

Ignore whitespace Rev 1866 → Rev 1867

/scripts/alcasar-bl.sh
137,7 → 137,7
}
 
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload }"
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload } | { -update_cat or --update_cat } & categorie & url_rsync"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
225,7 → 225,7
fi
$SED "s/\.\{2,10\}/\./g" $PATH_FILE/domains $PATH_FILE/urls # correct some syntax errors
# extract ip addresses for iptables
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add blacklist_ip_blocked " $0}' $PATH_FILE/domains > $FILE_ip_tmp
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add bl_ip_blocked " $0}' $PATH_FILE/domains > $FILE_ip_tmp
# for dnsmask, remove IP addesses, accented characters and commented lines.
egrep -v "^([0-9]{1,3}\.){3}[0-9]{1,3}$" $PATH_FILE/domains > $FILE_tmp
$SED "/[äâëêïîöôüû]/d" $FILE_tmp
249,6 → 249,52
rm -rf $DIR_tmp
echo
;;
#mise a jour d'une categorie avec rsync
-update_cat | --update_cat)
if [ $# -ge 3 ]
then
echo -n "Updating $2 category ..."
 
PATH_FILE=$(find $DIR_DG_BL/ -type d -name $2) # retrieve directory name of the category
rsync -rv $3 $(dirname $PATH_FILE ) #rsync inside of the blacklist directory
# Creation of DNSMASQ and Iptables BL and WL
DOMAINE=$(basename $PATH_FILE)
$SED "s/\.\{2,10\}/\./g" $PATH_FILE/domains $PATH_FILE/urls # correct some syntax errors
# extract ip addresses for iptables
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add bl_ip_blocked " $0}' $PATH_FILE/domains > $FILE_ip_tmp
# for dnsmask, remove IP addesses, accented characters and commented lines.
egrep -v "^([0-9]{1,3}\.){3}[0-9]{1,3}$" $PATH_FILE/domains > $FILE_tmp
$SED "/[äâëêïîöôüû]/d" $FILE_tmp
$SED "/^#.*/d" $FILE_tmp
black=`grep black $PATH_FILE/usage |wc -l`
if [ $black == "1" ]
then
# adapt to the dnsmasq syntax for the blacklist
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_BL/$DOMAINE.conf
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAINE
/usr/bin/systemctl restart dnsmasq-blacklist
else
# adapt to the dnsmasq syntax for the whitelist
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp
mv $FILE_tmp $DIR_DNS_WL/$DOMAINE.conf
/usr/bin/systemctl restart dnsmasq-whitelist
fi
 
rm -f $FILE_tmp $FILE_ip_tmp
/usr/bin/systemctl restart dansguardian
/usr/local/bin/alcasar-iptables.sh
echo "MAJ RSYNC réussie"
else
echo "$usage"
fi
;;
# reload when categories are changed
-reload | --reload)
# for DG
279,3 → 325,4
esac
 
 
 
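Review bot: In the new `-update_cat` branch, `PATH_FILE=$(find $DIR_DG_BL/ -type d -name $2)` is never checked, so when `find` matches nothing `$(dirname $PATH_FILE)` expands to `.` and `rsync -rv $3` writes the fetched tree into the current directory, after which the `$SED`/`awk` lines operate on `/domains` and `/urls`; a pattern such as `*` in `$2` would likewise yield several directories in `$PATH_FILE`. The rsync status is also ignored before the dnsmasq/ipset lists are rebuilt and the services restarted, so a failed transfer still replaces the category's files. Suggest quoting the expansions and bailing out early: `PATH_FILE=$(find "$DIR_DG_BL/" -type d -name "$2")`, `[ -n "$PATH_FILE" ] || { echo "unknown category: $2" >&2; exit 1; }`, `rsync -rv "$3" "$(dirname "$PATH_FILE")" || exit 1`. The domain/IP extraction that follows is a verbatim copy of the block in the earlier hunk at line 225 of the same file; a shared function would keep the two in step when the ipset or dnsmasq syntax changes again. The enclosing `case` starts before and ends after this hunk.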
/scripts/alcasar-conup.sh
13,7 → 13,7
#do
# echo "$i : ${!i}" >> /tmp/debug-conup.txt
#done
ipset del user_not_connected_yet $FRAMED_IP_ADDRESS
ipset del not_auth_yet $FRAMED_IP_ADDRESS
# Add user to the SET (function of his filtering level)
case $FILTER_ID in
# HAVP
30,7 → 30,7
;;
# No filtering
*)
set="no_filtering_set"
set="not_filtered"
;;
esac
ipset add $set $FRAMED_IP_ADDRESS
/scripts/alcasar-iptables.sh
54,15 → 54,15
 
# Sauvegarde des SET des utilisateurs connectés si ils existent
# Saving SET of connected users if it exists
ipset list no_filtering_set 1>/dev/null 2>&1
ipset list not_filtered 1>/dev/null 2>&1
if [ $? -eq 0 ];
then
ipset save no_filtering_set > $TMP_users_set_save
ipset save not_filtered > $TMP_users_set_save
ipset save havp_set >> $TMP_users_set_save
ipset save havp_bl_set >> $TMP_users_set_save
ipset save havp_wl_set >> $TMP_users_set_save
ipset save user_not_connected_yet >> $TMP_users_set_save
ipset save ipset_users_list >> $TMP_users_set_save
ipset save not_auth_yet >> $TMP_users_set_save
ipset save users_list >> $TMP_users_set_save
fi
 
# loading of NetFlow probe (ipt_NETFLOW kernel module)
100,15 → 100,15
# destroy all SET
ipset destroy
 
ipset flush blacklist_ip_blocked
ipset destroy blacklist_ip_blocked
ipset flush whitelist_ip_allowed
ipset destroy whitelist_ip_allowed
ipset flush bl_ip_blocked
ipset destroy bl_ip_blocked
ipset flush wl_ip_allowed
ipset destroy wl_ip_allowed
###### BL set ###########
# Calcul de la taille / Compute the length
bl_set_length=$(($(wc -l $BL_IP_CAT/* | awk '{print $1}' | tail -n 1)+$(wc -l $BL_IP_OSSI | awk '{print $1}')))
# Chargement / loading
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
echo "create bl_ip_blocked hash:net family inet hashsize 1024 maxelem $bl_set_length" > $TMP_set_save
for category in `ls -1 $BL_IP_CAT | cut -d '@' -f1`
do
cat $BL_IP_CAT/$category >> $TMP_set_save
119,7 → 119,7
# Suppression des ip réhabilitées / Removing of rehabilitated ip
for ip in $(cat $IP_REHABILITEES)
do
ipset del blacklist_ip_blocked $ip
ipset del bl_ip_blocked $ip
done
 
###### WL set ###########
126,7 → 126,7
# Calcul de la taille / Compute the length
wl_set_length=$(($(wc -l $DIR_WL_IP_ENABLED/* | awk '{print $1}' | tail -n 1)*3))
# Chargement Loading
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
echo "create wl_ip_allowed hash:net family inet hashsize 1024 maxelem $wl_set_length" > $TMP_set_save
#get ip-wl files from ACC
for ossi in `ls -1 $DIR_WL_IP_ENABLED`
do
142,19 → 142,19
ipset -! restore < $TMP_users_set_save
rm -f $TMP_users_set_save
else
ipset create no_filtering_set hash:net hashsize 1024
ipset create not_filtered hash:net hashsize 1024
ipset create havp_set hash:net hashsize 1024
ipset create havp_bl_set hash:net hashsize 1024
ipset create havp_wl_set hash:net hashsize 1024
#utilisé pour l'interception des utilisateurs non authentifiés au réseau
#used for intercepting users not connected to the network
ipset create user_not_connected_yet hash:net hashsize 1024
ipset create ipset_users_list list:set
ipset add ipset_users_list havp_set
ipset add ipset_users_list havp_wl_set
ipset add ipset_users_list havp_bl_set
ipset add ipset_users_list no_filtering_set
ipset add ipset_users_list user_not_connected_yet
ipset create not_auth_yet hash:net hashsize 1024
ipset create users_list list:set
ipset add users_list havp_set
ipset add users_list havp_wl_set
ipset add users_list havp_bl_set
ipset add users_list not_filtered
ipset add users_list not_auth_yet
fi
 
#############################
163,8 → 163,8
 
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
# Redirect users not connected DNS requests in DNS-Blackhole
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
 
 
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
207,11 → 207,11
 
# Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection HTTP des usagers 'havp_wl' cherchant à joindre les IP qui ne sont pas dans la WL vers ALCASAR (page 'accès interdit')
# Redirect HTTP of 'havp_wl' users who want IP not in the WL to ALCASAR ('access denied' page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set wl_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection des requêtes HTTP sortantes des usagers 'havp_bl' vers DansGuardian
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
343,11 → 343,11
# FORWARD #
#############################
 
# Blocage des IPs du SET blacklist_ip_blocked pour le SET havp_bl_set
# Deny IPs of the SET blacklist_ip_blocked for the set havp_bl_set
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
# Blocage des IPs du SET bl_ip_blocked pour le SET havp_bl_set
# Deny IPs of the SET bl_ip_blocked for the set havp_bl_set
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set bl_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 
# Rejet des requêtes DNS vers Internet
# Deny forward DNS
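Review bot: The existence probe `ipset list not_filtered 1>/dev/null 2>&1` in the 54,7 hunk now looks for the new name, so on the first run of this script after the revision on a host whose kernel still holds `no_filtering_set`, `user_not_connected_yet` and `ipset_users_list`, the probe presumably fails, the `else` branch in the 142,19 hunk creates empty `not_filtered`/`not_auth_yet`/`users_list` sets, and every connected user loses their filtering classification until they log in again. A one-shot migration step before the probe (moving the old sets to the new names, or saving them under the new names) or an explicit note in the upgrade procedure would cover this. The same rename is applied in alcasar-conup.sh and alcasar-watchdog.sh in this revision, so the transition has to happen before those scripts run with the new names. Each of these hunks sits inside a larger script whose surrounding statements are outside the view.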
/scripts/alcasar-url_filter_wl.sh
57,7 → 57,7
echo "address=/$gg_dnsname/$forcesafesearch_server" >> $DNSMASQ_WL_CONF
done
$SED "/$forcesafesearch_server/d" $IP_WL
echo "add whitelist_ip_allowed $forcesafesearch_server" >> $IP_WL
echo "add wl_ip_allowed $forcesafesearch_server" >> $IP_WL
else
$SED "/google/d" $DNSMASQ_WL_CONF
rm $IP_WL
/scripts/alcasar-watchdog.sh
114,8 → 114,8
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip|grep "Unicast reply"|wc -l`
if [[ $(expr $arp_reply) -eq 0 ]]
then
#on vide les ip inactifs de l'ipset user_not_connected_yet
ipset del user_not_connected_yet $noresponse_ip
#on vide les ip inactifs de l'ipset not_auth_yet
ipset del not_auth_yet $noresponse_ip
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user ($noresponse_user)."
/usr/sbin/chilli_query logout $noresponse_mac
if [[ $noresponse_user == $noresponse_mac ]] # for @mac auth equipments, we must remove the arp entry