
Ignore whitespace Rev 3098 → Rev 3099

/alcasar.sh
2,7 → 2,7
# $Id$
 
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, dnsmasq, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, clamav, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
# contact : info@alcasar.net
 
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
27,7 → 27,6
# ulogd : Log system in userland (match NFLOG target of iptables)
# nfsen : Configuration of Netflow grapher (nfsen) & netflow collector (nfcapd)
# unbound : Name server configuration
# dnsmasq : Name server configuration (for whitelist ipset support)
# vnstat : Little network stat daemon
# BL : Adaptation of Toulouse University BlackList : split into 3 BL (for unbound, for e2guardian and for Netfilter)
# cron : Logs export + watchdog + connexion statistics
1497,40 → 1496,6
$SED "s?^ReadWritePaths=.*?ReadWritePaths=/var/log?g" /etc/systemd/system/vnstat.service
} # End of vnstat()
 
###################################################################
## "dnsmasq" ##
## - creation of the conf files of dnsmasq (whitelist for ipset )##
###################################################################
dnsmasq()
{
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
[ -e /etc/dnsmasq.conf.default ] || mv /etc/dnsmasq.conf /etc/dnsmasq.conf.default
# dnsmasq listen on udp 55 ("dnsmasq with whitelist")
cat << EOF > /etc/dnsmasq-whitelist.conf
# Configuration file for "dnsmasq with whitelist"
# ADD Toulouse university whitelist domains
pid-file=/run/dnsmasq-whitelist.pid
listen-address=127.0.0.1
port=55
no-dhcp-interface=lo
bind-interfaces
cache-size=1024
domain-needed
expand-hosts
bogus-priv
filterwin2k
ipset=/#/wl_ip_allowed # dynamically add the resolv IP address in the Firewall rules
server=$DNS1
server=$DNS2
EOF
 
# Don't run dnsmasq service. Create dnsmasq-whitelist unit
systemctl disable dnsmasq.service
cp -f /lib/systemd/system/dnsmasq.service /etc/systemd/system/dnsmasq-whitelist.service
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /etc/systemd/system/dnsmasq-whitelist.service
$SED "s?^PIDFile=.*?PIDFile=/run/dnsmasq-whitelist.pid?g" /etc/systemd/system/dnsmasq-whitelist.service
} # End of dnsmasq()
 
#########################################################
## "unbound" ##
## - create the conf files for 4 unbound services ##
1657,6 → 1622,7
# Configuration file for whitelist unbound
cat << EOF > /etc/unbound/unbound-whitelist.conf
server:
module-config: "ipset validator iterator"
verbosity: 1
hide-version: yes
hide-identity: yes
1665,13 → 1631,14
define-tag: "whitelist"
local-zone: "." transparent
local-zone-tag: "." "whitelist"
include: /etc/unbound/conf.d/common/forward-zone.conf
include: /etc/unbound/conf.d/common/local-forward/*
include: /etc/unbound/conf.d/common/local-dns/*
include: /etc/unbound/conf.d/whitelist/*
include: /usr/local/share/unbound-wl-enabled/*
forward-zone:
name: "."
forward-addr: 127.0.0.1@55
username: ""
ipset:
name-v4: "wl_ip_allowed"
EOF
 
# Configuration file for $INTIF of blackhole unbound
1705,7 → 1672,7
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/unbound -d -c /etc/unbound/unbound-$list.conf?g" /etc/systemd/system/unbound-$list.service
$SED "s?^PIDFile=.*?PIDFile=/run/unbound-$list.pid?g" /etc/systemd/system/unbound-$list.service
done
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service dnsmasq-whitelist.service?g" /etc/systemd/system/unbound-whitelist.service
$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /etc/systemd/system/unbound-whitelist.service
} # End of unbound()
 
##################################################
1823,7 → 1790,7
EOF
cat <<EOF > /etc/cron.d/alcasar-watchdog
# 'alcasar-watchdog.sh' : run the "watchdog" (every 10')
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with dnsmasq-whitelist hook (every sunday at 0:05 am)
# 'alcasar-flush_ipset_wl.sh' : empty the IPSET of the whitelisted IP loaded dynamically with unbound-whitelist hook (every sunday at 0:05 am)
# 'alcasar-watchdog.sh --disconnect-permanent-users' : disconnect users with attribute "Alcasar-Status-Page-Must-Stay-Open" (daily --> see "cron.daily")
# 'alcasar-watchdog-hl.sh' : (optionnaly) remove the IP 0.0.0.0 from chilli cache memory
*/10 * * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
2232,7 → 2199,7
done
/usr/bin/systemctl daemon-reload
# processes started at boot time (Systemctl)
for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
do
/usr/bin/systemctl -q enable $i.service
done
2477,7 → 2444,7
fi
mode="update"
fi
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat dnsmasq unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install
for func in init network CA ACC time_server init_db freeradius chilli e2guardian antivirus ulogd nfsen vnstat unbound dhcpd BL cron fail2ban gammu_smsd msec letsencrypt mail_service post_install
do
$func
if [ $DEBUG_ALCASAR == "on" ]
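Review bot: In the unbound-whitelist.conf hunk (1665,13 → 1631,14) the `forward-zone:` block still points at `forward-addr: 127.0.0.1@55`, which is the listen address of the dnsmasq-whitelist unit deleted in the 1497,40 → 1496,6 hunk; the rendered view does not show whether those three lines survive on the new side, but if they do, every whitelist query is forwarded to a port nothing listens on once dnsmasq is gone. Either drop the block in favour of the `include: /etc/unbound/conf.d/common/forward-zone.conf` line above it, or forward directly with `forward-addr: $DNS1` and `forward-addr: $DNS2`, which is what the removed dnsmasq-whitelist.conf used. In the same hunk the new ipset section declares only `name-v4: "wl_ip_allowed"`, so AAAA answers are never added to a set; that is harmless if the firewall consumes only the v4 set, but a short comment above `ipset:` saying so would save the next reader a check. The enclosing unbound() function starts outside the hunk.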