Regard whitespace Rev 3042 → Rev 3043

/CHANGELOG
6,7 → 6,7
- mail registration service
CHANGES
- Add a third RPM repository (http://ftp.free.fr)
- Improve firewall local rules
- Improve firewall local rules & firewall rules in bypass mode
- Add SMTP to the list of openned ports (for filtered users)
- Adapt user page when HTTPS is enabled with an official certificate (Thanks to Alexandre VEZIN)
ACC
13,7 → 13,7
- Avoid password preload text in password forms
- Improve "let's encrypt" & "Internet connexion" forms
- Add an overlay with spinner on all submit forms (Thanks to Alexandre VEZIN)
- SSH : admin can disable it on EXTIF (WAN). Admin can change the listen port (Thanks to Alexandre VEZIN)
- SSH : admin can secure it on INTIF & EXTIF : change the default port & set en "admin_from" IP (Thanks to Alexandre VEZIN)
BUGS
- Adapt "alcasar-network.sh" when ALCASAR is in DHCP mode
- Adapt "alcasar-watchdog.sh" when ALCASAR is in multiWAN mode
/alcasar.sh
115,7 → 115,7
system_testing()
{
# Test of Mageia version
# extract the current Mageia version and hardware architecture (i586 ou X64)
# extract the current Mageia version and hardware architecture (X86_64)
fic=`cat /etc/product.id`
unknown_os=0
old="$IFS"
2171,8 → 2171,8
# ALCASAR conf file
echo "HTTPS_LOGIN=off" >> $CONF_FILE
echo "HTTPS_CHILLI=off" >> $CONF_FILE
echo "SSH=off" >> $CONF_FILE
echo "SSH_WAN=22" >> $CONF_FILE
echo "SSH_LAN=22" >> $CONF_FILE
echo "SSH_WAN=0" >> $CONF_FILE
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
echo "LDAP=off" >> $CONF_FILE
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
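Review bot: The new `SSH_ADMIN_FROM=0.0.0.0/0.0.0.0` default reads like a CIDR address but is consumed elsewhere in this revision as two `/`-separated fields (`cut -d"/" -f1` for the LAN source, `-f2` for the WAN source), so the line that writes the default should say so: `# SSH_ADMIN_FROM=<LAN source>/<WAN source> ('/' separates the two sides; it is not a prefix length)`. Taking `SSH_WAN=0` as the new side (the old `SSH=off` key disappears from the other scripts in this revision), a short comment that 0 means no SSH rule is opened on EXTIF would also help, since the iptables scripts gate the rule on `-gt 0`. The `echo ... >> $CONF_FILE` writes keep the file's existing unquoted style; `"$CONF_FILE"` is the ShellCheck-clean form.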
/scripts/alcasar-conf.sh
192,14 → 192,6
$DIR_BIN/alcasar-bl.sh -reload
# admin profile update (admin + manager + backup)
$DIR_BIN/alcasar-profil.sh --list
# Start / Stop SSH Daemon
ssh_active=`grep "^SSH=" $CONF_FILE|cut -d"=" -f2`
if [ $ssh_active = "on" ]
then
/usr/bin/systemctl -q enable sshd.service
else
/usr/bin/systemctl -q disable sshd.service
fi
# Apply changes between versions
## V5.4 --> V5.5 ##
[ -e $DIR_ETC/alcasar-iptables-local.sh ] && cp $DIR_ETC/alcasar-iptables-local.sh $DIR_ETC/alcasar-iptables-local.sh.old && cp $CURRENT_DIR/conf/etc/alcasar-iptables-local.sh $DIR_ETC/ # new rule for SMTP output flows
503,22 → 495,6
fi
# Email user registration
$DIR_BIN/alcasar-mail-install.sh
# Start / Stop SSH Daemon
ssh_active=`grep ^SSH= $CONF_FILE|cut -d"=" -f2`
if [ $ssh_active = "on" ]
then
/usr/bin/systemctl enable sshd.service
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
/usr/bin/systemctl start sshd.service
fi
else
/usr/bin/systemctl disable sshd.service
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
/usr/bin/systemctl stop sshd.service
fi
fi
# Start / Stop LDAP authentification
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage
then
/scripts/alcasar-daemon.sh
9,8 → 9,6
# See /etc/cron.d/alcasar-daemon-watchdog for config the time
 
conf_file="/usr/local/etc/alcasar.conf"
SSH=`grep ^SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
SMS=`grep ^SMS= $conf_file|cut -d"=" -f2` # SMS active (on/off)
SMS=${SMS:=off}
LDAP=`grep ^LDAP= $conf_file|cut -d"=" -f2` # ldap active (on/off)
63,12 → 61,7
nb_srv=0
for service in $SERVICES; do
if [ $service == 'sshd' ]; then
if [ $SSH != "ON" ] && [ $SSH != "on" ] && [ $SSH != "On" ]; then
nb_available_srv=$((nb_available_srv-1))
continue
fi
elif [ $service == 'gammu-smsd' ]; then
if [ $service == 'gammu-smsd' ]; then
if [ $SMS != "ON" ] && [ $SMS != "on" ] && [ $SMS != "On" ]; then
nb_available_srv=$((nb_available_srv-1))
continue
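Review bot: With the sshd branch removed from the loop, sshd — if it still appears in `$SERVICES`, which is defined outside this hunk — is now counted as a required service even when the firewall exposes no SSH port (SSH_LAN=0 and SSH_WAN=0), so the watchdog may keep a daemon running that the administrator has effectively turned off; worth confirming against the new meaning of SSH_LAN/SSH_WAN. The surviving `[ $SMS != "ON" ] && [ $SMS != "on" ] && [ $SMS != "On" ]` is a three-spelling check that a case-folding compare expresses more robustly, `if [[ "${SMS,,}" != "on" ]]; then` (the file already relies on bash `==`, so bash 4+ syntax seems available). `$service` and `$SMS` are unquoted inside `[ ]`; `$SMS` is defaulted to `off` earlier in the file, but quoting both is the cheap protection. The loop body continues past the hunk.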
/scripts/alcasar-iptables-bypass.sh
5,8 → 5,8
# by Rexy - 3abtux
# This script is distributed under the Gnu General Public License (GPL)
 
# applique les regles du parefeu en mode ByPass
# put the firewall rules in 'ByPass' mode
# Applique les regles du parefeu en mode ByPass
# Set the firewall rules in 'ByPass' mode
 
CONF_FILE="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2`
25,12 → 25,17
public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`
fi
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port
SSH_LAN=${SSH_LAN:=0}
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` # SSH WAN port
SSH_WAN=${SSH_WAN:=0}
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2`
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}
SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" || echo "$SSH_WAN_ADMIN_FROM" )
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
 
 
# On vide (flush) toutes les règles existantes
# Flush all existing rules
$IPTABLES -F
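Review bot: The new admin-source parsing splits `SSH_ADMIN_FROM` on `/` (`cut -d"/" -f1` for the LAN side, `-f2` for the WAN side), so each side can only be a single address and a network in CIDR notation cannot be expressed: a constructed `SSH_ADMIN_FROM=192.0.2.10/203.0.113.0/24` yields a WAN source of `203.0.113.0` and silently drops the prefix. Whether the ACC form constrains the value is not visible here, so either document the format next to the `SSH_WAN_ADMIN_FROM` line, `# SSH_ADMIN_FROM is '<LAN host>/<WAN host>': one address per side, '/' is the separator, not a prefix length`, or validate each field before it reaches an iptables rule. The same ten lines are duplicated in `alcasar-iptables.sh` (hunks 42,7 and 51,8); a shared snippet sourced by both scripts would keep the two parsers in step.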
58,29 → 63,21
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
 
# Insertion de règles de blocage (Devel)
# Here, we add block rules (Devel)
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
while read ip_line
do
ip_on=`echo $ip_line|cut -b1`
if [ $ip_on != "#" ]
#############################
# INPUT #
#############################
# SSHD rules if activate
if [ $SSH_LAN -gt 0 ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
$IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-group 1 --nflog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
$IPTABLES -A INPUT -i $INTIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $INTIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT
fi
done < /usr/local/etc/alcasar-ip-blocked
if [ $SSH_WAN -gt 0 ]
then
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT
fi
 
# SSHD rules if activate
if [ $SSH = on ]
then
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
fi
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
95,23 → 92,16
# Drop broadcast & multicast
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
 
# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN
# Allow ping (icmp N°0 & 8) from LAN
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT
# On autorise l'accès aux services internes
# Allow Internal access
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # ACC
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # ACC
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
 
# On autorise les retours de connexions légitimes par FORWARD
# Conntrack on forward
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On autorise les demandes de connexions sortantes
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE Transfert -- ACCEPT "
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
 
# On autorise les flux entrant ntp et dns via INTIF
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
 
# On autorise le retour des connexions entrante déjà acceptées
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
121,6 → 111,35
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 
#############################
# FORWARD #
#############################
# On autorise les retours de connexions légitimes par FORWARD
# Conntrack on forward
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# Insertion de règles de blocage
# Here, we add block rules
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
while read ip_line
do
ip_on=`echo $ip_line|cut -b1`
if [ $ip_on != "#" ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
$IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-group 1 --nflog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
fi
done < /usr/local/etc/alcasar-ip-blocked
fi
 
# On autorise les demandes de connexions sortantes
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE Transfert -- ACCEPT "
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
 
#############################
# POSTROUTING #
#############################
# On active le masquage d'adresse par translation (NAT)
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
/scripts/alcasar-iptables.sh
20,7 → 20,7
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0)
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24)
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
if [[ "$public_ip_mask" == "dhcp" ]]
then
42,7 → 42,7
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port
SSH_LAN=${SSH_LAN:=0}
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` #ssh WAN port
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` # SSH WAN port
SSH_WAN=${SSH_WAN:=0}
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2`
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"}
51,8 → 51,8
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
IPTABLES="/sbin/iptables"
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
REHABILITED_IP="/etc/e2guardian/lists/exceptioniplist"
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
75,7 → 75,6
done
fi
 
 
# Sauvegarde des SET des utilisateurs connectés si ils existent
# Saving SET of connected users if it exists
ipset list not_filtered 1>/dev/null 2>&1
132,11 → 131,9
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
 
#############################
# IPSET #
#############################
 
# destruction de tous les SET
# destroy all SET
ipset flush
154,7 → 151,7
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
# Suppression des ip réhabilitées / Removing of rehabilitated ip
for ip in $(cat $IP_REHABILITEES)
for ip in $(cat $REHABILITED_IP)
do
ipset -q del bl_ip_blocked $ip
done
161,7 → 158,7
 
# ipset for exception web sites (usefull for filtered users = av_bl)
ipset create site_direct hash:net hashsize 1024
for site in $(cat $SITE_DIRECT)
for site in $(cat $ALLOWED_SITES)
do
ipset add site_direct $site
done
225,13 → 222,9
done
rm -f $TMP_ip_gw_save
 
 
 
#############################
# PREROUTING #
#############################
 
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
# 8080 = ipset av_bl
317,11 → 310,9
done
fi
 
 
#############################
# INPUT #
#############################
 
# Tout passe sur loopback
# accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
405,7 → 396,7
if [ $SSH_WAN -gt 0 ]
then
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT
fi
 
# Insertion de règles locales
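Review bot: The ACCEPT rule for `--dport $SSH_WAN` no longer carries `-m conntrack --ctstate NEW` (taking the line without it as the new side, which matches the new bypass-script rules), so TCP segments in INVALID conntrack state from `$SSH_WAN_ADMIN_FROM` to that port are now accepted instead of falling through to the chain's later handling; established traffic is presumably already accepted by a RELATED,ESTABLISHED rule outside the hunk, so the state match cost nothing. Restoring it keeps the accept aligned with the NFLOG line above it: `$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW -j ACCEPT`. The same shape appears in the new LAN and WAN ACCEPT lines of the `alcasar-iptables-bypass.sh` INPUT section.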
432,7 → 423,6
#############################
# FORWARD #
#############################
 
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
# Deny IPs of the SET bl_ip_blocked for the set av_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
/web/acc/admin/services.php
155,18 → 155,6
function serviceExec($service, $action){
if (($action == "start")||($action == "stop")||($action == "restart")){
exec("sudo /usr/bin/systemctl $action ".escapeshellarg($service), $retval, $retstatus);
if ($service == "sshd"){
if ($action == "start"){
//exec("sudo /usr/bin/systemctl enable ".escapeshellarg($service));
file_put_contents(CONF_FILE, str_replace('SSH=off', 'SSH=on', file_get_contents(CONF_FILE))); // in order to keep that conf for SSH at next reboot
exec("sudo /usr/local/bin/alcasar-iptables.sh");
}
if ($action == "stop"){
//exec("sudo /usr/bin/systemctl disable ".escapeshellarg($service));
file_put_contents(CONF_FILE, str_replace('SSH=on', 'SSH=off', file_get_contents(CONF_FILE)));
exec("sudo /usr/local/bin/alcasar-iptables.sh");
}
}
return $retstatus;
} else {
return false;