
Rev 2588 Rev 2589
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 2588 2018-08-14 10:54:21Z rexy $
2
#  $Id: alcasar.sh 2589 2018-08-14 21:15:56Z rexy $
3
 
3
 
4
# alcasar.sh
4
# alcasar.sh
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
6
# This script is distributed under the Gnu General Public License (GPL)
6
# This script is distributed under the Gnu General Public License (GPL)
7
#  team@alcasar.net
7
#  team@alcasar.net
8
 
8
 
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
9
# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
10
# Ce programme est un logiciel libre ; This software is free and open source
10
# Ce programme est un logiciel libre ; This software is free and open source
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
11
# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
12
# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
13
# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
14
# Voir la Licence Publique Générale GNU pour plus de détails.
15
 
15
 
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
16
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
17
# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
18
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
19
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
20
 
20
 
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
21
# Coovachilli, freeradius, mariaDB, lighttpd, netfilter, e2guardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
22
 
22
 
23
# Options :
23
# Options :
24
#       -i or --install
24
#       -i or --install
25
#       -u or --uninstall
25
#       -u or --uninstall
26
 
26
 
27
# Functions :
27
# Functions :
28
#       testing                 : connectivity tests, free space test and mageia version test
28
#       testing                 : connectivity tests, free space test and mageia version test
29
#       init                    : Installation of RPM and scripts
29
#       init                    : Installation of RPM and scripts
30
#       network                 : Network parameters
30
#       network                 : Network parameters
31
#       ACC                             : ALCASAR Control Center installation
31
#       ACC                             : ALCASAR Control Center installation
32
#       CA                              : Certification Authority initialization
32
#       CA                              : Certification Authority initialization
33
#       time_server             : NTPd configuration
33
#       time_server             : NTPd configuration
34
#       init_db                 : Initilization of radius database managed with MariaDB
34
#       init_db                 : Initilization of radius database managed with MariaDB
35
#       freeradius              : FreeRadius initialisation
35
#       freeradius              : FreeRadius initialisation
36
#       chilli                  : coovachilli initialisation (+authentication page)
36
#       chilli                  : coovachilli initialisation (+authentication page)
37
#       e2guardian              : E2Guardian filtering HTTP proxy configuration
37
#       e2guardian              : E2Guardian filtering HTTP proxy configuration
38
#       antivirus               : HAVP + libclamav configuration
38
#       antivirus               : HAVP + libclamav configuration
39
#       tinyproxy               : little proxy for user filtered with "WL + antivirus" and "antivirus"
39
#       tinyproxy               : little proxy for user filtered with "WL + antivirus" and "antivirus"
40
#       ulogd                   : log system in userland (match NFLOG target of iptables)
40
#       ulogd                   : log system in userland (match NFLOG target of iptables)
41
#       nfsen                   : Configuration of Nfsen Netflow grapher
41
#       nfsen                   : Configuration of Nfsen Netflow grapher
42
#       dnsmasq                 : Name server configuration
42
#       dnsmasq                 : Name server configuration
43
#       vnstat                  : little network stat daemon
43
#       vnstat                  : little network stat daemon
44
#       BL                              : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
44
#       BL                              : Adaptation of Toulouse University BlackList : split into 3 BL (for Dnsmasq, for e2guardian and for Netfilter)
45
#       cron                    : Logs export + watchdog + connexion statistics
45
#       cron                    : Logs export + watchdog + connexion statistics
46
#       fail2ban                : Fail2ban IDS installation and configuration
46
#       fail2ban                : Fail2ban IDS installation and configuration
47
#       gammu_smsd              : Autoregister addon via SMS (gammu-smsd)
47
#       gammu_smsd              : Autoregister addon via SMS (gammu-smsd)
48
#       msec                    : Mandriva security package configuration
48
#       msec                    : Mandriva security package configuration
49
#       letsencrypt             : Let's Encrypt client
49
#       letsencrypt             : Let's Encrypt client
50
#       post_install    : Security, log rotation, etc.
50
#       post_install    : Security, log rotation, etc.
51
 
51
 
52
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR       # Debug mode = wait (hit key) after each function
52
DEBUG_ALCASAR='off'; export DEBUG_ALCASAR       # Debug mode = wait (hit key) after each function
53
DATE=`date '+%d %B %Y - %Hh%M'`
53
DATE=`date '+%d %B %Y - %Hh%M'`
54
DATE_SHORT=`date '+%d/%m/%Y'`
54
DATE_SHORT=`date '+%d/%m/%Y'`
55
Lang=`echo $LANG|cut -c 1-2`
55
Lang=`echo $LANG|cut -c 1-2`
56
mode="install"
56
mode="install"
57
# ******* Files parameters - paramètres fichiers *********
57
# ******* Files parameters - paramètres fichiers *********
58
DIR_INSTALL=`pwd`                                               # current directory
58
DIR_INSTALL=`pwd`                                               # current directory
59
DIR_CONF="$DIR_INSTALL/conf"                    # install directory (with conf files)
59
DIR_CONF="$DIR_INSTALL/conf"                    # install directory (with conf files)
60
DIR_SCRIPTS="$DIR_INSTALL/scripts"              # install directory (with script files)
60
DIR_SCRIPTS="$DIR_INSTALL/scripts"              # install directory (with script files)
61
DIR_BLACKLIST="$DIR_INSTALL/blacklist"  # install directory (with blacklist files)
61
DIR_BLACKLIST="$DIR_INSTALL/blacklist"  # install directory (with blacklist files)
62
DIR_SAVE="/var/Save"                                    # backup directory (traceability_log, user_db, security_log)
62
DIR_SAVE="/var/Save"                                    # backup directory (traceability_log, user_db, security_log)
63
DIR_WEB="/var/www/html"                                 # directory of Lighttpd
63
DIR_WEB="/var/www/html"                                 # directory of Lighttpd
64
DIR_DG="/etc/e2guardian"                                # directory of E2Guardian
64
DIR_DG="/etc/e2guardian"                                # directory of E2Guardian
65
DIR_ACC="$DIR_WEB/acc"                                  # directory of the 'ALCASAR Control Center'
65
DIR_ACC="$DIR_WEB/acc"                                  # directory of the 'ALCASAR Control Center'
66
DIR_DEST_BIN="/usr/local/bin"                   # directory of ALCASAR scripts
66
DIR_DEST_BIN="/usr/local/bin"                   # directory of ALCASAR scripts
67
DIR_DEST_ETC="/usr/local/etc"                   # directory of ALCASAR conf files
67
DIR_DEST_ETC="/usr/local/etc"                   # directory of ALCASAR conf files
68
DIR_DEST_SHARE="/usr/local/share"               # directory of share files used by ALCASAR (dnsmasq for instance)
68
DIR_DEST_SHARE="/usr/local/share"               # directory of share files used by ALCASAR (dnsmasq for instance)
69
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"  # central ALCASAR conf file
69
CONF_FILE="$DIR_DEST_ETC/alcasar.conf"  # central ALCASAR conf file
70
PASSWD_FILE="/root/ALCASAR-passwords.txt"       # text file with the passwords and shared secrets
70
PASSWD_FILE="/root/ALCASAR-passwords.txt"       # text file with the passwords and shared secrets
71
# ******* DBMS parameters - paramètres SGBD ********
71
# ******* DBMS parameters - paramètres SGBD ********
72
DB_RADIUS="radius"                                              # database name used by FreeRadius server
72
DB_RADIUS="radius"                                              # database name used by FreeRadius server
73
DB_USER="radius"                                                # user name allows to request the users database
73
DB_USER="radius"                                                # user name allows to request the users database
74
DB_GAMMU="gammu"                                                # database name used by Gammu-smsd
74
DB_GAMMU="gammu"                                                # database name used by Gammu-smsd
75
# ******* Network parameters - paramètres réseau *******
75
# ******* Network parameters - paramètres réseau *******
76
HOSTNAME="alcasar"                                              # default hostname
76
HOSTNAME="alcasar"                                              # default hostname
77
DOMAIN="localdomain"                                    # default local domain
77
DOMAIN="localdomain"                                    # default local domain
78
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`          # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
78
EXTIF=`/usr/sbin/ip route|grep default|head -n1|cut -d" " -f5`          # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
79
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`      # INTIF is connected to the consultation network
79
INTIF=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF\|tun0"|head -n1|cut -d" " -f2|tr -d ":"`      # INTIF is connected to the consultation network
80
MTU="1500"
80
MTU="1500"
81
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"      # Default ALCASAR IP address
81
DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"      # Default ALCASAR IP address
82
# ****** Paths - chemin des commandes *******
82
# ****** Paths - chemin des commandes *******
83
SED="/bin/sed -i"
83
SED="/bin/sed -i"
84
# ****************** End of global parameters *********************
84
# ****************** End of global parameters *********************
85
 
85
 
86
license ()
86
license ()
87
{
87
{
88
        if [ $Lang == "fr" ]
88
        if [ $Lang == "fr" ]
89
        then
89
        then
90
                cat $DIR_INSTALL/gpl-warning.fr.txt | more
90
                cat $DIR_INSTALL/gpl-warning.fr.txt | more
91
        else
91
        else
92
                cat $DIR_INSTALL/gpl-warning.txt | more
92
                cat $DIR_INSTALL/gpl-warning.txt | more
93
        fi
93
        fi
94
        response=0
94
        response=0
95
        PTN='^[oOyYnN]$'
95
        PTN='^[oOyYnN]$'
96
        until [[ $(expr $response : $PTN) -gt 0 ]]
96
        until [[ $(expr $response : $PTN) -gt 0 ]]
97
        do
97
        do
98
                if [ $Lang == "fr" ]
98
                if [ $Lang == "fr" ]
99
                        then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
99
                        then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
100
                        else echo -n "Do you accept the terms of this license (Y/n)? : "
100
                        else echo -n "Do you accept the terms of this license (Y/n)? : "
101
                fi
101
                fi
102
                read response
102
                read response
103
        done
103
        done
104
        if [ "$response" = "n" ] || [ "$response" = "N" ]
104
        if [ "$response" = "n" ] || [ "$response" = "N" ]
105
        then
105
        then
106
                exit 1
106
                exit 1
107
        fi
107
        fi
108
}
108
}
109
 
109
 
110
header_install ()
110
header_install ()
111
{
111
{
112
        clear
112
        clear
113
        echo "-----------------------------------------------------------------------------"
113
        echo "-----------------------------------------------------------------------------"
114
        echo "                     ALCASAR V$VERSION Installation"
114
        echo "                     ALCASAR V$VERSION Installation"
115
        echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
115
        echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
116
        echo "-----------------------------------------------------------------------------"
116
        echo "-----------------------------------------------------------------------------"
117
}
117
}
118
 
118
 
119
########################################################
119
########################################################
120
##                  Function "testing"                ##
120
##                  Function "testing"                ##
121
## - Test Mageia version                              ##
121
## - Test Mageia version                              ##
122
## - Test ALCASAR version (if already installed)      ##
122
## - Test ALCASAR version (if already installed)      ##
123
## - Test free space on /var  (>10G)                  ##
123
## - Test free space on /var  (>10G)                  ##
124
## - Test Internet access                             ##
124
## - Test Internet access                             ##
125
########################################################
125
########################################################
126
testing ()
126
testing ()
127
{
127
{
128
# Test of Mageia version
128
# Test of Mageia version
129
# extract the current Mageia version and hardware architecture (i586 ou X64)
129
# extract the current Mageia version and hardware architecture (i586 ou X64)
130
        fic=`cat /etc/product.id`
130
        fic=`cat /etc/product.id`
131
        unknown_os=0
131
        unknown_os=0
132
        old="$IFS"
132
        old="$IFS"
133
        IFS=","
133
        IFS=","
134
        set $fic
134
        set $fic
135
        for i in $*
135
        for i in $*
136
        do
136
        do
137
                if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
137
                if [ "`echo $i|grep distribution|cut -d'=' -f1`" == "distribution" ]
138
                        then
138
                        then
139
                        DISTRIBUTION=`echo $i|cut -d"=" -f2`
139
                        DISTRIBUTION=`echo $i|cut -d"=" -f2`
140
                        unknown_os=`expr $unknown_os + 1`
140
                        unknown_os=`expr $unknown_os + 1`
141
                fi
141
                fi
142
                if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
142
                if [ "`echo $i|grep version|cut -d'=' -f1`" == "version" ]
143
                        then
143
                        then
144
                        CURRENT_VERSION=`echo $i|cut -d"=" -f2`
144
                        CURRENT_VERSION=`echo $i|cut -d"=" -f2`
145
                        unknown_os=`expr $unknown_os + 1`
145
                        unknown_os=`expr $unknown_os + 1`
146
                fi
146
                fi
147
                if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
147
                if [ "`echo $i|grep arch|cut -d'=' -f1`" == "arch" ]
148
                        then
148
                        then
149
                        ARCH=`echo $i|cut -d"=" -f2`
149
                        ARCH=`echo $i|cut -d"=" -f2`
150
                        unknown_os=`expr $unknown_os + 1`
150
                        unknown_os=`expr $unknown_os + 1`
151
                fi
151
                fi
152
        done
152
        done
153
        if [ "$ARCH" == "i586" ]
153
        if [ "$ARCH" == "i586" ]
154
                then
154
                then
155
                if [ $Lang == "fr" ]
155
                if [ $Lang == "fr" ]
156
                        then echo -n "Votre architecture matérielle doit être en 64bits"
156
                        then echo -n "Votre architecture matérielle doit être en 64bits"
157
                        else echo -n "You hardware architecture must be 64bits"
157
                        else echo -n "You hardware architecture must be 64bits"
158
                fi
158
                fi
159
                exit 1
159
                exit 1
160
        fi
160
        fi
161
        IFS="$old"
161
        IFS="$old"
162
# Test if ALCASAR is already installed
162
# Test if ALCASAR is already installed
163
        if [ -e $CONF_FILE ]
163
        if [ -e $CONF_FILE ]
164
        then
164
        then
165
                current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
165
                current_version=`grep ^VERSION= $CONF_FILE | cut -d"=" -f2`
166
                if [ $Lang == "fr" ]
166
                if [ $Lang == "fr" ]
167
                        then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
167
                        then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
168
                        else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
168
                        else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
169
                fi
169
                fi
170
                response=0
170
                response=0
171
                PTN='^[12]$'
171
                PTN='^[12]$'
172
                until [[ $(expr $response : $PTN) -gt 0 ]]
172
                until [[ $(expr $response : $PTN) -gt 0 ]]
173
                do
173
                do
174
                        if [ $Lang == "fr" ]
174
                        if [ $Lang == "fr" ]
175
                        then
175
                        then
176
                                echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
176
                                echo -n "Tapez '1' pour une mise à jour; Tapez '2' pour une réinstallation : "
177
                        else
177
                        else
178
                                echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
178
                                echo -n "Hit '1' for an update; Hit '2' for a reinstallation : "
179
                        fi
179
                        fi
180
                        read response
180
                        read response
181
                done
181
                done
182
                if [ "$response" = "2" ]
182
                if [ "$response" = "2" ]
183
                then
183
                then
184
                        rm -f /var/tmp/alcasar-conf*
184
                        rm -f /var/tmp/alcasar-conf*
185
                else
185
                else
186
# Retrieve former NICname
186
# Retrieve former NICname
187
                        EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`  # EXTernal InterFace
187
                        EXTIF_saved=`grep ^EXTIF= $CONF_FILE | cut -d'=' -f2-`  # EXTernal InterFace
188
                        INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`  # INTernal InterFace
188
                        INTIF_saved=`grep ^INTIF= $CONF_FILE | cut -d'=' -f2-`  # INTernal InterFace
189
                        [ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
189
                        [ $(/usr/sbin/ip link | grep -c " $EXTIF_saved:") -ne 0 ] && EXTIF=$EXTIF_saved || echo "Warning: Network card \"$EXTIF_saved\" is not connected, so \"$EXTIF\" will be used for external network."
190
                        [ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
190
                        [ $(/usr/sbin/ip link | grep -c " $INTIF_saved:") -ne 0 ] && INTIF=$INTIF_saved || echo "Warning: Network card \"$INTIF_saved\" is not connected, so \"$INTIF\" will be used for internal network."
191
# Create the current conf file
191
# Create the current conf file
192
                        $DIR_SCRIPTS/alcasar-conf.sh --create
192
                        $DIR_SCRIPTS/alcasar-conf.sh --create
193
                        mode="update"
193
                        mode="update"
194
                fi
194
                fi
195
        fi
195
        fi
196
        if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
196
        if [[ ( $unknown_os != 3 ) || ("$DISTRIBUTION" != "Mageia" ) || ( "$CURRENT_VERSION" != "6" ) ]]
197
                then
197
                then
198
                if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
198
                if [ -e /var/tmp/alcasar-conf.tar.gz ] # update
199
                        then
199
                        then
200
                        echo
200
                        echo
201
                        if [ $Lang == "fr" ]
201
                        if [ $Lang == "fr" ]
202
                                then
202
                                then
203
                                echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
203
                                echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
204
                                echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
204
                                echo "1 - Effectuez une sauvegarde des fichiers de traçabilité et de la base des usagers via l'ACC"
205
                                echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
205
                                echo "2 - Installez Linux-Mageia 6.0 (64bits) et ALCASAR (cf. doc d'installation)"
206
                                echo "3 - Importez votre base des usagers"
206
                                echo "3 - Importez votre base des usagers"
207
                        else
207
                        else
208
                                echo "The automatic update of ALCASAR can't be performed."
208
                                echo "The automatic update of ALCASAR can't be performed."
209
                                echo "1 - Save your traceability files and the user database"
209
                                echo "1 - Save your traceability files and the user database"
210
                                echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
210
                                echo "2 - Install Linux-Mageia 6 (64bits) & ALCASAR (cf. installation doc)"
211
                                echo "3 - Import your users database"
211
                                echo "3 - Import your users database"
212
                        fi
212
                        fi
213
                else
213
                else
214
                        if [ $Lang == "fr" ]
214
                        if [ $Lang == "fr" ]
215
                                then
215
                                then
216
                                echo "L'installation d'ALCASAR ne peut pas être réalisée."
216
                                echo "L'installation d'ALCASAR ne peut pas être réalisée."
217
                        else
217
                        else
218
                                echo "The installation of ALCASAR can't be performed."
218
                                echo "The installation of ALCASAR can't be performed."
219
                        fi
219
                        fi
220
                fi
220
                fi
221
                echo
221
                echo
222
                if [ $Lang == "fr" ]
222
                if [ $Lang == "fr" ]
223
                        then
223
                        then
224
                        echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
224
                        echo "Le système d'exploitation doit être remplacé (Mageia6-64bits)"
225
                else
225
                else
226
                        echo "The OS must be replaced (Mageia6-64bits)"
226
                        echo "The OS must be replaced (Mageia6-64bits)"
227
                fi
227
                fi
228
                exit 0
228
                exit 0
229
        fi
229
        fi
230
        if [ ! -d /var/log/netflow/porttracker ]
230
        if [ ! -d /var/log/netflow/porttracker ]
231
                then
231
                then
232
# Test free space on /var
232
# Test free space on /var
233
                free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
233
                free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
234
                if [ $free_space -lt 10 ]
234
                if [ $free_space -lt 10 ]
235
                        then
235
                        then
236
                        if [ $Lang == "fr" ]
236
                        if [ $Lang == "fr" ]
237
                                then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
237
                                then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
238
                                else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
238
                                else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
239
                        fi
239
                        fi
240
                exit 0
240
                exit 0
241
                fi
241
                fi
242
        fi
242
        fi
243
        if [ $Lang == "fr" ]
243
        if [ $Lang == "fr" ]
244
                then echo -n "Tests des paramètres réseau : "
244
                then echo -n "Tests des paramètres réseau : "
245
                else echo -n "Network parameters tests: "
245
                else echo -n "Network parameters tests: "
246
        fi
246
        fi
247
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
247
# Remove conf file if NIC is not plugged (ie : GSM/WIFI/Bt dongles)
248
        cd /etc/sysconfig/network-scripts/
248
        cd /etc/sysconfig/network-scripts/
249
        IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
249
        IF_INTERFACES=`ls ifcfg-*|cut -d"-" -f2|grep -v "^lo"|cut -d"*" -f1`
250
        for i in $IF_INTERFACES
250
        for i in $IF_INTERFACES
251
        do
251
        do
252
                if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
252
                if [ $(/usr/sbin/ip link | grep -c " $i:") -eq 0 ]; then
253
                        rm -f ifcfg-$i
253
                        rm -f ifcfg-$i
254
 
254
 
255
                        if [ $Lang == "fr" ]
255
                        if [ $Lang == "fr" ]
256
                                then echo "Suppression : ifcfg-$i"
256
                                then echo "Suppression : ifcfg-$i"
257
                                else echo "Deleting: ifcfg-$i"
257
                                else echo "Deleting: ifcfg-$i"
258
                        fi
258
                        fi
259
                fi
259
                fi
260
        done
260
        done
261
        cd $DIR_INSTALL
261
        cd $DIR_INSTALL
262
        echo -n "."
262
        echo -n "."
263
# Test Ethernet NIC links state
263
# Test Ethernet NIC links state
264
        DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
264
        DOWN_IF=`/usr/sbin/ip link|grep "NO-CARRIER"|cut -d":" -f2|tr -d " "|grep -v "^w"`
265
        for i in $DOWN_IF
265
        for i in $DOWN_IF
266
        do
266
        do
267
                echo $i
267
                echo $i
268
                if [ $Lang == "fr" ]
268
                if [ $Lang == "fr" ]
269
                then
269
                then
270
                        echo "Échec"
270
                        echo "Échec"
271
                        echo "Le lien réseau de la carte $i n'est pas actif."
271
                        echo "Le lien réseau de la carte $i n'est pas actif."
272
                        echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
272
                        echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
273
                else
273
                else
274
                        echo "Failed"
274
                        echo "Failed"
275
                        echo "The link state of $i interface is down."
275
                        echo "The link state of $i interface is down."
276
                        echo "Make sure that this network card is connected to a switch or an A.P."
276
                        echo "Make sure that this network card is connected to a switch or an A.P."
277
                fi
277
                fi
278
                exit 0
278
                exit 0
279
        done
279
        done
280
        echo -n "."
280
        echo -n "."
281
# Test EXTIF config files
281
# Test EXTIF config files
282
        PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
282
        PUBLIC_IP_MASK=`ip addr show $EXTIF|grep "inet "|cut -d" " -f6`
283
        PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
283
        PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1`
284
        PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
284
        PUBLIC_GATEWAY=`ip route list|grep $EXTIF|grep ^default|cut -d" " -f3`
285
        if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
285
        if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
286
        then
286
        then
287
                if [ $Lang == "fr" ]
287
                if [ $Lang == "fr" ]
288
                then
288
                then
289
                        echo "Échec"
289
                        echo "Échec"
290
                        echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
290
                        echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
291
                        echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
291
                        echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
292
                        echo "Appliquez les changements : 'systemctl restart network'"
292
                        echo "Appliquez les changements : 'systemctl restart network'"
293
                else
293
                else
294
                        echo "Failed"
294
                        echo "Failed"
295
                        echo "The Internet connected network card ($EXTIF) isn't well configured."
295
                        echo "The Internet connected network card ($EXTIF) isn't well configured."
296
                        echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
296
                        echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
297
                        echo "Apply the new configuration 'systemctl restart network'"
297
                        echo "Apply the new configuration 'systemctl restart network'"
298
                fi
298
                fi
299
                echo "DEVICE=$EXTIF"
299
                echo "DEVICE=$EXTIF"
300
                echo "IPADDR="
300
                echo "IPADDR="
301
                echo "NETMASK="
301
                echo "NETMASK="
302
                echo "GATEWAY="
302
                echo "GATEWAY="
303
                echo "DNS1="
303
                echo "DNS1="
304
                echo "DNS2="
304
                echo "DNS2="
305
                echo "ONBOOT=yes"
305
                echo "ONBOOT=yes"
306
                exit 0
306
                exit 0
307
        fi
307
        fi
308
        echo -n "."
308
        echo -n "."
309
# Test if default GW is set on EXTIF (router or ISP provider equipment)
309
# Test if default GW is set on EXTIF (router or ISP provider equipment)
310
        if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
310
        if [ `ip route list|grep $EXTIF|grep -c ^default` -ne "1" ] ; then
311
                if [ $Lang == "fr" ]
311
                if [ $Lang == "fr" ]
312
                then
312
                then
313
                        echo "Échec"
313
                        echo "Échec"
314
                        echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
314
                        echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
315
                        echo "Réglez ce problème puis relancez ce script."
315
                        echo "Réglez ce problème puis relancez ce script."
316
                else
316
                else
317
                        echo "Failed"
317
                        echo "Failed"
318
                        echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
318
                        echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
319
                        echo "Resolv this problem, then restart this script."
319
                        echo "Resolv this problem, then restart this script."
320
                fi
320
                fi
321
                exit 0
321
                exit 0
322
        fi
322
        fi
323
        echo -n "."
323
        echo -n "."
324
# Test if default GW is alive
324
# Test if default GW is alive
325
        arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
325
        arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY|grep response|cut -d" " -f2`
326
        if [ $(expr $arp_reply) -eq 0 ]
326
        if [ $(expr $arp_reply) -eq 0 ]
327
                then
327
                then
328
                if [ $Lang == "fr" ]
328
                if [ $Lang == "fr" ]
329
                then
329
                then
330
                        echo "Échec"
330
                        echo "Échec"
331
                        echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
331
                        echo "Le routeur de sortie ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
332
                        echo "Réglez ce problème puis relancez ce script."
332
                        echo "Réglez ce problème puis relancez ce script."
333
                else
333
                else
334
                        echo "Failed"
334
                        echo "Failed"
335
                        echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
335
                        echo "The Internet gateway or the ISP equipment ($PUBLIC_GATEWAY) doesn't answered."
336
                        echo "Resolv this problem, then restart this script."
336
                        echo "Resolv this problem, then restart this script."
337
                fi
337
                fi
338
                exit 0
338
                exit 0
339
        fi
339
        fi
340
        echo -n "."
340
        echo -n "."
341
# Test Internet connectivity
341
# Test Internet connectivity
342
        rm -rf /tmp/con_ok.html
342
        rm -rf /tmp/con_ok.html
343
        /usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
343
        /usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
344
        if [ ! -e /tmp/con_ok.html ]
344
        if [ ! -e /tmp/con_ok.html ]
345
        then
345
        then
346
                if [ $Lang == "fr" ]
346
                if [ $Lang == "fr" ]
347
                then
347
                then
348
                        echo "La tentative de connexion vers Internet a échoué (google.fr)."
348
                        echo "La tentative de connexion vers Internet a échoué (google.fr)."
349
                        echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
349
                        echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
350
                        echo "Vérifiez la validité des adresses IP des DNS."
350
                        echo "Vérifiez la validité des adresses IP des DNS."
351
                else
351
                else
352
                        echo "The Internet connection try failed (google.fr)."
352
                        echo "The Internet connection try failed (google.fr)."
353
                        echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
353
                        echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
354
                        echo "Verify the DNS IP addresses"
354
                        echo "Verify the DNS IP addresses"
355
                fi
355
                fi
356
                exit 0
356
                exit 0
357
        fi
357
        fi
358
        rm -rf /tmp/con_ok.html
358
        rm -rf /tmp/con_ok.html
359
        echo ". : ok"
359
        echo ". : ok"
360
} # end of testing ()
360
} # end of testing ()
361
 
361
 
362
#######################################################################
362
#######################################################################
363
##                    Function "init"                                ##
363
##                    Function "init"                                ##
364
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
364
## - Creation of ALCASAR conf file "/usr/local/etc/alcasar.conf      ##
365
## - Creation of random password for GRUB, mariadb (admin and user)  ##
365
## - Creation of random password for GRUB, mariadb (admin and user)  ##
366
#######################################################################
366
#######################################################################
367
init ()
367
init ()
368
{
368
{
369
        if [ "$mode" != "update" ]
369
        if [ "$mode" != "update" ]
370
        then
370
        then
371
# On affecte le nom d'organisme
371
# On affecte le nom d'organisme
372
                header_install
372
                header_install
373
                ORGANISME=!
373
                ORGANISME=!
374
                PTN='^[a-zA-Z0-9-]*$'
374
                PTN='^[a-zA-Z0-9-]*$'
375
                until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
375
                until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
376
                do
376
                do
377
                        if [ $Lang == "fr" ]
377
                        if [ $Lang == "fr" ]
378
                                then echo -n "Entrez le nom de votre organisme : "
378
                                then echo -n "Entrez le nom de votre organisme : "
379
                                else echo -n "Enter the name of your organism : "
379
                                else echo -n "Enter the name of your organism : "
380
                        fi
380
                        fi
381
                        read ORGANISME
381
                        read ORGANISME
382
                        if [ "$ORGANISME" == "" ]
382
                        if [ "$ORGANISME" == "" ]
383
                                then
383
                                then
384
                                ORGANISME=!
384
                                ORGANISME=!
385
                        fi
385
                        fi
386
                done
386
                done
387
        fi
387
        fi
388
# On crée aléatoirement les mots de passe et les secrets partagés
388
# On crée aléatoirement les mots de passe et les secrets partagés
389
# We create random passwords and shared secrets
389
# We create random passwords and shared secrets
390
        rm -f $PASSWD_FILE
390
        rm -f $PASSWD_FILE
391
        echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
391
        echo "#####  ALCASAR ($ORGANISME) security passwords  #####" > $PASSWD_FILE
392
        grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
392
        grub2pwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`
393
        pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
393
        pbkdf2=`( echo $grub2pwd ; echo $grub2pwd ) | \
394
                LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
394
                LC_ALL=C /usr/bin/grub2-mkpasswd-pbkdf2 | \
395
                grep -v '[eE]nter password:' | \
395
                grep -v '[eE]nter password:' | \
396
                sed -e "s/PBKDF2 hash of your password is //"`
396
                sed -e "s/PBKDF2 hash of your password is //"`
397
        echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
397
        echo "GRUB2_PASSWORD=$pbkdf2" > /boot/grub2/user.cfg
398
        [ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
398
        [ -e /root/grub.default ] || cp /etc/grub.d/10_linux /root/grub.default
399
        cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
399
        cp -f $DIR_CONF/grub-10_linux /etc/grub.d/10_linux  # Request password only on menu editing attempts (not when selecting an entry)
400
        chmod 0600 /boot/grub2/user.cfg
400
        chmod 0600 /boot/grub2/user.cfg
401
        echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
401
        echo "# Login name and password to protect GRUB2 boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
402
        echo "GRUB2_user=root" >> $PASSWD_FILE
402
        echo "GRUB2_user=root" >> $PASSWD_FILE
403
        echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
403
        echo "GRUB2_password=$grub2pwd" >> $PASSWD_FILE
404
        mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
404
        mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
405
        echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
405
        echo "# Login name and Password of MariaDB administrator:" >> $PASSWD_FILE
406
        echo "db_root=$mysqlpwd" >> $PASSWD_FILE
406
        echo "db_root=$mysqlpwd" >> $PASSWD_FILE
407
        radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
407
        radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
408
        echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
408
        echo "# Login name and password of MariaDB user:" >> $PASSWD_FILE
409
        echo "db_user=$DB_USER" >> $PASSWD_FILE
409
        echo "db_user=$DB_USER" >> $PASSWD_FILE
410
        echo "db_password=$radiuspwd" >> $PASSWD_FILE
410
        echo "db_password=$radiuspwd" >> $PASSWD_FILE
411
        secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
411
        secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
412
        echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
412
        echo "# Shared secret between the script 'intercept.php' and coova-chilli:" >> $PASSWD_FILE
413
        echo "secret_uam=$secretuam" >> $PASSWD_FILE
413
        echo "secret_uam=$secretuam" >> $PASSWD_FILE
414
        secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
414
        secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c16`
415
        echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
415
        echo "# Shared secret between coova-chilli and FreeRadius:" >> $PASSWD_FILE
416
        echo "secret_radius=$secretradius" >> $PASSWD_FILE
416
        echo "secret_radius=$secretradius" >> $PASSWD_FILE
417
        chmod 640 $PASSWD_FILE
417
        chmod 640 $PASSWD_FILE
418
#  copy scripts in in /usr/local/bin
418
#  copy scripts in in /usr/local/bin
419
        cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
419
        cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
420
#  copy conf files in /usr/local/etc
420
#  copy conf files in /usr/local/etc
421
        cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
421
        cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown -R root:apache $DIR_DEST_ETC ; chmod 770 $DIR_DEST_ETC ; chmod 660 $DIR_DEST_ETC/alcasar*
422
        $SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
422
        $SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_BIN/alcasar-mysql.sh
423
# generate central conf file
423
# generate central conf file
424
        cat <<EOF > $CONF_FILE
424
        cat <<EOF > $CONF_FILE
425
##########################################
425
##########################################
426
##                                      ##
426
##                                      ##
427
##          ALCASAR Parameters          ##
427
##          ALCASAR Parameters          ##
428
##                                      ##
428
##                                      ##
429
##########################################
429
##########################################
430
 
430
 
431
INSTALL_DATE=$DATE
431
INSTALL_DATE=$DATE
432
VERSION=$VERSION
432
VERSION=$VERSION
433
ORGANISM=$ORGANISME
433
ORGANISM=$ORGANISME
434
HOSTNAME=$HOSTNAME
434
HOSTNAME=$HOSTNAME
435
DOMAIN=$DOMAIN
435
DOMAIN=$DOMAIN
436
EOF
436
EOF
437
        chmod o-rwx $CONF_FILE
437
        chmod o-rwx $CONF_FILE
438
} # End of init ()
438
} # End of init ()
439
 
439
 
440
#########################################################
440
#########################################################
441
##                    Function "network"               ##
441
##                    Function "network"               ##
442
## - Define the several network address                ##
442
## - Define the several network address                ##
443
## - Define the DNS naming                             ##
443
## - Define the DNS naming                             ##
444
## - INTIF parameters (consultation network)           ##
444
## - INTIF parameters (consultation network)           ##
445
## - Write "/etc/hosts" file                           ##
445
## - Write "/etc/hosts" file                           ##
446
## - write "hosts.allow" & "hosts.deny" files          ##
446
## - write "hosts.allow" & "hosts.deny" files          ##
447
#########################################################
447
#########################################################
448
network ()
448
network ()
449
{
449
{
450
        header_install
450
        header_install
451
        if [ "$mode" != "update" ]
451
        if [ "$mode" != "update" ]
452
                then
452
                then
453
                if [ $Lang == "fr" ]
453
                if [ $Lang == "fr" ]
454
                        then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
454
                        then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
455
                        else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
455
                        else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
456
                fi
456
                fi
457
                response=0
457
                response=0
458
                PTN='^[oOyYnN]$'
458
                PTN='^[oOyYnN]$'
459
                until [[ $(expr $response : $PTN) -gt 0 ]]
459
                until [[ $(expr $response : $PTN) -gt 0 ]]
460
                do
460
                do
461
                        if [ $Lang == "fr" ]
461
                        if [ $Lang == "fr" ]
462
                                then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
462
                                then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
463
                                else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
463
                                else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
464
                        fi
464
                        fi
465
                        read response
465
                        read response
466
                done
466
                done
467
                if [ "$response" = "n" ] || [ "$response" = "N" ]
467
                if [ "$response" = "n" ] || [ "$response" = "N" ]
468
                then
468
                then
469
                        PRIVATE_IP_MASK="0"
469
                        PRIVATE_IP_MASK="0"
470
                        PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
470
                        PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'
471
                        until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
471
                        until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
472
                        do
472
                        do
473
                                if [ $Lang == "fr" ]
473
                                if [ $Lang == "fr" ]
474
                                        then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
474
                                        then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
475
                                        else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
475
                                        else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
476
                                fi
476
                                fi
477
                                read PRIVATE_IP_MASK
477
                                read PRIVATE_IP_MASK
478
                        done
478
                        done
479
                else
479
                else
480
                                PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
480
                                PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
481
                fi
481
                fi
482
        else
482
        else
483
                PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
483
                PRIVATE_IP_MASK=`grep ^PRIVATE_IP= conf/etc/alcasar.conf|cut -d"=" -f2`
484
                rm -rf conf/etc/alcasar.conf
484
                rm -rf conf/etc/alcasar.conf
485
        fi
485
        fi
486
# Define LAN side global parameters
486
# Define LAN side global parameters
487
        hostnamectl set-hostname $HOSTNAME.$DOMAIN
487
        hostnamectl set-hostname $HOSTNAME.$DOMAIN
488
        PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`                               # private network address (ie.: 192.168.182.0)
488
        PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`                               # private network address (ie.: 192.168.182.0)
489
        private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`                                  # last octet of LAN address
489
        private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f4`                                  # last octet of LAN address
490
        PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`                               # private network mask (ie.: 255.255.255.0)
490
        PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`                               # private network mask (ie.: 255.255.255.0)
491
        PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`                                 # network prefix (ie. 24)
491
        PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`                                 # network prefix (ie. 24)
492
        PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`                                              # ALCASAR private ip address (consultation LAN side)
492
        PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`                                              # ALCASAR private ip address (consultation LAN side)
493
        if [ $PRIVATE_IP == $PRIVATE_NETWORK ]                                                          # when entering network address instead of ip address
493
        if [ $PRIVATE_IP == $PRIVATE_NETWORK ]                                                          # when entering network address instead of ip address
494
                then
494
                then
495
                PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
495
                PRIVATE_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`
496
                PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
496
                PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
497
        fi
497
        fi
498
        private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`                                            # last octet of LAN address
498
        private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4`                                            # last octet of LAN address
499
        PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`          # second network address (ex.: 192.168.182.2)
499
        PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1`          # second network address (ex.: 192.168.182.2)
500
        PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX                                           # ie.: 192.168.182.0/24
500
        PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX                                           # ie.: 192.168.182.0/24
501
        classe=$((PRIVATE_PREFIX/8))                                                                    # ie.: 2=classe B, 3=classe C
501
        classe=$((PRIVATE_PREFIX/8))                                                                    # ie.: 2=classe B, 3=classe C
502
        PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.                          # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
502
        PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.                          # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
503
        PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`                        # private network broadcast (ie.: 192.168.182.255)
503
        PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`                        # private network broadcast (ie.: 192.168.182.255)
504
        private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`                              # last octet of LAN broadcast
504
        private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f4`                              # last octet of LAN broadcast
505
        PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
505
        PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
506
        PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`      # last network address (ex.: 192.168.182.254)
506
        PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`      # last network address (ex.: 192.168.182.254)
507
        PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'`      # MAC address of INTIF
507
        PRIVATE_MAC=`/usr/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'`      # MAC address of INTIF
508
# Define Internet parameters
508
# Define Internet parameters
509
        if [ "$mode" != "update" ]
509
        if [ "$mode" != "update" ]
510
        then
510
        then
511
                DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`   # 1st DNS server
511
                DNS1=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS1='| cut -d"=" -f2`   # 1st DNS server
512
                DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`  # 2nd DNS server
512
                DNS2=`cat /etc/sysconfig/network-scripts/ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`  # 2nd DNS server
513
        else
513
        else
514
                DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`  # 1st DNS server
514
                DNS1=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS1=' | cut -d"=" -f2`  # 1st DNS server
515
                DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`  # 2nd DNS server
515
                DNS2=`cat /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF | grep '^DNS2=' | cut -d"=" -f2`  # 2nd DNS server
516
        fi
516
        fi
517
        if [ "$DNS1" == "" ]
517
        if [ "$DNS1" == "" ]
518
        then
518
        then
519
                if [ $Lang == "fr" ]
519
                if [ $Lang == "fr" ]
520
                then
520
                then
521
                        echo "L'adresse IP des serveurs DNS ne sont pas corrects"
521
                        echo "L'adresse IP des serveurs DNS ne sont pas corrects"
522
                        echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
522
                        echo "Vérifiez la configuration de la carte réseau externe ($EXTIF)"
523
                else
523
                else
524
                        echo "The IP address of DNS servers are not set correctly"
524
                        echo "The IP address of DNS servers are not set correctly"
525
                        echo "Check the extern network card configuration ($EXTIF)"
525
                        echo "Check the extern network card configuration ($EXTIF)"
526
                fi
526
                fi
527
                exit 0
527
                exit 0
528
        fi
528
        fi
529
        DNS1=${DNS1:=208.67.220.220}
529
        DNS1=${DNS1:=208.67.220.220}
530
        DNS2=${DNS2:=208.67.222.222}
530
        DNS2=${DNS2:=208.67.222.222}
531
        PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
531
        PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2`
532
        PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
532
        PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`
533
        PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
533
        PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`
534
# Write network parameters in the conf file
534
# Write network parameters in the conf file
535
        echo "EXTIF=$EXTIF" >> $CONF_FILE
535
        echo "EXTIF=$EXTIF" >> $CONF_FILE
536
        echo "INTIF=$INTIF" >> $CONF_FILE
536
        echo "INTIF=$INTIF" >> $CONF_FILE
537
        ######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
537
        ######## Récupération des interfaces du ou des réseaux de consultation supplémentaires #################
538
        INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
538
        INTERFACES=`/usr/sbin/ip link|grep '^[[:digit:]]:'|grep -v "^lo\|$EXTIF\|tun0"|cut -d " " -f2|tr -d ":"`
539
        for i in $INTERFACES
539
        for i in $INTERFACES
540
        do
540
        do
541
                SUB=`echo ${i:0:2}`
541
                SUB=`echo ${i:0:2}`
542
                if [ $SUB = "wl" ]
542
                if [ $SUB = "wl" ]
543
                        then WIFIF=$i
543
                        then WIFIF=$i
544
                elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
544
                elif [ "$i" != "$INTIF" ] && [ $SUB != "ww" ]
545
                        then LANIF=$i
545
                        then LANIF=$i
546
                fi
546
                fi
547
        done
547
        done
548
        if [ -n "$WIFIF" ]
548
        if [ -n "$WIFIF" ]
549
                then echo "WIFIF=$WIFIF" >> $CONF_FILE
549
                then echo "WIFIF=$WIFIF" >> $CONF_FILE
550
        elif [ -n "$LANIF" ]
550
        elif [ -n "$LANIF" ]
551
                then echo "LANIF=$LANIF" >> $CONF_FILE
551
                then echo "LANIF=$LANIF" >> $CONF_FILE
552
        fi
552
        fi
553
        #########################################################################################################
553
        #########################################################################################################
554
        IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
554
        IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2` # test static or dynamic
555
        if [ $IP_SETTING == "dhcp" ]
555
        if [ $IP_SETTING == "dhcp" ]
556
                then
556
                then
557
                echo "PUBLIC_IP=dhcp" >> $CONF_FILE
557
                echo "PUBLIC_IP=dhcp" >> $CONF_FILE
558
                echo "GW=dhcp" >> $CONF_FILE
558
                echo "GW=dhcp" >> $CONF_FILE
559
        else
559
        else
560
                echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
560
                echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
561
                echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
561
                echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
562
        fi
562
        fi
563
        echo "DNS1=$DNS1" >> $CONF_FILE
563
        echo "DNS1=$DNS1" >> $CONF_FILE
564
        echo "DNS2=$DNS2" >> $CONF_FILE
564
        echo "DNS2=$DNS2" >> $CONF_FILE
565
        echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
565
        echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
566
        echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
566
        echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
567
        echo "DHCP=on" >> $CONF_FILE
567
        echo "DHCP=on" >> $CONF_FILE
568
        echo "EXT_DHCP_IP=none" >> $CONF_FILE
568
        echo "EXT_DHCP_IP=none" >> $CONF_FILE
569
        echo "RELAY_DHCP_IP=none" >> $CONF_FILE
569
        echo "RELAY_DHCP_IP=none" >> $CONF_FILE
570
        echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
570
        echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
571
        echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
571
        echo "INT_DNS_DOMAIN=none" >> $CONF_FILE
572
        echo "INT_DNS_IP=none" >> $CONF_FILE
572
        echo "INT_DNS_IP=none" >> $CONF_FILE
573
        echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
573
        echo "INT_DNS_ACTIVE=off" >> $CONF_FILE
574
# network default
574
# network default
575
        [ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
575
        [ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default
576
        cat <<EOF > /etc/sysconfig/network
576
        cat <<EOF > /etc/sysconfig/network
577
NETWORKING=yes
577
NETWORKING=yes
578
FORWARD_IPV4=true
578
FORWARD_IPV4=true
579
EOF
579
EOF
580
# write "/etc/hosts"
580
# write "/etc/hosts"
581
        [ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
581
        [ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default
582
        cat <<EOF > /etc/hosts
582
        cat <<EOF > /etc/hosts
583
127.0.0.1       localhost
583
127.0.0.1       localhost
584
$PRIVATE_IP     $HOSTNAME
584
$PRIVATE_IP     $HOSTNAME
585
EOF
585
EOF
586
# write EXTIF (Internet) config
586
# write EXTIF (Internet) config
587
        [ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
587
        [ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
588
        if [ $IP_SETTING == "dhcp" ]
588
        if [ $IP_SETTING == "dhcp" ]
589
                then
589
                then
590
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
590
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
591
DEVICE=$EXTIF
591
DEVICE=$EXTIF
592
BOOTPROTO=dhcp
592
BOOTPROTO=dhcp
593
DNS1=127.0.0.1
593
DNS1=127.0.0.1
594
PEERDNS=no
594
PEERDNS=no
595
RESOLV_MODS=yes
595
RESOLV_MODS=yes
596
ONBOOT=yes
596
ONBOOT=yes
597
NOZEROCONF=yes
597
NOZEROCONF=yes
598
METRIC=10
598
METRIC=10
599
MII_NOT_SUPPORTED=yes
599
MII_NOT_SUPPORTED=yes
600
IPV6INIT=no
600
IPV6INIT=no
601
IPV6TO4INIT=no
601
IPV6TO4INIT=no
602
ACCOUNTING=no
602
ACCOUNTING=no
603
USERCTL=no
603
USERCTL=no
604
MTU=$MTU
604
MTU=$MTU
605
EOF
605
EOF
606
                else
606
                else
607
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
607
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
608
DEVICE=$EXTIF
608
DEVICE=$EXTIF
609
BOOTPROTO=static
609
BOOTPROTO=static
610
IPADDR=$PUBLIC_IP
610
IPADDR=$PUBLIC_IP
611
NETMASK=$PUBLIC_NETMASK
611
NETMASK=$PUBLIC_NETMASK
612
GATEWAY=$PUBLIC_GATEWAY
612
GATEWAY=$PUBLIC_GATEWAY
613
DNS1=127.0.0.1
613
DNS1=127.0.0.1
614
RESOLV_MODS=yes
614
RESOLV_MODS=yes
615
ONBOOT=yes
615
ONBOOT=yes
616
METRIC=10
616
METRIC=10
617
NOZEROCONF=yes
617
NOZEROCONF=yes
618
MII_NOT_SUPPORTED=yes
618
MII_NOT_SUPPORTED=yes
619
IPV6INIT=no
619
IPV6INIT=no
620
IPV6TO4INIT=no
620
IPV6TO4INIT=no
621
ACCOUNTING=no
621
ACCOUNTING=no
622
USERCTL=no
622
USERCTL=no
623
MTU=$MTU
623
MTU=$MTU
624
EOF
624
EOF
625
        fi
625
        fi
626
# write INTIF (consultation LAN) in normal mode
626
# write INTIF (consultation LAN) in normal mode
627
        cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
627
        cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
628
DEVICE=$INTIF
628
DEVICE=$INTIF
629
BOOTPROTO=static
629
BOOTPROTO=static
630
ONBOOT=yes
630
ONBOOT=yes
631
NOZEROCONF=yes
631
NOZEROCONF=yes
632
MII_NOT_SUPPORTED=yes
632
MII_NOT_SUPPORTED=yes
633
IPV6INIT=no
633
IPV6INIT=no
634
IPV6TO4INIT=no
634
IPV6TO4INIT=no
635
ACCOUNTING=no
635
ACCOUNTING=no
636
USERCTL=no
636
USERCTL=no
637
EOF
637
EOF
638
        cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
638
        cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
639
# write INTIF in bypass mode (see "alcasar-bypass.sh")
639
# write INTIF in bypass mode (see "alcasar-bypass.sh")
640
        cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
640
        cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
641
DEVICE=$INTIF
641
DEVICE=$INTIF
642
BOOTPROTO=static
642
BOOTPROTO=static
643
IPADDR=$PRIVATE_IP
643
IPADDR=$PRIVATE_IP
644
NETMASK=$PRIVATE_NETMASK
644
NETMASK=$PRIVATE_NETMASK
645
ONBOOT=yes
645
ONBOOT=yes
646
METRIC=10
646
METRIC=10
647
NOZEROCONF=yes
647
NOZEROCONF=yes
648
MII_NOT_SUPPORTED=yes
648
MII_NOT_SUPPORTED=yes
649
IPV6INIT=no
649
IPV6INIT=no
650
IPV6TO4INIT=no
650
IPV6TO4INIT=no
651
ACCOUNTING=no
651
ACCOUNTING=no
652
USERCTL=no
652
USERCTL=no
653
EOF
653
EOF
654
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
654
######### Config WIFIF (consultation WIFI) ou LANIF (consultation LAN) in normal mode #################
655
        if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
655
        if [ -n "$WIFIF" ] && [ "$WIFIF" != "$INTIF" ]
656
        then
656
        then
657
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
657
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$WIFIF
658
DEVICE=$WIFIF
658
DEVICE=$WIFIF
659
BOOTPROTO=static
659
BOOTPROTO=static
660
ONBOOT=yes
660
ONBOOT=yes
661
NOZEROCONF=yes
661
NOZEROCONF=yes
662
MII_NOT_SUPPORTED=yes
662
MII_NOT_SUPPORTED=yes
663
IPV6INIT=no
663
IPV6INIT=no
664
IPV6TO4INIT=no
664
IPV6TO4INIT=no
665
ACCOUNTING=no
665
ACCOUNTING=no
666
USERCTL=no
666
USERCTL=no
667
EOF
667
EOF
668
        elif [ -n "$LANIF" ]
668
        elif [ -n "$LANIF" ]
669
        then
669
        then
670
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
670
                cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$LANIF
671
DEVICE=$LANIF
671
DEVICE=$LANIF
672
BOOTPROTO=static
672
BOOTPROTO=static
673
ONBOOT=yes
673
ONBOOT=yes
674
NOZEROCONF=yes
674
NOZEROCONF=yes
675
MII_NOT_SUPPORTED=yes
675
MII_NOT_SUPPORTED=yes
676
IPV6INIT=no
676
IPV6INIT=no
677
IPV6TO4INIT=no
677
IPV6TO4INIT=no
678
ACCOUNTING=no
678
ACCOUNTING=no
679
USERCTL=no
679
USERCTL=no
680
EOF
680
EOF
681
        fi
681
        fi
682
        #########################################################################################################
682
        #########################################################################################################
683
# write hosts.allow & hosts.deny
683
# write hosts.allow & hosts.deny
684
        [ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
684
        [ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default
685
        cat <<EOF > /etc/hosts.allow
685
        cat <<EOF > /etc/hosts.allow
686
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
686
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
687
sshd: ALL
687
sshd: ALL
688
ntpd: $PRIVATE_NETWORK_SHORT
688
ntpd: $PRIVATE_NETWORK_SHORT
689
EOF
689
EOF
690
        [ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
690
        [ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
691
        cat <<EOF > /etc/hosts.deny
691
        cat <<EOF > /etc/hosts.deny
692
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
692
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
693
EOF
693
EOF
694
        chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
694
        chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
695
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
695
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
696
        echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
696
        echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
697
# load conntrack ftp module
697
# load conntrack ftp module
698
        [ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
698
        [ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
699
        echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
699
        echo "nf_conntrack_ftp" >>  /etc/modprobe.preload
700
# load ipt_NETFLOW module
700
# load ipt_NETFLOW module
701
        echo "ipt_NETFLOW" >>  /etc/modprobe.preload
701
        echo "ipt_NETFLOW" >>  /etc/modprobe.preload
702
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
702
# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
703
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
703
[ -e /lib/systemd/system/iptables.service.default ] || cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
704
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
704
$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
705
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
705
[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
706
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
706
$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
707
#
707
#
708
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
708
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
709
} # End of network ()
709
} # End of network ()
710
 
710
 
711
###################################################
711
###################################################
712
##                  Function "ACC"               ##
712
##                  Function "ACC"               ##
713
## - copy ALCASAR Control Center (ACC) files     ##
713
## - copy ALCASAR Control Center (ACC) files     ##
714
## - configuration of the web server (Lighttpd)  ##
714
## - configuration of the web server (Lighttpd)  ##
715
## - creation of the first ACC admin account     ##
715
## - creation of the first ACC admin account     ##
716
## - secure the ACC access                       ##
716
## - secure the ACC access                       ##
717
###################################################
717
###################################################
718
ACC ()
718
ACC ()
719
{
719
{
720
        [ -d $DIR_WEB ] && rm -rf $DIR_WEB
720
        [ -d $DIR_WEB ] && rm -rf $DIR_WEB
721
        mkdir $DIR_WEB
721
        mkdir $DIR_WEB
722
# Copy & adapt ACC files
722
# Copy & adapt ACC files
723
        cp -rf $DIR_INSTALL/web/* $DIR_WEB/
723
        cp -rf $DIR_INSTALL/web/* $DIR_WEB/
724
        $SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
724
        $SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
725
        $SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
725
        $SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
726
        $SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
726
        $SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
727
        $SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
727
        $SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
728
        chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
728
        chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
729
        chown -R apache:apache $DIR_WEB/*
729
        chown -R apache:apache $DIR_WEB/*
730
# copy & adapt "freeradius-web" files
730
# copy & adapt "freeradius-web" files
731
        cp -rf $DIR_CONF/freeradius-web/ /etc/
731
        cp -rf $DIR_CONF/freeradius-web/ /etc/
732
        [ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
732
        [ -e /etc/freeradius-web/admin.conf.default ] || cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
733
        $SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
733
        $SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
734
        $SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
734
        $SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
735
        $SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
735
        $SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
736
        cat <<EOF > /etc/freeradius-web/naslist.conf
736
        cat <<EOF > /etc/freeradius-web/naslist.conf
737
nas1_name: alcasar-$ORGANISME
737
nas1_name: alcasar-$ORGANISME
738
nas1_model: Network Access Controler
738
nas1_model: Network Access Controler
739
nas1_ip: $PRIVATE_IP
739
nas1_ip: $PRIVATE_IP
740
nas1_port_num: 0
740
nas1_port_num: 0
741
nas1_community: public
741
nas1_community: public
742
EOF
742
EOF
743
        chown -R apache:apache /etc/freeradius-web/
743
        chown -R apache:apache /etc/freeradius-web/
744
# create the log & backup structure :
744
# create the log & backup structure :
745
# - base = users database
745
# - base = users database
746
# - archive = tarball of "base + http firewall + netflow"
746
# - archive = tarball of "base + http firewall + netflow"
747
# - security = watchdog log
747
# - security = watchdog log
748
        for i in base archive security activity_report;
748
        for i in base archive security activity_report;
749
        do
749
        do
750
                [ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
750
                [ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i
751
        done
751
        done
752
        chown -R root:apache $DIR_SAVE
752
        chown -R root:apache $DIR_SAVE
753
# Configuring & securing php
753
# Configuring & securing php
754
        [ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
754
        [ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default
755
        timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
755
        timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`
756
        $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
756
        $SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
757
        $SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
757
        $SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
758
        $SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
758
        $SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
759
        $SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
759
        $SED "s?^display_errors.*?display_errors = Off?" /etc/php.ini
760
        $SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
760
        $SED "s?^display_startup_errors.*?display_startup_errors = Off?" /etc/php.ini
761
        $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
761
        $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
762
        $SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
762
        $SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
763
        $SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
763
        $SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
764
# Configuring & securing Lighttpd
764
# Configuring & securing Lighttpd
765
        rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
765
        rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
766
        [ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
766
        [ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
767
        [ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
767
        [ -e /etc/lighttpd/modules.conf.default ] || cp /etc/lighttpd/modules.conf /etc/lighttpd/modules.conf.default
768
        [ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
768
        [ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
769
        [ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
769
        [ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
770
        [ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
770
        [ -d /etc/lighttpd/vhosts.d ] || mkdir /etc/lighttpd/vhosts.d
771
 
771
 
772
        cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
772
        cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
773
        cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf
773
        cp $DIR_CONF/lighttpd/vhosts.d/alcasar.conf /etc/lighttpd/vhosts.d/alcasar.conf
774
 
774
 
775
        $SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
775
        $SED "s?^;listen\.owner.*?listen\.owner = apache?g" /etc/php-fpm.conf
776
        $SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
776
        $SED "s?^;listen\.group.*?listen\.group = apache?g" /etc/php-fpm.conf
777
        $SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
777
        $SED "s?^;listen\.mode.*?listen\.mode = 0660?g" /etc/php-fpm.conf
778
        $SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
778
        $SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
779
        $SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
779
        $SED "s?^#server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
780
        $SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
780
        $SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
781
        echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
781
        echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
782
        $SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
782
        $SED "s?^#[ ]*\"mod_auth\",.*? \"mod_auth\",?g" /etc/lighttpd/modules.conf
783
        $SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
783
        $SED "s?^#[ ]*\"mod_alias\",.*? \"mod_alias\",?g" /etc/lighttpd/modules.conf
784
        $SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
784
        $SED "s?^#[ ]*\"mod_redirect\",.*? \"mod_redirect\",?g" /etc/lighttpd/modules.conf
785
        $SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
785
        $SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
786
        $SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
786
        $SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf
787
        $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
787
        $SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf
788
        $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
788
        $SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf
789
 
789
 
790
        [ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
790
        [ -d /var/log/lighttpd ] || mkdir /var/log/lighttpd
791
        [ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
791
        [ -e /var/log/lighttpd/access.log ] || touch /var/log/lighttpd/access.log
792
        [ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
792
        [ -e /var/log/lighttpd/error.log ] || touch /var/log/lighttpd/error.log
793
        chown -R apache:apache /var/log/lighttpd
793
        chown -R apache:apache /var/log/lighttpd
794
       
794
       
795
        /usr/bin/systemctl start lighttpd
795
        /usr/bin/systemctl start lighttpd
796
        /usr/bin/systemctl start php-fpm
796
        /usr/bin/systemctl start php-fpm
797
 
797
 
798
# Creation of the first account (in 'admin' profile)
798
# Creation of the first account (in 'admin' profile)
799
        if [ "$mode" = "install" ]
799
        if [ "$mode" = "install" ]
800
                then
800
                then
801
                        header_install
801
                        header_install
802
# Creation of keys file for the admin account ("admin")
802
# Creation of keys file for the admin account ("admin")
803
                        [ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
803
                        [ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
804
                        mkdir -p $DIR_DEST_ETC/digest
804
                        mkdir -p $DIR_DEST_ETC/digest
805
                        chmod 755 $DIR_DEST_ETC/digest
805
                        chmod 755 $DIR_DEST_ETC/digest
806
                        until [ -s $DIR_DEST_ETC/digest/key_admin ]
806
                        until [ -s $DIR_DEST_ETC/digest/key_admin ]
807
                        do
807
                        do
808
                                $DIR_DEST_BIN/alcasar-profil.sh --add admin
808
                                $DIR_DEST_BIN/alcasar-profil.sh --add admin
809
                        done
809
                        done
810
        fi
810
        fi
811
 
811
 
812
        # Run after coova (in order to wait tun0 to be up)
812
        # Run after coova (in order to wait tun0 to be up)
813
        $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
813
        $SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/lighttpd.service
814
        # Log file for ACC access imputability
814
        # Log file for ACC access imputability
815
        [ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
815
        [ -e /var/Save/security/acc_access.log ] || touch /var/Save/security/acc_access.log
816
        chown root:apache /var/Save/security/acc_access.log
816
        chown root:apache /var/Save/security/acc_access.log
817
        chmod 664 /var/Save/security/acc_access.log
817
        chmod 664 /var/Save/security/acc_access.log
818
} # End of ACC ()
818
} # End of ACC ()
819
 
819
 
820
##################################################################
820
##################################################################
821
##                               Fonction "CA"                  ##
821
##                               Fonction "CA"                  ##
822
## - Creating the CA and the server certificate (lighttpd)      ##
822
## - Creating the CA and the server certificate (lighttpd)      ##
823
##################################################################
823
##################################################################
824
CA ()
824
CA ()
825
{
825
{
826
        $DIR_DEST_BIN/alcasar-CA.sh
826
        $DIR_DEST_BIN/alcasar-CA.sh
827
        chown -R root:apache /etc/pki
827
        chown -R root:apache /etc/pki
828
        chmod -R 750 /etc/pki
828
        chmod -R 750 /etc/pki
829
} # End of CA ()
829
} # End of CA ()
830
 
830
 
831
#############################################################
831
#############################################################
832
##               Function "time_server"                    ##
832
##               Function "time_server"                    ##
833
## - Configuring NTP server                                ##
833
## - Configuring NTP server                                ##
834
#############################################################
834
#############################################################
835
time_server ()
835
time_server ()
836
{
836
{
837
# Set the Internet time server
837
# Set the Internet time server
838
        [ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
838
        [ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
839
        cat <<EOF > /etc/ntp/step-tickers
839
        cat <<EOF > /etc/ntp/step-tickers
840
0.fr.pool.ntp.org       # adapt to your country
840
0.fr.pool.ntp.org       # adapt to your country
841
1.fr.pool.ntp.org
841
1.fr.pool.ntp.org
842
2.fr.pool.ntp.org
842
2.fr.pool.ntp.org
843
EOF
843
EOF
844
        [ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
844
        [ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
845
        cat <<EOF > /etc/ntp.conf
845
        cat <<EOF > /etc/ntp.conf
846
server 0.fr.pool.ntp.org        # adapt to your country
846
server 0.fr.pool.ntp.org        # adapt to your country
847
server 1.fr.pool.ntp.org
847
server 1.fr.pool.ntp.org
848
server 2.fr.pool.ntp.org
848
server 2.fr.pool.ntp.org
849
server 127.127.1.0              # local clock si NTP internet indisponible ...
849
server 127.127.1.0              # local clock si NTP internet indisponible ...
850
fudge 127.127.1.0 stratum 10
850
fudge 127.127.1.0 stratum 10
851
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
851
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
852
restrict 127.0.0.1
852
restrict 127.0.0.1
853
driftfile /var/lib/ntp/drift
853
driftfile /var/lib/ntp/drift
854
logfile /var/log/ntp.log
854
logfile /var/log/ntp.log
855
disable monitor
855
disable monitor
856
EOF
856
EOF
857
        chown -R ntp:ntp /var/lib/ntp
857
        chown -R ntp:ntp /var/lib/ntp
858
# Synchronize now
858
# Synchronize now
859
        ntpd -q -g &
859
        ntpd -q -g &
860
} # End of time_server ()
860
} # End of time_server ()
861
 
861
 
862
#####################################################################
862
#####################################################################
863
##                     Function "init_db"                          ##
863
##                     Function "init_db"                          ##
864
## - Mysql initialization                                          ##
864
## - Mysql initialization                                          ##
865
## - Set admin (root) password                                     ##
865
## - Set admin (root) password                                     ##
866
## - Remove unused users & databases                               ##
866
## - Remove unused users & databases                               ##
867
## - Radius database creation                                      ##
867
## - Radius database creation                                      ##
868
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
868
## - Copy of accounting tables (mtotacct, totacct) & userinfo      ##
869
#####################################################################
869
#####################################################################
870
init_db ()
870
init_db ()
871
{
871
{
872
        if [ `systemctl is-active mysqld` == "active" ]
872
        if [ `systemctl is-active mysqld` == "active" ]
873
        then
873
        then
874
                systemctl stop mysqld
874
                systemctl stop mysqld
875
        fi
875
        fi
876
        rm -rf /var/lib/mysql # to be sure that there is no former installation
876
        rm -rf /var/lib/mysql # to be sure that there is no former installation
877
        [ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
877
        [ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default
878
        $SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
878
        $SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
879
        $SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
879
        $SED "s?^port.*?#&?g" /etc/my.cnf # we use unix socket only
880
        $SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
880
        $SED "s?^;collation_server =.*?collation_server = utf8_unicode_ci?g" /etc/my.cnf
881
        $SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
881
        $SED "s?^;character_set_server =.*?character_set_server = utf8?g" /etc/my.cnf  # accentuated user names are allowed
882
        $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
882
        $SED "s?^plugin-load.*?#&?g" /etc/my.cnf.d/feedback.cnf # remove the feedback plugin (ALCASAR doesn't report anything !)
883
        /usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
883
        /usr/sbin/mysqld-prepare-db-dir > /dev/null 2>&1
884
        /usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
884
        /usr/bin/systemctl set-environment MYSQLD_OPTS="--skip-grant-tables --skip-networking"
885
        /usr/bin/systemctl start mysqld
885
        /usr/bin/systemctl start mysqld
886
        nb_round=1
886
        nb_round=1
887
        while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
887
        while [ ! -S /var/lib/mysql/mysql.sock ] && [ $nb_round -lt 10 ] # we wait until mariadb is on
888
        do
888
        do
889
                nb_round=`expr $nb_round + 1`
889
                nb_round=`expr $nb_round + 1`
890
                sleep 2
890
                sleep 2
891
        done
891
        done
892
        if [ ! -S /var/lib/mysql/mysql.sock ]
892
        if [ ! -S /var/lib/mysql/mysql.sock ]
893
        then
893
        then
894
                echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
894
                echo "Problème : la base données 'MariaDB' ne s'est pas lancée !"
895
                exit
895
                exit
896
        fi
896
        fi
897
        MYSQL="/usr/bin/mysql --execute"
897
        MYSQL="/usr/bin/mysql --execute"
898
# Secure the server
898
# Secure the server
899
        $MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
899
        $MYSQL="GRANT ALL PRIVILEGES ON *.* TO root@'localhost' IDENTIFIED BY '$mysqlpwd';"
900
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
900
        MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
901
        $MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
901
        $MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
902
        $MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
902
        $MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
903
# Create 'radius' database
903
# Create 'radius' database
904
        $MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
904
        $MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
905
# Add an empty radius database structure
905
# Add an empty radius database structure
906
        mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
906
        mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/empty-radiusd-db.sql
907
# modify the start script in order to close accounting connexion when the system is comming down or up
907
# modify the start script in order to close accounting connexion when the system is comming down or up
908
        [ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
908
        [ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
909
        $SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
909
        $SED "/^ExecStart=/a ExecStop=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
910
        $SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
910
        $SED "/^ExecStop=/a ExecStartPost=$DIR_DEST_BIN/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
911
        /usr/bin/systemctl unset-environment MYSQLD_OPTS
911
        /usr/bin/systemctl unset-environment MYSQLD_OPTS
912
        /usr/bin/systemctl daemon-reload
912
        /usr/bin/systemctl daemon-reload
913
} # End of init_db ()
913
} # End of init_db ()
914
 
914
 
915
###################################################################
915
###################################################################
916
##                       Function "freeradius"                   ##
916
##                       Function "freeradius"                   ##
917
## - Set the configuration files                                 ##
917
## - Set the configuration files                                 ##
918
## - Set the shared secret between coova-chilli and freeradius   ##
918
## - Set the shared secret between coova-chilli and freeradius   ##
919
## - Adapt the Mysql conf file and counters                      ##
919
## - Adapt the Mysql conf file and counters                      ##
920
###################################################################
920
###################################################################
921
freeradius ()
921
freeradius ()
922
{
922
{
923
        cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
923
        cp -f $DIR_CONF/empty-radiusd-db.sql /etc/raddb/
924
        chown -R radius:radius /etc/raddb
924
        chown -R radius:radius /etc/raddb
925
        [ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
925
        [ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
926
# Set radius global parameters (radius.conf)
926
# Set radius global parameters (radius.conf)
927
        $SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
927
        $SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf
928
        $SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
928
        $SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf
929
        $SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
929
        $SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf
930
        $SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
930
        $SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf # remove the proxy function
931
        $SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
931
        $SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf # remove the proxy function
932
 
932
 
933
# Add ALCASAR dictionary
933
# Add ALCASAR dictionary
934
        cp $DIR_CONF/radius/dictionary.alcasar /usr/share/freeradius/dictionary.alcasar
934
        cp $DIR_CONF/radius/dictionary.alcasar /usr/share/freeradius/dictionary.alcasar
935
        echo -e '\n$INCLUDE dictionary.alcasar' >> /usr/share/freeradius/dictionary
935
        echo -e '\n$INCLUDE dictionary.alcasar' >> /usr/share/freeradius/dictionary
936
# Add CoovaChilli dictionary
936
# Add CoovaChilli dictionary
937
        cp /usr/share/doc/coova-chilli/dictionary.coovachilli /usr/share/freeradius/dictionary.coovachilli
937
        cp /usr/share/doc/coova-chilli/dictionary.coovachilli /usr/share/freeradius/dictionary.coovachilli
938
        echo -e '\n$INCLUDE dictionary.coovachilli' >> /usr/share/freeradius/dictionary
938
        echo -e '\n$INCLUDE dictionary.coovachilli' >> /usr/share/freeradius/dictionary
939
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
939
# Set "client.conf" to describe radius clients (coova on 127.0.0.1)
940
        [ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
940
        [ -e /etc/raddb/clients.conf.default ] || cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
941
        cat << EOF > /etc/raddb/clients.conf
941
        cat << EOF > /etc/raddb/clients.conf
942
client localhost {
942
client localhost {
943
        ipaddr = 127.0.0.1
943
        ipaddr = 127.0.0.1
944
        secret = $secretradius
944
        secret = $secretradius
945
        shortname = chilli
945
        shortname = chilli
946
        nas_type = other
946
        nas_type = other
947
}
947
}
948
EOF
948
EOF
949
# Set Virtual server (remvove all except "alcasar virtual site")
949
# Set Virtual server (remvove all except "alcasar virtual site")
950
        rm -f /etc/raddb/sites-enabled/*
950
        rm -f /etc/raddb/sites-enabled/*
951
        cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
951
        cp $DIR_CONF/radius/alcasar /etc/raddb/sites-available/alcasar
952
        cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
952
        cp $DIR_CONF/radius/alcasar-with-ldap /etc/raddb/sites-available/alcasar-with-ldap
953
        chown radius:apache /etc/raddb/sites-available/alcasar*
953
        chown radius:apache /etc/raddb/sites-available/alcasar*
954
        chmod 660 /etc/raddb/sites-available/alcasar*
954
        chmod 660 /etc/raddb/sites-available/alcasar*
955
        ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
955
        ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
956
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
956
# INFO : To connect from outside (EAP), add the EAP virtual server (link in sites-enabled) and inner-tunnel modules (link in mods-enabled)
957
 
957
 
958
# Set modules
958
# Set modules
959
# Add custom LDAP "available module"
959
# Add custom LDAP "available module"
960
        cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
960
        cp -f $DIR_CONF/radius/ldap-alcasar /etc/raddb/mods-available/
961
        chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
961
        chown -R radius:radius /etc/raddb/mods-available/ldap-alcasar
962
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
962
# Set only usefull modules for ALCASAR (ldap is enabled only via ACC)
963
        rm -rf  /etc/raddb/mods-enabled/*
963
        rm -rf  /etc/raddb/mods-enabled/*
964
        for mods in sql sqlcounter attr_filter expiration logintime pap expr
964
        for mods in sql sqlcounter attr_filter expiration logintime pap expr
965
        do
965
        do
966
                ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
966
                ln -s /etc/raddb/mods-available/$mods /etc/raddb/mods-enabled/$mods
967
        done
967
        done
968
# Configure SQL mod
968
# Configure SQL mod
969
        [ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
969
        [ -e /etc/raddb/mods-available/sql.default ] || cp /etc/raddb/mods-available/sql /etc/raddb/mods-available/sql.default
970
        $SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
970
        $SED "s?^[\t ]*driver =.*?driver = \"rlm_sql_mysql\"?g" /etc/raddb/mods-available/sql
971
        $SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
971
        $SED "s?^[\t ]*dialect =.*?dialect = \"mysql\"?g" /etc/raddb/mods-available/sql
972
        $SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
972
        $SED "s?^[\t ]*radius_db =.*?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/mods-available/sql
973
        $SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
973
        $SED "s?^#[\t ]*server =.*?server = \"localhost\"?g" /etc/raddb/mods-available/sql
974
        $SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
974
        $SED "s?^#[\t ]*port =.*?port = \"3306\"?g" /etc/raddb/mods-available/sql
975
        $SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
975
        $SED "s?^#[\t ]*login =.*?login = \"$DB_USER\"?g" /etc/raddb/mods-available/sql
976
        $SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
976
        $SED "s?^#[\t ]*password =.*?password = \"$radiuspwd\"?g" /etc/raddb/mods-available/sql
977
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
977
# queries.conf modifications : case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.
978
        [ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
978
        [ -e /etc/raddb/mods-config/sql/main/mysql/queries.conf.default ] || cp /etc/raddb/mods-config/sql/main/mysql/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf.default
979
        cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
979
        cp -f $DIR_CONF/radius/queries.conf /etc/raddb/mods-config/sql/main/mysql/queries.conf
980
        chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
980
        chown -R radius:radius /etc/raddb/mods-config/sql/main/mysql/queries.conf
981
# sqlcounter modifications
981
# sqlcounter modifications
982
        [ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
982
        [ -e /etc/raddb/mods-available/sqlcounter.default ] || cp /etc/raddb/mods-available/sqlcounter /etc/raddb/mods-available/sqlcounter.default
983
        cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
983
        cp -f $DIR_CONF/radius/sqlcounter /etc/raddb/mods-available/sqlcounter
984
        chown -R radius:radius /etc/raddb/mods-available/sqlcounter
984
        chown -R radius:radius /etc/raddb/mods-available/sqlcounter
985
        [ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default
985
        [ -e /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf.default
986
        cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
986
        cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/dailycounter.conf
987
query = "\
987
query = "\
988
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)),0)) \
988
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)),0)) \
989
    FROM radacct \
989
    FROM radacct \
990
    WHERE username = '%{\${key}}' \
990
    WHERE username = '%{\${key}}' \
991
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
991
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
992
EOF
992
EOF
993
        [ -e /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default
993
        [ -e /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf.default
994
        cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
994
        cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/monthlycounter.conf
995
query = "\
995
query = "\
996
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
996
    SELECT IFNULL((SELECT SUM(acctsessiontime - GREATEST((%%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
997
    FROM radacct \
997
    FROM radacct \
998
    WHERE username='%{\${key}}' \
998
    WHERE username='%{\${key}}' \
999
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
999
    AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '%%b'),0)"
1000
EOF
1000
EOF
1001
        [ -e /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default
1001
        [ -e /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf.default
1002
        cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
1002
        cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/noresetcounter.conf
1003
query = "\
1003
query = "\
1004
    SELECT IFNULL(SUM(AcctSessionTime),0) \
1004
    SELECT IFNULL(SUM(AcctSessionTime),0) \
1005
    FROM radacct \
1005
    FROM radacct \
1006
    WHERE username='%{\${key}}'"
1006
    WHERE username='%{\${key}}'"
1007
EOF
1007
EOF
1008
        [ -e /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default
1008
        [ -e /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default ] || cp /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf.default
1009
        cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
1009
        cat << EOF > /etc/raddb/mods-config/sql/counter/mysql/expire_on_login.conf
1010
query = "\
1010
query = "\
1011
    SELECT IFNULL((SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
1011
    SELECT IFNULL((SELECT TIME_TO_SEC(TIMEDIFF(NOW(), acctstarttime)) \
1012
    FROM radacct \
1012
    FROM radacct \
1013
    WHERE username='%{\${key}}' \
1013
    WHERE username='%{\${key}}' \
1014
    ORDER BY acctstarttime \
1014
    ORDER BY acctstarttime \
1015
    LIMIT 1),0)"
1015
    LIMIT 1),0)"
1016
EOF
1016
EOF
1017
# make certain that mysql is up before freeradius start
1017
# make certain that mysql is up before freeradius start
1018
        [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1018
        [ -e /lib/systemd/system/radiusd.service.default ] || cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
1019
        $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1019
        $SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1020
        /usr/bin/systemctl daemon-reload
1020
        /usr/bin/systemctl daemon-reload
1021
 # Allow apache to change some conf files (ie : ldap on/off)
1021
 # Allow apache to change some conf files (ie : ldap on/off)
1022
 chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1022
 chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/mods-available
1023
 
1023
 
1024
} # End freeradius ()
1024
} # End freeradius ()
1025
 
1025
 
1026
#############################################################################
1026
#############################################################################
1027
##                           Function "chilli"                             ##
1027
##                           Function "chilli"                             ##
1028
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1028
## - Creation of the conf file and init file (systemd) for coova-chilli    ##
1029
## - Adapt the authentication web page (intercept.php)                     ##
1029
## - Adapt the authentication web page (intercept.php)                     ##
1030
#############################################################################
1030
#############################################################################
1031
chilli ()
1031
chilli ()
1032
{
1032
{
1033
# chilli unit for systemd
1033
# chilli unit for systemd
1034
        cat << EOF > /lib/systemd/system/chilli.service
1034
        cat << EOF > /lib/systemd/system/chilli.service
1035
#  This file is part of systemd.
1035
#  This file is part of systemd.
1036
#
1036
#
1037
#  systemd is free software; you can redistribute it and/or modify it
1037
#  systemd is free software; you can redistribute it and/or modify it
1038
#  under the terms of the GNU General Public License as published by
1038
#  under the terms of the GNU General Public License as published by
1039
#  the Free Software Foundation; either version 2 of the License, or
1039
#  the Free Software Foundation; either version 2 of the License, or
1040
#  (at your option) any later version.
1040
#  (at your option) any later version.
1041
[Unit]
1041
[Unit]
1042
Description=chilli is a captive portal daemon
1042
Description=chilli is a captive portal daemon
1043
After=network.target
1043
After=network.target
1044
 
1044
 
1045
[Service]
1045
[Service]
1046
Type=forking
1046
Type=forking
1047
ExecStart=/usr/libexec/chilli start
1047
ExecStart=/usr/libexec/chilli start
1048
ExecStop=/usr/libexec/chilli stop
1048
ExecStop=/usr/libexec/chilli stop
1049
ExecReload=/usr/libexec/chilli reload
1049
ExecReload=/usr/libexec/chilli reload
1050
PIDFile=/var/run/chilli.pid
1050
PIDFile=/var/run/chilli.pid
1051
 
1051
 
1052
[Install]
1052
[Install]
1053
WantedBy=multi-user.target
1053
WantedBy=multi-user.target
1054
EOF
1054
EOF
1055
# init file creation
1055
# init file creation
1056
        [ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1056
        [ -e /etc/init.d/chilli.default ] || mv /etc/init.d/chilli /etc/init.d/chilli.default
1057
        cat <<EOF > /etc/init.d/chilli
1057
        cat <<EOF > /etc/init.d/chilli
1058
#!/bin/sh
1058
#!/bin/sh
1059
#
1059
#
1060
# chilli CoovaChilli init
1060
# chilli CoovaChilli init
1061
#
1061
#
1062
# chkconfig: 2345 65 35
1062
# chkconfig: 2345 65 35
1063
# description: CoovaChilli
1063
# description: CoovaChilli
1064
### BEGIN INIT INFO
1064
### BEGIN INIT INFO
1065
# Provides:       chilli
1065
# Provides:       chilli
1066
# Required-Start: network
1066
# Required-Start: network
1067
# Should-Start:
1067
# Should-Start:
1068
# Required-Stop:  network
1068
# Required-Stop:  network
1069
# Should-Stop:
1069
# Should-Stop:
1070
# Default-Start:  2 3 5
1070
# Default-Start:  2 3 5
1071
# Default-Stop:
1071
# Default-Stop:
1072
# Description:    CoovaChilli access controller
1072
# Description:    CoovaChilli access controller
1073
### END INIT INFO
1073
### END INIT INFO
1074
 
1074
 
1075
[ -f /usr/sbin/chilli ] || exit 0
1075
[ -f /usr/sbin/chilli ] || exit 0
1076
. /etc/init.d/functions
1076
. /etc/init.d/functions
1077
CONFIG=/etc/chilli.conf
1077
CONFIG=/etc/chilli.conf
1078
pidfile=/var/run/chilli.pid
1078
pidfile=/var/run/chilli.pid
1079
[ -f \$CONFIG ] || {
1079
[ -f \$CONFIG ] || {
1080
        echo "\$CONFIG Not found"
1080
        echo "\$CONFIG Not found"
1081
        exit 0
1081
        exit 0
1082
}
1082
}
1083
current_users_file="/var/tmp/havp/current_users.txt"    # file containing active users
1083
current_users_file="/var/tmp/havp/current_users.txt"    # file containing active users
1084
RETVAL=0
1084
RETVAL=0
1085
prog="chilli"
1085
prog="chilli"
1086
case \$1 in
1086
case \$1 in
1087
        start)
1087
        start)
1088
                if [ -f \$pidfile ] ; then
1088
                if [ -f \$pidfile ] ; then
1089
                        gprintf "chilli is already running"
1089
                        gprintf "chilli is already running"
1090
                else
1090
                else
1091
                        gprintf "Starting \$prog: "
1091
                        gprintf "Starting \$prog: "
1092
                        echo '' > \$current_users_file && chown apache:apache \$current_users_file
1092
                        echo '' > \$current_users_file && chown apache:apache \$current_users_file
1093
                        rm -f /var/run/chilli* # cleaning
1093
                        rm -f /var/run/chilli* # cleaning
1094
                        /usr/sbin/modprobe tun >/dev/null 2>&1
1094
                        /usr/sbin/modprobe tun >/dev/null 2>&1
1095
                        echo 1 > /proc/sys/net/ipv4/ip_forward
1095
                        echo 1 > /proc/sys/net/ipv4/ip_forward
1096
                        [ -e /dev/net/tun ] || {
1096
                        [ -e /dev/net/tun ] || {
1097
                                (cd /dev;
1097
                                (cd /dev;
1098
                                mkdir net;
1098
                                mkdir net;
1099
                                cd net;
1099
                                cd net;
1100
                                mknod tun c 10 200)
1100
                                mknod tun c 10 200)
1101
                        }
1101
                        }
1102
                        ifconfig $INTIF 0.0.0.0
1102
                        ifconfig $INTIF 0.0.0.0
1103
                        /usr/sbin/ethtool -K $INTIF gro off
1103
                        /usr/sbin/ethtool -K $INTIF gro off
1104
                        daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1104
                        daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
1105
                        RETVAL=\$?
1105
                        RETVAL=\$?
1106
                fi
1106
                fi
1107
                ;;
1107
                ;;
1108
 
1108
 
1109
        reload)
1109
        reload)
1110
                killall -HUP chilli
1110
                killall -HUP chilli
1111
                ;;
1111
                ;;
1112
 
1112
 
1113
        restart)
1113
        restart)
1114
                \$0 stop
1114
                \$0 stop
1115
                sleep 2
1115
                sleep 2
1116
                \$0 start
1116
                \$0 start
1117
                ;;
1117
                ;;
1118
 
1118
 
1119
        status)
1119
        status)
1120
                status chilli
1120
                status chilli
1121
                RETVAL=0
1121
                RETVAL=0
1122
                ;;
1122
                ;;
1123
 
1123
 
1124
        stop)
1124
        stop)
1125
                if [ -f \$pidfile ] ; then
1125
                if [ -f \$pidfile ] ; then
1126
                        gprintf "Shutting down \$prog: "
1126
                        gprintf "Shutting down \$prog: "
1127
                        killproc /usr/sbin/chilli
1127
                        killproc /usr/sbin/chilli
1128
                        RETVAL=\$?
1128
                        RETVAL=\$?
1129
                        [ \$RETVAL = 0 ] && rm -f \$pidfile
1129
                        [ \$RETVAL = 0 ] && rm -f \$pidfile
1130
                        [ -e \$current_users_file ] && rm -f \$current_users_file
1130
                        [ -e \$current_users_file ] && rm -f \$current_users_file
1131
                else
1131
                else
1132
                        gprintf "chilli is not running"
1132
                        gprintf "chilli is not running"
1133
                fi
1133
                fi
1134
                ;;
1134
                ;;
1135
 
1135
 
1136
        *)
1136
        *)
1137
                echo "Usage: \$0 {start|stop|restart|reload|status}"
1137
                echo "Usage: \$0 {start|stop|restart|reload|status}"
1138
                exit 1
1138
                exit 1
1139
esac
1139
esac
1140
echo
1140
echo
1141
EOF
1141
EOF
1142
        chmod a+x /etc/init.d/chilli
1142
        chmod a+x /etc/init.d/chilli
1143
        ln -s /etc/init.d/chilli /usr/libexec/chilli
1143
        ln -s /etc/init.d/chilli /usr/libexec/chilli
1144
# conf file creation
1144
# conf file creation
1145
        [ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1145
        [ -e /etc/chilli.conf.default ] || cp /etc/chilli.conf /etc/chilli.conf.default
1146
        #NTP Option configuration for DHCP
1146
        #NTP Option configuration for DHCP
1147
        #DHCP Options : rfc2132
1147
        #DHCP Options : rfc2132
1148
                #dhcp option value will be convert in hexa.
1148
                #dhcp option value will be convert in hexa.
1149
                #NTP option (or 'option 42') is like :
1149
                #NTP option (or 'option 42') is like :
1150
                #
1150
                #
1151
                #    Code   Len         Address 1               Address 2
1151
                #    Code   Len         Address 1               Address 2
1152
                #   +-----+-----+-----+-----+-----+-----+-----+-----+--
1152
                #   +-----+-----+-----+-----+-----+-----+-----+-----+--
1153
                #   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1153
                #   |  42 |  n  |  a1 |  a2 |  a3 |  a4 |  a1 |  a2 |  ...
1154
                #   +-----+-----+-----+-----+-----+-----+-----+-----+--
1154
                #   +-----+-----+-----+-----+-----+-----+-----+-----+--
1155
                #
1155
                #
1156
                #Code : 42 => 2a
1156
                #Code : 42 => 2a
1157
                #Len : 4 => 04
1157
                #Len : 4 => 04
1158
        PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1158
        PRIVATE_IP_HEXA=$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f1))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f2))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f3))$(printf "%02x\n" $(echo $PRIVATE_IP | cut -d'.' -f4))
1159
        cat <<EOF > /etc/chilli.conf
1159
        cat <<EOF > /etc/chilli.conf
1160
# coova config for ALCASAR
1160
# coova config for ALCASAR
1161
cmdsocket       /var/run/chilli.sock
1161
cmdsocket       /var/run/chilli.sock
1162
unixipc         chilli.$INTIF.ipc
1162
unixipc         chilli.$INTIF.ipc
1163
pidfile         /var/run/chilli.pid
1163
pidfile         /var/run/chilli.pid
1164
net             $PRIVATE_NETWORK_MASK
1164
net             $PRIVATE_NETWORK_MASK
1165
dhcpif          $INTIF
1165
dhcpif          $INTIF
1166
ethers          $DIR_DEST_ETC/alcasar-ethers
1166
ethers          $DIR_DEST_ETC/alcasar-ethers
1167
#nodynip
1167
#nodynip
1168
#statip
1168
#statip
1169
dynip           $PRIVATE_NETWORK_MASK
1169
dynip           $PRIVATE_NETWORK_MASK
1170
domain          $DOMAIN
1170
domain          $DOMAIN
1171
dns1            $PRIVATE_IP
1171
dns1            $PRIVATE_IP
1172
dns2            $PRIVATE_IP
1172
dns2            $PRIVATE_IP
1173
uamlisten       $PRIVATE_IP
1173
uamlisten       $PRIVATE_IP
1174
uamport         3990
1174
uamport         3990
1175
uamuiport       3991
1175
uamuiport       3991
1176
macauth
1176
macauth
1177
macpasswd       password
1177
macpasswd       password
1178
strictmacauth
1178
strictmacauth
1179
locationname    $HOSTNAME.$DOMAIN
1179
locationname    $HOSTNAME.$DOMAIN
1180
radiusserver1   127.0.0.1
1180
radiusserver1   127.0.0.1
1181
radiusserver2   127.0.0.1
1181
radiusserver2   127.0.0.1
1182
radiussecret    $secretradius
1182
radiussecret    $secretradius
1183
radiusauthport  1812
1183
radiusauthport  1812
1184
radiusacctport  1813
1184
radiusacctport  1813
1185
uamserver       https://$HOSTNAME.$DOMAIN/intercept.php
1185
uamserver       https://$HOSTNAME.$DOMAIN/intercept.php
1186
redirurl
1186
redirurl
1187
radiusnasid     $HOSTNAME.$DOMAIN
1187
radiusnasid     $HOSTNAME.$DOMAIN
1188
uamsecret       $secretuam
1188
uamsecret       $secretuam
1189
uamallowed      $HOSTNAME,$HOSTNAME.$DOMAIN
1189
uamallowed      $HOSTNAME,$HOSTNAME.$DOMAIN
1190
coaport         3799
1190
coaport         3799
1191
conup           $DIR_DEST_BIN/alcasar-conup.sh
1191
conup           $DIR_DEST_BIN/alcasar-conup.sh
1192
condown         $DIR_DEST_BIN/alcasar-condown.sh
1192
condown         $DIR_DEST_BIN/alcasar-condown.sh
1193
include         $DIR_DEST_ETC/alcasar-uamallowed
1193
include         $DIR_DEST_ETC/alcasar-uamallowed
1194
include         $DIR_DEST_ETC/alcasar-uamdomain
1194
include         $DIR_DEST_ETC/alcasar-uamdomain
1195
dhcpopt         2a04$PRIVATE_IP_HEXA
1195
dhcpopt         2a04$PRIVATE_IP_HEXA
1196
#dhcpgateway            none
1196
#dhcpgateway            none
1197
#dhcprelayagent         none
1197
#dhcprelayagent         none
1198
#dhcpgatewayport        none
1198
#dhcpgatewayport        none
1199
sslkeyfile      /etc/pki/tls/private/alcasar.key
1199
sslkeyfile      /etc/pki/tls/private/alcasar.key
1200
sslcertfile     /etc/pki/tls/certs/alcasar.crt
1200
sslcertfile     /etc/pki/tls/certs/alcasar.crt
1201
redirssl
1201
redirssl
1202
uamuissl
1202
uamuissl
1203
EOF
1203
EOF
1204
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1204
# create files for "DHCP static ip" and "DHCP static ip info". Reserve the second IP address for INTIF (the first one is for tun0)
1205
        echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1205
        echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
1206
        echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1206
        echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers-info
1207
# create files for trusted domains and urls
1207
# create files for trusted domains and urls
1208
        touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1208
        touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
1209
        chown root:apache $DIR_DEST_ETC/alcasar-*
1209
        chown root:apache $DIR_DEST_ETC/alcasar-*
1210
        chmod 660 $DIR_DEST_ETC/alcasar-*
1210
        chmod 660 $DIR_DEST_ETC/alcasar-*
1211
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1211
# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
1212
        $SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1212
        $SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
1213
# user 'chilli' creation (in order to run conup/off and up/down scripts
1213
# user 'chilli' creation (in order to run conup/off and up/down scripts
1214
        chilli_exist=`grep -c ^chilli: /etc/passwd`
1214
        chilli_exist=`grep -c ^chilli: /etc/passwd`
1215
        if [ "$chilli_exist" == "1" ]
1215
        if [ "$chilli_exist" == "1" ]
1216
        then
1216
        then
1217
                userdel -r chilli 2>/dev/null
1217
                userdel -r chilli 2>/dev/null
1218
        fi
1218
        fi
1219
        groupadd -f chilli
1219
        groupadd -f chilli
1220
        useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1220
        useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1221
}  # End of chilli ()
1221
}  # End of chilli ()
1222
 
1222
 
1223
################################################################
1223
################################################################
1224
##                   Function "e2guardian"                    ##
1224
##                   Function "e2guardian"                    ##
1225
## - Set the parameters of this HTML proxy (as controler)     ##
1225
## - Set the parameters of this HTML proxy (as controler)     ##
1226
################################################################
1226
################################################################
1227
e2guardian ()
1227
e2guardian ()
1228
{
1228
{
1229
        mkdir -p /var/e2guardian /var/log/e2guardian
1229
        mkdir -p /var/e2guardian /var/log/e2guardian
1230
        chown -R e2guardian /var/e2guardian /var/log/e2guardian
1230
        chown -R e2guardian /var/e2guardian /var/log/e2guardian
1231
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1231
        $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/e2guardian -c /etc/e2guardian/e2guardian.conf?g" /lib/systemd/system/e2guardian.service
1232
        $SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1232
        $SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/e2guardian.service
1233
        [ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1233
        [ -e $DIR_DG/e2guardian.conf.default ] || cp $DIR_DG/e2guardian.conf $DIR_DG/e2guardian.conf.default
1234
# By default the filter is off
1234
# By default the filter is off
1235
        $SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1235
        $SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardian.conf
1236
# French deny HTML page
1236
# French deny HTML page
1237
        $SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1237
        $SED "s?^language =.*?language = french?g" $DIR_DG/e2guardian.conf
1238
# Listen only on LAN side
1238
# Listen only on LAN side
1239
        $SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1239
        $SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/e2guardian.conf
1240
# DG send its flow to HAVP
1240
# DG send its flow to HAVP
1241
        $SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1241
        $SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/e2guardian.conf
1242
# replace the default deny HTML page
1242
# replace the default deny HTML page
1243
        cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
1243
        cp -f $DIR_CONF/template.html /usr/share/e2guardian/languages/ukenglish/
1244
        cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1244
        cp -f $DIR_CONF/template-fr.html /usr/share/e2guardian/languages/french/template.html
1245
# Don't log
1245
# Don't log
1246
        $SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1246
        $SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/e2guardian.conf
1247
# # Change the default report page
1247
# # Change the default report page
1248
        $SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
1248
        $SED "s?^accessdeniedaddress =.*?accessdeniedaddress = http://$HOSTNAME.$DOMAIN?g" $DIR_DG/e2guardian.conf
1249
# Disable HTML content control
1249
# Disable HTML content control
1250
        $SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1250
        $SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/e2guardian.conf
1251
        cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1251
        cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
1252
        $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1252
        $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1253
# Disable URL control with regex
1253
# Disable URL control with regex
1254
        cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1254
        cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
1255
        $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1255
        $SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1256
# Configure E2guardian for large site
1256
# Configure E2guardian for large site
1257
# Minimum number of processus to handle connections
1257
# Minimum number of processus to handle connections
1258
        $SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1258
        $SED "s?^minchildren =.*?minchildren = 15?g" $DIR_DG/e2guardian.conf
1259
# Maximum number of processus to handle connections
1259
# Maximum number of processus to handle connections
1260
        $SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1260
        $SED "s?^maxchildren =.*?maxchildren = 200?g" $DIR_DG/e2guardian.conf
1261
# Run at least 8 daemons
1261
# Run at least 8 daemons
1262
        $SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1262
        $SED "s?^minsparechildren =.*?minsparechildren = 8?g" $DIR_DG/e2guardian.conf
1263
# minimum number of processes to spawn
1263
# minimum number of processes to spawn
1264
        $SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1264
        $SED "s?^preforkchildren =.*?preforkchildren = 10?g" $DIR_DG/e2guardian.conf
1265
# maximum age of a child process before it croaks it
1265
# maximum age of a child process before it croaks it
1266
        $SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
1266
        $SED "s?^maxagechildren =.*?maxagechildren = 1000?g" $DIR_DG/e2guardian.conf
1267
# Disable download files control
1267
# Disable download files control
1268
        [ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1268
        [ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
1269
        $SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
1269
        $SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/e2guardianf1.conf
1270
        [ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1270
        [ -e $DIR_DG/lists/bannedextensionlist.default ] || mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
1271
        [ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1271
        [ -e $DIR_DG/lists/bannedmimetypelist.default ] || mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
1272
        touch $DIR_DG/lists/bannedextensionlist
1272
        touch $DIR_DG/lists/bannedextensionlist
1273
        touch $DIR_DG/lists/bannedmimetypelist
1273
        touch $DIR_DG/lists/bannedmimetypelist
1274
# 'Safesearch' regex actualisation
1274
# 'Safesearch' regex actualisation
1275
        $SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1275
        $SED "s?images?search?g" $DIR_DG/lists/urlregexplist
1276
# empty LAN IP list that won't be WEB filtered
1276
# empty LAN IP list that won't be WEB filtered
1277
        [ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1277
        [ -e $DIR_DG/lists/exceptioniplist.default ] || mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
1278
        touch $DIR_DG/lists/exceptioniplist
1278
        touch $DIR_DG/lists/exceptioniplist
1279
# Keep a copy of URL & domain filter configuration files
1279
# Keep a copy of URL & domain filter configuration files
1280
        [ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1280
        [ -e $DIR_DG/lists/bannedsitelist.default ] || mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
1281
        [ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1281
        [ -e $DIR_DG/lists/bannedurllist.default ] || mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1282
} # End of e2guardian ()
1282
} # End of e2guardian ()
1283
 
1283
 
1284
##################################################################
1284
##################################################################
1285
##                     Function "antivirus"                     ##
1285
##                     Function "antivirus"                     ##
1286
## - Set the parameters of havp, libclamav and freshclam        ##
1286
## - Set the parameters of havp, libclamav and freshclam        ##
1287
##################################################################
1287
##################################################################
1288
antivirus ()
1288
antivirus ()
1289
{
1289
{
1290
# create 'havp' user
1290
# create 'havp' user
1291
        havp_exist=`grep -c ^havp: /etc/passwd`
1291
        havp_exist=`grep -c ^havp: /etc/passwd`
1292
        if [ "$havp_exist" == "1" ]
1292
        if [ "$havp_exist" == "1" ]
1293
        then
1293
        then
1294
                userdel -r havp 2>/dev/null
1294
                userdel -r havp 2>/dev/null
1295
                groupdel havp 2>/dev/null
1295
                groupdel havp 2>/dev/null
1296
        fi
1296
        fi
1297
        groupadd -f havp
1297
        groupadd -f havp
1298
        useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1298
        useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1299
        mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1299
        mkdir -p /var/tmp/havp /var/log/havp /var/run/havp /var/log/clamav /var/lib/clamav
1300
        chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1300
        chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
1301
        chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1301
        chown -R clamav:clamav /var/log/clamav /var/lib/clamav
1302
        [ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1302
        [ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1303
        $SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1303
        $SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1304
        $SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config    # pidfile
1304
        $SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config    # pidfile
1305
        $SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config             # transparent mode
1305
        $SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config             # transparent mode
1306
        $SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config       # we listen only on loopback
1306
        $SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config       # we listen only on loopback
1307
        $SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config                            # datas come on port 8090 (on loopback)
1307
        $SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config                            # datas come on port 8090 (on loopback)
1308
        $SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config   # Log format
1308
        $SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config   # Log format
1309
        $SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config            # active libclamav AV
1309
        $SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config            # active libclamav AV
1310
        $SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config                     # log only when malware matches
1310
        $SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config                     # log only when malware matches
1311
        $SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config              # 10 daemons are started simultaneously
1311
        $SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config              # 10 daemons are started simultaneously
1312
        $SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config               # doesn't scan image files
1312
        $SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config               # doesn't scan image files
1313
        $SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1313
        $SED "s?^# SKIPMIME.*?SKIPMIME image\/\* video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1314
# skip checking of youtube flow (too heavy load / risk too low)
1314
# skip checking of youtube flow (too heavy load / risk too low)
1315
        [ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1315
        [ -e /etc/havp/whitelist.default ] || cp /etc/havp/whitelist /etc/havp/whitelist.default
1316
        echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1316
        echo "# Whitelist youtube flow" >> /etc/havp/whitelist
1317
        echo "*.youtube.com/*" >> /etc/havp/whitelist
1317
        echo "*.youtube.com/*" >> /etc/havp/whitelist
1318
# adapt init script and systemd unit
1318
# adapt init script and systemd unit
1319
        [ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1319
        [ -e /etc/init.d/havp.default ] || cp /etc/init.d/havp /etc/init.d/havp.default
1320
        cp -f $DIR_CONF/havp-init /etc/init.d/havp
1320
        cp -f $DIR_CONF/havp-init /etc/init.d/havp
1321
        [ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1321
        [ -e /lib/systemd/system/havp.service.default ] || cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
1322
        $SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1322
        $SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1323
        $SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1323
        $SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1324
# replace of the intercept page (template)
1324
# replace of the intercept page (template)
1325
        cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1325
        cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
1326
        cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1326
        cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1327
# update virus database every 4 hours (24h/6)
1327
# update virus database every 4 hours (24h/6)
1328
        [ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1328
        [ -e /etc/freshclam.conf.default ] || cp /etc/freshclam.conf /etc/freshclam.conf.default
1329
        $SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1329
        $SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
1330
        $SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1330
        $SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1331
        $SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1331
        $SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1332
        $SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1332
        $SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
1333
        $SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1333
        $SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1334
# update now
1334
# update now
1335
        /usr/bin/freshclam --no-warnings
1335
        /usr/bin/freshclam --no-warnings
1336
} # End of antivirus ()
1336
} # End of antivirus ()
1337
 
1337
 
1338
################################################################################
1338
################################################################################
1339
##                           Function "tinyproxy"                             ##
1339
##                           Function "tinyproxy"                             ##
1340
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1340
## - Set the parameters of tinyproxy (proxy between filtered users and havp)  ##
1341
################################################################################
1341
################################################################################
1342
tinyproxy ()
1342
tinyproxy ()
1343
{
1343
{
1344
        tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1344
        tinyproxy_exist=`grep -c ^tinyproxy: /etc/passwd`
1345
        if [ "$tinyproxy_exist" == "1" ]
1345
        if [ "$tinyproxy_exist" == "1" ]
1346
        then
1346
        then
1347
                userdel -r tinyproxy 2>/dev/null
1347
                userdel -r tinyproxy 2>/dev/null
1348
                groupdel tinyproxy 2>/dev/null
1348
                groupdel tinyproxy 2>/dev/null
1349
        fi
1349
        fi
1350
        groupadd -f tinyproxy
1350
        groupadd -f tinyproxy
1351
        useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1351
        useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1352
        mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1352
        mkdir -p /var/run/tinyproxy /var/log/tinyproxy
1353
        chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1353
        chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1354
        [ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1354
        [ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
1355
        $SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1355
        $SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1356
        $SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1356
        $SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
1357
        $SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf                      # Listen Port
1357
        $SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf                      # Listen Port
1358
        $SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf          # Listen NIC (only intif)
1358
        $SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf          # Listen NIC (only intif)
1359
        $SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1359
        $SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1360
        $SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1360
        $SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1361
        $SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf             # Only errors are logged
1361
        $SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf             # Only errors are logged
1362
        $SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf   # forward to HAVP
1362
        $SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf   # forward to HAVP
1363
        $SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf      # Stealth mode
1363
        $SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf      # Stealth mode
1364
        $SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf   # Allow from LAN
1364
        $SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf   # Allow from LAN
1365
# Create the systemd unit
1365
# Create the systemd unit
1366
cat << EOF > /lib/systemd/system/tinyproxy.service
1366
cat << EOF > /lib/systemd/system/tinyproxy.service
1367
#  This file is part of systemd.
1367
#  This file is part of systemd.
1368
#
1368
#
1369
#  systemd is free software; you can redistribute it and/or modify it
1369
#  systemd is free software; you can redistribute it and/or modify it
1370
#  under the terms of the GNU General Public License as published by
1370
#  under the terms of the GNU General Public License as published by
1371
#  the Free Software Foundation; either version 2 of the License, or
1371
#  the Free Software Foundation; either version 2 of the License, or
1372
#  (at your option) any later version.
1372
#  (at your option) any later version.
1373
 
1373
 
1374
# This unit launches tinyproxy (a very light proxy).
1374
# This unit launches tinyproxy (a very light proxy).
1375
# The "sleep 2" is needed because the pid file isn't ready for systemd
1375
# The "sleep 2" is needed because the pid file isn't ready for systemd
1376
[Unit]
1376
[Unit]
1377
Description=Tinyproxy Web Proxy Server
1377
Description=Tinyproxy Web Proxy Server
1378
After=network.target iptables.service
1378
After=network.target iptables.service
1379
 
1379
 
1380
[Service]
1380
[Service]
1381
Type=forking
1381
Type=forking
1382
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1382
ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
1383
ExecStartPre=/bin/sleep 2
1383
ExecStartPre=/bin/sleep 2
1384
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1384
PIDFile=/var/run/tinyproxy/tinyproxy.pid
1385
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1385
ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
1386
 
1386
 
1387
[Install]
1387
[Install]
1388
WantedBy=multi-user.target
1388
WantedBy=multi-user.target
1389
EOF
1389
EOF
1390
 
1390
 
1391
} # end of tinyproxy
1391
} # end of tinyproxy
1392
##############################################################################
1392
##############################################################################
1393
##                            function "ulogd"                              ##
1393
##                            function "ulogd"                              ##
1394
## - Ulog config for multi-log files                                        ##
1394
## - Ulog config for multi-log files                                        ##
1395
##############################################################################
1395
##############################################################################
1396
ulogd ()
1396
ulogd ()
1397
{
1397
{
1398
# Three instances of ulogd (three different logfiles)
1398
# Three instances of ulogd (three different logfiles)
1399
        [ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1399
        [ -d /var/log/firewall ] || mkdir -p /var/log/firewall
1400
        nl=1
1400
        nl=1
1401
        for log_type in traceability ssh ext-access
1401
        for log_type in traceability ssh ext-access
1402
        do
1402
        do
1403
                [ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1403
                [ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1404
                [ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1404
                [ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
1405
                cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1405
                cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1406
                $SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
1406
                $SED "s?^group=.*?group=$nl?g" /etc