Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 2230 → Rev 2234

/scripts/alcasar-condown.sh
1,5 → 1,7
#!/bin/sh
 
#
# $Id$
#
# alcasar-condown.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
7,125 → 9,45
# This script is launched by coova after each logout
# Ce script est lancé par coova à chaque déconnexion d'usager
 
if [ -z $FRAMED_IP_ADDRESS ]
then
exit
if [ -z $FRAMED_IP_ADDRESS ]; then
exit 1
fi
 
# Remove user from his IPSET (depending on FILTER_ID)
 
#FilterID Byte N° 0 to 7
#0-> profile1
#1-> profile2
#2-> profile3
#3-> warn_user (if imputability report has been generated)
#5-> WL
#6-> BL
#7-> HAVP
# FilterID Byte N°0 to 7
# 0: profile_1 (WEB)
# 1: profile_2 (WEB + Mail + Remote access)
# 2: profile_3 (Custom)
# 3: warn_user (if imputability report has been generated)
# 5: WL
# 6: BL
# 7: HAVP
 
if [ ${FILTER_ID:7:1} -eq '1' ] #HAVP
then
set="havp"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
if [ ${FILTER_ID:7:1} == '1' ]; then # HAVP
set_filter="havp"
elif [ ${FILTER_ID:6:1} == '1' ]; then # HAVP_BL
set_filter="havp_bl"
elif [ ${FILTER_ID:5:1} == '1' ]; then # HAVP_WL
set_filter="havp_wl"
else # NOT_FILTERED
set_filter="not_filtered"
fi
 
if [ ${FILTER_ID:6:1} -eq '1' ] #HAVP_BL
then
set="havp_bl"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
if [ ${FILTER_ID:0:1} == '1' ]; then # PROFILE 1 (WEB)
set_proto="proto_1";
elif [ ${FILTER_ID:1:1} == '1' ]; then # PROFILE 2 (WEB + Mail + Remote access)
set_proto="proto_2";
elif [ ${FILTER_ID:2:1} == '1' ]; then # PROFILE 3 (Custom)
set_proto="proto_3";
else # PROFILE 0 (Not filtered)
set_proto="proto_0";
fi
 
if [ ${FILTER_ID:5:1} -eq '1' ] #HAVP_WL
then
set="havp_wl"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
fi
 
 
 
if [ -z "$set" ] #NOT_FILTERED
then
set="not_filtered"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
fi
 
 
ipset del $set $FRAMED_IP_ADDRESS
ipset del $set_filter $FRAMED_IP_ADDRESS
ipset del $set_proto $FRAMED_IP_ADDRESS
 
# Debug : show all the coova parse variables (+ $set + $set_proto).
# Debug : show all the coova parse variables (+ $set_filter + $set_proto).
# see "/src/chilli.c" for the complete list of parse variables
#echo "-----------------------------------------------" >> /tmp/debug-condown.txt
#echo `date` >> /tmp/debug-condown.txt
133,5 → 55,5
#do
# echo "$i : ${!i}" >> /tmp/debug-condown.txt
#done
#echo "set : $set" >> /tmp/debug-condown.txt
#echo "set_filter : $set_filter" >> /tmp/debug-condown.txt
#echo "set_proto : $set_proto" >> /tmp/debug-condown.txt
/scripts/alcasar-conup.sh
1,5 → 1,7
#!/bin/sh
 
#
# $Id$
#
# alcasar-conup.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
7,126 → 9,45
# This script is launched by coova after each successfull login
# Ce script est lancé par coova à chaque connexion d'usager (authentification réussi)
 
if [ -z $FRAMED_IP_ADDRESS ]
then
exit
if [ -z $FRAMED_IP_ADDRESS ]; then
exit 1
fi
 
ipset del not_auth_yet $FRAMED_IP_ADDRESS
 
# Add user to his IPSET (depending on FILTER_ID)
 
# FilterID Byte N°0 to 7
#0-> profile1
#1-> profile2
#2-> profile3
#3-> warn_user (if imputability report has been generated)
#5-> WL
#6-> BL
#7-> HAVP
# 0: profile_1 (WEB)
# 1: profile_2 (WEB + Mail + Remote access)
# 2: profile_3 (Custom)
# 3: warn_user (if imputability report has been generated)
# 5: WL
# 6: BL
# 7: HAVP
 
if [ ${FILTER_ID:7:1} -eq '1' ] #HAVP
then
set="havp"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
if [ ${FILTER_ID:7:1} == '1' ]; then # HAVP
set_filter="havp"
elif [ ${FILTER_ID:6:1} == '1' ]; then # HAVP_BL
set_filter="havp_bl"
elif [ ${FILTER_ID:5:1} == '1' ]; then # HAVP_WL
set_filter="havp_wl"
else # NOT_FILTERED
set_filter="not_filtered"
fi
 
if [ ${FILTER_ID:6:1} -eq '1' ] #HAVP_BL
then
set="havp_bl"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
if [ ${FILTER_ID:0:1} == '1' ]; then # PROFILE 1 (WEB)
set_proto="proto_1";
elif [ ${FILTER_ID:1:1} == '1' ]; then # PROFILE 2 (WEB + Mail + Remote access)
set_proto="proto_2";
elif [ ${FILTER_ID:2:1} == '1' ]; then # PROFILE 3 (Custom)
set_proto="proto_3";
else # PROFILE 0 (Not filtered)
set_proto="proto_0";
fi
 
if [ ${FILTER_ID:5:1} -eq '1' ] #HAVP_WL
then
set="havp_wl"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
fi
 
 
 
if [ -z "$set" ] #NOT_FILTERED
then
set="not_filtered"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
fi
 
ipset add $set $FRAMED_IP_ADDRESS
ipset add $set_filter $FRAMED_IP_ADDRESS
ipset add $set_proto $FRAMED_IP_ADDRESS
 
# Debug : show all the coova parse variables (+ $set + $set_proto).
# Debug : show all the coova parse variables (+ $set_filter + $set_proto).
# see "/src/chilli.c" for the complete list of parse variables
#echo "-----------------------------------------------" >> /tmp/debug-conup.txt
#echo `date` >> /tmp/debug-conup.txt
134,6 → 55,6
#do
# echo "$i : ${!i}" >> /tmp/debug-conup.txt
#done
#echo "set : $set" >> /tmp/debug-conup.txt
#echo "set_filter : $set_filter" >> /tmp/debug-conup.txt
#echo "set_proto : $set_proto" >> /tmp/debug-conup.txt
 
/scripts/alcasar-iptables.sh
58,8 → 58,6
ipset save havp >> $TMP_users_set_save
ipset save havp_bl >> $TMP_users_set_save
ipset save havp_wl >> $TMP_users_set_save
ipset save not_auth_yet >> $TMP_users_set_save
ipset save users_list >> $TMP_users_set_save
ipset save proto_0 >> $TMP_users_set_save
ipset save proto_1 >> $TMP_users_set_save
ipset save proto_2 >> $TMP_users_set_save
143,15 → 141,6
ipset create havp hash:net hashsize 1024
ipset create havp_bl hash:net hashsize 1024
ipset create havp_wl hash:net hashsize 1024
#utilisé pour l'interception des utilisateurs non authentifiés au réseau
#used for intercepting users not connected to the network
ipset create not_auth_yet hash:net hashsize 1024
ipset create users_list list:set
ipset add users_list havp
ipset add users_list havp_wl
ipset add users_list havp_bl
ipset add users_list not_filtered
ipset add users_list not_auth_yet
#pour les filtrages de protocole par utilisateur
ipset create proto_0 hash:net hashsize 1024
ipset create proto_1 hash:net hashsize 1024
163,11 → 152,6
# PREROUTING #
#############################
 
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
# Redirect users not connected DNS requests in DNS-Blackhole
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
 
# Marquage des paquets qui tentent d'accéder directement à un serveur sans authentification en mode proxy pour pouvoir les rejeter en INPUT
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
/scripts/alcasar-macdown.sh
1,8 → 1,14
#!/bin/sh
#
# $Id$
#
# Le script 'macdown' est appelé par coovachilli pendant le DHCP down (release)
# Depuis la version 3.1 de ALCASAR, le système d'interception a changé.
# Pour une adresse mac authorisée pour laquelle coovachilli effectue un DHCP release, l'@IP sera retiré de l'ipset 'not_filtered'
 
#Le script 'macdown' est appelé par coovachilli pendant le DHCP down (release)
#Depuis la version 3.1 de ALCASAR, le système d'interception a changé.
#Pour une adresse mac authorisée pour laquelle coovachilli effectue un DHCP release, l'@IP sera retiré de l'ipset 'not_filtered'
if [ -z $CALLING_STATION_ID ]; then
exit 1
fi
 
chilli_current_mac=$(chilli_query list | grep $CALLING_STATION_ID)
is_connected=$(echo $chilli_current_mac | cut -d' ' -f5)
10,123 → 16,42
current_name=$(echo $chilli_current_mac | cut -d' ' -f6)
current_ip=$(echo $chilli_current_mac | cut -d' ' -f2)
 
 
if [ $is_connected == "1" ] && [ $current_mac == $current_name ]; then
#Lecture du Filter-Id de l'équipement authentifié afin de le retirer de son ipset
PASSWD_FILE="/root/ALCASAR-passwords.txt"
QUERY="SELECT value from radreply where username='$current_mac'"
FILTER_ID=$(mysql -D radius -u root -p$(cat $PASSWD_FILE | grep "root /" | rev | cut -d' ' -f1 | rev)<<<"$QUERY" | tail -1)
QUERY="SELECT value FROM radreply WHERE attribute='Filter-Id' AND username='$current_mac';"
FILTER_ID=$(mysql -D radius -u root -p$(cat $PASSWD_FILE | grep "root /" | rev | cut -d' ' -f1 | rev) -e "$QUERY" -Ns)
 
#Valeur de FILTER-ID : 12345678
#1-> profile1
#2-> profile2
#3-> profile3
#4-> warn_user (if imputability report has been generated)
#6-> WL + HAVP
#7-> BL + HAVP
#8-> HAVP
# FilterID Byte N°0 to 7
# 0: profile_1 (WEB)
# 1: profile_2 (WEB + Mail + Remote access)
# 2: profile_3 (Custom)
# 3: warn_user (if imputability report has been generated)
# 5: WL
# 6: BL
# 7: HAVP
 
if [ ${FILTER_ID:7:1} -eq '1' ] #HAVP
then
set="havp"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
if [ ${FILTER_ID:7:1} == '1' ]; then # HAVP
set_filter="havp"
elif [ ${FILTER_ID:6:1} == '1' ]; then # HAVP_BL
set_filter="havp_bl"
elif [ ${FILTER_ID:5:1} == '1' ]; then # HAVP_WL
set_filter="havp_wl"
else # NOT_FILTERED
set_filter="not_filtered"
fi
 
 
if [ ${FILTER_ID:6:1} -eq '1' ] #HAVP_BL
then
set="havp_bl"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
if [ ${FILTER_ID:0:1} == '1' ]; then # PROFILE 1 (WEB)
set_proto="proto_1";
elif [ ${FILTER_ID:1:1} == '1' ]; then # PROFILE 2 (WEB + Mail + Remote access)
set_proto="proto_2";
elif [ ${FILTER_ID:2:1} == '1' ]; then # PROFILE 3 (Custom)
set_proto="proto_3";
else # PROFILE 0 (Not filtered)
set_proto="proto_0";
fi
 
if [ ${FILTER_ID:5:1} -eq '1' ] #HAVP_WL
then
set="havp_wl"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
fi
 
 
 
if [ -z "$set" ] #NOT_FILTERED
then
set="not_filtered"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
fi
 
 
ipset del $set $current_ip
ipset del $set_filter $current_ip
ipset del $set_proto $current_ip
 
fi
 
/scripts/alcasar-macup.sh
1,8 → 1,14
#!/bin/sh
#
# $Id$
#
# Le script 'macup' est appelé par coovachilli lorsqu'il attribut une @IP à une @MAC.
# Depuis la version 3.1 de ALCASAR, le système d'interception a changé. On doit traiter les authorisations par adresse MAC en amont
# Pour une adresse mac authorisée, nous stockons sont @IP dans l'ipset 'not_filtered'
 
#Le script 'macup' est appelé par coovachilli lorsqu'il attribut une @IP à une @MAC.
#Depuis la version 3.1 de ALCASAR, le système d'interception a changé. On doit traiter les authorisations par adresse MAC en amont
#Pour une adresse mac authorisée, nous stockons sont @IP dans l'ipset 'not_filtered'
if [ -z $CALLING_STATION_ID ]; then
exit 1
fi
 
chilli_current_mac=$(chilli_query list | grep $CALLING_STATION_ID)
is_connected=$(echo $chilli_current_mac | cut -d' ' -f5)
11,129 → 17,42
current_ip=$(echo $chilli_current_mac | cut -d' ' -f2)
 
 
 
if [ $is_connected == "1" ] && [ $current_mac == $current_name ]; then
#Lecture du filter-id dans la DB radius afin de placer l'équipement réseau dans le bon ipset
#Un équipement autorisé "à chaud" sera placé dans l'ipset 'not_filtered' + pas de filtrage de protocole (proto_0)
PASSWD_FILE="/root/ALCASAR-passwords.txt"
QUERY="SELECT value from radreply where username='$current_mac'"
FILTER_ID=$(mysql -D radius -u root -p$(cat $PASSWD_FILE | grep "root /" | rev | cut -d' ' -f1 | rev)<<<"$QUERY" | tail -1)
QUERY="SELECT value FROM radreply WHERE attribute='Filter-Id' AND username='$current_mac';"
FILTER_ID=$(mysql -D radius -u root -p$(cat $PASSWD_FILE | grep "root /" | rev | cut -d' ' -f1 | rev) -e "$QUERY" -Ns)
 
#Suppression de l'utilisateur de l'ipset not_auth_yet (au cas où)
ipset del not_auth_yet $current_ip
# FilterID Byte N°0 to 7
# 0: profile_1 (WEB)
# 1: profile_2 (WEB + Mail + Remote access)
# 2: profile_3 (Custom)
# 3: warn_user (if imputability report has been generated)
# 5: WL
# 6: BL
# 7: HAVP
 
#Valeur de FILTER-ID : 12345678
#1-> profile1
#2-> profile2
#3-> profile3
#4-> warn_user (if imputability report has been generated)
#6-> WL + HAVP
#7-> BL + HAVP
#8-> HAVP
 
if [ ${FILTER_ID:7:1} -eq '1' ] #HAVP
then
set="havp"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
if [ ${FILTER_ID:7:1} == '1' ]; then # HAVP
set_filter="havp"
elif [ ${FILTER_ID:6:1} == '1' ]; then # HAVP_BL
set_filter="havp_bl"
elif [ ${FILTER_ID:5:1} == '1' ]; then # HAVP_WL
set_filter="havp_wl"
else # NOT_FILTERED
set_filter="not_filtered"
fi
 
 
if [ ${FILTER_ID:6:1} -eq '1' ] #HAVP_BL
then
set="havp_bl"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
if [ ${FILTER_ID:0:1} == '1' ]; then # PROFILE 1 (WEB)
set_proto="proto_1";
elif [ ${FILTER_ID:1:1} == '1' ]; then # PROFILE 2 (WEB + Mail + Remote access)
set_proto="proto_2";
elif [ ${FILTER_ID:2:1} == '1' ]; then # PROFILE 3 (Custom)
set_proto="proto_3";
else # PROFILE 0 (Not filtered)
set_proto="proto_0";
fi
 
if [ ${FILTER_ID:5:1} -eq '1' ] #HAVP_WL
then
set="havp_wl"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
fi
 
 
 
if [ -z "$set" ] #NOT_FILTERED
then
set="not_filtered"
if [ ${FILTER_ID:0:1} -eq '1' ]
then
set_proto="proto_1";
fi
 
if [ ${FILTER_ID:1:1} -eq '1' ]
then
set_proto="proto_2";
fi
if [ ${FILTER_ID:2:1} -eq '1' ]
then
set_proto="proto_3";
fi
 
if [ -z "$set_proto" ]
then
set_proto="proto_0";
fi
fi
 
 
ipset add $set $current_ip
ipset add $set_filter $current_ip
ipset add $set_proto $current_ip
 
fi