/CHANGELOG |
---|
1,10 → 1,11 |
# $Id$ |
************ ALCASAR CHANGELOG *********** |
----------------------- 3.2 ---------------- |
----------------------- 3.1.2 ---------------- |
NEWS |
- An update can be fully performed via SSH |
- Linux Kernel (4.4.65) |
- Activate coova HTTPS interception (remove our DNS blackhole rules) |
ACC |
- download/upload inversion (logical traffic display) |
/VERSION |
---|
1,0 → 0,0 |
3.2b |
3.1.2b |
/alcasar.sh |
---|
1219,6 → 1219,9 |
#dhcpgateway none |
#dhcprelayagent none |
#dhcpgatewayport none |
sslkeyfile /etc/pki/tls/private/alcasar.key |
sslcertfile /etc/pki/tls/certs/alcasar.crt |
redirssl |
EOF |
# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0) |
echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers |
/scripts/alcasar-condown.sh |
---|
1,5 → 1,7 |
#!/bin/sh |
# |
# $Id$ |
# |
# alcasar-condown.sh |
# by Rexy |
# This script is distributed under the Gnu General Public License (GPL) |
7,125 → 9,45 |
# This script is launched by coova after each logout |
# Ce script est lancé par coova à chaque déconnexion d'usager |
if [ -z $FRAMED_IP_ADDRESS ] |
then |
exit |
if [ -z $FRAMED_IP_ADDRESS ]; then |
exit 1 |
fi |
# Remove user from his IPSET (depending on FILTER_ID) |
#FilterID Byte N° 0 to 7 |
#0-> profile1 |
#1-> profile2 |
#2-> profile3 |
#3-> warn_user (if imputability report has been generated) |
#5-> WL |
#6-> BL |
#7-> HAVP |
# FilterID Byte N°0 to 7 |
# 0: profile_1 (WEB) |
# 1: profile_2 (WEB + Mail + Remote access) |
# 2: profile_3 (Custom) |
# 3: warn_user (if imputability report has been generated) |
# 5: WL |
# 6: BL |
# 7: HAVP |
if [ ${FILTER_ID:7:1} -eq '1' ] #HAVP |
then |
set="havp" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:7:1} == '1' ]; then # HAVP |
set_filter="havp" |
elif [ ${FILTER_ID:6:1} == '1' ]; then # HAVP_BL |
set_filter="havp_bl" |
elif [ ${FILTER_ID:5:1} == '1' ]; then # HAVP_WL |
set_filter="havp_wl" |
else # NOT_FILTERED |
set_filter="not_filtered" |
fi |
if [ ${FILTER_ID:6:1} -eq '1' ] #HAVP_BL |
then |
set="havp_bl" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:0:1} == '1' ]; then # PROFILE 1 (WEB) |
set_proto="proto_1"; |
elif [ ${FILTER_ID:1:1} == '1' ]; then # PROFILE 2 (WEB + Mail + Remote access) |
set_proto="proto_2"; |
elif [ ${FILTER_ID:2:1} == '1' ]; then # PROFILE 3 (Custom) |
set_proto="proto_3"; |
else # PROFILE 0 (Not filtered) |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:5:1} -eq '1' ] #HAVP_WL |
then |
set="havp_wl" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
fi |
if [ -z "$set" ] #NOT_FILTERED |
then |
set="not_filtered" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
fi |
ipset del $set $FRAMED_IP_ADDRESS |
ipset del $set_filter $FRAMED_IP_ADDRESS |
ipset del $set_proto $FRAMED_IP_ADDRESS |
# Debug : show all the coova parse variables (+ $set + $set_proto). |
# Debug : show all the coova parse variables (+ $set_filter + $set_proto). |
# see "/src/chilli.c" for the complete list of parse variables |
#echo "-----------------------------------------------" >> /tmp/debug-condown.txt |
#echo `date` >> /tmp/debug-condown.txt |
133,5 → 55,5 |
#do |
# echo "$i : ${!i}" >> /tmp/debug-condown.txt |
#done |
#echo "set : $set" >> /tmp/debug-condown.txt |
#echo "set_filter : $set_filter" >> /tmp/debug-condown.txt |
#echo "set_proto : $set_proto" >> /tmp/debug-condown.txt |
/scripts/alcasar-conup.sh |
---|
1,5 → 1,7 |
#!/bin/sh |
# |
# $Id$ |
# |
# alcasar-conup.sh |
# by Rexy |
# This script is distributed under the Gnu General Public License (GPL) |
7,126 → 9,45 |
# This script is launched by coova after each successfull login |
# Ce script est lancé par coova à chaque connexion d'usager (authentification réussi) |
if [ -z $FRAMED_IP_ADDRESS ] |
then |
exit |
if [ -z $FRAMED_IP_ADDRESS ]; then |
exit 1 |
fi |
ipset del not_auth_yet $FRAMED_IP_ADDRESS |
# Add user to his IPSET (depending on FILTER_ID) |
# FilterID Byte N°0 to 7 |
#0-> profile1 |
#1-> profile2 |
#2-> profile3 |
#3-> warn_user (if imputability report has been generated) |
#5-> WL |
#6-> BL |
#7-> HAVP |
# 0: profile_1 (WEB) |
# 1: profile_2 (WEB + Mail + Remote access) |
# 2: profile_3 (Custom) |
# 3: warn_user (if imputability report has been generated) |
# 5: WL |
# 6: BL |
# 7: HAVP |
if [ ${FILTER_ID:7:1} -eq '1' ] #HAVP |
then |
set="havp" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:7:1} == '1' ]; then # HAVP |
set_filter="havp" |
elif [ ${FILTER_ID:6:1} == '1' ]; then # HAVP_BL |
set_filter="havp_bl" |
elif [ ${FILTER_ID:5:1} == '1' ]; then # HAVP_WL |
set_filter="havp_wl" |
else # NOT_FILTERED |
set_filter="not_filtered" |
fi |
if [ ${FILTER_ID:6:1} -eq '1' ] #HAVP_BL |
then |
set="havp_bl" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:0:1} == '1' ]; then # PROFILE 1 (WEB) |
set_proto="proto_1"; |
elif [ ${FILTER_ID:1:1} == '1' ]; then # PROFILE 2 (WEB + Mail + Remote access) |
set_proto="proto_2"; |
elif [ ${FILTER_ID:2:1} == '1' ]; then # PROFILE 3 (Custom) |
set_proto="proto_3"; |
else # PROFILE 0 (Not filtered) |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:5:1} -eq '1' ] #HAVP_WL |
then |
set="havp_wl" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
fi |
if [ -z "$set" ] #NOT_FILTERED |
then |
set="not_filtered" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
fi |
ipset add $set $FRAMED_IP_ADDRESS |
ipset add $set_filter $FRAMED_IP_ADDRESS |
ipset add $set_proto $FRAMED_IP_ADDRESS |
# Debug : show all the coova parse variables (+ $set + $set_proto). |
# Debug : show all the coova parse variables (+ $set_filter + $set_proto). |
# see "/src/chilli.c" for the complete list of parse variables |
#echo "-----------------------------------------------" >> /tmp/debug-conup.txt |
#echo `date` >> /tmp/debug-conup.txt |
134,6 → 55,6 |
#do |
# echo "$i : ${!i}" >> /tmp/debug-conup.txt |
#done |
#echo "set : $set" >> /tmp/debug-conup.txt |
#echo "set_filter : $set_filter" >> /tmp/debug-conup.txt |
#echo "set_proto : $set_proto" >> /tmp/debug-conup.txt |
/scripts/alcasar-iptables.sh |
---|
58,8 → 58,6 |
ipset save havp >> $TMP_users_set_save |
ipset save havp_bl >> $TMP_users_set_save |
ipset save havp_wl >> $TMP_users_set_save |
ipset save not_auth_yet >> $TMP_users_set_save |
ipset save users_list >> $TMP_users_set_save |
ipset save proto_0 >> $TMP_users_set_save |
ipset save proto_1 >> $TMP_users_set_save |
ipset save proto_2 >> $TMP_users_set_save |
143,15 → 141,6 |
ipset create havp hash:net hashsize 1024 |
ipset create havp_bl hash:net hashsize 1024 |
ipset create havp_wl hash:net hashsize 1024 |
#utilisé pour l'interception des utilisateurs non authentifiés au réseau |
#used for intercepting users not connected to the network |
ipset create not_auth_yet hash:net hashsize 1024 |
ipset create users_list list:set |
ipset add users_list havp |
ipset add users_list havp_wl |
ipset add users_list havp_bl |
ipset add users_list not_filtered |
ipset add users_list not_auth_yet |
#pour les filtrages de protocole par utilisateur |
ipset create proto_0 hash:net hashsize 1024 |
ipset create proto_1 hash:net hashsize 1024 |
163,11 → 152,6 |
# PREROUTING # |
############################# |
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole |
# Redirect users not connected DNS requests in DNS-Blackhole |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56 |
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT |
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10 |
/scripts/alcasar-macdown.sh |
---|
1,8 → 1,14 |
#!/bin/sh |
# |
# $Id$ |
# |
# Le script 'macdown' est appelé par coovachilli pendant le DHCP down (release) |
# Depuis la version 3.1 de ALCASAR, le système d'interception a changé. |
# Pour une adresse mac authorisée pour laquelle coovachilli effectue un DHCP release, l'@IP sera retiré de l'ipset 'not_filtered' |
#Le script 'macdown' est appelé par coovachilli pendant le DHCP down (release) |
#Depuis la version 3.1 de ALCASAR, le système d'interception a changé. |
#Pour une adresse mac authorisée pour laquelle coovachilli effectue un DHCP release, l'@IP sera retiré de l'ipset 'not_filtered' |
if [ -z $CALLING_STATION_ID ]; then |
exit 1 |
fi |
chilli_current_mac=$(chilli_query list | grep $CALLING_STATION_ID) |
is_connected=$(echo $chilli_current_mac | cut -d' ' -f5) |
10,123 → 16,42 |
current_name=$(echo $chilli_current_mac | cut -d' ' -f6) |
current_ip=$(echo $chilli_current_mac | cut -d' ' -f2) |
if [ $is_connected == "1" ] && [ $current_mac == $current_name ]; then |
#Lecture du Filter-Id de l'équipement authentifié afin de le retirer de son ipset |
PASSWD_FILE="/root/ALCASAR-passwords.txt" |
QUERY="SELECT value from radreply where username='$current_mac'" |
FILTER_ID=$(mysql -D radius -u root -p$(cat $PASSWD_FILE | grep "root /" | rev | cut -d' ' -f1 | rev)<<<"$QUERY" | tail -1) |
QUERY="SELECT value FROM radreply WHERE attribute='Filter-Id' AND username='$current_mac';" |
FILTER_ID=$(mysql -D radius -u root -p$(cat $PASSWD_FILE | grep "root /" | rev | cut -d' ' -f1 | rev) -e "$QUERY" -Ns) |
#Valeur de FILTER-ID : 12345678 |
#1-> profile1 |
#2-> profile2 |
#3-> profile3 |
#4-> warn_user (if imputability report has been generated) |
#6-> WL + HAVP |
#7-> BL + HAVP |
#8-> HAVP |
# FilterID Byte N°0 to 7 |
# 0: profile_1 (WEB) |
# 1: profile_2 (WEB + Mail + Remote access) |
# 2: profile_3 (Custom) |
# 3: warn_user (if imputability report has been generated) |
# 5: WL |
# 6: BL |
# 7: HAVP |
if [ ${FILTER_ID:7:1} -eq '1' ] #HAVP |
then |
set="havp" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:7:1} == '1' ]; then # HAVP |
set_filter="havp" |
elif [ ${FILTER_ID:6:1} == '1' ]; then # HAVP_BL |
set_filter="havp_bl" |
elif [ ${FILTER_ID:5:1} == '1' ]; then # HAVP_WL |
set_filter="havp_wl" |
else # NOT_FILTERED |
set_filter="not_filtered" |
fi |
if [ ${FILTER_ID:6:1} -eq '1' ] #HAVP_BL |
then |
set="havp_bl" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:0:1} == '1' ]; then # PROFILE 1 (WEB) |
set_proto="proto_1"; |
elif [ ${FILTER_ID:1:1} == '1' ]; then # PROFILE 2 (WEB + Mail + Remote access) |
set_proto="proto_2"; |
elif [ ${FILTER_ID:2:1} == '1' ]; then # PROFILE 3 (Custom) |
set_proto="proto_3"; |
else # PROFILE 0 (Not filtered) |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:5:1} -eq '1' ] #HAVP_WL |
then |
set="havp_wl" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
fi |
if [ -z "$set" ] #NOT_FILTERED |
then |
set="not_filtered" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
fi |
ipset del $set $current_ip |
ipset del $set_filter $current_ip |
ipset del $set_proto $current_ip |
fi |
/scripts/alcasar-macup.sh |
---|
1,8 → 1,14 |
#!/bin/sh |
# |
# $Id$ |
# |
# Le script 'macup' est appelé par coovachilli lorsqu'il attribut une @IP à une @MAC. |
# Depuis la version 3.1 de ALCASAR, le système d'interception a changé. On doit traiter les authorisations par adresse MAC en amont |
# Pour une adresse mac authorisée, nous stockons sont @IP dans l'ipset 'not_filtered' |
#Le script 'macup' est appelé par coovachilli lorsqu'il attribut une @IP à une @MAC. |
#Depuis la version 3.1 de ALCASAR, le système d'interception a changé. On doit traiter les authorisations par adresse MAC en amont |
#Pour une adresse mac authorisée, nous stockons sont @IP dans l'ipset 'not_filtered' |
if [ -z $CALLING_STATION_ID ]; then |
exit 1 |
fi |
chilli_current_mac=$(chilli_query list | grep $CALLING_STATION_ID) |
is_connected=$(echo $chilli_current_mac | cut -d' ' -f5) |
11,129 → 17,42 |
current_ip=$(echo $chilli_current_mac | cut -d' ' -f2) |
if [ $is_connected == "1" ] && [ $current_mac == $current_name ]; then |
#Lecture du filter-id dans la DB radius afin de placer l'équipement réseau dans le bon ipset |
#Un équipement autorisé "à chaud" sera placé dans l'ipset 'not_filtered' + pas de filtrage de protocole (proto_0) |
PASSWD_FILE="/root/ALCASAR-passwords.txt" |
QUERY="SELECT value from radreply where username='$current_mac'" |
FILTER_ID=$(mysql -D radius -u root -p$(cat $PASSWD_FILE | grep "root /" | rev | cut -d' ' -f1 | rev)<<<"$QUERY" | tail -1) |
QUERY="SELECT value FROM radreply WHERE attribute='Filter-Id' AND username='$current_mac';" |
FILTER_ID=$(mysql -D radius -u root -p$(cat $PASSWD_FILE | grep "root /" | rev | cut -d' ' -f1 | rev) -e "$QUERY" -Ns) |
#Suppression de l'utilisateur de l'ipset not_auth_yet (au cas où) |
ipset del not_auth_yet $current_ip |
# FilterID Byte N°0 to 7 |
# 0: profile_1 (WEB) |
# 1: profile_2 (WEB + Mail + Remote access) |
# 2: profile_3 (Custom) |
# 3: warn_user (if imputability report has been generated) |
# 5: WL |
# 6: BL |
# 7: HAVP |
#Valeur de FILTER-ID : 12345678 |
#1-> profile1 |
#2-> profile2 |
#3-> profile3 |
#4-> warn_user (if imputability report has been generated) |
#6-> WL + HAVP |
#7-> BL + HAVP |
#8-> HAVP |
if [ ${FILTER_ID:7:1} -eq '1' ] #HAVP |
then |
set="havp" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:7:1} == '1' ]; then # HAVP |
set_filter="havp" |
elif [ ${FILTER_ID:6:1} == '1' ]; then # HAVP_BL |
set_filter="havp_bl" |
elif [ ${FILTER_ID:5:1} == '1' ]; then # HAVP_WL |
set_filter="havp_wl" |
else # NOT_FILTERED |
set_filter="not_filtered" |
fi |
if [ ${FILTER_ID:6:1} -eq '1' ] #HAVP_BL |
then |
set="havp_bl" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:0:1} == '1' ]; then # PROFILE 1 (WEB) |
set_proto="proto_1"; |
elif [ ${FILTER_ID:1:1} == '1' ]; then # PROFILE 2 (WEB + Mail + Remote access) |
set_proto="proto_2"; |
elif [ ${FILTER_ID:2:1} == '1' ]; then # PROFILE 3 (Custom) |
set_proto="proto_3"; |
else # PROFILE 0 (Not filtered) |
set_proto="proto_0"; |
fi |
if [ ${FILTER_ID:5:1} -eq '1' ] #HAVP_WL |
then |
set="havp_wl" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
fi |
if [ -z "$set" ] #NOT_FILTERED |
then |
set="not_filtered" |
if [ ${FILTER_ID:0:1} -eq '1' ] |
then |
set_proto="proto_1"; |
fi |
if [ ${FILTER_ID:1:1} -eq '1' ] |
then |
set_proto="proto_2"; |
fi |
if [ ${FILTER_ID:2:1} -eq '1' ] |
then |
set_proto="proto_3"; |
fi |
if [ -z "$set_proto" ] |
then |
set_proto="proto_0"; |
fi |
fi |
ipset add $set $current_ip |
ipset add $set_filter $current_ip |
ipset add $set_proto $current_ip |
fi |
/web/index.php |
---|
33,21 → 33,20 |
exit('Error opening the file '.CONF_FILE); |
} |
while (!feof($file_conf)) { |
$tampon = fgets($file_conf, 4096); |
if ((strpos($tampon, '=') !== false) && (substr($tampon, 0, 1) !== '#')) { |
$tmp = explode('=', $tampon); |
$buffer = fgets($file_conf, 4096); |
if ((strpos($buffer, '=') !== false) && (substr($buffer, 0, 1) !== '#')) { |
$tmp = explode('=', $buffer); |
$conf[$tmp[0]] = trim($tmp[1]); |
} |
} |
fclose($file_conf); |
$organisme = trim($conf["ORGANISM"]); |
$hostname = trim($conf["HOSTNAME"]).'.'.trim($conf["DOMAIN"]); |
$organisme = $conf["ORGANISM"]; |
$hostname = $conf["HOSTNAME"].'.'.$conf["DOMAIN"]; |
$network_pb = False; # "alcasar-watchdog.sh" changes this value if a network issue is detected |
$diagnostic = "can't contact the default router"; # "alcasar-watchdog.sh" changes this value if a network issue is detected |
$cert_add = "http://$hostname/certs"; |
$direct_access = False; |
$display_menu=False; |
$remote_ip = preg_match('#^([0-9]{1,3}\.){3}[0-9]{1,3}$#', $_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : ""; |
$tab = array();$user = array(); |
$connection_history = ""; |
66,7 → 65,6 |
# Test if it's a direct connexion to ALCASAR |
if (isset($_SERVER['HTTP_HOST']) && (($_SERVER['HTTP_HOST'] === $_SERVER['SERVER_ADDR']) || ($_SERVER['HTTP_HOST'] === 'alcasar') || ($_SERVER['HTTP_HOST'] === $hostname) || ($_SERVER['HTTP_HOST'] === $organisme))) { |
$direct_access = true; |
exec("sudo /usr/sbin/ipset del not_auth_yet $remote_ip"); # del user of the ipset "not_auth_yet" to not loop |
} |
# Function to adapt time connexion in seconds to H,M,S |
80,17 → 78,16 |
} |
# if user need to be warned |
if(isset($_GET['warn']) && isset($_GET['url'])) |
{ |
$direct_access = False; |
if (isset($_GET['warn']) && isset($_GET['url'])) { |
$direct_access = false; |
} |
if ((isset ($user[4])) && ($user[4] != "0")){ # the user is authenticated |
if(isset($_GET['redirect'])) # if user has been warned, we redirect him to his website |
{ |
if ((isset($user[4])) && ($user[4] != "0")) { # the user is authenticated |
if (isset($_GET['redirect'])) { # if user has been warned, we redirect him to his website |
header('Location: '.$_GET['url'], true, 307); |
exit; |
exit(); |
} |
# we retrieve his three last connections |
if ((is_file("./acc/manager/lib/sql/drivers/mysql/functions.php"))&&(is_file("/etc/freeradius-web/config.php"))){ |
include_once("/etc/freeradius-web/config.php"); |
111,24 → 108,12 |
} |
} |
} |
else # the user isn't authenticated |
{ |
exec("sudo /usr/sbin/ipset list not_auth_yet | grep $remote_ip | wc -l 2>&1", $ipset_not_auth_yet); |
if(!$direct_access && $ipset_not_auth_yet[0] == '0'){ # it's the first stage of the interception |
$display_menu = True; # Display menu for user not_auth_yet |
if (!isset($_SERVER['HTTPS'])){ # In HTTP, the user is redirected on it's home page. In HTTPS, it's on the default page (see $redirect_link) |
$redirect_link = $_SERVER['HTTP_HOST']; |
} |
else { # the user isn't authenticated |
if (isset($_GET['url'])) { # it's the second stage (when user has clicked on the button "open a connection") |
$redir = 'http://'.$_GET['url']; |
header("Location: $redir", true, 307); |
exit(); |
} |
if(isset($_GET['url'])){ # it's the second stage (when user has clicked on the button "open a connection") |
exec("sudo /usr/sbin/ipset add not_auth_yet $remote_ip"); # Add user in the ipset "not_auth_yet" (DNS requests not intercepted) |
$redir = "http://".$_GET['url']; |
header("Location: $redir",TRUE,307); |
exit; |
} |
if ($ipset_not_auth_yet[0] == '1'){ # if user not_auth_yet still here (index.php), we force DNS resquest. |
echo "<script>window.location.reload(true)</script>"; # force DNS request |
} |
} |
# Choice of language |
if($Language == 'fr'){ |
409,8 → 394,8 |
$l_uam_domain = "Authorized websites : "; |
} |
$l_title = ($direct_access ? $l_access_welcome : ($network_pb ? $l_access_unavailable : $l_access_denied)); |
$l_explain = ($direct_access ? $l_explain_acc_access : ($network_pb ? $l_explain_net_pb : $l_explain_access_deny)); |
$l_title = ($direct_access ? $l_access_welcome : ($network_pb ? $l_access_unavailable : $l_access_denied)); |
$l_explain = ($direct_access ? $l_explain_acc_access : ($network_pb ? $l_explain_net_pb : $l_explain_access_deny)); |
# set the icons |
$img_rep = "/images/"; |
445,12 → 430,6 |
header("Cache-Control: post-check=0, pre-check=0", false); |
header("Pragma: no-cache"); |
exec("sudo /usr/sbin/ipset list not_filtered | grep $remote_ip | wc -l 2>&1", $ipset_not_filtered); |
# if user is in "ipset_not_filtered" then he must refresh its dns cache (we are in the interception process) |
if (!$direct_access && !$display_menu && ($ipset_not_filtered[0] == '1') && (!$network_pb) && (!isset($_GET['warn']))) { |
echo '<!doctype html><html><head><script>window.location.reload(true)</script></head><body></body></html>'; # force DNS request |
} |
?> |
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> |
<html> |
468,7 → 447,7 |
</head> |
<body onload="valoriserDiv5(text_conn);"> |
<?php |
if ($direct_access || $display_menu){ |
if ($direct_access){ |
echo " |
<div id=\"cadre_titre\" class=\"titre_controle\"> |
<p id=\"acces_controle\" class=\"titre_controle\">$l_title</p>"; |
499,7 → 478,7 |
<div id="box_url"> |
<?php |
// Search blacklist categories |
if ((!$direct_access) && (!$display_menu) && (!$network_pb) && (!isset($_GET['warn']))) { |
if ((!$direct_access) && (!$network_pb) && (!isset($_GET['warn']))) { |
$pattern = str_replace('www.', '', $_SERVER['HTTP_HOST']); |
exec('grep -Re ' . escapeshellarg('^'.$pattern.'$') . " /etc/dansguardian/lists/blacklists/*/domains | cut -d'/' -f6", $output); |
$lists = []; |
538,9 → 517,9 |
$sms_div=''; |
$sms_div_over=''; |
} |
if ($direct_access || $display_menu){ |
if (!$network_pb){ |
echo " |
if ($direct_access) { |
if (!$network_pb) { |
echo " |
<div class=\"box_menu\" id=\"box_conn\" onmouseover=\"valoriserDiv5(text_conn);\"> |
<span>$l_logout</span> |
<img src=\"$img_rep$img_internet\"> |
554,7 → 533,7 |
$domainAllowedHtml .= '<p>'.$l_uam_domain.'<br><ul>'; |
foreach ($tab as $line) { |
if (trim($line) !== '') { // the line isn't empty |
$domain_allowed = explode("#", $line); |
$domain_allowed = explode('#', $line); |
if (trim($domain_allowed[1]) !== '') { |
$domain = explode('"', $domain_allowed[0]); |
// remove every '.' from the beginning of domain |