Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1390 → Rev 1389

/alcasar.sh
1302,9 → 1302,9
rm -rf /tmp/nfsen-1.3.6p1/
} # End of nfsen ()
 
##################################################
##########################################################
## Function "dnsmasq" ##
##################################################
##########################################################
dnsmasq ()
{
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
1316,7 → 1316,6
# Configuration file for "dnsmasq in forward mode"
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
listen-address=$PRIVATE_IP
pid-file=/var/run/dnsmasq.pid
listen-address=127.0.0.1
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
1340,11 → 1339,10
EOF
# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
cat << EOF > /etc/dnsmasq-blacklist.conf
# Configuration file for "dnsmasq with blacklist"
# Configuration file for "dnsmasq with blacklist"
# Add Toulouse blacklist domains
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
pid-file=/var/run/dnsmasq-blacklist.pid
listen-address=$PRIVATE_IP
port=54
no-dhcp-interface=$INTIF
1361,12 → 1359,11
EOF
# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
cat << EOF > /etc/dnsmasq-whitelist.conf
# Configuration file for "dnsmasq with whitelist"
# Configuration file for "dnsmasq with whitelist"
# Inclusion de la whitelist <domains> de Toulouse dans la configuration
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
listen-address=$PRIVATE_IP
pid-file=/var/run/dnsmasq-whitelist.pid
port=55
no-dhcp-interface=$INTIF
no-dhcp-interface=tun0
1378,7 → 1375,6
bogus-priv
filterwin2k
address=/#/$PRIVATE_IP
ipset=/#/whitelist_ip_allowed
EOF
# Start after chilli (which create tun0)
$SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1387,9 → 1383,13
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
<<<<<<< .mine
} # End of dnsmasq()
=======
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-blacklist.pid?g" /lib/systemd/system/dnsmasq-blacklist.service
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
} # End dnsmasq
>>>>>>> .r1387
 
##########################################################
## Fonction "BL" ##
/scripts/sbin/alcasar-bl.sh
28,9 → 28,12
DIR_DNS_BL="$DIR_SHARE/dnsmasq-bl" # all the BL in the DNSMASQ format
DIR_DNS_WL="$DIR_SHARE/dnsmasq-wl" # all the WL ' ' '
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL
DIR_IP_WL="$DIR_SHARE/iptables-wl" # all the IP addresses of the WL
OSSI_WL_IP="$DIR_IP_WL/ossi" # all the IP addresses of the WL ossi category
DIR_DNS_BL_ENABLED="$DIR_SHARE/dnsmasq-bl-enabled" # symbolic link to the domains BL (only enabled categories)
DIR_DNS_WL_ENABLED="$DIR_SHARE/dnsmasq-wl-enabled" # ' ' ' WL ' ' '
DIR_IP_BL_ENABLED="$DIR_SHARE/iptables-bl-enabled" # ' ' ip BL (only enabled categories)
DIR_IP_WL_ENABLED="$DIR_SHARE/iptables-wl-enabled" # ' ' ip WL (only enabled categories)
DNSMASQ_BL_CONF="/etc/dnsmasq-blacklist.conf" # conf file of dnsmasq-blacklist
DNS1=`grep "DNS1" $CONF_FILE | cut -d '=' -f 2` # server DNS1 (for WL domain names)
BL_SERVER="dsi.ut-capitole.fr"
45,11 → 48,11
cp $DIR_IP_BL_ENABLED/ossi-* $DIR_tmp
fi
cp $DIR_IP_BL/ossi $DIR_tmp
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED # cleaning for dnsmasq and iptables
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED # cleaning for dnsmasq and iptables
$SED "/\.Include/d" $DIR_DG/bannedsitelist $DIR_DG/bannedurllist # cleaning for DG
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines)
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED
chown apache $DIR_IP_BL_ENABLED
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED
chown apache $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED
# process the file $BL_CATEGORIES with the choice of categories
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED`
do
68,6 → 71,7
$SED "/\/$ENABLE_CATEGORIE$/d" $WL_CATEGORIES
$SED "1i\/etc\/dansguardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $WL_CATEGORIES
ln -s $DIR_DNS_WL/$ENABLE_CATEGORIE.conf $DIR_DNS_WL_ENABLED/$ENABLE_CATEGORIE
ln -s $DIR_IP_WL/$ENABLE_CATEGORIE $DIR_IP_WL_ENABLED/$ENABLE_CATEGORIE
done
sort +0.0 -0.2 $WL_CATEGORIES -o $FILE_tmp
mv $FILE_tmp $WL_CATEGORIES
106,7 → 110,75
/usr/local/bin/alcasar-iptables.sh
fi
}
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload }"
function ip_retrieving (){
# retrieving IPs of all domain names for the whitelist
index=0
if [ ! -d $DIR_IP_WL ]
then
mkdir $DIR_IP_WL
touch $DIR_IP_WL/ossi
chown apache $DIR_IP_WL/ossi
else
# delete old IPs
mkdir $DIR_tmp
cp $DIR_IP_WL/ossi $DIR_tmp
rm -rf $DIR_IP_WL/*
cp $DIR_tmp/ossi $DIR_IP_WL
rm -rf $DIR_tmp
fi
echo "Retrieving IPs :"
cd $DIR_DNS_WL
for category in `ls | cut -d '.' -f 1`
do
echo -n "$category :"
for domain in `cat $category.conf | cut -d '/' -f 2`
do
echo `host $domain | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'` >> $DIR_IP_WL/$category.tmp &
((index++))
echo -n "."
if [ $index -eq 100 ]
then
index=0
sleep 1
fi
done
done
echo "done"
sleep 5
cd $DIR_IP_WL
for category in `ls`
do
# one IP per line
$SED 's/ /\n/g' $category
# add SET syntax
$SED 's/^/add whitelist_ip_allowed /g' $category
# delete empty lines
$SED '/^$/d' $category
# delete false entries
$SED -r '/([0-9]{1,3}.){3}[0-9]{1,3}/!d' $category
# delete duplicate lines
sort -u $category > ${category%%.*}
done
rm -f *.tmp
}
function ip_retrieving_ossi (){
# retrieving IPs of all domain names for the ossi category
> $OSSI_WL_IP
for domain in `cat $OSSI_DOMAINS_WL`
do
echo `host $domain | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'` >> $OSSI_WL_IP &
done
sleep 5
# one IP per line
$SED 's/ /\n/g' $OSSI_WL_IP
# add SET syntax
$SED 's/^/add whitelist_ip_allowed /g' $OSSI_WL_IP
# delete empty lines
$SED '/^$/d' $OSSI_WL_IP
# delete false entries
$SED -r '/([0-9]{1,3}.){3}[0-9]{1,3}/!d' $OSSI_WL_IP
}
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload } | { -ip_retrieving or --ip_retrieving } | { -ip_retrieving_ossi or --ip_retrieving_ossi }"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
240,6 → 312,14
cp -f $DIR_DG_BL/ossi/domains_wl $DIR_DNS_WL/ossi.conf
bl_enable
;;
# retrieving IPs of all domain names for the whitelist
-ip_retrieving | --ip_retrieving)
ip_retrieving
;;
# retrieving IPs of all domain names for the whitelist ossi category
-ip_retrieving_ossi | --ip_retrieving_ossi)
ip_retrieving_ossi
;;
*)
echo "Argument inconnu :$1";
echo "$usage"
/scripts/alcasar-iptables.sh
30,8 → 30,10
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
DNS_FILTERING=${DNS_FILTERING:=off}
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist
WL_IP_OSSI_DOMAIN="/usr/local/share/iptables-wl/ossi" # ip of the domain names whitelist
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
115,10 → 117,20
ipset del blacklist_ip_blocked $ip
done
 
# Calcul de la taille du set de la whitelist
# Compute the whitelist set length
cd $WL_IP_CAT
set_wl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $WL_IP_OSSI | awk '{print $1}')+$(wc -l $WL_IP_OSSI_DOMAIN | awk '{print $1}')))
 
# Création du fichier set temporaire, remplissage, chargement et suppression
# Creating the temporary set file, filling, loading and deleting
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024" > $TMP_set_save
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save
for category in `ls -1 | cut -d '@' -f1`
do
cat $WL_IP_CAT/$category >> $TMP_set_save
done
cat $WL_IP_OSSI >> $TMP_set_save
cat $WL_IP_OSSI_DOMAIN >> $TMP_set_save
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
 
172,6 → 184,9
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
/web/acc/admin/bl_categories_help.php
78,11 → 78,11
{
$wl_categorie_domain_file = $wl_dnsmasq_dir.$categorie.".conf";
$wl_categorie_ip_file = $wl_iptables_dir.$categorie;
if(isset($_GET['nb_domains']))
if(isset($_GET['nb_domains']) && isset($_GET['nb_ip']))
{
$nb_domains = $_GET['nb_domains'];
$nb_urls = 0;
$nb_ip = 0;
$nb_ip = $_GET['nb_ip'];
}
else
{
91,7 → 91,10
else
$nb_domains = $l_error_open_file." ".$wl_categorie_domain_file;
$nb_urls = 0;
$nb_ip = 0;
if(file_exists($wl_categorie_ip_file))
$nb_ip = exec("wc -l $wl_categorie_ip_file | cut -d ' ' -f1");
else
$nb_ip = $l_error_open_file." ".$wl_categorie_ip_file;
}
}
$global_usage = file($bl_dir."global_usage");
/web/acc/admin/bl_filter.php
85,6 → 85,8
$l_remove="Supprimer";
$l_submit="Envoyer";
$l_nb_ip="Nombre d'IP";
$l_update_ip="Mettre à jour les IP";
$l_update_ip_info="(Temps estimé : 3 min 30 sec)";
$l_nbDomainNames="Noms de domaine :";
$l_nbUrl="Url :";
$l_nbIp="Ip :";
133,6 → 135,8
$l_remove="Delete";
$l_submit="Submit";
$l_nb_ip="Number of IP";
$l_update_ip="Update IPs";
$l_update_ip_info="(Estimated time : 3 min 30 sec)";
$l_nbDomainNames="Domain names :";
$l_nbUrl="Url :";
$l_nbIp="Ip :";
211,6 → 215,7
fputs($fichier, form_filter($_POST['BL_rehabilited_ip']));
fclose($fichier);
unset($_POST['BL_rehabilited_ip']);
exec ("sudo /usr/local/sbin/alcasar-bl.sh --reload");
break;
case 'MAJ_cat_wl' :
$tab=file($wl_categories_enabled);
236,6 → 241,7
fputs($fichier, form_filter_ip($_POST['OSSI_wl_ip'], "white"));
fclose($fichier);
unset($_POST['OSSI_wl_ip']);
exec ("sudo /usr/local/sbin/alcasar-bl.sh --ip_retrieving_ossi");
exec ("sudo /usr/local/sbin/alcasar-bl.sh --reload");
break;
case 'Specific_filtering' :
281,6 → 287,10
}
exec ("sudo /usr/local/bin/alcasar-iptables.sh");
break;
case 'Update_IP_WL' :
shell_exec ("nohup nice -n 10 sudo /usr/local/sbin/alcasar-bl.sh --ip_retrieving > /dev/null 2>/dev/null &");
exec ("sudo /usr/local/sbin/alcasar-bl.sh --reload");
break;
}
?>
<?php
/web/acc/admin/bl_filter2.php
168,7 → 168,7
echo "<center>";
$nbDomainNames = exec ("wc -l /usr/local/share/dnsmasq-wl/* | tail -n 1 | awk '{print $1}'");
$nbUrl = 0;
$nbIp = 0;
$nbIp = exec ("wc -l /usr/local/share/iptables-wl/* | tail -n 1 | awk '{print $1}'");
echo "<b>$l_nbDomainNames</b> $nbDomainNames, <b>$l_nbUrl</b> $nbUrl, <b>$l_nbIp</b> $nbIp<br/>";
echo "$l_wl_categories</center></td></tr>";
//on lit et on interprete le fichier de catégories
211,8 → 211,8
echo "<H3>$l_allowed_ip</H3>$l_forbidden_ip_explain<BR>";
echo "<textarea name='OSSI_wl_ip' rows=3 cols=40>";
echo_ip_file ($file_wl_ip);
echo "</textarea></td></tr><tr><td colspan=10>";
echo "<input type='submit' value='$l_record'></form></td></tr>";
echo "</textarea></td></tr><tr><td colspan=5>";
echo "<input type='submit' value='$l_record'></form></td><form action='bl_filter.php' method='POST'><td valign='middle' align='left' colspan=5><input type='hidden' name='choix' value='Update_IP_WL'><input type='submit' value='$l_update_ip'> $l_update_ip_info</form></td></tr>";
?>
</TABLE><br/>
<table width="100%" border="0" cellspacing="0" cellpadding="0">
/web/acc/admin/filter_exceptions.php
0,0 → 1,104
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><!-- written by Rexy -->
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<TITLE>ALCASAR Filter Exceptions</TITLE>
<link rel="stylesheet" href="/css/style.css" type="text/css">
</HEAD>
<body>
<?
# Choice of language
$Language = 'en';
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$Language = strtolower(substr(chop($Langue[0]),0,2)); }
if($Language == 'fr'){
$l_error_open_file="Erreur d'ouverture du fichier";
$l_exception_IP = "Exception au filtrage";
$l_exception_txt="Entrez ici les adresses IP des stations du réseau de consultation ne subissant ni filtrage de domaine ni filtrage réseau<BR>Entrez une adresse IP par ligne";
$l_submit = "Enregistrer";
}
else {
$l_error_open_file="Error opening the file";
$l_exception_IP = "Network filtering exceptions";
$l_exception_txt="Put here the stations IP address that won't be neither domain filtered nor network filtered<BR>Put one IP per row";
$l_submit = "Submit";
}
$conf_file="/usr/local/etc/alcasar.conf";
if (isset($_POST['choix'])){
switch ($_POST['choix'])
{
case 'IP_exceptions' :
// ISO encode + unix format
$ip_list = str_replace("\r\n", "\n", utf8_decode($_POST['exception_list']));
unset($_POST['exception_list']);
// write exception IP for Dansguardian (URL filter)
$fichier=fopen("/etc/dansguardian/lists/exceptioniplist", "w+");
if (strlen($ip_list) > 7) { fputs($fichier,$ip_list);} //only if not empty
fclose($fichier);
// write exception IP for DnsMasq (DNS blackholl)
$fichier=fopen("/usr/local/etc/alcasar-filter-exceptions", "w+");
if (strlen($ip_list) > 7) { fputs($fichier, $ip_list);} // only if not empty
fclose($fichier);
// test if Dansguardian filter is enabled
if (is_file ($conf_file))
{
$tab=file($conf_file);
if ($tab)
{
foreach ($tab as $line)
{
$field=explode("=", $line);
if ($field[0] == "DNS_FILTERING") {$DNS_FILTERING=trim($field[1]);}
if ($field[0] == "PROTOCOLS_FILTERING") {$PROTOCOLS_FILTERING=trim($field[1]);}
}
}
}
else { echo "$l_error_open_file $conf_file";}
if ($DNS_FILTERING == "on")
{
exec ("sudo service dansguardian restart");
}
if (($DNS_FILTERING == "on")||($PROTOCOLS_FILTERING == "on"))
{
exec ("sudo /usr/local/bin/alcasar-iptables.sh");
}
break;
}
}
?>
<TABLE width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><th><?php echo $l_exception_IP ;?></th></tr>
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr>
</TABLE>
<TABLE width="100%" border=1 cellspacing=0 cellpadding=1>
<tr><td valign="middle" align="left">
<TABLE width=70% border=0>
<?php
echo "<form action='$_SERVER[PHP_SELF]' method='POST'>";
echo " $l_exception_txt";
echo "<BR><textarea name='exception_list' rows=5 cols=40>";
$filename="/usr/local/etc/alcasar-filter-exceptions";
if (file_exists($filename))
{
if (filesize($filename) != 0)
{
$pointeur=fopen($filename,"r");
$tampon = fread($pointeur, filesize($filename));
fclose($pointeur);
echo $tampon;
}
}
else
{
echo "erreur d'ouverture du fichier $filename";
}
echo "</textarea><BR>";
?>
<input type='hidden' name='choix' value='IP_exceptions'>
<input type='submit' value='<?php echo $l_submit ;?>'></CENTER>
</FORM>
</td></tr>
</TABLE>
</BODY>
</HTML>