Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 3041 → Rev 3042

/scripts/alcasar-iptables.sh
40,14 → 40,16
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # local SSH active
SSH_LAN=${SSH_LAN:=off}
SSH_PORT=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` #ssh WAN port
SSH_PORT=${SSH_PORT:=0}
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port
SSH_LAN=${SSH_LAN:=0}
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` #ssh WAN port
SSH_WAN=${SSH_WAN:=0}
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2`
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}
SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" || echo "$SSH_WAN_ADMIN_FROM" )
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
IPTABLES="/sbin/iptables"
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
393,21 → 395,18
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990:3991 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
 
# Accès au serveur SSHD si activé
# SSHD server access if enabled
if [ $SSH = on ]
# Accès au serveur SSHD si activé en LAN et WAN
# SSHD server access in LAN and WAN if enabled
if [ $SSH_LAN -gt 0 ]
then
if [ $SSH_LAN = on ]
then
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
fi
if [ $SSH_PORT -gt 0 ]
then
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
fi
$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $TUNIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT
fi
if [ $SSH_WAN -gt 0 ]
then
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
/scripts/alcasar-ssh.sh
1,3 → 1,4
 
#!/bin/bash
 
# alcasar-ssh.sh
30,12 → 31,12
NUM_REGEX='^[0-9]+$'
if ! [[ $SSH_PORT =~ $NUM_REGEX ]];
then
echo "The port+$SSH_PORT+is invalid"
echo "The port $SSH_PORT is invalid"
exit 1
fi
if [ $SSH_PORT -lt 0 ] || [ $SSH_PORT -gt 65535 ]
then
echo "The port+$SSH_PORT+is invalid"
echo "The port $SSH_PORT is invalid"
exit 1
fi
;;
62,11 → 63,11
exit 0
;;
--off | -off)
$NETWORK={NETWORK:="none"}
NETWORK=${NETWORK:="none"}
if [ $NETWORK == "wan" ]
then
# Editing Alcasar configuration - Deleting the port
$SED "s/^SSH_WAN=.*/SSH_WAN=/g" $ALCASAR_CONF
$SED "s/^SSH_WAN=.*/SSH_WAN=0/g" $ALCASAR_CONF
# Editing SSH configuration - Deleting any port other than 22
$SED "/^.*Port\s[0-9]*/{/\s22$/!d}" $SSH_CONF
# Applying iptables
74,7 → 75,7
elif [ $NETWORK == "lan" ]
then
# Editing Alcasar configuration
$SED "s/^SSH_LAN=.*/SSH_LAN=off/g" $ALCASAR_CONF
$SED "s/^SSH_LAN=.*/SSH_LAN=0/g" $ALCASAR_CONF
# Applying iptables
/usr/local/bin/alcasar-iptables.sh
else
81,18 → 82,7
echo "$usage"
exit 0
fi
# Check if LAN and WAN is off
LAN_STATUS = `grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2`
LAN_STATUS=${LAN_STATUS:=off}
WAN_STATUS = `grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2`
WAN_STATUS=${WAN_STATUS:=off}
if [ $LAN_STATUS == off ] && [ $WAN_STATUS == off ]
then
$SYSTEMCTL stop sshd
$SYSTEMCTL disable sshd
else
$SYSTEMCTL restart sshd
fi
$SYSTEMCTL restart sshd
exit 0
;;
--on | -on)
99,52 → 89,75
NETWORK=${NETWORK:="none"}
if [ $NETWORK == "wan" ]
then
# Getting LAN IP
LAN_IP=`$GREP "^SSH_ADMIN_FROM=" $ALCASAR_CONF |cut -d"=" -f2|cut -d"/" -f1`
# Setting accepted IP in Alcasar configuration
IP_FROM=${IP_FROM:="0.0.0.0\/0"}
$SED "s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$IP_FROM g" $ALCASAR_CONF
IP_FROM=${IP_FROM:="0.0.0.0"}
$SED "s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$LAN_IP/$IP_FROM g" $ALCASAR_CONF
# Setting SSH port in Alcasar configuration
SSH_PORT=${SSH_PORT:=22}
$SED "s/^SSH_WAN=.*/SSH_WAN=$SSH_PORT/g" $ALCASAR_CONF
# Checking if there is already a port other than 22 set
if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s22$"` -gt 0 ]
LAN_PORT =`$GREP "^SSH_LAN=" $ALCASAR_CONF | cut -d"=" -f2`
LAN_PORT=${LAN_PORT:=0}
# Checking if there is already a port other than the LAN port set
if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s$LAN_PORT$"` -gt 0 ]
then
if [ $SSH_PORT -ne 22 ]
if [ $SSH_PORT -ne $LAN_PORT ]
then
# Editing SSH configuration - Changing any port other than 22
$SED "/\s22$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF
# Editing SSH configuration - Changing any port other than the LAN port
$SED "/\s$LAN_PORT$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF
else
# Editing SSH configuration - Deleting any port other than 22 (as 22 port is used)
$SED "/^.*Port\s[0-9]*/{/\s22$/!d}" $SSH_CONF
# Editing SSH configuration - Deleting any port other than the LAN port
$SED "/^.*Port\s[0-9]*/{/\s$LAN_PORT$/!d}" $SSH_CONF
fi
else
if [ $SSH_PORT -ne 22 ]
if [ $SSH_PORT -ne $LAN_PORT ]
then
# Adding the new SSH port in the config
echo "Port $SSH_PORT" >> $SSH_CONF
fi
fi
# Applying iptables
/usr/local/bin/alcasar-iptables.sh
# Applying iptables
/usr/local/bin/alcasar-iptables.sh
elif [ $NETWORK == "lan" ]
then
# Getting WAN IP
WAN_IP=`$GREP "^SSH_ADMIN_FROM=" $ALCASAR_CONF |cut -d"=" -f2|cut -d"/" -f2`
# Setting accepted IP in Alcasar configuration
IP_FROM=${IP_FROM:="0.0.0.0"}
$SED "s ^SSH_ADMIN_FROM=.* SSH_ADMIN_FROM=$IP_FROM/$WAN_IP g" $ALCASAR_CONF
# Editing Alcasar configuration
$SED "s/^SSH_LAN=.*/SSH_LAN=on/g" $ALCASAR_CONF
$SED "s/^SSH_LAN=.*/SSH_LAN=$SSH_PORT/g" $ALCASAR_CONF
# Setting SSH port in Alcasar configuration
SSH_PORT=${SSH_PORT:=22}
$SED "s/^SSH_LAN=.*/SSH_LAN=$SSH_PORT/g" $ALCASAR_CONF
WAN_PORT =`$GREP "^SSH_WAN=" $ALCASAR_CONF | cut -d"=" -f2`
WAN_PORT=${WAN_PORT:=0}
# Checking if there is already a port other than the WAN port set
if [ `grep -E "^.*Port\s[0-9]*" /etc/ssh/sshd_config| grep -vEc "\s$WAN_PORT$"` -gt 0 ]
then
if [ $SSH_PORT -ne $WAN_PORT ]
then
# Editing SSH configuration - Changing any port other than the WAN port
$SED "/\s$WAN_PORT$/! s/^.*Port\s[0-9]*/Port $SSH_PORT/" $SSH_CONF
else
# Editing SSH configuration - Deleting any port other than the WAN port
$SED "/^.*Port\s[0-9]*/{/\s$WAN_PORT$/!d}" $SSH_CONF
fi
else
if [ $SSH_PORT -ne $WAN_PORT ]
then
# Adding the new SSH port in the config
echo "Port $SSH_PORT" >> $SSH_CONF
fi
fi
# Applying iptables
/usr/local/bin/alcasar-iptables.sh
else
echo "$usage"
exit 0
fi
# Check if sshd is enabled
SSHD_STATUS=`systemctl is-enabled sshd`
SSHD_STATUS=${SSHD_STATUS:=disabled}
if [ $SSHD_STATUS == "enabled" ]
then
$SYSTEMCTL restart sshd
else
$SYSTEMCTL enable sshd
$SYSTEMCTL restart sshd
fi
fi
$SYSTEMCTL restart sshd
exit 0
;;
*)
/web/acc/admin/network.php
381,8 → 381,12
break;
case 'enable_lan_ssh': // Activate SSH on LAN
if (isset($_POST['sshlan'])) {
exec('sudo /usr/local/bin/alcasar-ssh.sh --on -l');
header('Location: '.$_SERVER['PHP_SELF']);
exec('sudo /usr/local/bin/alcasar-ssh.sh --on -l -p'.escapeshellarg($_POST["ssh_port"]).' -i'.escapeshellarg($_POST["ssh_from"]),$output,$exitCode);
if($exitCode === 1){
echo("<html><script>if(!alert(`$l_error_bad_ip_port`)){window.location.href = window.location.href;}</script></html>");
}else{
header('Location: '.$_SERVER['PHP_SELF']);
}
} else{
exec('sudo /usr/local/bin/alcasar-ssh.sh --off -l');
header('Location: '.$_SERVER['PHP_SELF']);
1202,7 → 1206,19
<div class="panel-row">
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="enable_lan_ssh">
<input type="checkbox" name="sshlan" id="sshlan" <?= $conf['SSH_LAN'] === 'on' ? "checked": "" ?>> <b><?= $l_ssh_lan_activate ?></b><br><br>
<input type="checkbox" name="sshlan" id="sshlan" <?= $conf['SSH_LAN'] !== '0' ? "checked": "" ?> onchange="document.getElementById('sshtablelan').style.display = this.checked ? 'block' : 'none';"> <b><?= $l_ssh_lan_activate ?></b><br><br>
<div id="sshtablelan" style="display:<?= $conf['SSH_LAN'] !== '0'? "block": "none" ?>">
<table cellspacing="2" cellpadding="3" border="1">
<tr>
<th><?= $l_ssh_port ?></th><th><?= $l_ssh_from ?></th>
</tr>
<tr>
<td><input style="width:120px" type="text" id="ssh_port" name="ssh_port" value="<?= $conf['SSH_LAN'] !== '0' ? $conf['SSH_LAN']:22 ?>" /></td>
<td><input style="width:120px" type="text" id="ssh_from" name="ssh_from" value="<?= explode('/',$conf['SSH_ADMIN_FROM'])[0] ?>" /></td>
</tr>
</table>
<p>Activer sur tout le LAN : 0.0.0.0</p>
</div>
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" value="<?= $l_apply ?>"><br>
</form>
</div>
1211,18 → 1227,18
<div class="panel-row">
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="enable_wan_ssh">
<input type="checkbox" name="togglessh" id="togglessh" <?= is_numeric($conf['SSH_WAN'])? "checked": "" ?> onchange="document.getElementById('sshtable').style.display = this.checked ? 'block' : 'none';"> <b><?= $l_ssh_wan_activate ?></b><br><br>
<div id="sshtable" style="display:<?= is_numeric($conf['SSH_WAN'])? "block": "none" ?>">
<input type="checkbox" name="togglessh" id="togglessh" <?= $conf['SSH_WAN'] !== '0'? "checked": "" ?> onchange="document.getElementById('sshtablewan').style.display = this.checked ? 'block' : 'none';"> <b><?= $l_ssh_wan_activate ?></b><br><br>
<div id="sshtablewan" style="display:<?= $conf['SSH_WAN'] !== '0'? "block": "none" ?>">
<table cellspacing="2" cellpadding="3" border="1">
<tr>
<th><?= $l_ssh_port ?></th><th><?= $l_ssh_from ?></th>
</tr>
<tr>
<td><input style="width:120px" type="text" id="ssh_port" name="ssh_port" value="<?= is_numeric($conf['SSH_WAN']) ? $conf['SSH_WAN']:22 ?>" /></td>
<td><input style="width:120px" type="text" id="ssh_from" name="ssh_from" value="<?= $conf['SSH_ADMIN_FROM'] ?>" /></td>
<td><input style="width:120px" type="text" id="ssh_port" name="ssh_port" value="<?= $conf['SSH_WAN'] !== '0' ? $conf['SSH_WAN']:22 ?>" /></td>
<td><input style="width:120px" type="text" id="ssh_from" name="ssh_from" value="<?= explode('/',$conf['SSH_ADMIN_FROM'])[1] ?>" /></td>
</tr>
</table>
<p>Activer sur tout réseau : 0.0.0.0/0</p>
<p>Activer sur tout réseau : 0.0.0.0</p>
</div>
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" value="<?= $l_apply ?>"><br>
</form>