/CHANGELOG |
---|
6,7 → 6,7 |
- mail registration service |
CHANGES |
- Add a third RPM repository (http://ftp.free.fr) |
- Improve firewall local rules |
- Improve firewall local rules & firewall rules in bypass mode |
- Add SMTP to the list of openned ports (for filtered users) |
- Adapt user page when HTTPS is enabled with an official certificate (Thanks to Alexandre VEZIN) |
ACC |
13,7 → 13,7 |
- Avoid password preload text in password forms |
- Improve "let's encrypt" & "Internet connexion" forms |
- Add an overlay with spinner on all submit forms (Thanks to Alexandre VEZIN) |
- SSH : admin can disable it on EXTIF (WAN). Admin can change the listen port (Thanks to Alexandre VEZIN) |
- SSH : admin can secure it on INTIF & EXTIF : change the default port & set en "admin_from" IP (Thanks to Alexandre VEZIN) |
BUGS |
- Adapt "alcasar-network.sh" when ALCASAR is in DHCP mode |
- Adapt "alcasar-watchdog.sh" when ALCASAR is in multiWAN mode |
/alcasar.sh |
---|
115,7 → 115,7 |
system_testing() |
{ |
# Test of Mageia version |
# extract the current Mageia version and hardware architecture (i586 ou X64) |
# extract the current Mageia version and hardware architecture (X86_64) |
fic=`cat /etc/product.id` |
unknown_os=0 |
old="$IFS" |
2171,8 → 2171,8 |
# ALCASAR conf file |
echo "HTTPS_LOGIN=off" >> $CONF_FILE |
echo "HTTPS_CHILLI=off" >> $CONF_FILE |
echo "SSH=off" >> $CONF_FILE |
echo "SSH_WAN=22" >> $CONF_FILE |
echo "SSH_LAN=22" >> $CONF_FILE |
echo "SSH_WAN=0" >> $CONF_FILE |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE |
echo "LDAP=off" >> $CONF_FILE |
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE |
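Review bot: The new default `SSH_ADMIN_FROM=0.0.0.0/0.0.0.0` reads like an address/netmask pair, but the firewall scripts split it on `/` into a LAN source (field 1) and a WAN source (field 2), so the `echo` deserves a comment such as `# SSH_ADMIN_FROM=<LAN source>/<WAN source>; 0.0.0.0 = unrestricted (whole private network on LAN, 0.0.0.0/0 on WAN)`. Because `/` is the separator, a CIDR such as `192.0.2.0/24` cannot be stored in either field without being mis-split into `192.0.2.0` and `24`; if the ACC form accepts prefixes, a different separator or two distinct keys would be safer. The default `SSH_LAN=22` also means the LAN-side SSH rule is open right after install, whereas the previous default `SSH=off` closed it; if that is intended, a one-line comment saying so would help, and nothing visible in this commit ties sshd's enable/start state to the new `SSH_LAN`/`SSH_WAN` values.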
/scripts/alcasar-conf.sh |
---|
192,14 → 192,6 |
$DIR_BIN/alcasar-bl.sh -reload |
# admin profile update (admin + manager + backup) |
$DIR_BIN/alcasar-profil.sh --list |
# Start / Stop SSH Daemon |
ssh_active=`grep "^SSH=" $CONF_FILE|cut -d"=" -f2` |
if [ $ssh_active = "on" ] |
then |
/usr/bin/systemctl -q enable sshd.service |
else |
/usr/bin/systemctl -q disable sshd.service |
fi |
# Apply changes between versions |
## V5.4 --> V5.5 ## |
[ -e $DIR_ETC/alcasar-iptables-local.sh ] && cp $DIR_ETC/alcasar-iptables-local.sh $DIR_ETC/alcasar-iptables-local.sh.old && cp $CURRENT_DIR/conf/etc/alcasar-iptables-local.sh $DIR_ETC/ # new rule for SMTP output flows |
503,22 → 495,6 |
fi |
# Email user registration |
$DIR_BIN/alcasar-mail-install.sh |
# Start / Stop SSH Daemon |
ssh_active=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` |
if [ $ssh_active = "on" ] |
then |
/usr/bin/systemctl enable sshd.service |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
then |
/usr/bin/systemctl start sshd.service |
fi |
else |
/usr/bin/systemctl disable sshd.service |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
then |
/usr/bin/systemctl stop sshd.service |
fi |
fi |
# Start / Stop LDAP authentification |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
then |
/scripts/alcasar-daemon.sh |
---|
9,8 → 9,6 |
# See /etc/cron.d/alcasar-daemon-watchdog for config the time |
conf_file="/usr/local/etc/alcasar.conf" |
SSH=`grep ^SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
SMS=`grep ^SMS= $conf_file|cut -d"=" -f2` # SMS active (on/off) |
SMS=${SMS:=off} |
LDAP=`grep ^LDAP= $conf_file|cut -d"=" -f2` # ldap active (on/off) |
63,12 → 61,7 |
nb_srv=0 |
for service in $SERVICES; do |
if [ $service == 'sshd' ]; then |
if [ $SSH != "ON" ] && [ $SSH != "on" ] && [ $SSH != "On" ]; then |
nb_available_srv=$((nb_available_srv-1)) |
continue |
fi |
elif [ $service == 'gammu-smsd' ]; then |
if [ $service == 'gammu-smsd' ]; then |
if [ $SMS != "ON" ] && [ $SMS != "on" ] && [ $SMS != "On" ]; then |
nb_available_srv=$((nb_available_srv-1)) |
continue |
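Review bot: The sshd branch is deleted instead of being ported to the new `SSH_LAN`/`SSH_WAN` keys, so if `sshd` is still listed in `$SERVICES` (defined outside this hunk) the watchdog now treats it as always expected and will alert on, or restart, sshd even when both ports are 0. Reading the two keys the same way the firewall scripts do and keeping the skip would preserve the previous behaviour; the `for` body continues past the end of the hunk. If sshd was removed from `$SERVICES` elsewhere in the commit this can be ignored.
```shell
SSH_LAN=`grep ^SSH_LAN= $conf_file|cut -d"=" -f2`	# SSH LAN port (0 = disabled)
SSH_LAN=${SSH_LAN:=0}
SSH_WAN=`grep ^SSH_WAN= $conf_file|cut -d"=" -f2`	# SSH WAN port (0 = disabled)
SSH_WAN=${SSH_WAN:=0}
# … unchanged: SMS / LDAP variables …
for service in $SERVICES; do
	if [ $service == 'sshd' ]; then
		if [ "$SSH_LAN" -eq 0 ] && [ "$SSH_WAN" -eq 0 ]; then	# sshd not expected on this box
			nb_available_srv=$((nb_available_srv-1))
			continue
		fi
	elif [ $service == 'gammu-smsd' ]; then
	# … unchanged: gammu-smsd and following branches …
```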
/scripts/alcasar-iptables-bypass.sh |
---|
5,8 → 5,8 |
# by Rexy - 3abtux |
# This script is distributed under the Gnu General Public License (GPL) |
# applique les regles du parefeu en mode ByPass |
# put the firewall rules in 'ByPass' mode |
# Applique les regles du parefeu en mode ByPass |
# Set the firewall rules in 'ByPass' mode |
CONF_FILE="/usr/local/etc/alcasar.conf" |
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2` |
25,12 → 25,17 |
public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN` |
fi |
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1` |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2` |
SSH_ADMIN_FROM=${SSH_ADMIN_FROM:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side) |
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port |
SSH_LAN=${SSH_LAN:=0} |
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` # SSH WAN port |
SSH_WAN=${SSH_WAN:=0} |
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2` |
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"} |
SSH_WAN_ADMIN_FROM=$([ "$SSH_WAN_ADMIN_FROM" == "0.0.0.0" ] && echo "0.0.0.0/0" || echo "$SSH_WAN_ADMIN_FROM" ) |
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1` |
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"} |
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" ) |
# On vide (flush) toutes les règles existantes |
# Flush all existing rules |
$IPTABLES -F |
58,29 → 63,21 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT |
$IPTABLES -A INPUT -i lo -j ACCEPT |
# Insertion de règles de blocage (Devel) |
# Here, we add block rules (Devel) |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
while read ip_line |
do |
ip_on=`echo $ip_line|cut -b1` |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
$IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-group 1 --nflog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT |
fi |
done < /usr/local/etc/alcasar-ip-blocked |
fi |
############################# |
# INPUT # |
############################# |
# SSHD rules if activate |
if [ $SSH = on ] |
if [ $SSH_LAN -gt 0 ] |
then |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT |
$IPTABLES -A INPUT -i $INTIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -m conntrack --ctstate NEW -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $INTIF -s $SSH_LAN_ADMIN_FROM -d $PRIVATE_IP -p tcp --dport $SSH_LAN -j ACCEPT |
fi |
if [ $SSH_WAN -gt 0 ] |
then |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT |
fi |
# Insertion de règles locales |
# Here, we add local rules (i.e. VPN from Internet) |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then |
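Review bot: `SSH_WAN_ADMIN_FROM` falls back to `0.0.0.0` and is then rewritten to `0.0.0.0/0`, so as soon as `SSH_WAN` is non-zero and the admin has left the WAN source empty, the WAN SSH port is accepted from the whole Internet, even in bypass mode; consider treating an empty/`0.0.0.0` WAN source as "no WAN rule", or at least adding a per-source rate limit ahead of the ACCEPT, e.g. `$IPTABLES -A INPUT -i $EXTIF -d $PUBLIC_IP -p tcp --dport $SSH_WAN --syn -m hashlimit --hashlimit-above 3/min --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name ssh_wan -j DROP`. The `cut -d"/" -f1` / `-f2` split also means a CIDR entered in either half is cut at its prefix, so `-s` would receive a bare number or a single host instead of the intended network; validating the two fields here (or documenting that only single addresses are allowed) would make the failure explicit. The plain `SSH_ADMIN_FROM` variable still read a few lines above this hunk appears to be unused by the new rules, if it was kept. The ACCEPT lines also lost their `NEW` state match while the NFLOG lines kept it (plus `--syn` on the WAN side), so the two no longer match the same packets; if deliberate, a comment explaining why would help.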
95,23 → 92,16 |
# Drop broadcast & multicast |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN |
# Allow ping (icmp N°0 & 8) from LAN |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT |
# On autorise l'accès aux services internes |
# Allow Internal access |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport domain -j ACCEPT # DNS |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # ACC |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # ACC |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server |
# On autorise les retours de connexions légitimes par FORWARD |
# Conntrack on forward |
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT |
# On autorise les demandes de connexions sortantes |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE Transfert -- ACCEPT " |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT |
# On autorise les flux entrant ntp et dns via INTIF |
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT |
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT |
# On autorise le retour des connexions entrante déjà acceptées |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
121,6 → 111,35 |
$IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable |
############################# |
# FORWARD # |
############################# |
# On autorise les retours de connexions légitimes par FORWARD |
# Conntrack on forward |
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT |
# Insertion de règles de blocage |
# Here, we add block rules |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
while read ip_line |
do |
ip_on=`echo $ip_line|cut -b1` |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
$IPTABLES -A FORWARD -d $ip_blocked -j NFLOG --nflog-group 1 --nflog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT |
fi |
done < /usr/local/etc/alcasar-ip-blocked |
fi |
# On autorise les demandes de connexions sortantes |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j NFLOG --nflog-group 1 --nflog-prefix "RULE Transfert -- ACCEPT " |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT |
############################# |
# POSTROUTING # |
############################# |
# On active le masquage d'adresse par translation (NAT) |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE |
/scripts/alcasar-iptables.sh |
---|
20,7 → 20,7 |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0) |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24) |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24) |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
if [[ "$public_ip_mask" == "dhcp" ]] |
then |
42,7 → 42,7 |
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips |
SSH_LAN=`grep ^SSH_LAN= $CONF_FILE|cut -d"=" -f2` # SSH LAN port |
SSH_LAN=${SSH_LAN:=0} |
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` #ssh WAN port |
SSH_WAN=`grep ^SSH_WAN= $CONF_FILE|cut -d"=" -f2` # SSH WAN port |
SSH_WAN=${SSH_WAN:=0} |
SSH_WAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f2` |
SSH_WAN_ADMIN_FROM=${SSH_WAN_ADMIN_FROM:="0.0.0.0"} |
51,8 → 51,8 |
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"} |
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" ) |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
REHABILITED_IP="/etc/e2guardian/lists/exceptioniplist" |
ALLOWED_SITES="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2` |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2` |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2` |
75,7 → 75,6 |
done |
fi |
# Sauvegarde des SET des utilisateurs connectés si ils existent |
# Saving SET of connected users if it exists |
ipset list not_filtered 1>/dev/null 2>&1 |
132,11 → 131,9 |
$IPTABLES -t nat -P POSTROUTING ACCEPT |
$IPTABLES -t nat -P OUTPUT ACCEPT |
############################# |
# IPSET # |
############################# |
# destruction de tous les SET |
# destroy all SET |
ipset flush |
154,7 → 151,7 |
ipset -! restore < $TMP_set_save |
rm -f $TMP_set_save |
# Suppression des ip réhabilitées / Removing of rehabilitated ip |
for ip in $(cat $IP_REHABILITEES) |
for ip in $(cat $REHABILITED_IP) |
do |
ipset -q del bl_ip_blocked $ip |
done |
161,7 → 158,7 |
# ipset for exception web sites (usefull for filtered users = av_bl) |
ipset create site_direct hash:net hashsize 1024 |
for site in $(cat $SITE_DIRECT) |
for site in $(cat $ALLOWED_SITES) |
do |
ipset add site_direct $site |
done |
225,13 → 222,9 |
done |
rm -f $TMP_ip_gw_save |
############################# |
# PREROUTING # |
############################# |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules |
# 8080 = ipset av_bl |
317,11 → 310,9 |
done |
fi |
############################# |
# INPUT # |
############################# |
# Tout passe sur loopback |
# accept all on loopback |
$IPTABLES -A INPUT -i lo -j ACCEPT |
405,7 → 396,7 |
if [ $SSH_WAN -gt 0 ] |
then |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW --syn -j NFLOG --nflog-group 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -j ACCEPT |
fi |
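Review bot: The ACCEPT on the last changed line drops `-m conntrack --ctstate NEW` while the NFLOG line above it still requires `NEW --syn`, so packets to the WAN SSH port that are not new SYNs are now accepted by this rule without the corresponding log entry, and the log no longer reflects what the rule admits. Either restore the match, `$IPTABLES -A INPUT -i $EXTIF -s $SSH_WAN_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport $SSH_WAN -m conntrack --ctstate NEW -j ACCEPT`, or add a comment stating why the state match was removed. Note that `$SSH_WAN_ADMIN_FROM` defaults to `0.0.0.0` (expanded to `0.0.0.0/0` outside this hunk), so with no admin address set this rule admits any source.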
# Insertion de règles locales |
432,7 → 423,6 |
############################# |
# FORWARD # |
############################# |
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl |
# Deny IPs of the SET bl_ip_blocked for the set av_bl |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited |
/web/acc/admin/services.php |
---|
155,18 → 155,6 |
function serviceExec($service, $action){ |
if (($action == "start")||($action == "stop")||($action == "restart")){ |
exec("sudo /usr/bin/systemctl $action ".escapeshellarg($service), $retval, $retstatus); |
if ($service == "sshd"){ |
if ($action == "start"){ |
//exec("sudo /usr/bin/systemctl enable ".escapeshellarg($service)); |
file_put_contents(CONF_FILE, str_replace('SSH=off', 'SSH=on', file_get_contents(CONF_FILE))); // in order to keep that conf for SSH at next reboot |
exec("sudo /usr/local/bin/alcasar-iptables.sh"); |
} |
if ($action == "stop"){ |
//exec("sudo /usr/bin/systemctl disable ".escapeshellarg($service)); |
file_put_contents(CONF_FILE, str_replace('SSH=on', 'SSH=off', file_get_contents(CONF_FILE))); |
exec("sudo /usr/local/bin/alcasar-iptables.sh"); |
} |
} |
return $retstatus; |
} else { |
return false; |