/alcasar.sh |
10,7 → 10,7 |
# ALCASAR is based on a stripped Mandriva (LSB) with the following open source softwares : |
# ALCASAR est architecturé autour d'une distribution Linux Mandriva minimaliste et les logiciels libres suivants : |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, mondo, mindi, dialupadmin, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, mondo, mindi, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes |
# Options : |
# -i or --install |
29,7 → 29,6 |
# param_squid : Configuration du proxy squid en mode 'cache' |
# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian |
# antivirus : Installation havp + libclamav |
# firewall : Mise en place des règles du parefeu et de l'interface WEB FirewallEyes |
# param_awstats : Configuration de l'interface des statistiques de consultation WEB |
# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours |
# BL : Configuration de la BlackList |
308,7 → 307,7 |
classe_sup=`expr $classe + 1` |
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # dernier octet de l'@ de réseau |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.) |
PRIVATE_MASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # masque réseau de consultation (ex.: 255.255.255.0) |
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # masque réseau de consultation (ex.: 255.255.255.0) |
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_IP_MASK | cut -d"=" -f2` # @ broadcast réseau de consultation (ex.: 192.168.182.255) |
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # dernier octet de l'@ de broadcast |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # @ip du portail (côté réseau de consultation) |
324,11 → 323,11 |
PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` |
PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24) |
PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` |
echo "- WAN IP address ($EXTIF) :\t$PUBLIC_IP/$PUBLIC_PREFIX" >> $FIC_PARAM |
echo "- Gateway IP address :\t$PUBLIC_GATEWAY" >> $FIC_PARAM |
echo "- DNS servers :\t$DNS1 and $DNS2" >> $FIC_PARAM |
echo "- LAN IP address ($INTIF) :\t$PRIVATE_IP_MASK" >> $FIC_PARAM |
echo "- Dynamic IP addresses (DHCP) :\tfrom $PRIVATE_DYN_FIRST_IP to $PRIVATE_DYN_LAST_IP" >> $FIC_PARAM |
echo -e "- WAN IP address ($EXTIF) :\t$PUBLIC_IP/$PUBLIC_PREFIX" >> $FIC_PARAM |
echo -e "- Gateway IP address :\t\t$PUBLIC_GATEWAY" >> $FIC_PARAM |
echo -e "- DNS servers :\t\t\t$DNS1 and $DNS2" >> $FIC_PARAM |
echo -e "- LAN IP address ($INTIF) :\t$PRIVATE_IP_MASK" >> $FIC_PARAM |
echo -e "- Dynamic IP addresses (DHCP) :\tfrom $PRIVATE_DYN_FIRST_IP to $PRIVATE_DYN_LAST_IP" >> $FIC_PARAM |
echo "#### ALCASAR Network parameters ####" > $DIR_DEST_ETC/alcasar-network |
echo "# Lauch the script 'alcasar-network.sh' after your changes" >> $DIR_DEST_ETC/alcasar-network |
echo "# Lancez le script 'alcasar-network.sh' après vos modifications" >> $DIR_DEST_ETC/alcasar-network |
375,7 → 374,7 |
DEVICE=$INTIF |
BOOTPROTO=static |
IPADDR=$PRIVATE_IP |
NETMASK=$PRIVATE_MASK |
NETMASK=$PRIVATE_NETMASK |
ONBOOT=yes |
METRIC=10 |
NOZEROCONF=yes |
400,7 → 399,7 |
server 2.fr.pool.ntp.org |
server 127.127.1.0 # local clock si NTP internet indisponible ... |
fudge 127.127.1.0 stratum 10 |
restrict $PRIVATE_NETWORK mask $PRIVATE_MASK nomodify notrap |
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap |
restrict 127.0.0.1 |
driftfile /var/lib/ntp/drift |
logfile /var/log/ntp.log |
411,7 → 410,7 |
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default |
cat <<EOF > /etc/hosts.allow |
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP |
sshd: $PRIVATE_NETWORK_SHORT |
sshd: ALL |
ntpd: $PRIVATE_NETWORK_SHORT |
EOF |
[ -e /etc/host.deny.default ] || cp /etc/hosts.deny /etc/hosts.deny.default |
418,6 → 417,13 |
cat <<EOF > /etc/hosts.deny |
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) & |
EOF |
# Firewall config |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
# création du fichier d'exception au filtrage |
touch $DIR_DEST_ETC/alcasar-filter-exceptions |
# le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh) |
} # End of network () |
################################################################## |
539,7 → 545,6 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from $SRC_ADMIN |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
554,7 → 559,6 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from $SRC_ADMIN |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
569,7 → 573,6 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from $SRC_ADMIN |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
584,7 → 587,6 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from $SRC_ADMIN |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
600,7 → 602,6 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from $SRC_ADMIN |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
952,24 → 953,6 |
} |
################################################################################## |
## Fonction firewall ## |
## - adaptation des scripts du parefeu ## |
## - mise en place des règles et sauvegarde pour un lancement automatique ## |
################################################################################## |
firewall () |
{ |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^PRIVATE_NETWORK_MASK=.*?PRIVATE_NETWORK_MASK=\"$PRIVATE_NETWORK_MASK\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^PRIVATE_IP=.*?PRIVATE_IP=\"$PRIVATE_IP\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^DNSSERVERS=.*?DNSSERVERS=\"$DNS1,$DNS2\"?g" $DIR_DEST_BIN/alcasar-iptables.sh |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
# création du fichier d'exception au filtrage |
touch $DIR_DEST_ETC/alcasar-filter-exceptions |
# le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh) |
} # End of firewall () |
################################################################################## |
## param_ulogd function ## |
## - Ulog config for multi-log files ## |
################################################################################## |
1079,7 → 1062,7 |
server=$DNS1 |
server=$DNS2 |
# le servive DHCP est configuré mais n'est exploité que pour le "bypass" |
dhcp-range=$PRIVATE_DYN_FIRST_IP,$PRIVATE_DYN_LAST_IP,$PRIVATE_MASK,12h |
dhcp-range=$PRIVATE_DYN_FIRST_IP,$PRIVATE_DYN_LAST_IP,$PRIVATE_NETMASK,12h |
#dhcp-option=3,1.2.3.4 |
#dhcp-option=option:router,1.2.3.4 |
#dhcp-option=42,0.0.0.0 |
1261,8 → 1244,9 |
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
# sshd écoute côté LAN |
# sshd écoute côté LAN et WAN |
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config |
# sshd n'est pas lancé automatiquement au démarrage |
/sbin/chkconfig --del sshd |
echo "SSH=off" >> $DIR_DEST_ETC/alcasar-network |
1514,7 → 1498,7 |
else |
mode="install" |
fi |
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus firewall param_ulogd param_awstats param_dnsmasq BL cron post_install |
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install |
do |
$func |
echo "*** 'debug' : end of function $func ***"; read a |
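Review bot: The hosts.allow change to `sshd: ALL` (hunk 411) together with the `ListenAddress $PUBLIC_IP` appended in hunk 1261 drops the TCP-wrapper restriction of sshd to the LAN, so once SSH=on the only remaining filter is the iptables rule in scripts/alcasar-iptables.sh, whose source is hard-coded to `0.0.0.0/0.0.0.0`. Keeping `sshd: $PRIVATE_NETWORK_SHORT` and listing any WAN administration source as a second explicit entry (e.g. `sshd: $PRIVATE_NETWORK_SHORT, <ADMIN_SOURCE_PLACEHOLDER>`) would preserve the second layer the script relied on before. The sed `a\ListenAddress $PUBLIC_IP` also appears not to be idempotent: if alcasar.sh is run again over an already patched sshd_config (the `.default` copy guard on the line above suggests re-runs are expected), another `ListenAddress $PUBLIC_IP` is appended each time, and the unescaped dots in `$PRIVATE_IP` make the address match looser than intended. Prefixing that sed with `grep -q "^ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config ||` would address the duplication; the enclosing function of that hunk starts and ends outside it.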
/CHANGELOG |
1,7 → 1,9 |
# $Id$ |
************ CHANGELOG *********** |
---- 2.1a ---- |
- add automatic network parameters update script (/usr/local/sbin/alcasar-network.sh + /usr/local/etc/alcasar-network) |
---- 2.1 ---- |
- mise en conformité du parefeu avec les préco ANSSI (politiques à DROP + sysctrl) |
- amélioration de la fonction bastion en limitant la charge sur l'interface externe (thanks to CPN) |
- amélioration de la gestion des RPM 'wget' au lieu de 'curl' et changement de repository en 'live' |
/scripts/alcasar-iptables-bypass.sh |
3,22 → 3,19 |
# script d'initialisation des regles du parefeu en mode ByPass |
# Rexy - 3abtux |
# version 2.0 - 12/2010 |
# changelog : |
# + Prise en compte de regles locales |
# + prise en compte optionnelle d'un fichier iptables 'personnel' permettant de bloquer certains flux/services |
# + suppression du broadcast et du multicast sur les interfaces |
# + adaptation dnsmasq |
private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2` |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0) |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24) |
IPTABLES="/sbin/iptables" |
EXTIF="eth0" |
INTIF="eth1" |
PRIVATE_NETWORK_MASK="192.168.182.0/24" |
PRIVATE_IP="192.168.182.1" |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
# On vide (flush) toutes les règles existantes |
# Flush all existing rules |
$IPTABLES -F |
$IPTABLES -t nat -F |
$IPTABLES -F INPUT |
26,6 → 23,7 |
$IPTABLES -F OUTPUT |
# On indique les politiques par défaut |
# Default policies |
$IPTABLES -P INPUT DROP |
$IPTABLES -P FORWARD DROP |
$IPTABLES -P OUTPUT ACCEPT |
34,25 → 32,24 |
$IPTABLES -t nat -P OUTPUT ACCEPT |
# On efface toutes les chaînes qui ne sont pas par défaut dans les tables filter et nat |
# Flush non default rules on filter and nat tables |
$IPTABLES -X |
$IPTABLES -t nat -X |
# On autorise tout sur loopback |
# accept all on loopback |
$IPTABLES -A INPUT -i lo -j ACCEPT |
# on autorise les requêtes dhcp |
# accept dhcp |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT |
# Règles d'antispoofing |
$IPTABLES -A INPUT -i $INTIF ! -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof1 -- DENY " |
$IPTABLES -A INPUT -i $INTIF ! -s $PRIVATE_NETWORK_MASK -j DROP |
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j ULOG --ulog-prefix "RULE Antispoof2 -- DENY " |
$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -j DROP |
# On drop le broadcast et le multicasat sur les interfaces (sans Log) |
# On drop le broadcast et le multicast sur les interfaces (sans Log) |
# Drop broadcast & multicast |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
# On autorise le ping dans les deux sens (icmp N°0 & 8) en provenance du LAN |
# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN |
# Allow ping (icmp N°0 & 8) from LAN |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT |
61,7 → 58,8 |
. /usr/local/etc/alcasar-iptables-local.sh |
fi |
# On autorise en FORWARD les connexions déjà établies |
# On autorise les retours de connexions légitimes par FORWARD |
# Conntrack on forward |
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT |
# On autorise les demandes de connexions sortantes |
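Review bot: `private_ip_mask` is read with an unanchored `grep PRIVATE_IP`, so any other line mentioning PRIVATE_IP in /usr/local/etc/alcasar-network (a comment, or a future PRIVATE_IP_MASK key) ends up in the variable, and nothing checks that the result is non-empty before it is passed unquoted to ipcalc and into the `-s $PRIVATE_NETWORK_MASK` antispoofing rules. With an empty value PRIVATE_NETWORK_MASK becomes `/`, those rules will most likely fail to load, and the script carries on with the DROP policies already applied above them. Anchor the key and fail early: `private_ip_mask=$(grep '^PRIVATE_IP=' /usr/local/etc/alcasar-network | cut -d'=' -f2)` followed by `[ -n "$private_ip_mask" ] || { echo "PRIVATE_IP missing in /usr/local/etc/alcasar-network" >&2; exit 1; }`. The same pattern appears in the first hunk of scripts/alcasar-iptables.sh (private_ip_mask, dns1, dns2) and in scripts/sbin/alcasar-network.sh (PRIVATE_IP_MASK, PUBLIC_IP_MASK, PUBLIC_GATEWAY, DNS1, DNS2).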
/scripts/alcasar-iptables.sh |
9,16 → 9,22 |
# 3 for exterior access attempts. |
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script |
private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2` |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0) |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24) |
dns1=`grep DNS1 /usr/local/etc/alcasar-network|cut -d"=" -f2` # first public DNS server |
dns2=`grep DNS2 /usr/local/etc/alcasar-network|cut -d"=" -f2` # second public DNS server |
IPTABLES="/sbin/iptables" |
PROTO_FILTERING="no" |
DNS_FILTERING="no" |
QOS="no" |
EXTIF="eth0" |
EXTIF="eth0" |
INTIF="eth1" |
TUNIF="tun0" |
PRIVATE_NETWORK_MASK="192.168.182.0/24" |
PRIVATE_IP="192.168.182.1" |
DNSSERVERS="208.67.220.220,208.67.222.222" |
TUNIF="tun0" # listen card for chilli daemon |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
# Effacement des règles existantes |
# Flush all existing rules |
77,17 → 83,6 |
# Drop broadcast & multicast |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
# On laisse passer les ICMP echo-request et echo-reply en provenance du LAN |
# Allow ping (icmp N°0 & 8) from LAN |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT |
# Insertion de règles locales |
# Here, we add local rules (i.e. ssh from Internet) |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then |
. /usr/local/etc/alcasar-iptables-local.sh |
fi |
# Rejet des tentatives de création de tunnels DNS (même pour les utilisateurs authentifiés) |
# Deny forward DNS (even for authenticated users ...) |
$IPTABLES -A FORWARD -i $TUNIF -p udp --dport domain -j REJECT --reject-with icmp-port-unreachable |
166,18 → 161,36 |
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -m state --state NEW -j ACCEPT |
########################################################################################### |
# Direct input from local network (dns, ntp, https, http, ssh and 3990 (user disconnect) # |
########################################################################################### |
################################################################################################# |
# Direct input from local network (icmp, dns, ntp, https, http, ssh and 3990 (user disconnect) # |
################################################################################################# |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT # ping reply |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT # ping request |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # dnsmasq without forward |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT # dnsmasq with blackhole |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT |
# SSHD rules if activate |
ssh_active=`grep SSH /usr/local/etc/alcasar-network|cut -d"=" -f2` |
if [ $ssh_active = "on" ] |
then |
Admin_from_IP="0.0.0.0/0.0.0.0" # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! ) |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW,ESTABLISHED -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT |
fi |
# Insertion de règles locales |
# Here, we add local rules (i.e. ssh from Internet) |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then |
. /usr/local/etc/alcasar-iptables-local.sh |
fi |
# On autorise les retours de connexions légitimes par INPUT |
# Conntrack on INPUT |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
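Review bot: In the new `if [ $ssh_active = "on" ]` block, `Admin_from_IP="0.0.0.0/0.0.0.0"` is hard-coded, so switching SSH=on from the control centre opens port 22 on $EXTIF to every source; the previous copy of this rule in scripts/etc/alcasar-iptables-local.sh (deleted by this commit) at least lived in a file the administrator edits, and its comment invited narrowing the source. Consider reading it from the same config file, e.g. `Admin_from_IP=$(grep '^<ADMIN_KEY_PLACEHOLDER>=' /usr/local/etc/alcasar-network | cut -d'=' -f2)` with a documented fallback, so the restriction survives reinstalls of this script. `ssh_active` is unquoted in the test and obtained with an unanchored `grep SSH`; write `ssh_active=$(grep '^SSH=' /usr/local/etc/alcasar-network | cut -d'=' -f2)` and `if [ "$ssh_active" = "on" ]`, which matters because that file is rewritten by the web front-end (web/acc/admin/network.php in this commit) just before this script is run through sudo. The two ssh-from-LAN rules appear both above the `if` and inside it; if both survive on the new side the ones inside the block are redundant, but the marker column is not visible here.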
/scripts/alcasar-conf.sh |
38,7 → 38,7 |
/usr/local/sbin/alcasar-mysql.sh -dump |
cp /var/Save/base/`ls /var/Save/base|tail -1` $DIR_UPDATE |
# Sauvegarde du nom d'organisme |
echo `cat /root/ALCASAR-parameters.txt|grep Organisme|cut -d":" -f2|tr -d " "` > $DIR_UPDATE/organisme |
echo `cat /root/ALCASAR-parameters.txt|grep Organism|cut -d":" -f2|tr -d " "` > $DIR_UPDATE/organisme |
# Sauvegarde du logo |
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE |
# Sauvegarde des fichiers exploités par dansguardian |
116,6 → 116,8 |
# On active/désactive le filtrage de protocoles |
active_filter=`cat $DIR_UPDATE/alcasar-iptables.sh|grep ^FILTERING|cut -d"=" -f2` |
$SED "s/^FILTERING=.*/FILTERING=$active_filter/g" $DIR_BIN/alcasar-iptables.sh |
# On applique les paramètres réseau |
... |
# Effacement du répertoire d'update |
rm -rf $DIR_UPDATE |
;; |
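Review bot: The added line `...` under `# On applique les paramètres réseau` is a bare word, not a comment, so bash will try to execute a command named `...` and print "command not found" every time this case arm runs; placed just before `rm -rf $DIR_UPDATE` it does not stop the update but leaves a stray error on stderr. Either comment it out (`# ...`), as the matching placeholder in scripts/sbin/alcasar-network.sh is, or put the intended call there. The enclosing case arm starts outside the hunk.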
/scripts/etc/alcasar-iptables-local.sh |
7,18 → 7,10 |
# + autorisation de l'ICMP vers eth0 |
# + autorisation de SSH par eth0 |
Admin_from_IP="0.0.0.0/0.0.0.0" # Une @IP fixe peut-être fournie pour affiner le filtrage : 192.168.1.0/24 { 0.0.0.0/0.0.0.0 } = de n'importe où ! |
# On autorise le ping dans les deux sens (echo & request) (icmp N°0 & 8) en provenance de l'extérieur |
#$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 0 -j ACCEPT |
#$IPTABLES -A INPUT -i $EXTIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT |
# Règles permettant d'autoriser l'administration à distance ( modifier également /etc/ssh/sshd_config et /etc/hosts.allow ) |
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT" |
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport ssh -s $Admin_from_IP -m state --state NEW,ESTABLISHED -j ACCEPT |
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT |
# Fin du script des règles du parefeu |
/scripts/sbin/alcasar-network.sh |
8,7 → 8,9 |
# Installation des paramètres réseau d'ALCASAR |
# ******* Global ******* |
DIR_DEST_ETC="/usr/local/etc" # répertoire des fichiers de conf |
DIR_DEST_ETC="/usr/local/etc" # alcasar conf files folder |
DIR_DEST_BIN="/usr/local/bin/" # alcasar scripts folder |
DIR_WEB="/var/www/html" # alcasar control center |
FIC_PARAM="/root/ALCASAR-parameters.txt" |
HOSTNAME="alcasar" |
DOMAIN="localdomain" # domaine local |
17,22 → 19,22 |
SED="/bin/sed -i" |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/[012]?[0-9]\b" |
PRIVATE_IP_MASK=`cat $DIR_DEST_ETC/alcasar-network|grep PRIVATE_IP|cut -d"=" -f2` |
PRIVATE_IP_MASK=`grep PRIVATE_IP $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2` |
check=$(echo $PRIVATE_IP_MASK | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
echo "Syntax error for PRIVATE_IP ($PRIVATE_IP)" |
echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)" |
exit 0 |
fi |
PUBLIC_IP_MASK=`cat $DIR_DEST_ETC/alcasar-network|grep PUBLIC_IP|cut -d"=" -f2` |
PUBLIC_IP_MASK=`grep PUBLIC_IP $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2` |
check=$(echo $PUBLIC_IP_MASK | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
echo "Syntax error for PUBLIC_IP ($PUBLIC_IP)" |
echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)" |
exit 0 |
fi |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b" |
PUBLIC_GATEWAY=`cat $DIR_DEST_ETC/alcasar-network|grep GW|cut -d"=" -f2` |
PUBLIC_GATEWAY=`grep GW $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2` |
check=$(echo $PUBLIC_GATEWAY | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
39,18 → 41,18 |
echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)" |
exit 0 |
fi |
DNS1=`cat $DIR_DEST_ETC/alcasar-network|grep DNS1|cut -d"=" -f2` |
DNS1=`grep DNS1 $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2` |
check=$(echo $PUBLIC_GATEWAY | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
echo "Syntax error for the IP address of the first DNS server ($EXT_GATEWAY)" |
echo "Syntax error for the IP address of the first DNS server ($DNS1)" |
exit 0 |
fi |
DNS2=`cat $DIR_DEST_ETC/alcasar-network|grep DNS2|cut -d"=" -f2` |
DNS2=`grep DNS2 $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2` |
check=$(echo $PUBLIC_GATEWAY | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
echo "Syntax error for the IP address of the second DNS server ($EXT_GATEWAY)" |
echo "Syntax error for the IP address of the second DNS server ($DNS2)" |
exit 0 |
fi |
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0) |
60,17 → 62,50 |
classe_sup=`expr $classe + 1` |
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # dernier octet de l'@ de réseau |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.) |
PRIVATE_MASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # masque réseau de consultation (ex.: 255.255.255.0) |
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # masque réseau de consultation (ex.: 255.255.255.0) |
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_IP_MASK | cut -d"=" -f2` # @ broadcast réseau de consultation (ex.: 192.168.182.255) |
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # dernier octet de l'@ de broadcast |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # @ip du portail (côté réseau de consultation) |
PRIVATE_DYN_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 2` # @ip du portail (côté réseau de consultation) |
PRIVATE_DYN_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # @ip du portail (côté réseau de consultation) |
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1` # @IP du portail (côté Internet) |
PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2` # masque réseau côté Internet (ex.: 255.255.255.0) |
# Change in ALCASAR-parameters |
$SED "s?^- WAN IP.*?- WAN IP address ($EXTIF) :\t$PUBLIC_IP_MASK?g" $FIC_PARAM |
$SED "s?^- Gateway.*?- Gateway IP addess :\t$PUBLIC_GATEWAY?g" $FIC_PARAM |
$SED "s?^- DNS servers.*?- DNS servers :\t$DNS1 and $DNS2?g" $FIC_PARAM |
$SED "s?^- Gateway.*?- Gateway IP addess :\t\t$PUBLIC_GATEWAY?g" $FIC_PARAM |
$SED "s?^- DNS servers.*?- DNS servers :\t\t\t$DNS1 and $DNS2?g" $FIC_PARAM |
$SED "s?^- LAN IP.*?- LAN IP address ($INTIF) :\t$PRIVATE_IP_MASK?g" $FIC_PARAM |
$SED "s?^- Dynamic.*?- Dynamic IP addresses (DHCP) :\tfrom $PRIVATE_DYN_FIRST_IP to $PRIVATE_DYN_LAST_IP?g" $FIC_PARAM |
# Change in ... |
# Networt Cards config |
$SED "s?^IPADDR=.*?IPADDR=$PUBLIC_IP?" /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
$SED "s?^NETMASK=.*?NETMASK=$PUBLIC_NETMASK?" /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
$SED "s?^GATEWAY=.*?GATEWAY=$PUBLIC_GATEWAY?" /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
$SED "s?^IPADDR=.*?IPADDR=$PRIVATE_IP?" /etc/sysconfig/network-scripts/ifcfg-$INTIF |
$SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/ifcfg-$INTIF |
# NTP server |
$SED "s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap\nrestrict 127.0.0.1?" /etc/ntp.conf |
$SED "s?^ntpd:.*?ntpd: $PRIVATE_NETWORK_SHORT?" /etc/hosts.allow |
# Alcasar control center |
FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf` |
$SED "s?^\$private_ip =.*?\$private_ip = \"$PRIVATE_IP\";?g" $DIR_WEB/index.php |
$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf |
$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL |
#... |
# Start / Stop SSH Daemon |
ssh_active=`grep SSH $DIR_DEST_ETC/alcasar-network|cut -d"=" -f2` |
if [ $ssh_active = "on" ] |
then |
/sbin/chkconfig --add sshd |
else |
/sbin/chkconfig --del sshd |
fi |
$DIR_DEST_BIN/alcasar-iptables.sh |
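Review bot: The DNS checks in hunk 39 still validate the wrong variable: both `check=$(echo $PUBLIC_GATEWAY | egrep $PTN)` lines that follow the new `DNS1=`/`DNS2=` assignments test the gateway again, so a malformed DNS address passes and is written into the files below; the commit fixed the error messages but not the inputs, which should read `check=$(echo $DNS1 | egrep $PTN)` and `check=$(echo $DNS2 | egrep $PTN)`. Every validation branch then ends with `exit 0`, which reports success to whatever invokes this script and hides the syntax error; `exit 1` would let callers detect it. In the new NTP block, `s?^restrict.*?restrict … \nrestrict 127.0.0.1?` rewrites every line beginning with `restrict`, and the ntp.conf generated by alcasar.sh contains two of them, so each run appears to leave duplicated `restrict` lines; matching only the LAN line (e.g. `^restrict [0-9].* mask`) and leaving `restrict 127.0.0.1` alone is safer. The `find ... -name *mod_ssl.conf` pattern is also unquoted and would be expanded by the shell if a matching file exists in the current directory; quote it as `-name '*mod_ssl.conf'`.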
/scripts/sbin/alcasar-uninstall.sh |
114,11 → 114,6 |
fi |
sleep 1 |
#firewall |
echo -en "\n- firewall(1) : " |
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "1" |
sleep 1 |
#param_ulogd |
echo -en "\n- ulogd(2) : " |
if [ -e /etc/init.d/ulogd.default ] |
178,7 → 173,7 |
sleep 1 |
# network |
echo -en "\n- network(7) : " |
echo -en "\n- network(8) : " |
hostname localhost |
/sbin/ifdown eth0 |
[ -e /etc/sysconfig/network-scripts/default-ifcfg-eth0 ] && mv /etc/sysconfig/network-scripts/default-ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0 && echo -n "1, " |
187,7 → 182,8 |
[ -e /etc/sysconfig/network-scripts/ifcfg-eth1 ] && rm -f /etc/sysconfig/network-scripts/ifcfg-eth1 && echo -n "4, " |
[ -e /etc/ntp.conf.default ] && mv /etc/ntp.conf.default /etc/ntp.conf && echo -n "5, " |
[ -e /etc/hosts.allow.default ] && mv /etc/hosts.allow.default /etc/hosts.allow && echo -n "6, " |
[ -e /etc/hosts.deny.default ] && mv /etc/hosts.deny.default /etc/hosts.deny && echo -n "7" |
[ -e /etc/hosts.deny.default ] && mv /etc/hosts.deny.default /etc/hosts.deny && echo -n "7, " |
[ -e /etc/sysconfig/iptables ] && rm -f /etc/sysconfig/iptables && echo -n "8" |
echo |
/sbin/ifup eth0 |
sleep 1 |
/web/acc/admin/network.php |
109,10 → 109,12 |
if ($action == "start"){ |
exec("sudo /sbin/chkconfig --add $service"); |
file_put_contents(ALCASAR_NETWORK, str_replace('SSH=off', 'SSH=on', file_get_contents(ALCASAR_NETWORK))); |
exec ("sudo /usr/local/bin/alcasar-iptables.sh"); |
} |
if ($action == "stop"){ |
exec("sudo /sbin/chkconfig --del $service"); |
file_put_contents(ALCASAR_NETWORK, str_replace('SSH=on', 'SSH=off', file_get_contents(ALCASAR_NETWORK))); |
exec ("sudo /usr/local/bin/alcasar-iptables.sh"); |
} |
} |
return $retstatus; |