10,7 → 10,7 |
|
# ALCASAR is based on a stripped Mandriva (LSB) with the following open source softwares : |
# ALCASAR est architecturé autour d'une distribution Linux Mandriva minimaliste et les logiciels libres suivants : |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, mondo, mindi, dialupadmin, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, mondo, mindi, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes |
|
# Options : |
# -i or --install |
29,7 → 29,6 |
# param_squid : Configuration du proxy squid en mode 'cache' |
# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian |
# antivirus : Installation havp + libclamav |
# firewall : Mise en place des règles du parefeu et de l'interface WEB FirewallEyes |
# param_awstats : Configuration de l'interface des statistiques de consultation WEB |
# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours |
# BL : Configuration de la BlackList |
308,7 → 307,7 |
classe_sup=`expr $classe + 1` |
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # dernier octet de l'@ de réseau |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.) |
PRIVATE_MASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # masque réseau de consultation (ex.: 255.255.255.0) |
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # masque réseau de consultation (ex.: 255.255.255.0) |
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_IP_MASK | cut -d"=" -f2` # @ broadcast réseau de consultation (ex.: 192.168.182.255) |
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # dernier octet de l'@ de broadcast |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # @ip du portail (côté réseau de consultation) |
324,11 → 323,11 |
PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` |
PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24) |
PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` |
echo "- WAN IP address ($EXTIF) :\t$PUBLIC_IP/$PUBLIC_PREFIX" >> $FIC_PARAM |
echo "- Gateway IP address :\t$PUBLIC_GATEWAY" >> $FIC_PARAM |
echo "- DNS servers :\t$DNS1 and $DNS2" >> $FIC_PARAM |
echo "- LAN IP address ($INTIF) :\t$PRIVATE_IP_MASK" >> $FIC_PARAM |
echo "- Dynamic IP addresses (DHCP) :\tfrom $PRIVATE_DYN_FIRST_IP to $PRIVATE_DYN_LAST_IP" >> $FIC_PARAM |
echo -e "- WAN IP address ($EXTIF) :\t$PUBLIC_IP/$PUBLIC_PREFIX" >> $FIC_PARAM |
echo -e "- Gateway IP address :\t\t$PUBLIC_GATEWAY" >> $FIC_PARAM |
echo -e "- DNS servers :\t\t\t$DNS1 and $DNS2" >> $FIC_PARAM |
echo -e "- LAN IP address ($INTIF) :\t$PRIVATE_IP_MASK" >> $FIC_PARAM |
echo -e "- Dynamic IP addresses (DHCP) :\tfrom $PRIVATE_DYN_FIRST_IP to $PRIVATE_DYN_LAST_IP" >> $FIC_PARAM |
echo "#### ALCASAR Network parameters ####" > $DIR_DEST_ETC/alcasar-network |
echo "# Lauch the script 'alcasar-network.sh' after your changes" >> $DIR_DEST_ETC/alcasar-network |
echo "# Lancez le script 'alcasar-network.sh' après vos modifications" >> $DIR_DEST_ETC/alcasar-network |
375,7 → 374,7 |
DEVICE=$INTIF |
BOOTPROTO=static |
IPADDR=$PRIVATE_IP |
NETMASK=$PRIVATE_MASK |
NETMASK=$PRIVATE_NETMASK |
ONBOOT=yes |
METRIC=10 |
NOZEROCONF=yes |
400,7 → 399,7 |
server 2.fr.pool.ntp.org |
server 127.127.1.0 # local clock si NTP internet indisponible ... |
fudge 127.127.1.0 stratum 10 |
restrict $PRIVATE_NETWORK mask $PRIVATE_MASK nomodify notrap |
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap |
restrict 127.0.0.1 |
driftfile /var/lib/ntp/drift |
logfile /var/log/ntp.log |
411,7 → 410,7 |
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default |
cat <<EOF > /etc/hosts.allow |
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP |
sshd: $PRIVATE_NETWORK_SHORT |
sshd: ALL |
ntpd: $PRIVATE_NETWORK_SHORT |
EOF |
[ -e /etc/host.deny.default ] || cp /etc/hosts.deny /etc/hosts.deny.default |
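Review bot: Swapping `sshd: $PRIVATE_NETWORK_SHORT` for `sshd: ALL` in the hosts.allow here-doc drops the tcp_wrappers restriction of SSH to the consultation LAN, so once sshd also binds the WAN address (the sshd_config hunk further down) the only remaining gate is whatever the iptables script permits, which this diff does not show. A side effect is that the `ALL: ALL: spawn … mail` catch-all in hosts.deny no longer matches any SSH attempt, so the refused-access e-mail alert is silently lost for exactly the service that is now reachable from the WAN. If WAN administration is the goal, keep an allow-list instead, e.g. `sshd: $PRIVATE_NETWORK_SHORT, $SRC_ADMIN` if `$SRC_ADMIN` is still defined, or a dedicated admin address, and leave `ntpd:` restricted as it is. Unrelated but on the last line of the hunk: the test checks `/etc/host.deny.default` while the copy creates `/etc/hosts.deny.default`, so the backup is overwritten on every run; this is pre-existing. The enclosing network() function starts before this hunk.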
418,6 → 417,13 |
cat <<EOF > /etc/hosts.deny |
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) & |
EOF |
# Firewall config |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
# création du fichier d'exception au filtrage |
touch $DIR_DEST_ETC/alcasar-filter-exceptions |
# le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh) |
} # End of network () |
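Review bot: The firewall setup moved into network() substitutes only EXTIF and INTIF, whereas the firewall() function deleted further down in this diff also patched `PRIVATE_NETWORK_MASK`, `PRIVATE_IP` and `DNSSERVERS` into alcasar-iptables.sh and alcasar-iptables-bypass.sh; unless the iptables scripts now read those three values from somewhere else (possibly the alcasar-network file written earlier), the installed rule set keeps whatever defaults ship in the scripts. Either restore the three `$SED "s?^PRIVATE_NETWORK_MASK=…"` / `PRIVATE_IP` / `DNSSERVERS` lines here or extend the `# Firewall config` comment to say where the scripts obtain them. The `chmod o+r` also makes the complete rule set world-readable on the portal; the comment says only apache needs to read it, so a group-readable file owned by the apache group would be the tighter choice. network() begins outside this hunk.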
|
################################################################## |
539,7 → 545,6 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from $SRC_ADMIN |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
554,7 → 559,6 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from $SRC_ADMIN |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
569,7 → 573,6 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from $SRC_ADMIN |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
584,7 → 587,6 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from $SRC_ADMIN |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
600,7 → 602,6 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from $SRC_ADMIN |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
952,24 → 953,6 |
} |
|
################################################################################## |
## Fonction firewall ## |
## - adaptation des scripts du parefeu ## |
## - mise en place des règles et sauvegarde pour un lancement automatique ## |
################################################################################## |
firewall () |
{ |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^PRIVATE_NETWORK_MASK=.*?PRIVATE_NETWORK_MASK=\"$PRIVATE_NETWORK_MASK\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^PRIVATE_IP=.*?PRIVATE_IP=\"$PRIVATE_IP\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
$SED "s?^DNSSERVERS=.*?DNSSERVERS=\"$DNS1,$DNS2\"?g" $DIR_DEST_BIN/alcasar-iptables.sh |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
# création du fichier d'exception au filtrage |
touch $DIR_DEST_ETC/alcasar-filter-exceptions |
# le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh) |
} # End of firewall () |
|
################################################################################## |
## param_ulogd function ## |
## - Ulog config for multi-log files ## |
################################################################################## |
1079,7 → 1062,7 |
server=$DNS1 |
server=$DNS2 |
# le servive DHCP est configuré mais n'est exploité que pour le "bypass" |
dhcp-range=$PRIVATE_DYN_FIRST_IP,$PRIVATE_DYN_LAST_IP,$PRIVATE_MASK,12h |
dhcp-range=$PRIVATE_DYN_FIRST_IP,$PRIVATE_DYN_LAST_IP,$PRIVATE_NETMASK,12h |
#dhcp-option=3,1.2.3.4 |
#dhcp-option=option:router,1.2.3.4 |
#dhcp-option=42,0.0.0.0 |
1261,8 → 1244,9 |
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config |
# sshd écoute côté LAN |
# sshd écoute côté LAN et WAN |
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config |
# sshd n'est pas lancé automatiquement au démarrage |
/sbin/chkconfig --del sshd |
echo "SSH=off" >> $DIR_DEST_ETC/alcasar-network |
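Review bot: The appended `ListenAddress $PUBLIC_IP` is written unconditionally, so if `PUBLIC_IP` is empty (an interface whose ifcfg file carries no static address, given that PUBLIC_NETMASK and PUBLIC_GATEWAY are grepped from that file earlier in the diff) sshd_config ends up with a bare `ListenAddress` line and sshd will refuse to start. The append is also not idempotent: after the first install `#ListenAddress 0.0.0.0` no longer exists, the first `$SED` becomes a no-op, and the `a\` adds a further `ListenAddress $PUBLIC_IP` line on every update run. Guard it with `if [ -n "$PUBLIC_IP" ] && ! grep -q "^ListenAddress $PUBLIC_IP$" /etc/ssh/sshd_config; then` / `$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config` / `fi`. Since this exposes sshd on the WAN side, the same change should be paired with explicit hardening in sshd_config (root login and password authentication settings are not visible in this hunk, so I cannot tell whether they are already set); the `chkconfig --del sshd` and `SSH=off` lines do keep the exposure opt-in. The enclosing function starts and ends outside this hunk.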
1514,7 → 1498,7 |
else |
mode="install" |
fi |
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus firewall param_ulogd param_awstats param_dnsmasq BL cron post_install |
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install |
do |
$func |
echo "*** 'debug' : end of function $func ***"; read a |