ;;
	*)          http_targets="IpLan IpThinkro" ;;
esac
for port in $(printf '%s' "$FW_PORTHTTP" | tr ';' '\n'); do
	for target in $http_targets; do
		for tbl in "$IPT" "$IP6T"; do
			$tbl -t filter -A INPUT -p tcp --dport "$port" -j "$target"
		done
	done
done

# In OPEN, FILTER and FILTER_SUP, port 80 is also open to the administration list.
if [ "$FW_HTTP" = "OPEN" ] || [ "$FW_HTTP" = "FILTER" ] || [ "$FW_HTTP" = "FILTER_SUP" ]; then
	for tbl in "$IPT" "$IP6T"; do
		$tbl -t filter -A INPUT -p tcp --dport 80 -j IpAdministration
	done
fi


# SIP trunk providers (IpSipTrunk): signalling on SIPPORT (tcp and udp) and
# SIPTLSPORT (tcp), media on the RTPPORT range (udp).
for tbl in "$IPT" "$IP6T"; do
	$tbl -t filter -A INPUT -p tcp --dport "$SIPPORT" -j IpSipTrunk
	$tbl -t filter -A INPUT -p udp --dport "$SIPPORT" -j IpSipTrunk
	$tbl -t filter -A INPUT -p udp --dport "$RTPPORT" -j IpSipTrunk
	$tbl -t filter -A INPUT -p tcp --dport "$SIPTLSPORT" -j IpSipTrunk
done

# IAX2 (udp 4569) is accepted from anywhere, unconditionally: no FW_* knob
# restricts it and nothing in this script rate-limits or fail2ban-hooks it,
# so IAX accounts are reachable for brute forcing from the internet.  A
# FILTER-style option like the one SIP has would be the obvious improvement.
for tbl in "$IPT" "$IP6T"; do
	$tbl -t filter -A INPUT -p udp --dport 4569 -j ACCEPT
done

# SIP for everything that is not a trunk provider.  FW_SIP selects the
# reachable set; the chain lists are checked in the order given.
#   OPEN        everyone (after the scanner blacklist below)
#   FILTER      IpLan, IpAdministration, IpThinkro
#   FILTER_SUP  the same plus IpSupp
#   other       IpLan, IpThinkro only

# User-Agent substrings of well-known SIP scanners (VaxSIPUserAgent is listed
# twice, which yields a duplicate rule -- kept as is).
sip_scanners="VaxSIPUserAgent friendly-scanner sundayddr sipsak sipvicious iWar sip-scan VaxSIPUserAgent sipcli nmap UsaAirport"

# fw_sip_rules TARGET -- signalling (tcp/udp SIPPORT, tcp SIPTLSPORT) and
# media (udp RTPPORT) rules jumping to TARGET, in both tables.
fw_sip_rules() {
	local tbl
	for tbl in "$IPT" "$IP6T"; do
		$tbl -t filter -A INPUT -p tcp --dport "$SIPPORT" -j "$1"
		$tbl -t filter -A INPUT -p tcp --dport "$SIPTLSPORT" -j "$1"
		$tbl -t filter -A INPUT -p udp --dport "$SIPPORT" -j "$1"
		$tbl -t filter -A INPUT -p udp --dport "$RTPPORT" -j "$1"
	done
}

case $FW_SIP in
	OPEN)
		# Drop packets carrying a known scanner string.  -I puts these at the
		# top of INPUT, ahead of everything added so far.  It is a plain
		# payload substring match: trivially evaded by renaming the agent,
		# and meaningless on the TLS port where the payload is encrypted --
		# a speed bump, not an access control.
		for scanner in $sip_scanners; do
			for tbl in "$IPT" "$IP6T"; do
				$tbl -I INPUT -j DROP -p tcp --dport "$SIPPORT" -m string --string "$scanner" --algo bm
				$tbl -I INPUT -j DROP -p tcp --dport "$SIPTLSPORT" -m string --string "$scanner" --algo bm
				$tbl -I INPUT -j DROP -p udp --dport "$SIPPORT" -m string --string "$scanner" --algo bm
			done
		done
		fw_sip_rules ACCEPT
		;;
	FILTER)
		for target in IpLan IpAdministration IpThinkro; do
			fw_sip_rules "$target"
		done
		;;
	FILTER_SUP)
		for target in IpLan IpAdministration IpThinkro IpSupp; do
			fw_sip_rules "$target"
		done
		;;
	*)
		for target in IpLan IpThinkro; do
			fw_sip_rules "$target"
		done
		;;
esac

# LDAP (389) and LDAPS (636) for the vendor, administration and LAN lists.
# 389 is the cleartext port; whether the directory enforces STARTTLS on it is
# not something this script can tell.
for chain in IpThinkro IpAdministration IpLan; do
	for tbl in "$IPT" "$IP6T"; do
		$tbl -t filter -A INPUT -p tcp --dport 389 -j "$chain"
		$tbl -t filter -A INPUT -p tcp --dport 636 -j "$chain"
	done
done

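# Accept the rest of any connection the rules above admitted.
# nf_conntrack_tcp_loose=0 (set in sysctl.conf, not here) stops conntrack from
# adopting mid-stream TCP packets, and flushing the conntrack table forces
# every existing flow to be re-evaluated against the freshly built rules:
# a connection from an address that is no longer allowed dies here instead
# of surviving as ESTABLISHED.
/usr/sbin/conntrack -F
for tbl in "$IPT" "$IP6T"; do
	# -C first: when a carry-over copy of this rule was inserted at the start
	# of the rebuild, do not append a second one; otherwise append as before.
	$tbl -t filter -C INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null \
		|| $tbl -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
done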


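# HTTPS (443) -> administration port (480) redirect for the sources listed in
# FW_CHAINIPFORWARD443 (per the original note: zscaler Paris / Zurich /
# Rouen, https://config.zscaler.com/zscaler.net/cenr).  IPv4 only.
# The redirect happens in nat/PREROUTING, before filtering, so the packet is
# then judged by the INPUT rules for port 480: these sources still need to be
# in an allowed list (or FW_HTTP=OPEN) for the connection to get through.
#
# Every REDIRECT rule of the nat table is removed first -- including any added
# by other tools -- and then recreated.  "xargs -r" skips the command when
# there is nothing to delete; without it "iptables -t nat -D" ran with no
# rule specification and failed.
$IPT -t nat -S | grep REDIRECT | cut -d " " -f 2- | xargs -r -L1 $IPT -t nat -D
for addr in $(printf '%s' "$FW_CHAINIPFORWARD443" | tr ';' '\n'); do
	$IPT -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -s "$addr" -j REDIRECT --to-ports 480
done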

# Final policies: nothing inbound or forwarded unless a rule accepted it,
# everything outbound.
for tbl in "$IPT" "$IP6T"; do
	$tbl -t filter -P INPUT DROP
	$tbl -t filter -P FORWARD DROP
	$tbl -t filter -P OUTPUT ACCEPT
done

# Forwarding (IPv4 only) for the customer VLAN on eth0.3, both directions,
# with no connection-state check: anything routed *towards* eth0.3 from
# another interface is forwarded too, not only replies.  Whether such traffic
# can actually reach the VLAN depends on the NAT and routing configured
# elsewhere; if the VLAN is meant to be client-initiated only, the "-o eth0.3"
# rule should carry "-m conntrack --ctstate RELATED,ESTABLISHED".
$IPT -A FORWARD -i eth0.3 -j ACCEPT
$IPT -A FORWARD -o eth0.3 -j ACCEPT

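# Hook fail2ban's SIP jail chain into INPUT only when SIP is reachable from
# beyond the LAN (OPEN or FILTER_SUP) and the box is not being installed
# (/tmp/ram/callbox_install marker).  -I puts the jump ahead of every rule
# above, including the scanner drops.  IPv4 only: no fail2ban-SIP chain is
# created in ip6tables by this script, so IPv6 SIP gets no banning here.
# The jump cannot survive in INPUT from a previous run (the chain was
# flushed at the top); the guarded -D only removes a hook something else
# added, instead of failing with an error on every run as the bare -D did.
if { [ "$FW_SIP" = "OPEN" ] || [ "$FW_SIP" = "FILTER_SUP" ]; } && [ ! -f /tmp/ram/callbox_install ]; then
	$IPT -I INPUT -p all -j fail2ban-SIP
elif $IPT -C INPUT -p all -j fail2ban-SIP 2>/dev/null; then
	$IPT -D INPUT -p all -j fail2ban-SIP
fi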

# Site-specific additions: an executable /etc/rc.d/rc.firewall-custom runs
# here, as root, after the standard rule set.  Rules it appends land after
# the conntrack rule above; rules it inserts go to the top of the chain.
if [ -x /etc/rc.d/rc.firewall-custom ]; then
	/etc/rc.d/rc.firewall-custom
fi

# Last word on the INPUT policy: DROP in both tables.  Being the final
# statement, it also guarantees a custom script cannot leave the policy open.
for tbl in "$IPT" "$IP6T"; do
	$tbl -P INPUT DROP
done