
Compare Revisions

Ignore whitespace Rev 607 → Rev 612

/scripts/alcasar-iptables.sh
9,22 → 9,23
# 3 for exterior access attempts.
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script
 
private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2`
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2`
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
dns1=`grep DNS1 /usr/local/etc/alcasar-network|cut -d"=" -f2` # first public DNS server
dns2=`grep DNS2 /usr/local/etc/alcasar-network|cut -d"=" -f2` # second public DNS server
 
IPTABLES="/sbin/iptables"
PROTO_FILTERING="no"
DNS_FILTERING="no"
QOS="no"
dns1=`grep DNS1 $conf_file|cut -d"=" -f2` # first public DNS server
dns2=`grep DNS2 $conf_file|cut -d"=" -f2` # second public DNS server
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING $conf_file|cut -d"=" -f2` # Network protocols filter (yes/no)
DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2` # DNS and URLs filter (yes/no)
QOS=`grep QOS $conf_file|cut -d"=" -f2` # QOS (yse/no)
SSH=`grep SSH $conf_file|cut -d"=" -f2` # sshd active (yes/no)
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
EXTIF="eth0"
INTIF="eth1"
TUNIF="tun0" # listen card for chilli daemon
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses
IPTABLES="/sbin/iptables"
 
# Effacement des règles existantes
# Flush all existing rules
96,7 → 97,7
# If DNS filter is activate #
###############################
# Redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions
if [ $DNS_FILTERING = "yes" ]; then
if [ $DNS_FILTERING = on ]; then
# Compute exception IP
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
if [ $nb_exceptions != "0" ]
112,7 → 113,7
# If protocols filter is activate #
#####################################
# filtrage de protocoles sauf pour les IP en exceptions
if [ $PROTO_FILTERING = "yes" ]; then
if [ $PROTOCOLS_FILTERING = on ]; then
# Compute exception IP
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1`
if [ $nb_exceptions != "0" ]
152,7 → 153,7
########################
# If QOS is activate #
########################
if [ $QOS = "yes" ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then
. /usr/local/etc/alcasar-iptables-qos.sh
fi
 
172,10 → 173,8
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT
 
# SSHD rules if activate
ssh_active=`grep SSH /usr/local/etc/alcasar-network|cut -d"=" -f2`
if [ $ssh_active = "on" ]
if [ $SSH = on ]
then
Admin_from_IP="0.0.0.0/0.0.0.0" # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! )
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
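Review bot: The new config lookups in the variable block of the first hunk (SSH, QOS, DNS_FILTERING, PROTOCOLS_FILTERING, each read as an unanchored grep of $conf_file piped to cut) match any line of alcasar.conf that merely contains the key name, so a comment or a second key such as one embedding "SSH" or "QOS" yields a multi-word value, and an absent key yields an empty string that turns the later `if [ $SSH = on ]` / `if [ $QOS = on ]` tests into shell errors instead of a clean false. Anchor each lookup and quote the expansion: `SSH=$(grep '^SSH=' "$conf_file" | cut -d= -f2)` and `if [ "$SSH" = "on" ]`, and the same for the other three keys. Nothing checks that `$conf_file` is readable; since an empty PRIVATE_IP value makes PRIVATE_NETWORK_MASK collapse to "/" and the rules that follow become meaningless, a guard like `[ -r "$conf_file" ] || { echo "missing $conf_file" >&2; exit 1; }` placed before the first grep would fail closed. The ssh block in the last hunk (`if [ $SSH = on ] ... then`) continues outside the visible lines.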
/scripts/alcasar-conf.sh
42,7 → 42,6
# Sauvegarde du logo
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE
# Sauvegarde des fichiers exploités par dansguardian
cp -f /etc/dansguardian/dansguardian.conf $DIR_UPDATE
cp -f /etc/dansguardian/lists/exceptioniplist $DIR_UPDATE
cp -f /etc/dansguardian/lists/exceptionsitelist $DIR_UPDATE
cp -f /etc/dansguardian/lists/bannedsitelist $DIR_UPDATE
49,11 → 48,9
cp -f /etc/dansguardian/lists/exceptionurllist $DIR_UPDATE
cp -f /etc/dansguardian/lists/bannedurllist $DIR_UPDATE
cp -rf /etc/dansguardian/lists/blacklists/ossi $DIR_UPDATE
# sauvegarde des fichiers : de filtrage, d'exception, digest, etc.
# sauvegarde des fichiers : de conf, de filtrage, d'exception, digest, etc.
mkdir $DIR_UPDATE/etc/
cp -rf $DIR_ETC/* $DIR_UPDATE/etc/
# sauvegarde du fichier alcasar-iptables.sh (pour savoir si on filtre les protocoles)
cp -f $DIR_BIN/alcasar-iptables.sh $DIR_UPDATE
# particularité des versions
# si version < 2.1
if ([ $MAJ_RUNNING_VERSION -lt 2 ] || ([ $MAJ_RUNNING_VERSION -eq 2 ] && [ $MIN_RUNNING_VERSION -lt 1 ]))
96,6 → 93,8
chmod -R 750 /etc/pki
# Import de la dernière base usagers
mysql -u$DB_USER -p$radiuspwd < `ls $DIR_UPDATE/radius*`
# Récupération des paramêtres locaux (fichier de conf, règles de filtrage, fichiers d'exception, comptes de gestion, etc.)
[ -d $DIR_UPDATE/etc ] && cp -rf $DIR_UPDATE/etc/* $DIR_ETC/
# Récupération des fichiers de Dansguardian
[ -e $DIR_UPDATE/exceptioniplist ] && cp -f $DIR_UPDATE/exceptioniplist /etc/dansguardian/lists/
[ -e $DIR_UPDATE/exceptionsitelist ] && cp -f $DIR_UPDATE/exceptionsitelist /etc/dansguardian/lists/
106,21 → 105,17
chown -R dansguardian:apache /etc/dansguardian/lists
chmod -R g+rw /etc/dansguardian/lists
# On active/désactive la BL
active_bl=`cat $DIR_UPDATE/dansguardian.conf|grep ^reportinglevel|cut -d" " -f3`
$SED "s/^reportinglevel =.*/reportinglevel = $active_bl/g" /etc/dansguardian/dansguardian.conf
DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2` # DNS and URLs filter (yes/no)
PARENT_SCRIPT=$0
export PARENT_SCRIPT
if [ $active_bl -eq "-1" ]
then $DIR_SBIN/alcasar-bl.sh --off
else $DIR_SBIN/alcasar-bl.sh --on
if [ $DNS_FILTERING -eq "on" ]
then
$DIR_SBIN/alcasar-bl.sh --on
else
$DIR_SBIN/alcasar-bl.sh --off
fi
# Récupération des paramêtres locaux (règles de filtrage, fichiers d'exception, comptes de gestion, etc.)
[ -d $DIR_UPDATE/etc ] && cp -rf $DIR_UPDATE/etc/* $DIR_ETC/
# Prise en compte des comptes de gestion (admin + manager + backup)
$DIR_SBIN/alcasar-profil.sh --list
# On active/désactive le filtrage de protocoles
active_filter=`cat $DIR_UPDATE/alcasar-iptables.sh|grep ^FILTERING|cut -d"=" -f2`
$SED "s/^FILTERING=.*/FILTERING=$active_filter/g" $DIR_BIN/alcasar-iptables.sh
# On applique les paramètres réseau
...
# Effacement du répertoire d'update
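Review bot: The new blacklist toggle test `if [ $DNS_FILTERING -eq "on" ]` uses the integer operator `-eq` on the string values this same revision writes into alcasar.conf (on/off), so `test` reports "integer expression expected" and returns non-zero; the else arm therefore runs on every update and `alcasar-bl.sh --off` disables DNS/URL filtering even on an installation where it had been enabled. Use a string comparison with the expansion quoted, `if [ "$DNS_FILTERING" = "on" ]`, and anchor the lookup on the line above to the key, `DNS_FILTERING=$(grep '^DNS_FILTERING=' "$conf_file" | cut -d= -f2)`, so an unrelated line mentioning DNS_FILTERING cannot produce a multi-word value. `$conf_file` is not assigned in any visible hunk of alcasar-conf.sh; if it is only defined in alcasar-iptables.sh, the grep here would run against an empty path and the variable would stay empty, which is worth confirming. Note that the tail of this hunk is elided on the page, so the lines between the profile listing and the cleanup step could not be reviewed.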
/scripts/sbin/alcasar-nf.sh
8,6 → 8,7
SED="/bin/sed -i"
FIC_SERVICES="/usr/local/etc/alcasar-services"
FIC_EXCEPTIONS="/usr/local/etc/alcasar-filter-exceptions"
FIC_CONF="/usr/local/etc/alcasar.conf"
 
usage="Usage: alcasar-nf.sh {--on or -on} | {--off | -off} "
nb_args=$#
24,7 → 25,7
;;
-on|-on)
# activation du filtrage réseau
$SED "s?^PROTO_FILTERING.*?PROTO_FILTERING=\"yes\"?g" /usr/local/bin/alcasar-iptables.sh
$SED "s?^PROTOCOLS_FILTERING.*?PROTOCOLS_FILTERING=on?g" $FIC_CONF
# tri du fichier de services
$SED "/^$/d" $FIC_SERVICES # suppression lignes vides
sort -k2n $FIC_SERVICES > /tmp/alcasar-services-sort
39,7 → 40,7
;;
--off|-off)
# désactivation du filtrage réseau
$SED "s?^PROTO_FILTERING.*?PROTO_FILTERING=\"no\"?g" /usr/local/bin/alcasar-iptables.sh
$SED "s?^PROTOCOLS_FILTERING.*?PROTOCOLS_FILTERING=off?g" $FIC_CONF
/usr/local/bin/alcasar-iptables.sh
;;
*)
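Review bot: The state change `$SED "s?^PROTOCOLS_FILTERING.*?PROTOCOLS_FILTERING=on?g" $FIC_CONF` (and its off counterpart) is a silent no-op when alcasar.conf has no PROTOCOLS_FILTERING line, for example a conf file restored by alcasar-conf.sh from a version that predates the key, yet the script still sorts the services file and, in the --off arm, re-runs alcasar-iptables.sh, so the recorded state and the loaded rules can disagree. Make sure the substitution has a target, e.g. `grep -q '^PROTOCOLS_FILTERING=' "$FIC_CONF" || echo 'PROTOCOLS_FILTERING=off' >> "$FIC_CONF"` before the sed, and quote `"$FIC_CONF"`. The --on arm continues past the hunk; its case pattern `-on|-on)` repeats `-on` where the usage string advertises `--on`, which looks like a pre-existing typo rather than part of this change.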
/scripts/sbin/alcasar-bl.sh
4,6 → 4,7
# Script de gestion de la BL pour le filtrage de domaine (via dnsmasq) et d'URL (via dansguardian)
# By 3abtux & rexy
 
CONF_FILE="/usr/local/etc/alcasar.conf"
DIR_tmp="/tmp/blacklists"
FILE_tmp="/tmp/fileFilter.txt"
DIR_DG="/etc/dansguardian/lists"
102,7 → 103,7
cat_choice
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" /etc/dansguardian/dansguardian.conf
$SED "s?^#\"?\"?g" $DIR_DG/urlregexplist # Enable 'safesearch'
$SED "s?^DNS_FILTERING.*?DNS_FILTERING=\"yes\"?g" /usr/local/bin/alcasar-iptables.sh
$SED "s?^DNS_FILTERING.*?DNS_FILTERING=on?g" $CONF_FILE
if [ "$PARENT_SCRIPT" != "/usr/local/bin/alcasar-conf.sh" ] # on ne relance lors d'une install
then
service dansguardian restart
115,7 → 116,7
rm -rf $DIR_DNS_FILTER_ENABLED/*
$SED "s/^reportinglevel =.*/reportinglevel = -1/g" /etc/dansguardian/dansguardian.conf
$SED "s?^[^#]?#&?g" $DIR_DG/urlregexplist # Disable 'safesearch'
$SED "s?^DNS_FILTERING.*?DNS_FILTERING=\"no\"?g" /usr/local/bin/alcasar-iptables.sh
$SED "s?^DNS_FILTERING.*?DNS_FILTERING=off?g" $CONF_FILE
if [ "$PARENT_SCRIPT" != "/usr/local/bin/alcasar-conf.sh" ] # on ne relance lors d'une install
then
service dansguardian restart
/scripts/sbin/alcasar-havp.sh
23,6 → 23,7
--on|-on)
# activation havp
$SED "s/^proxyport =.*/proxyport = 8090/g" /etc/dansguardian/dansguardian.conf
$SED "s/^WEB_ANTIVIRUS=.*/WEB_ANTIVIRUS=on/g" /usr/local/etc/alcasar.conf
service dansguardian reload
service havp start
;;
29,6 → 30,7
--off|-off)
# désactivation du filtrage
$SED "s/^proxyport =.*/proxyport = 3128/g" /etc/dansguardian/dansguardian.conf
$SED "s/^WEB_ANTIVIRUS=.*/WEB_ANTIVIRUS=off/g" /usr/local/etc/alcasar.conf
service dansguardian reload
service havp stop
;;
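Review bot: The two added lines write to the literal path `/usr/local/etc/alcasar.conf` while the sibling scripts in this revision introduce a variable for it (`FIC_CONF` in alcasar-nf.sh, `CONF_FILE` in alcasar-bl.sh); defining `CONF_FILE="/usr/local/etc/alcasar.conf"` alongside the script's other constants and writing `$SED "s/^WEB_ANTIVIRUS=.*/WEB_ANTIVIRUS=on/g" "$CONF_FILE"` keeps the toggles consistent and leaves one place to change. As with the other toggles, the substitution is silently skipped when no WEB_ANTIVIRUS line exists; a `grep -q '^WEB_ANTIVIRUS=' "$CONF_FILE" || echo 'WEB_ANTIVIRUS=off' >> "$CONF_FILE"` guard would keep the recorded state truthful. The state is also recorded before `service havp start` runs, so a failed start still leaves WEB_ANTIVIRUS=on in the conf; moving the sed after the service command and checking its exit status would avoid advertising an antivirus proxy that is not running.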