BlueGreycalmElegant

Català-Valencià – Catalan中文 – Chinese (Simplified)中文 – Chinese (Traditional)Česky – CzechDansk – DanishNederlands – DutchEnglish – EnglishSuomi – FinnishFrançais – FrenchDeutsch – Germanעברית – Hebrewहिंदी – HindiMagyar – HungarianBahasa Indonesia – IndonesianItaliano – Italian日本語 – Japanese한국어 – KoreanМакедонски – Macedonianमराठी – MarathiNorsk – NorwegianPolski – PolishPortuguês – PortuguesePortuguês – Portuguese (Brazil)Русский – RussianSlovenčina – SlovakSlovenščina – SlovenianEspañol – SpanishSvenska – SwedishTürkçe – TurkishУкраїнська – UkrainianOëzbekcha – Uzbek

Compare Revisions

• This comparison shows the changes necessary to convert path

  → / @ 1543

  → / @ 1544

  ↔ Reverse comparison

• Compare Path:	Rev

  With Path:	Rev

Ignore whitespace Rev 1543 → Rev 1544

/alcasar.sh
1285,9 → 1285,11
[ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
echo "# Whitelist youtube flow" >> /etc/havp/whitelist
echo "*.youtube.com/*" >> /etc/havp/whitelist
# replacement of init script
# adapt init script and systemd unit
[ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
cp -f $DIR_CONF/havp-init /etc/init.d/havp
$SED "/^PIDFile/i ExecStartPre=/bin/mkdir /var/run/havp" /lib/systemd/system/havp.service
$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
# replace of the intercept page (template)
cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1328,6 → 1330,7
$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
# Create the systemd unit
cat << EOF > /lib/systemd/system/tinyproxy.service
# This file is part of systemd.
1447,7 → 1450,7
tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
cd /tmp/
/usr/bin/sh SURFmap/install.sh
chown -R apache:apache /var/www/html/acc/manager/nfsen
chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
# clear the installation
cd $DirTmp
rm -rf /tmp/nfsen*
2038,6 → 2041,7
-i | --install)
header_install
license
header_install
testing
# RPMs install
$DIR_SCRIPTS/alcasar-urpmi.sh

/conf/logrotate.d/ulogd
1,5 → 1,12
/var/log/ulogd/ulogd.log {
missingok
notifyempty
create 0640 ulogd ulogd
sharedscripts
}
/var/log/firewall/traceability.log {
missingok
notifempty
rotate 52
weekly
dateext
10,6 → 17,7
}
/var/log/firewall/ssh.log {
missingok
notifempty
rotate 52
weekly
dateext
20,6 → 28,7
}
/var/log/firewall/ext-access.log {
missingok
notifempty
rotate 52
weekly
dateext

/scripts/alcasar-iptables.sh
150,6 → 150,7
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
# Marquage des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT
164,33 → 165,34
# Mark the udp 56 direct attempts (DNS-blackhole) to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5
# havp_bl_set --> redirection vers le port 54
# havp_bl_set --> redirect to port 54
# redirection DNS des usagers 'havp_bl' vers le port 54
# redirect DNS of 'havp_bl' users to port 54
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
# havp_wl_set --> redirection vers le port 55
# havp_wl_set --> redirect to port 55
# redirection DNS des usagers 'havp_wl' vers le port 55
# redirect DNS of 'havp_bl' users to port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
# Redirect outbound HTTP requests from blacklist IP to ALCASAR ('access denied' page) for the set havp_bl_set
# Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
# Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
# Resirection des requêtes HTTP vers les IP qui ne sont pas dans la WL. Redirection vers ALCASAR : page 'accès interdit'
# Redirect outbound HTTP requests to IP which are not in the WL. Redirection to ALCASAR : 'access denied' paae
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
# Journalisation des requètes HTTP sortante des usagers "BL" (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
# Log HTTP requests to Internet of "BL users" (only syn packets) - Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
# Redirection des requêtes HTTP sortantes des usagers "BL+antivirus" vers DansGuardian
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# Redirection des requêtes HTTP sortantes des usager "WL+antivirus" vers Tinyproxy
# Redirection des requêtes HTTP sortantes des usager 'havp_wl' et 'havp' vers Tinyproxy
# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
# Redirection des requêtes NTP vers le serveur NTP local
# Redirect NTP request in local NTP server