
Ignore whitespace Rev 2183 → Rev 2184

/CHANGELOG
12,7 → 12,7
- Add warning message on user status page (page closed => disconnection).
BUGS
- The users can change their password
- Removing an uamallowed domain is taken into account immediately
- managing uamallowed domain is operational again
SECU
- Fix vulnerabilities in the user part (1 SQL injection & 2 XSS).
- Remove ALCASAR version visible in the user part.
/conf/etc/alcasar-services
1,6 → 1,7
#icmp -
#ssh 22
#smtp 25
#http 80
#pop 110
#imap2 143
#imap3 220
/scripts/alcasar-condown.sh
4,27 → 4,24
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# This script is launched after each logout
# Ce script est lancé à chaque déconnexion d'usager
# This script is launched by coova after each logout
# Ce script est lancé par coova à chaque déconnexion d'usager
 
# Debug : show all the coova parse variables. There are declared in /src/chilli.c
#echo "------------------------------------------------------------" >> /tmp/debug-condown.txt
#echo `date` >> /tmp/debug-condown.txt
#for i in LAYER3 DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN WISPR-SESSION_TERMINATE_TIME CHILLISPOT_MAX_INPUT_OCTETS CHILLISPOT_MAX_OUTPUT_OCTETS CHILLISPOT_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
#do
# echo "$i : ${!i}" >> /tmp/debug-condown.txt
#done
if [ -z $FRAMED_IP_ADDRESS ]
then
exit
fi
 
# Remove user from his IPSET (depending on FILTER_ID)
 
#FilterID : 12345678
#1-> profile1
#2-> profile2
#3-> profile3
#4-> warn_user (if imputability report has been generated)
#6-> WL
#7-> BL
#8-> HAVP
#FilterID Byte N° 0 to 7
#0-> profile1
#1-> profile2
#2-> profile3
#3-> warn_user (if imputability report has been generated)
#5-> WL
#6-> BL
#7-> HAVP
 
if [ ${FILTER_ID:7:1} -eq '1' ] #HAVP
then
44,7 → 41,7
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
68,7 → 65,7
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
92,7 → 89,7
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
118,7 → 115,7
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
127,3 → 124,14
 
ipset del $set $FRAMED_IP_ADDRESS
ipset del $set_proto $FRAMED_IP_ADDRESS
 
# Debug : show all the coova parse variables (+ $set + $set_proto).
# see "/src/chilli.c" for the complete list of parse variables
#echo "-----------------------------------------------" >> /tmp/debug-condown.txt
#echo `date` >> /tmp/debug-condown.txt
#for i in LAYER3 DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN WISPR-SESSION_TERMINATE_TIME CHILLISPOT_MAX_INPUT_OCTETS CHILLISPOT_MAX_OUTPUT_OCTETS CHILLISPOT_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
#do
# echo "$i : ${!i}" >> /tmp/debug-condown.txt
#done
#echo "set : $set" >> /tmp/debug-condown.txt
#echo "set_proto : $set_proto" >> /tmp/debug-condown.txt
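Review bot: The new `ipset del $set_proto $FRAMED_IP_ADDRESS` in the 127,3 → 124,14 hunk leaves both expansions unquoted and discards the exit status, exactly like the `$set` line above it, so a failed removal (set missing, entry already gone) is invisible and the address presumably keeps its profile membership until something else cleans it up. I would quote and log: `ipset del "$set_proto" "$FRAMED_IP_ADDRESS" || logger -t alcasar-condown "ipset del $set_proto $FRAMED_IP_ADDRESS failed"`. While here, the early-exit guard `if [ -z $FRAMED_IP_ADDRESS ]` at the top of the file only handles an empty value through the one-argument rule of `[`; `[ -z "$FRAMED_IP_ADDRESS" ]` is the intended form. The 44,7 → 41,7 hunk and the three like it show identical `if [ -z "$set_proto" ]` lines on both sides, which looks like a whitespace-only change and raises nothing.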
/scripts/alcasar-conup.sh
4,22 → 4,19
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# This script is launched after each successfull login
# Ce script est lancé à chaque connexion d'usager (authentification réussi)
# This script is launched by coova after each successfull login
# Ce script est lancé par coova à chaque connexion d'usager (authentification réussi)
 
# Debug : show all the coova parse variables. There are declared in /src/chilli.c
#echo "------------------------------------------------------------" >> /tmp/debug-conup.txt
#echo `date` >> /tmp/debug-conup.txt
#for i in LAYER3 DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN WISPR-SESSION_TERMINATE_TIME CHILLISPOT_MAX_INPUT_OCTETS CHILLISPOT_MAX_OUTPUT_OCTETS CHILLISPOT_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
#do
# echo "$i : ${!i}" >> /tmp/debug-conup.txt
#done
if [ -z $FRAMED_IP_ADDRESS ]
then
exit
fi
 
ipset del not_auth_yet $FRAMED_IP_ADDRESS
 
# Add user to the SET (depending on FILTER_ID)
# Add user to his IPSET (depending on FILTER_ID)
 
# FilterID bit N°0 to 7
# FilterID Byte N°0 to 7
#0-> profile1
#1-> profile2
#2-> profile3
46,7 → 43,7
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
70,7 → 67,7
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
94,7 → 91,7
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
120,7 → 117,7
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
128,3 → 125,15
 
ipset add $set $FRAMED_IP_ADDRESS
ipset add $set_proto $FRAMED_IP_ADDRESS
 
# Debug : show all the coova parse variables (+ $set + $set_proto).
# see "/src/chilli.c" for the complete list of parse variables
#echo "-----------------------------------------------" >> /tmp/debug-conup.txt
#echo `date` >> /tmp/debug-conup.txt
#for i in LAYER3 DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN WISPR-SESSION_TERMINATE_TIME CHILLISPOT_MAX_INPUT_OCTETS CHILLISPOT_MAX_OUTPUT_OCTETS CHILLISPOT_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
#do
# echo "$i : ${!i}" >> /tmp/debug-conup.txt
#done
#echo "set : $set" >> /tmp/debug-conup.txt
#echo "set_proto : $set_proto" >> /tmp/debug-conup.txt
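Review bot: The new `ipset add $set_proto $FRAMED_IP_ADDRESS` in the 128,3 → 125,15 hunk does not check its exit status, and as far as the alcasar-iptables.sh hunks in this same revision show, the FORWARD chain now ends in an unconditional ACCEPT for the private network after the per-profile REJECT rules, so a client whose add fails belongs to no proto_N set and gets no protocol filtering at all, whereas the removed `! --match-set proto_0 … REJECT` rules used to fail closed. At minimum the failure should be visible: `ipset add "$set_proto" "$FRAMED_IP_ADDRESS" || logger -t alcasar-conup "ipset add $set_proto $FRAMED_IP_ADDRESS failed"`, with the same treatment for the `$set` line above it. The `if [ -z $FRAMED_IP_ADDRESS ]` guard further up is unquoted as well; `[ -z "$FRAMED_IP_ADDRESS" ]` is the intended form.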
 
/scripts/alcasar-iptables.sh
356,7 → 356,7
 
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl
# Deny IPs of the SET bl_ip_blocked for the set havp_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-proto-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 
365,7 → 365,8
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p tcp --dport domain -j REJECT --reject-with tcp-reset
 
# Autorisation des retours de connexions légitimes
# Active le suivi de session
# Allow Conntrack
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Compute uamallowed IP (IP address of equipments connected between ALCASAR and Internet (DMZ, own servers, ...)
375,41 → 376,26
while read ip_allowed_line
do
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NFLOG --nflog-prefix "RULE IP-allowed -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
done < /usr/local/etc/alcasar-uamallowed
fi
 
# filtrage protocole par utilisateur (profile 1 : http, https)
# protocols filtering for users (profil 1 : http, https)
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
 
# filtrage protocole par utilisateur (profile 2 : http https pop3 pop3s imap imaps ftp sftp ssh)
# protocols filtering for users (profil 2 : http https pop3 pop3s imap imaps ftp sftp ssh)
 
#filtrage protocole par utilisateur (on autorise le HTTP pour tous)
#profile 1 : HTTP/S only
for proto in $(echo http https)
do
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P1$proto -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P1$proto -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_1 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j ACCEPT
done
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ftp,ftp-data,sftp,ssh -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports http,https,pop3,pop3s,imap,imaps,ssh -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
 
#profile 2 : HTTP/S, POP3S, IMAP/S, FTP, SSH/SFTP
for proto in $(echo http https pop3 pop3s imap imaps ftp sftp ssh)
do
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P2$proto -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $proto -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P2$proto -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_2 src -s $PRIVATE_NETWORK_MASK -p udp --dport $proto -m state --state NEW -j ACCEPT
done
 
# filtrage protocole par utilisateur (profile 3 : personnalisable via l'ACC)
# protocols filtering for users (profil 3 : customized with ACC)
#profile 3 personalisables via l'ACC
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P3http -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT
custom_tcp_protocols_list='';custom_udp_protocols_list=''
while read svc_line
do
svc_on=`echo $svc_line|cut -b1`
419,32 → 405,41
svc_port=`echo $svc_line|cut -d" " -f2`
if [ $svc_name = "icmp" ]
then
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
svc_icmp="on"
else
 
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-P3$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-P3$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
if [ "$custom_tcp_protocols_list" == "" ]
then
custom_tcp_protocols_list=$svc_port
else
custom_tcp_protocols_list=`echo $custom_tcp_protocols_list","$svc_port`
fi
udp_svc=`egrep "[[:space:]]$svc_port/udp" /etc/services|wc -l`
if [ $udp_svc = "1" ] # udp service exist
then
if [ "$custom_udp_protocols_list" == "" ]
then
custom_udp_protocols_list=$svc_port
else
custom_udp_protocols_list=`echo $custom_udp_protocols_list","$svc_port`
fi
fi
fi
fi
done < /usr/local/etc/alcasar-services
if [ "$custom_tcp_protocols_list" == "" ]
then
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -j REJECT
else
if [ "$svc_icmp" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p icmp -j REJECT --reject-with icmp-proto-unreachable
fi
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p tcp -m multiport ! --dports $custom_tcp_protocols_list -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
fi
 
# Rejet explicite des autres protocoles pour P1, P2, P3 et les autres
# reject the others protocols for P1,P2, P3 and other
$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -j NFLOG --nflog-prefix "RULE F_filterP1 -- REJECT "
$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set ! --match-set proto_0 src -p icmp -j REJECT
 
 
 
# Autorisation des connections sortant du LAN
# journalisation et autorisation des connections sortant du LAN
# Allow forward connections with log
#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 
453,7 → 448,8
#############################
# On laisse tout sortir sur toutes les cartes sauf celle qui est connectée sur l'extérieur
# Everything is allowed but traffic through outside network interface
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
#$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT
 
# Si configéré, on autorise les requêtes DHCP
# Allow DHCP requests if configured
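Review bot: In the 419,32 → 405,41 hunk the proto_3 UDP reject is emitted as `-m multiport ! --dports $custom_udp_protocols_list` even when `custom_udp_protocols_list` is still empty (only TCP services selected, or none matched in /etc/services); the unquoted empty expansion drops the argument so `-m` becomes the port list, and iptables will most likely refuse the rule, after which profile-3 UDP traffic falls through to the unconditional ACCEPT that this revision adds for the private network, i.e. it is no longer filtered at all. The TCP counterpart is safe only because the enclosing `if` tests `$custom_tcp_protocols_list` first, so the UDP rule needs its own empty-list branch, sketched below. Related: `udp_svc` is compared against exactly `"1"`, so a port with two udp lines in /etc/services is silently left out of the list; `egrep -q` in a condition would be more robust. In the 453,7 → 448,8 hunk the comment "Everything is allowed but traffic through outside network interface" now sits above an unconditional `-A OUTPUT -j ACCEPT`, so either the comment or the loosening needs to be explained. The `while read svc_line` loop containing the first point starts in the previous hunk.
```shell
# … unchanged: icmp and tcp reject rules for proto_3 …
if [ "$custom_udp_protocols_list" == "" ]
then
	# no udp service selected: reject every new udp flow instead of emitting an empty --dports list
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
else
	$IPTABLES -A FORWARD -i $TUNIF -m set --match-set proto_3 src -s $PRIVATE_NETWORK_MASK -p udp -m multiport ! --dports $custom_udp_protocols_list -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
fi
```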
/web/acc/admin/protocols_filter.php
68,7 → 68,7
switch ($choix)
{
case 'new_port' :
if ((trim($_POST['add_port']) != "80") and ($_POST['add_port'] != "") and ($_POST['add_proto'] != "") and (is_numeric($_POST['add_port'])))
if (($_POST['add_port'] != "") and ($_POST['add_proto'] != "") and (is_numeric($_POST['add_port'])))
{
$_POST['add_proto'] = str_replace (CHR(32),"-",$_POST['add_proto']);
$tab=file(SERVICES_LIST);
131,7 → 131,7
}
fclose($pointeur);
}
exec ("sudo /usr/local/bin/alcasar-iptables.sh -on");
exec ("sudo /usr/local/bin/alcasar-iptables.sh");
break;
}
?>
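Review bot: With the `!= "80"` exclusion dropped, `is_numeric($_POST['add_port'])` is the only check left on the port, and it also accepts values such as `80.5`, `1e2` or ` 80` that then reach `--dport` unquoted in alcasar-iptables.sh; `add_proto` is only space-to-dash stripped before it is presumably written to SERVICES_LIST (the write is outside the hunk), and that script later interpolates `$svc_name` into an `--nflog-prefix` and `$svc_port` into an egrep pattern, both unquoted. I would validate both fields strictly at the top of the case: `$port = trim($_POST['add_port']);` and `if (ctype_digit($port) and (int)$port >= 1 and (int)$port <= 65535 and preg_match('/^[A-Za-z0-9._-]+$/', $_POST['add_proto']))`, keeping the existing `!= ""` tests redundant. The `case 'new_port'` body continues past the end of the hunk.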
/web/intercept.php
594,7 → 594,7
$domain = explode('"', $domain_allowed[0]);
// remove every '.' from the beginning of domain
$domain[1] = ltrim($domain[1], '.');
echo '<a href="http://'.trim($domain[1]).'">'.trim($domain_allowed[1]).'</a>';
echo '<a href="http://'.trim($domain[1]).'">'.trim($domain_allowed[1]).'</a> ';
}
}
}