

Ignore whitespace Rev 1061 → Rev 1062

/scripts/sbin/alcasar-bypass.sh
24,7 → 24,7
;;
--on | -on)
# activation du contournement
for i in chilli squid dansguardian havp mysqld radiusd httpd freshclam dnsmasq
for i in chilli dansguardian havp mysqld radiusd httpd freshclam dnsmasq squid
do
if (pgrep $i) > /dev/null ; then /etc/init.d/$i stop ; fi
done
46,7 → 46,7
$SED "s?^#conf-dir=.*?conf-dir=/usr/local/share/dnsmasq-bl-enabled?g" /etc/dnsmasq-blackhole.conf
$SED "s?^#no-dhcp-interface=.*?no-dhcp-interface=eth1?g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf
rm -f /etc/sysconfig/network-scripts/ifcfg-eth1
for i in chilli squid dansguardian havp mysqld radiusd httpd freshclam dnsmasq
for i in chilli dansguardian havp mysqld radiusd httpd freshclam dnsmasq squid
do
if ! (pgrep $i) > /dev/null ; then /etc/init.d/$i start ; fi
done
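Review bot: The reordered `for i in chilli dansguardian havp mysqld radiusd httpd freshclam dnsmasq squid` line moves squid to the end of both the stop loop (hunk 24,7) and the start loop (hunk 46,7) without a word on why, so the next editor is likely to restore the old order; a comment above each loop along the lines of `# order matters: squid is handled after dnsmasq (<reason>)` would pin the dependency. The order is only as reliable as the unquoted `pgrep $i` guard that follows it: pgrep treats the word as a regex matched anywhere in the process name, so `httpd` also matches any process whose name merely contains it and the start loop then skips a service it believes is already running; `pgrep -x -- "$i"` restricts the test to the exact name. The enclosing `--on | -on)` case arm begins before the hunk and its remainder is outside this view.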
/scripts/alcasar-iptables-bypass.sh
18,7 → 18,14
INTIF="eth1"
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
public_ip_mask=`grep PUBLIC_IP= $conf_file|cut -d"=" -f2` # ALCASAR WAN IP address
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
SSH_ADMIN_IP=`grep SSH_ADMIN_IP= $conf_file|cut -d"=" -f2`
SSH_ADMIN_IP=${SSH_ADMIN_IP:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
 
 
# On vide (flush) toutes les règles existantes
# Flush all existing rules
$IPTABLES -F
49,14 → 56,16
# Insertion de règles de blocage (Devel)
# Here, we add block rules (Devel)
if [ -s /usr/local/etc/alcasar-iptables-block ]; then
while read ip_blocked
do
echo "Network Address blocked : $ip_blocked"
$IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
$IPTABLES -A FORWARD -s $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -s $ip_blocked -j REJECT
done < /usr/local/etc/alcasar-iptables-block
while read ip_line
do
ip_on=`echo $ip_line|cut -b1`
if [ $ip_on != "#" ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
$IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
fi
done < /usr/local/etc/alcasar-iptables-block
fi
 
# SSHD rules if activate
64,11 → 73,17
then
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
. /usr/local/etc/alcasar-iptables-local.sh
fi
 
# on autorise les requêtes dhcp
# accept dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
95,10 → 110,9
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT "
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
 
# On autorise les flux entrant ntp, dns et ssh via INTIF
# On autorise les flux entrant ntp et dns via INTIF
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
 
# On autorise le retour des connexions entrante déjà acceptées
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
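Review bot: The new `SSH_ADMIN_IP=\`grep SSH_ADMIN_IP= $conf_file|cut -d"=" -f2\`` line in hunk 18,7→18,14 looks up a key that, as far as this page shows, is never written: alcasar-conf.sh emits `SSH_ADMIN_FROM=` (hunks 160,6 and 183,6), and the same lookup is repeated in alcasar-iptables.sh hunk 33,7. If the names really differ, the grep returns nothing and the `${SSH_ADMIN_IP:="0.0.0.0/0.0.0.0"}` fallback silently opens the WAN-side `--dport ssh` ACCEPT rules in hunk 64,11 to every source address, the opposite of what the setting exists for; aligning the key in both iptables scripts with `grep ^SSH_ADMIN_FROM= $conf_file` (or writing SSH_ADMIN_IP in alcasar-conf.sh) fixes it, and the `^` anchor also stops a longer key containing the same substring from matching. Separately, the rewritten block-list loop in hunk 49,14 tests `[ $ip_on != "#" ]` unquoted, so a blank line in /usr/local/etc/alcasar-iptables-block produces `[: !=: unary operator expected` instead of being skipped; `while IFS= read -r ip_line` with `case "$ip_line" in ''|'#'*) continue ;; esac` handles blank and comment lines in one place.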
/scripts/alcasar-iptables.sh
33,7 → 33,8
QOS=${QOS:=off}
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
Admin_from_IP=${Admin_from_IP:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
SSH_ADMIN_IP=`grep SSH_ADMIN_IP= $conf_file|cut -d"=" -f2`
SSH_ADMIN_IP=${SSH_ADMIN_IP:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
LDAP=`grep LDAP= $conf_file|cut -d"=" -f2` # LDAP external server active (on/off)
LDAP=${LDAP:=off}
LDAP_IP=`grep LDAP_IP= $conf_file|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
/scripts/alcasar-conf.sh
34,7 → 34,7
MAJ_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f1`
MIN_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f2|cut -c1`
UPD_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f3`
DOMAIN=`grep DOMAIN $CONF_FILE|cut -d"=" -f2`
DOMAIN=`grep DOMAIN $CONF_FILE|cut -d"=" -f2` 2>/dev/null # Error if (Version < 2.2) (no conf file)
DOMAIN=${DOMAIN:=localdomain}
DATE=`date '+%d %B %Y - %Hh%M'`
private_network_calc ()
69,7 → 69,7
[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE
mkdir $DIR_UPDATE
# Sauvegarde de la base des usagers
/usr/local/sbin/alcasar-mysql.sh -dump
$DIR_SBIN/alcasar-mysql.sh -dump
cp /var/Save/base/`ls /var/Save/base|tail -1` $DIR_UPDATE
# Sauvegarde du logo
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE
160,6 → 160,7
else
echo "SSH=off" >> $CONF_FILE
fi
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
echo "QOS=off" >> $CONF_FILE
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
if [ `grep ^ldap /etc/raddb/sites-available/alcasar | wc -l` -eq "0" ]; then
167,6 → 168,7
else
echo "LDAP=on" >> $CONF_FILE
fi
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
PROTOCOLS_FILTERING=`grep ^PROTO_FILTERING /usr/local/bin/alcasar-iptables.sh | cut -d"=" -f2`
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:="no"}
if [ $PROTOCOLS_FILTERING = "no" ]; then
183,6 → 185,8
fi
fi
# since V2.6
# SSH_ADMIN_FROM is redefined
$SED "s?^Admin_from_IP=.*?SSH_ADMIN_FROM=0.0.0.0/0.0.0.0?" $CONF_FILE
# macallowed is replaced with macauth
rm -f $DIR_UPDATE/etc/alcasar-macallowed
# DHCP mode can be "off/half/full"
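Review bot: The migration line `$SED "s?^Admin_from_IP=.*?SSH_ADMIN_FROM=0.0.0.0/0.0.0.0?" $CONF_FILE` in hunk 183,6→185,8 discards whatever admin address the operator had configured and replaces it with the any-host value, so an installation that had restricted WAN ssh access comes out of the upgrade with that restriction silently removed. If the value format is the same under both names (the comments in the iptables hunks describe both as an IP/mask), carrying it over with `$SED "s?^Admin_from_IP=\(.*\)?SSH_ADMIN_FROM=\1?" $CONF_FILE` preserves the operator's choice; if it is not, the reset should at least be echoed so it is noticed during the upgrade. In hunk 34,7 the new `grep DOMAIN $CONF_FILE` matches any line whose text contains DOMAIN, not only the DOMAIN key; `grep ^DOMAIN= $CONF_FILE` pins it to the intended line.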
/scripts/alcasar-urpmi.sh
68,7 → 68,7
if [ $Lang == "fr" ]
then
echo "La migration automatique d'ALCASAR ne peut pas être réalisée."
echo "Le système d'exploitation doit être remplacer"
echo "Le système d'exploitation doit être remplacé"
else
echo "The automatic update of ALCASAR can't be performed."
echo "The OS must be replaced"
80,7 → 80,7
then
echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
echo "2 - Installez Linux-Mageia2 (cf. doc d'installation)"
echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancez l'installation d'ALCASAR"
echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
else
echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
echo "2 - Install Linux-Mageia2 (cf. installation doc)"