

Ignore whitespace Rev 3044 → Rev 3046

/alcasar.sh
2174,6 → 2174,7
echo "SSH_LAN=22" >> $CONF_FILE
echo "SSH_WAN=0" >> $CONF_FILE
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
echo "INTERLAN=off" >> $CONF_FILE
echo "LDAP=off" >> $CONF_FILE
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE
echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE
/scripts/alcasar-iptables-bypass.sh
35,6 → 35,8
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1`
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"}
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" )
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
interlan=${interlan:=off}
 
# On vide (flush) toutes les règles existantes
# Flush all existing rules
118,6 → 120,13
# Conntrack on forward
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet
# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router
if [ "$interlan" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP
fi
 
# Insertion de règles de blocage
# Here, we add block rules
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
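Review bot: The new rule `$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP` fails open whenever `$public_ip_mask` is empty or expands to more than one word: iptables rejects the malformed command, no rule is installed, and the script carries on, so the network between ALCASAR and the router stays reachable exactly when the operator asked for it to be blocked. Where this script sets `public_ip_mask` is outside the hunk; if it mirrors alcasar-iptables.sh it may hold the literal `dhcp` or the raw multi-line output of `egrep -o`. A guard before the rule makes the failure visible instead of silent, e.g. `[ -n "$public_ip_mask" ] || { echo "public_ip_mask is empty, inter-LAN DROP rule skipped" >&2; exit 1; }`, and `-d "$public_ip_mask"` should be quoted. The same rule is added in alcasar-iptables.sh in the hunk starting at line 420 and needs the same guard.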
/scripts/alcasar-iptables.sh
22,8 → 22,10
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24)
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24)
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
dhcp_on_extif="off"
if [[ "$public_ip_mask" == "dhcp" ]]
then
dhcp_on_extif="on"
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b"
public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`
fi
57,6 → 59,8
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2`
interlan=${interlan:=off}
 
# Allow requests to internal DNS if activated
if [ "$INT_DNS_ACTIVE" = "on" ]
323,14 → 327,14
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP
 
# Si configéré, on autorise les réponses DHCP
# Allow DHCP answers if configured
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
if [[ "$public_ip_mask" == "dhcp" ]]
# Si configuré, on autorise les réponses DHCP sur EXTIF
# If configured, DHCP responses are allowed on EXTIF
if [[ "$dhcp_on_extif" == "on" ]]
then
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 68 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 68 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 68 -j ACCEPT
fi
 
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation)
# Drop broadcast & multicast on EXTIF to avoid log
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
420,6 → 424,13
#############################
# FORWARD #
#############################
# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet
# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router
if [ "$interlan" != "on" ]
then
$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP
fi
 
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl
# Deny IPs of the SET bl_ip_blocked for the set av_bl
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited
514,10 → 525,9
# We let everything out on INTIF (see following rules for the EXTIF)
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT
 
# Si configuré, on autorise les requêtes DHCP
# Allow DHCP requests if configured
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address
if [[ "$public_ip_mask" == "dhcp" ]]
# Si configuré, on autorise les requêtes DHCP sur EXTIF
# Allow DHCP requests on EXTIF if configured
if [[ "$dhcp_on_extif" == "on" ]]
then
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT
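Review bot: In the hunk at line 22, the `ip addr show $EXTIF | egrep -o $PTN` substitution can print several lines (EXTIF with more than one IPv4 address or an alias) or nothing at all (no lease yet), and that value is later used verbatim as the `-d` argument of the FORWARD DROP rule in the hunk at line 420. `$PTN` is also unquoted, so its `[...]` and `?` are subject to glob expansion against the current directory before egrep sees them. Suggested: `public_ip_mask=$(ip addr show "$EXTIF" | grep -Eo "$PTN" | head -n 1)`, followed by a non-empty check that logs and stops rather than continuing with a DROP rule that was never installed. The rest of the variable setup is outside the hunk, so such a check may already exist further down; if so, disregard.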
/web/acc/admin/network.php
1,6 → 1,5
<?php
# $Id$
 
// written by steweb57, Rexy, Tom HOUDAYER & Pierre RIVAULT
 
/********************
83,6 → 82,7
$l_ssh_from = "IP autorisée";
$l_ssh_wan_activate = "Activer SSH sur WAN";
$l_ssh_lan_activate = "Activer SSH sur LAN";
$l_interlan_title = "Autoriser l'accès au réseau situé entre ALCASAR et le routeur d'accès à Internet";
$l_cert_expiration = "Date d'expiration :";
$l_cert_commonname = "Nom commun :";
$l_cert_organization = "Organisation :";
151,6 → 151,7
$l_ssh_from = "IP autorizada";
$l_ssh_wan_activate = "Activar SSH on WAN";
$l_ssh_lan_activate = "Activar SSH on LAN";
$l_interlan_title = "Permitir el acceso a la red entre ALCASAR y el router de acceso a Internet";
$l_cert_expiration = "Fecha de vencimiento:";
$l_cert_commonname = "Common name:";
$l_cert_organization = "Organización:";
218,6 → 219,7
$l_ssh_from = "Authorized IP";
$l_ssh_wan_activate = "Activate SSH on WAN";
$l_ssh_lan_activate = "Activate SSH on LAN";
$l_interlan_title = "Authorize access to the network located between ALCASAR and Internet broadband router";
$l_cert_expiration = "Expiration date:";
$l_cert_commonname = "Common name:";
$l_cert_organization = "Organization:";
413,6 → 415,16
}
header('Location: '.$_SERVER['PHP_SELF']);
exit();
case 'interlan':
$CONF_FILE = CONF_FILE;
if (isset($_POST['interlan'])) {
exec('/bin/sed -i "s/^INTERLAN=.*/INTERLAN=on/g"'.$CONF_FILE);
} else {
exec('/bin/sed -i "s/^INTERLAN=.*/INTERLAN=off/g" '.$CONF_FILE);
}
exec('sudo /usr/local/bin/alcasar-iptables.sh');
header('Location: '.$_SERVER['PHP_SELF']);
exit();
}
 
// Network changes
1199,6 → 1211,17
</div>
<br>
<div class="panel">
<div class="panel-header"><?= $l_interlan_title ?></div>
<div class="panel-row">
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<input type="hidden" name="choix" value="interlan">
<input type="checkbox" name="interlan" id="interlan" <?= ($conf['INTERLAN'] === 'on')? "checked": "" ?>><b><?= $l_interlan_title ?></b><br>
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" value="<?= $l_apply ?>"><br>
</form>
</div>
</div>
<br>
<div class="panel">
<div class="panel-header"><?= $l_ssh_title ?></div>
<table width="100%" cellspacing="0" cellpadding="5" border="1">
<tr>
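Review bot: In the hunk at line 413, the enabling branch `exec('/bin/sed -i "s/^INTERLAN=.*/INTERLAN=on/g"'.$CONF_FILE);` lacks the space before the filename that the disabling branch has, so the path is glued onto the sed expression, sed exits with an error, INTERLAN is never switched to `on`, and `alcasar-iptables.sh` is then re-run with the unchanged value. Neither exec() return value is checked, so the page redirects as if the change had succeeded. Fix: `exec('/bin/sed -i "s/^INTERLAN=.*/INTERLAN=on/g" '.$CONF_FILE);`. The `switch` this `case` belongs to starts outside the hunk.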