WebSVN – ALCASAR – Diff – /alcasar.sh



#!/bin/sh
#  $Id: alcasar.sh 358 2010-12-02 22:34:25Z franck $ 
 
# alcasar.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 

# On mets à jour le système
	urpmi --auto --auto-update 
# On installe les paquetages complémentaires
	urpmi --auto $PACKAGES 
# On empêche les mises à jour de coova-chilli et freeradius par le biais des dépôts
	for rpmskip in coova freeradius 
	do
		echo -n "/^$rpmskip/" >> /etc/urpmi/skip.list
	done
# On supprime les paquetages, les services et les utilisateurs inutiles
	for rm_rpm in dhcp-server avahi mandi shorewall libc-icap0 cyrus-sasl
	do
		/usr/sbin/urpme --auto $rm_rpm --auto-orphans
	done

	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
#	Allow from $SRC_ADMIN
	require valid-user
	AuthType digest
	AuthName $HOSTNAME
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_ACC/digest/key_all

	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
#	Allow from $SRC_ADMIN
	require valid-user
	AuthType digest
	AuthName $HOSTNAME
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_ACC/digest/key_admin

	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
#	Allow from $SRC_ADMIN
	require valid-user
	AuthType digest
	AuthName $HOSTNAME
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_ACC/digest/key_manager

	AllowOverride None
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
#	Allow from $SRC_ADMIN
	require valid-user
	AuthType digest
	AuthName $HOSTNAME
	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
	AuthUserFile $DIR_ACC/digest/key_backup

	Options Indexes
	Order deny,allow
	Deny from all
	Allow from 127.0.0.1
	Allow from $PRIVATE_NETWORK_MASK
#	Allow from $SRC_ADMIN
	require valid-user
	AuthType digest
	AuthName $HOSTNAME
	AuthUserFile $DIR_ACC/digest/key_backup
	ErrorDocument 404 https://$PRIVATE_IP/

# Le filtrage est désactivé par défaut 
	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" /etc/dansguardian/dansguardian.conf
# la page d'interception est en français
	$SED "s?^language =.*?language = french?g" /etc/dansguardian/dansguardian.conf
# on limite l'écoute de Dansguardian côté LAN
	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/dansguardian/dansguardian.conf
# on chaîne Dansguardian au proxy antivirus HAVP
	$SED "s?^proxyport.*?proxyport = 8090?g" /etc/dansguardian/dansguardian.conf
# on remplace la page d'interception (template)
	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html

## - mise en place des règles et sauvegarde pour un lancement automatique	##
## - configuration Ulogd							##
##################################################################################
firewall ()
{
	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh
	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh
	$SED "s?^PRIVATE_NETWORK_MASK=.*?PRIVATE_NETWORK_MASK=\"$PRIVATE_NETWORK_MASK\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh
	$SED "s?^PRIVATE_IP=.*?PRIVATE_IP=\"$PRIVATE_IP\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh
	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
	[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
	[ -e /var/log/firewall/firewall.log ] || touch /var/log/firewall/firewall.log
	chown -R root:apache /var/log/firewall
	chmod 750 /var/log/firewall

Rev 355	Rev 358
Line 1...	Line 1...
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`# $Id: alcasar.sh 355 2010-11-30 23:00:46Z richard $`	2	`# $Id: alcasar.sh 358 2010-12-02 22:34:25Z franck $`
3		3
4	`# alcasar.sh`	4	`# alcasar.sh`
5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`	5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7		7
Line 208...	Line 208...
208	`# On mets à jour le système`	208	`# On mets à jour le système`
209	`urpmi --auto --auto-update`	209	`urpmi --auto --auto-update`
210	`# On installe les paquetages complémentaires`	210	`# On installe les paquetages complémentaires`
211	`urpmi --auto $PACKAGES`	211	`urpmi --auto $PACKAGES`
212	`# On empêche les mises à jour de coova-chilli et freeradius par le biais des dépôts`	212	`# On empêche les mises à jour de coova-chilli et freeradius par le biais des dépôts`
213	`echo -n "/^coova/" >> /etc/urpmi/skip.list`	213	`for rpmskip in coova freeradius`
-		214	`do`
214	`echo -n "/^freeradius/" >> /etc/urpmi/skip.list`	215	`echo -n "/^$rpmskip/" >> /etc/urpmi/skip.list`
-		216	`done`
215	`# On supprime les paquetages, les services et les utilisateurs inutiles`	217	`# On supprime les paquetages, les services et les utilisateurs inutiles`
216	`for rm_rpm in dhcp-server avahi mandi shorewall libc-icap0 cyrus-sasl`	218	`for rm_rpm in dhcp-server avahi mandi shorewall libc-icap0 cyrus-sasl`
217	`do`	219	`do`
218	`/usr/sbin/urpme --auto $rm_rpm --auto-orphans`	220	`/usr/sbin/urpme --auto $rm_rpm --auto-orphans`
219	`done`	221	`done`
Line 528...	Line 530...
528	`AllowOverride None`	530	`AllowOverride None`
529	`Order deny,allow`	531	`Order deny,allow`
530	`Deny from all`	532	`Deny from all`
531	`Allow from 127.0.0.1`	533	`Allow from 127.0.0.1`
532	`Allow from $PRIVATE_NETWORK_MASK`	534	`Allow from $PRIVATE_NETWORK_MASK`
-		535	`# Allow from $SRC_ADMIN`
533	`require valid-user`	536	`require valid-user`
534	`AuthType digest`	537	`AuthType digest`
535	`AuthName $HOSTNAME`	538	`AuthName $HOSTNAME`
536	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`	539	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`
537	`AuthUserFile $DIR_ACC/digest/key_all`	540	`AuthUserFile $DIR_ACC/digest/key_all`
Line 542...	Line 545...
542	`AllowOverride None`	545	`AllowOverride None`
543	`Order deny,allow`	546	`Order deny,allow`
544	`Deny from all`	547	`Deny from all`
545	`Allow from 127.0.0.1`	548	`Allow from 127.0.0.1`
546	`Allow from $PRIVATE_NETWORK_MASK`	549	`Allow from $PRIVATE_NETWORK_MASK`
-		550	`# Allow from $SRC_ADMIN`
547	`require valid-user`	551	`require valid-user`
548	`AuthType digest`	552	`AuthType digest`
549	`AuthName $HOSTNAME`	553	`AuthName $HOSTNAME`
550	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`	554	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`
551	`AuthUserFile $DIR_ACC/digest/key_admin`	555	`AuthUserFile $DIR_ACC/digest/key_admin`
Line 556...	Line 560...
556	`AllowOverride None`	560	`AllowOverride None`
557	`Order deny,allow`	561	`Order deny,allow`
558	`Deny from all`	562	`Deny from all`
559	`Allow from 127.0.0.1`	563	`Allow from 127.0.0.1`
560	`Allow from $PRIVATE_NETWORK_MASK`	564	`Allow from $PRIVATE_NETWORK_MASK`
-		565	`# Allow from $SRC_ADMIN`
561	`require valid-user`	566	`require valid-user`
562	`AuthType digest`	567	`AuthType digest`
563	`AuthName $HOSTNAME`	568	`AuthName $HOSTNAME`
564	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`	569	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`
565	`AuthUserFile $DIR_ACC/digest/key_manager`	570	`AuthUserFile $DIR_ACC/digest/key_manager`
Line 570...	Line 575...
570	`AllowOverride None`	575	`AllowOverride None`
571	`Order deny,allow`	576	`Order deny,allow`
572	`Deny from all`	577	`Deny from all`
573	`Allow from 127.0.0.1`	578	`Allow from 127.0.0.1`
574	`Allow from $PRIVATE_NETWORK_MASK`	579	`Allow from $PRIVATE_NETWORK_MASK`
-		580	`# Allow from $SRC_ADMIN`
575	`require valid-user`	581	`require valid-user`
576	`AuthType digest`	582	`AuthType digest`
577	`AuthName $HOSTNAME`	583	`AuthName $HOSTNAME`
578	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`	584	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`
579	`AuthUserFile $DIR_ACC/digest/key_backup`	585	`AuthUserFile $DIR_ACC/digest/key_backup`
Line 585...	Line 591...
585	`Options Indexes`	591	`Options Indexes`
586	`Order deny,allow`	592	`Order deny,allow`
587	`Deny from all`	593	`Deny from all`
588	`Allow from 127.0.0.1`	594	`Allow from 127.0.0.1`
589	`Allow from $PRIVATE_NETWORK_MASK`	595	`Allow from $PRIVATE_NETWORK_MASK`
-		596	`# Allow from $SRC_ADMIN`
590	`require valid-user`	597	`require valid-user`
591	`AuthType digest`	598	`AuthType digest`
592	`AuthName $HOSTNAME`	599	`AuthName $HOSTNAME`
593	`AuthUserFile $DIR_ACC/digest/key_backup`	600	`AuthUserFile $DIR_ACC/digest/key_backup`
594	`ErrorDocument 404 https://$PRIVATE_IP/`	601	`ErrorDocument 404 https://$PRIVATE_IP/`
Line 871...	Line 878...
871	`# Le filtrage est désactivé par défaut`	878	`# Le filtrage est désactivé par défaut`
872	`$SED "s/^reportinglevel =.*/reportinglevel = -1/g" /etc/dansguardian/dansguardian.conf`	879	`$SED "s/^reportinglevel =.*/reportinglevel = -1/g" /etc/dansguardian/dansguardian.conf`
873	`# la page d'interception est en français`	880	`# la page d'interception est en français`
874	`$SED "s?^language =.*?language = french?g" /etc/dansguardian/dansguardian.conf`	881	`$SED "s?^language =.*?language = french?g" /etc/dansguardian/dansguardian.conf`
875	`# on limite l'écoute de Dansguardian côté LAN`	882	`# on limite l'écoute de Dansguardian côté LAN`
876	`$SED "s?^filterip =.*?filterip = $PRIVATE_IP?g" /etc/dansguardian/dansguardian.conf`	883	`$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/dansguardian/dansguardian.conf`
877	`# on chaîne Dansguardian au proxy antivirus HAVP`	884	`# on chaîne Dansguardian au proxy antivirus HAVP`
878	`$SED "s?^proxyport.*?proxyport = 8090?g" /etc/dansguardian/dansguardian.conf`	885	`$SED "s?^proxyport.*?proxyport = 8090?g" /etc/dansguardian/dansguardian.conf`
879	`# on remplace la page d'interception (template)`	886	`# on remplace la page d'interception (template)`
880	`cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/`	887	`cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/`
881	`cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html`	888	`cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html`
Line 953...	Line 960...
953	`## - mise en place des règles et sauvegarde pour un lancement automatique ##`	960	`## - mise en place des règles et sauvegarde pour un lancement automatique ##`
954	`## - configuration Ulogd ##`	961	`## - configuration Ulogd ##`
955	`##################################################################################`	962	`##################################################################################`
956	`firewall ()`	963	`firewall ()`
957	`{`	964	`{`
958	`$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh`	965	`$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh`
959	`$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh`	966	`$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh`
960	`$SED "s?^PRIVATE_NETWORK_MASK=.*?PRIVATE_NETWORK_MASK=\"$PRIVATE_NETWORK_MASK\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh`	967	`$SED "s?^PRIVATE_NETWORK_MASK=.*?PRIVATE_NETWORK_MASK=\"$PRIVATE_NETWORK_MASK\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh`
961	`$SED "s?^PRIVATE_IP=.*?PRIVATE_IP=\"$PRIVATE_IP\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh`	968	`$SED "s?^PRIVATE_IP=.*?PRIVATE_IP=\"$PRIVATE_IP\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh $DIR_DEST_ETC/alcasar-iptables-local.sh`
962	`chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)`	969	`chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)`
963	`[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall`	970	`[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall`
964	`[ -e /var/log/firewall/firewall.log ] \|\| touch /var/log/firewall/firewall.log`	971	`[ -e /var/log/firewall/firewall.log ] \|\| touch /var/log/firewall/firewall.log`
965	`chown -R root:apache /var/log/firewall`	972	`chown -R root:apache /var/log/firewall`
966	`chmod 750 /var/log/firewall`	973	`chmod 750 /var/log/firewall`

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 355 → 358