/scripts/alcasar-iptables.sh |
40,14 → 40,16 |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # local SSH active |
SSH_LAN=${SSH_LAN:=off} |
SSH_PORT=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` #ssh WAN port |
SSH_PORT=${SSH_PORT:=0} |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2` |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side) |
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port |
SSH_LAN=${SSH_LAN:=0} |
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` #ssh WAN port |
SSH_WAN=${SSH_WAN:=0} |
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2` |
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"} |
SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" || echo "$SSH_WAN_ADMIN_FROM" ) |
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1` |
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"} |
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" ) |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
393,21 → 395,18 |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server |
# Accès au serveur SSHD si activé |
# SSHD server access if enabled |
if [ $SSH = on ] |
# Accès au serveur SSHD si activé en LAN et WAN |
# SSHD server access in LAN and WAN if enabled |
if [ $SSH_LAN -gt 0 ] |
then |
if [ $SSH_LAN = on ] |
then |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT |
fi |
if [ $SSH_PORT -gt 0 ] |
if [ $SSH_WAN -gt 0 ] |
then |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW -j ACCEPT |
fi |
fi |
# Insertion de règles locales |
# Here, we add local rules (i.e. VPN from Internet) |
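Review bot: The new `SSH_ADMIN_FROM=LAN/WAN` encoding parsed in the first hunk with `cut -d"/" -f1` and `cut -d"/" -f2` cannot carry a prefix length, so a WAN value such as `203.0.113.0/24` is read back as `203.0.113.0` and the `-s $SSH_WAN_ADMIN_FROM` rule in the second hunk then admits a single host instead of the intended subnet — a silent lockout rather than an exposure, but still a surprise for the admin. Reading the WAN half with `SSH_WAN_ADMIN_FROM=\`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2-\`` keeps the prefix, provided alcasar-ssh.sh reads the WAN half the same way when it rewrites the key; storing two separate keys (`SSH_LAN_ADMIN_FROM`, `SSH_WAN_ADMIN_FROM`) would remove the ambiguity altogether. Also, `if [ $SSH_LAN -gt 0 ]` errors out (and evaluates false) if an existing configuration still holds the old `SSH_LAN=on` value, so LAN SSH is silently dropped on upgrade unless something outside this diff migrates the key; a defensive `case "$SSH_LAN" in on) SSH_LAN=22;; off|'') SSH_LAN=0;; esac` next to the defaults would cover that.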
/scripts/alcasar-ssh.sh |
1,3 → 1,4 |
#!/bin/bash |
# alcasar-ssh.sh |
30,12 → 31,12 |
NUM_REGEX='^[0-9]+$' |
if ! [[ $SSH_PORT =~ $NUM_REGEX ]]; |
then |
echo "The port+$SSH_PORT+is invalid" |
echo "The port $SSH_PORT is invalid" |
exit 1 |
fi |
if [ $SSH_PORT -lt 0 ] || [ $SSH_PORT -gt 65535 ] |
then |
echo "The port+$SSH_PORT+is invalid" |
echo "The port $SSH_PORT is invalid" |
exit 1 |
fi |
;; |
62,11 → 63,11 |
exit 0 |
;; |
--off | -off) |
$NETWORK={NETWORK:="none"} |
NETWORK=${NETWORK:="none"} |
if [ $NETWORK == "wan" ] |
then |
# Editing Alcasar configuration - Deleting the port |
$SED "s/^SSH_WAN=.*/SSH_WAN=/g" $ALCASAR_CONF |
$SED "s/^SSH_WAN=.*/SSH_WAN=0/g" $ALCASAR_CONF |
# Editing SSH configuration - Deleting any port other than 22 |
$SED "/^.*Port\s[0-9]*/{/\s22$/!d}" $SSH_CONF |
# Applying iptables |
74,7 → 75,7 |
elif [ $NETWORK == "lan" ] |
then |
# Editing Alcasar configuration |
$SED "s/^SSH_LAN=.*/SSH_LAN=off/g" $ALCASAR_CONF |
$SED "s/^SSH_LAN=.*/SSH_LAN=0/g" $ALCASAR_CONF |
# Applying iptables |
/usr/local/bin/alcasar-iptables.sh |
else |
81,18 → 82,7 |
echo "$usage" |
exit 0 |
fi |
# Check if LAN and WAN is off |
LAN_STATUS = `grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` |
LAN_STATUS=${LAN_STATUS:=off} |
WAN_STATUS = `grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` |
WAN_STATUS=${WAN_STATUS:=off} |
if [ $LAN_STATUS == off ] && [ $WAN_STATUS == off ] |
then |
$SYSTEMCTL stop sshd |
$SYSTEMCTL disable sshd |
else |
$SYSTEMCTL restart sshd |
fi |
exit 0 |
;; |
--on | -on) |
99,25 → 89,29 |
NETWORK=${NETWORK:="none"} |
if [ $NETWORK == "wan" ] |
then |
# Getting LAN IP |
LAN_IP=`$GREP "^SSH_ADMIN_FROM=" $ALCASAR_CONF |cut -d"=" -f2|cut -d"/" -f1` |
# Setting accepted IP in Alcasar configuration |
IP_FROM=${IP_FROM:="0.0.0.0\/0"} |
$SED "s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$IP_FROM g" $ALCASAR_CONF |
IP_FROM=${IP_FROM:="0.0.0.0"} |
$SED "s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$LAN_IP/$IP_FROM g" $ALCASAR_CONF |
# Setting SSH port in Alcasar configuration |
SSH_PORT=${SSH_PORT:=22} |
$SED "s/^SSH_WAN=.*/SSH_WAN=$SSH_PORT/g" $ALCASAR_CONF |
# Checking if there is already a port other than 22 set |
if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s22$"` -gt 0 ] |
LAN_PORT =`$GREP "^SSH_LAN=" $ALCASAR_CONF | cut -d"=" -f2` |
LAN_PORT=${LAN_PORT:=0} |
# Checking if there is already a port other than the LAN port set |
if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s$LAN_PORT$"` -gt 0 ] |
then |
if [ $SSH_PORT -ne 22 ] |
if [ $SSH_PORT -ne $LAN_PORT ] |
then |
# Editing SSH configuration - Changing any port other than 22 |
$SED "/\s22$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF |
# Editing SSH configuration - Changing any port other than the LAN port |
$SED "/\s$LAN_PORT$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF |
else |
# Editing SSH configuration - Deleting any port other than 22 (as 22 port is used) |
$SED "/^.*Port\s[0-9]*/{/\s22$/!d}" $SSH_CONF |
# Editing SSH configuration - Deleting any port other than the LAN port |
$SED "/^.*Port\s[0-9]*/{/\s$LAN_PORT$/!d}" $SSH_CONF |
fi |
else |
if [ $SSH_PORT -ne 22 ] |
if [ $SSH_PORT -ne $LAN_PORT ] |
then |
# Adding the new SSH port in the config |
echo "Port $SSH_PORT" >> $SSH_CONF |
127,8 → 121,36 |
/usr/local/bin/alcasar-iptables.sh |
elif [ $NETWORK == "lan" ] |
then |
# Getting WAN IP |
WAN_IP=`$GREP "^SSH_ADMIN_FROM=" $ALCASAR_CONF |cut -d"=" -f2|cut -d"/" -f2` |
# Setting accepted IP in Alcasar configuration |
IP_FROM=${IP_FROM:="0.0.0.0"} |
$SED "s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$IP_FROM/$WAN_IP g" $ALCASAR_CONF |
# Editing Alcasar configuration |
$SED "s/^SSH_LAN=.*/SSH_LAN=on/g" $ALCASAR_CONF |
$SED "s/^SSH_LAN=.*/SSH_LAN=$SSH_PORT/g" $ALCASAR_CONF |
# Setting SSH port in Alcasar configuration |
SSH_PORT=${SSH_PORT:=22} |
$SED "s/^SSH_LAN=.*/SSH_LAN=$SSH_PORT/g" $ALCASAR_CONF |
WAN_PORT =`$GREP "^SSH_WAN=" $ALCASAR_CONF | cut -d"=" -f2` |
WAN_PORT=${WAN_PORT:=0} |
# Checking if there is already a port other than the WAN port set |
if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s$WAN_PORT$"` -gt 0 ] |
then |
if [ $SSH_PORT -ne $WAN_PORT ] |
then |
# Editing SSH configuration - Changing any port other than the WAN port |
$SED "/\s$WAN_PORT$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF |
else |
# Editing SSH configuration - Deleting any port other than the WAN port |
$SED "/^.*Port\s[0-9]*/{/\s$WAN_PORT$/!d}" $SSH_CONF |
fi |
else |
if [ $SSH_PORT -ne $WAN_PORT ] |
then |
# Adding the new SSH port in the config |
echo "Port $SSH_PORT" >> $SSH_CONF |
fi |
fi |
# Applying iptables |
/usr/local/bin/alcasar-iptables.sh |
else |
135,16 → 157,7 |
echo "$usage" |
exit 0 |
fi |
# Check if sshd is enabled |
SSHD_STATUS=`systemctl is-enabled sshd` |
SSHD_STATUS=${SSHD_STATUS:=disabled} |
if [ $SSHD_STATUS == "enabled" ] |
then |
$SYSTEMCTL restart sshd |
else |
$SYSTEMCTL enable sshd |
$SYSTEMCTL restart sshd |
fi |
exit 0 |
;; |
*) |
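Review bot: `LAN_PORT =\`…\`` in the wan branch and `WAN_PORT =\`…\`` in the lan branch have a space before `=`, so bash runs a command named `LAN_PORT`/`WAN_PORT` (which fails), the variable stays unset, and the following `${LAN_PORT:=0}` silently makes it 0; the guards `/\s0$/!` then match every `Port` line in sshd_config, so enabling SSH on one side rewrites or deletes the port configured for the other side. The fix is `LAN_PORT=$($GREP "^SSH_LAN=" $ALCASAR_CONF | cut -d"=" -f2)` and likewise `WAN_PORT=$($GREP "^SSH_WAN=" $ALCASAR_CONF | cut -d"=" -f2)`; the same spacing bug existed in the removed `LAN_STATUS =` / `WAN_STATUS =` lines, which is presumably why it was never noticed. Separately, `$IP_FROM` is spliced into the space-delimited sed script `s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$LAN_IP/$IP_FROM g` and this script is run as root from the web UI; unless the option parser (outside these hunks) already rejects anything but an address, a value containing a space, `;` or a newline can inject sed commands, so validate it next to the existing port check, e.g. `[[ $IP_FROM =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || { echo "The IP $IP_FROM is invalid"; exit 1; }`. The `--on` case arm continues past the hunks shown here.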
/web/acc/admin/network.php |
381,8 → 381,12 |
break; |
case 'enable_lan_ssh': // Activate SSH on LAN |
if (isset($_POST['sshlan'])) { |
exec('sudo /usr/local/bin/alcasar-ssh.sh --on -l'); |
exec('sudo /usr/local/bin/alcasar-ssh.sh --on -l -p'.escapeshellarg($_POST["ssh_port"]).' -i'.escapeshellarg($_POST["ssh_from"]),$output,$exitCode); |
if($exitCode === 1){ |
echo("<html><script>if(!alert(`$l_error_bad_ip_port`)){window.location.href = window.location.href;}</script></html>"); |
}else{ |
header('Location: '.$_SERVER['PHP_SELF']); |
} |
} else{ |
exec('sudo /usr/local/bin/alcasar-ssh.sh --off -l'); |
header('Location: '.$_SERVER['PHP_SELF']); |
1202,7 → 1206,19 |
<div class="panel-row"> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="enable_lan_ssh"> |
<input type="checkbox" name="sshlan" id="sshlan" <?= $conf['SSH_LAN'] === 'on' ? "checked": "" ?>> <b><?= $l_ssh_lan_activate ?></b><br><br> |
<input type="checkbox" name="sshlan" id="sshlan" <?= $conf['SSH_LAN'] !== '0' ? "checked": "" ?> onchange="document.getElementById('sshtablelan').style.display = this.checked ? 'block' : 'none';"> <b><?= $l_ssh_lan_activate ?></b><br><br> |
<div id="sshtablelan" style="display:<?= $conf['SSH_LAN'] !== '0'? "block": "none" ?>"> |
<table cellspacing="2" cellpadding="3" border="1"> |
<tr> |
<th><?= $l_ssh_port ?></th><th><?= $l_ssh_from ?></th> |
</tr> |
<tr> |
<td><input style="width:120px" type="text" id="ssh_port" name="ssh_port" value="<?= $conf['SSH_LAN'] !== '0' ? $conf['SSH_LAN']:22 ?>" /></td> |
<td><input style="width:120px" type="text" id="ssh_from" name="ssh_from" value="<?= explode('/',$conf['SSH_ADMIN_FROM'])[0] ?>" /></td> |
</tr> |
</table> |
<p>Activer sur tout le LAN : 0.0.0.0</p> |
</div> |
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" value="<?= $l_apply ?>"><br> |
</form> |
</div> |
1211,18 → 1227,18 |
<div class="panel-row"> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="enable_wan_ssh"> |
<input type="checkbox" name="togglessh" id="togglessh" <?= is_numeric($conf['SSH_WAN'])? "checked": "" ?> onchange="document.getElementById('sshtable').style.display = this.checked ? 'block' : 'none';"> <b><?= $l_ssh_wan_activate ?></b><br><br> |
<div id="sshtable" style="display:<?= is_numeric($conf['SSH_WAN'])? "block": "none" ?>"> |
<input type="checkbox" name="togglessh" id="togglessh" <?= $conf['SSH_WAN'] !== '0'? "checked": "" ?> onchange="document.getElementById('sshtablewan').style.display = this.checked ? 'block' : 'none';"> <b><?= $l_ssh_wan_activate ?></b><br><br> |
<div id="sshtablewan" style="display:<?= $conf['SSH_WAN'] !== '0'? "block": "none" ?>"> |
<table cellspacing="2" cellpadding="3" border="1"> |
<tr> |
<th><?= $l_ssh_port ?></th><th><?= $l_ssh_from ?></th> |
</tr> |
<tr> |
<td><input style="width:120px" type="text" id="ssh_port" name="ssh_port" value="<?= is_numeric($conf['SSH_WAN']) ? $conf['SSH_WAN']:22 ?>" /></td> |
<td><input style="width:120px" type="text" id="ssh_from" name="ssh_from" value="<?= $conf['SSH_ADMIN_FROM'] ?>" /></td> |
<td><input style="width:120px" type="text" id="ssh_port" name="ssh_port" value="<?= $conf['SSH_WAN'] !== '0' ? $conf['SSH_WAN']:22 ?>" /></td> |
<td><input style="width:120px" type="text" id="ssh_from" name="ssh_from" value="<?= explode('/',$conf['SSH_ADMIN_FROM'])[1] ?>" /></td> |
</tr> |
</table> |
<p>Activer sur tout réseau : 0.0.0.0/0</p> |
<p>Activer sur tout réseau : 0.0.0.0</p> |
</div> |
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" value="<?= $l_apply ?>"><br> |
</form> |
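Review bot: The `enable_lan_ssh` handler hands `$_POST["ssh_port"]` and `$_POST["ssh_from"]` straight to a root-privileged script and treats only `$exitCode === 1` as a failure, so any other non-zero exit (command-not-found, sudo denial) is reported as success and the fields are not checked for existence before use. `escapeshellarg` protects the argv boundary but not what the script does with the value afterwards, so the web tier should validate the shape itself before calling `exec`, and any non-zero status should surface the error. The port and address inputs are also duplicated with `id="ssh_port"`/`id="ssh_from"` in both the LAN and WAN forms, which is invalid HTML and makes `getElementById` ambiguous; suffix them `_lan`/`_wan` (the `name` attributes can stay, since each form posts separately).
```php
case 'enable_lan_ssh': // Activate SSH on LAN
	if (isset($_POST['sshlan'])) {
		$ssh_port = isset($_POST['ssh_port']) ? $_POST['ssh_port'] : '';
		$ssh_from = isset($_POST['ssh_from']) ? $_POST['ssh_from'] : '';
		// Validate in the web tier: the script below runs as root via sudo.
		$bad_port = !ctype_digit($ssh_port) || (int)$ssh_port < 1 || (int)$ssh_port > 65535;
		$bad_from = filter_var($ssh_from, FILTER_VALIDATE_IP) === false;
		if ($bad_port || $bad_from) {
			echo("<html><script>if(!alert(`$l_error_bad_ip_port`)){window.location.href = window.location.href;}</script></html>");
		} else {
			exec('sudo /usr/local/bin/alcasar-ssh.sh --on -l -p'.escapeshellarg($ssh_port).' -i'.escapeshellarg($ssh_from), $output, $exitCode);
			if ($exitCode !== 0) {
				echo("<html><script>if(!alert(`$l_error_bad_ip_port`)){window.location.href = window.location.href;}</script></html>");
			} else {
				header('Location: '.$_SERVER['PHP_SELF']);
			}
		}
	// … unchanged: else branch calling alcasar-ssh.sh --off -l …
```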