/alcasar.sh |
---|
1302,9 → 1302,9 |
rm -rf /tmp/nfsen-1.3.6p1/ |
} # End of nfsen () |
########################################################## |
################################################## |
## Function "dnsmasq" ## |
########################################################## |
################################################## |
dnsmasq () |
{ |
[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq |
1316,6 → 1316,7 |
# Configuration file for "dnsmasq in forward mode" |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
listen-address=$PRIVATE_IP |
pid-file=/var/run/dnsmasq.pid |
listen-address=127.0.0.1 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
1343,6 → 1344,7 |
# Add Toulouse blacklist domains |
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
pid-file=/var/run/dnsmasq-blacklist.pid |
listen-address=$PRIVATE_IP |
port=54 |
no-dhcp-interface=$INTIF |
1364,6 → 1366,7 |
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux |
listen-address=$PRIVATE_IP |
pid-file=/var/run/dnsmasq-whitelist.pid |
port=55 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
1375,6 → 1378,7 |
bogus-priv |
filterwin2k |
address=/#/$PRIVATE_IP |
ipset=/#/whitelist_ip_allowed |
EOF |
# Start after chilli (which create tun0) |
$SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service |
1383,13 → 1387,9 |
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service |
<<<<<<< .mine |
} # End of dnsmasq() |
======= |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-blacklist.pid?g" /lib/systemd/system/dnsmasq-blacklist.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service |
} # End dnsmasq |
>>>>>>> .r1387 |
########################################################## |
## Fonction "BL" ## |
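Review bot: The last hunk carries unresolved SVN conflict markers, `<<<<<<< .mine`, `=======` and `>>>>>>> .r1387`, around two competing closings of dnsmasq(); this rendering does not show which side they are on, but if any of them survive in the committed alcasar.sh, bash stops with a syntax error at `<<<<<<<` before any later function is defined. The resolved text should keep the two `PIDFile=` substitutions followed by a single `} # End of dnsmasq()`. The `pid-file=` entries added to the three dnsmasq configs match the paths the `$SED "s?^PIDFile=.*?...` lines write into the copied unit files, which is the point of the change; the substitution is a no-op if the stock dnsmasq.service has no `PIDFile=` line, so a `grep -q '^PIDFile=' ... || echo 'PIDFile=...' >> ...` fallback would make the intent hold on either base unit.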
/scripts/alcasar-iptables.sh |
---|
30,10 → 30,8 |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off) |
DNS_FILTERING=${DNS_FILTERING:=off} |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP |
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty |
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist |
WL_IP_OSSI_DOMAIN="/usr/local/share/iptables-wl/ossi" # ip of the domain names whitelist |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
117,20 → 115,10 |
ipset del blacklist_ip_blocked $ip |
done |
# Calcul de la taille du set de la whitelist |
# Compute the whitelist set length |
cd $WL_IP_CAT |
set_wl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $WL_IP_OSSI | awk '{print $1}')+$(wc -l $WL_IP_OSSI_DOMAIN | awk '{print $1}'))) |
# Création du fichier set temporaire, remplissage, chargement et suppression |
# Creating the temporary set file, filling, loading and deleting |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save |
for category in `ls -1 | cut -d '@' -f1` |
do |
cat $WL_IP_CAT/$category >> $TMP_set_save |
done |
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024" > $TMP_set_save |
cat $WL_IP_OSSI >> $TMP_set_save |
cat $WL_IP_OSSI_DOMAIN >> $TMP_set_save |
ipset -! restore < $TMP_set_save |
rm -f $TMP_set_save |
184,9 → 172,6 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80 |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
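Review bot: The whitelist set is still assembled in the fixed path `TMP_set_save="/tmp/ipset_save"` (first hunk) and loaded with `ipset -! restore < $TMP_set_save` as root; the `>` redirection follows a pre-existing file or symlink at that name, so the set is only as trustworthy as anyone who can write to /tmp. Allocate it with `TMP_set_save=$(mktemp) || exit 1` (keeping the `rm -f`), or avoid the file entirely: `{ echo "create whitelist_ip_allowed hash:net family inet hashsize 1024"; cat -- "$WL_IP_OSSI" "$WL_IP_OSSI_DOMAIN"; } | ipset -! restore`. `-!` also suppresses errors from malformed lines, so a rejected entry leaves the whitelist silently incomplete while the `! --match-set whitelist_ip_allowed` REDIRECT rule in the last hunk keeps enforcing it; at least test the exit status and log a failed restore. If `WL_IP_OSSI_DOMAIN` is among the two definitions the first hunk drops, `cat $WL_IP_OSSI_DOMAIN >> $TMP_set_save` becomes a bare `cat` reading stdin; the rendering does not show which side that line is on.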
/scripts/sbin/alcasar-bl.sh |
---|
28,12 → 28,9 |
DIR_DNS_BL="$DIR_SHARE/dnsmasq-bl" # all the BL in the DNSMASQ format |
DIR_DNS_WL="$DIR_SHARE/dnsmasq-wl" # all the WL ' ' ' |
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL |
DIR_IP_WL="$DIR_SHARE/iptables-wl" # all the IP addresses of the WL |
OSSI_WL_IP="$DIR_IP_WL/ossi" # all the IP addresses of the WL ossi category |
DIR_DNS_BL_ENABLED="$DIR_SHARE/dnsmasq-bl-enabled" # symbolic link to the domains BL (only enabled categories) |
DIR_DNS_WL_ENABLED="$DIR_SHARE/dnsmasq-wl-enabled" # ' ' ' WL ' ' ' |
DIR_IP_BL_ENABLED="$DIR_SHARE/iptables-bl-enabled" # ' ' ip BL (only enabled categories) |
DIR_IP_WL_ENABLED="$DIR_SHARE/iptables-wl-enabled" # ' ' ip WL (only enabled categories) |
DNSMASQ_BL_CONF="/etc/dnsmasq-blacklist.conf" # conf file of dnsmasq-blacklist |
DNS1=`grep "DNS1" $CONF_FILE | cut -d '=' -f 2` # server DNS1 (for WL domain names) |
BL_SERVER="dsi.ut-capitole.fr" |
48,11 → 45,11 |
cp $DIR_IP_BL_ENABLED/ossi-* $DIR_tmp |
fi |
cp $DIR_IP_BL/ossi $DIR_tmp |
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED # cleaning for dnsmasq and iptables |
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED # cleaning for dnsmasq and iptables |
$SED "/\.Include/d" $DIR_DG/bannedsitelist $DIR_DG/bannedurllist # cleaning for DG |
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines) |
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED |
chown apache $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED |
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED |
chown apache $DIR_IP_BL_ENABLED |
# process the file $BL_CATEGORIES with the choice of categories |
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED` |
do |
71,7 → 68,6 |
$SED "/\/$ENABLE_CATEGORIE$/d" $WL_CATEGORIES |
$SED "1i\/etc\/dansguardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $WL_CATEGORIES |
ln -s $DIR_DNS_WL/$ENABLE_CATEGORIE.conf $DIR_DNS_WL_ENABLED/$ENABLE_CATEGORIE |
ln -s $DIR_IP_WL/$ENABLE_CATEGORIE $DIR_IP_WL_ENABLED/$ENABLE_CATEGORIE |
done |
sort +0.0 -0.2 $WL_CATEGORIES -o $FILE_tmp |
mv $FILE_tmp $WL_CATEGORIES |
110,75 → 106,7 |
/usr/local/bin/alcasar-iptables.sh |
fi |
} |
function ip_retrieving (){ |
# retrieving IPs of all domain names for the whitelist |
index=0 |
if [ ! -d $DIR_IP_WL ] |
then |
mkdir $DIR_IP_WL |
touch $DIR_IP_WL/ossi |
chown apache $DIR_IP_WL/ossi |
else |
# delete old IPs |
mkdir $DIR_tmp |
cp $DIR_IP_WL/ossi $DIR_tmp |
rm -rf $DIR_IP_WL/* |
cp $DIR_tmp/ossi $DIR_IP_WL |
rm -rf $DIR_tmp |
fi |
echo "Retrieving IPs :" |
cd $DIR_DNS_WL |
for category in `ls | cut -d '.' -f 1` |
do |
echo -n "$category :" |
for domain in `cat $category.conf | cut -d '/' -f 2` |
do |
echo `host $domain | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'` >> $DIR_IP_WL/$category.tmp & |
((index++)) |
echo -n "." |
if [ $index -eq 100 ] |
then |
index=0 |
sleep 1 |
fi |
done |
done |
echo "done" |
sleep 5 |
cd $DIR_IP_WL |
for category in `ls` |
do |
# one IP per line |
$SED 's/ /\n/g' $category |
# add SET syntax |
$SED 's/^/add whitelist_ip_allowed /g' $category |
# delete empty lines |
$SED '/^$/d' $category |
# delete false entries |
$SED -r '/([0-9]{1,3}.){3}[0-9]{1,3}/!d' $category |
# delete duplicate lines |
sort -u $category > ${category%%.*} |
done |
rm -f *.tmp |
} |
function ip_retrieving_ossi (){ |
# retrieving IPs of all domain names for the ossi category |
> $OSSI_WL_IP |
for domain in `cat $OSSI_DOMAINS_WL` |
do |
echo `host $domain | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'` >> $OSSI_WL_IP & |
done |
sleep 5 |
# one IP per line |
$SED 's/ /\n/g' $OSSI_WL_IP |
# add SET syntax |
$SED 's/^/add whitelist_ip_allowed /g' $OSSI_WL_IP |
# delete empty lines |
$SED '/^$/d' $OSSI_WL_IP |
# delete false entries |
$SED -r '/([0-9]{1,3}.){3}[0-9]{1,3}/!d' $OSSI_WL_IP |
} |
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload } | { -ip_retrieving or --ip_retrieving } | { -ip_retrieving_ossi or --ip_retrieving_ossi }" |
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload }" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
312,14 → 240,6 |
cp -f $DIR_DG_BL/ossi/domains_wl $DIR_DNS_WL/ossi.conf |
bl_enable |
;; |
# retrieving IPs of all domain names for the whitelist |
-ip_retrieving | --ip_retrieving) |
ip_retrieving |
;; |
# retrieving IPs of all domain names for the whitelist ossi category |
-ip_retrieving_ossi | --ip_retrieving_ossi) |
ip_retrieving_ossi |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "$usage" |
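Review bot: The retained `rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED` in the second hunk deletes three directories through unquoted, unguarded expansions, and no `set -u` is visible in the header; prefer `rm -rf -- "${DIR_DNS_BL_ENABLED:?}" "${DIR_DNS_WL_ENABLED:?}" "${DIR_IP_BL_ENABLED:?}"` and quote the matching `mkdir`/`chown` arguments. The category loop still iterates with `for ENABLE_CATEGORIE in \`cat $BL_CATEGORIES_ENABLED\`` and splices each name unescaped into a sed address (`/\/$ENABLE_CATEGORIE$/d`) and an `ln -s` path, so that file is a trust boundary; it appears to be maintained from the web console (bl_filter.php's `MAJ_cat_wl` case), so reject any name not matching `^[A-Za-z0-9_-]+$` before the loop. The new `usage=` string is consistent with the removed `-ip_retrieving*` case arms. The function enclosing the second and third hunks begins outside the diff.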
/web/acc/admin/filter_exceptions.php |
---|
File deleted |
/web/acc/admin/bl_categories_help.php |
---|
78,11 → 78,11 |
{ |
$wl_categorie_domain_file = $wl_dnsmasq_dir.$categorie.".conf"; |
$wl_categorie_ip_file = $wl_iptables_dir.$categorie; |
if(isset($_GET['nb_domains']) && isset($_GET['nb_ip'])) |
if(isset($_GET['nb_domains'])) |
{ |
$nb_domains = $_GET['nb_domains']; |
$nb_urls = 0; |
$nb_ip = $_GET['nb_ip']; |
$nb_ip = 0; |
} |
else |
{ |
91,10 → 91,7 |
else |
$nb_domains = $l_error_open_file." ".$wl_categorie_domain_file; |
$nb_urls = 0; |
if(file_exists($wl_categorie_ip_file)) |
$nb_ip = exec("wc -l $wl_categorie_ip_file | cut -d ' ' -f1"); |
else |
$nb_ip = $l_error_open_file." ".$wl_categorie_ip_file; |
$nb_ip = 0; |
} |
} |
$global_usage = file($bl_dir."global_usage"); |
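Review bot: `$nb_domains = $_GET['nb_domains'];` in the first hunk still takes the value verbatim from the query string, and the rewritten condition no longer requires `nb_ip`, so the branch now depends on a single unvalidated string that is presumably rendered further down as a count; cast it, `$nb_domains = (int) $_GET['nb_domains'];`, or recompute it from `$wl_categorie_domain_file` as the `else` branch does. Both branches now set `$nb_ip = 0;`, so that assignment can move above the `if`; `$wl_categorie_ip_file` is still assigned just before the `if` but, within these hunks, no longer read after the `file_exists`/`exec("wc -l ...")` pair was dropped. The `else` branch leaves `$nb_domains` as an error-message string while the `if` branch yields a number, which the caller has to cope with.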
/web/acc/admin/bl_filter.php |
---|
85,8 → 85,6 |
$l_remove="Supprimer"; |
$l_submit="Envoyer"; |
$l_nb_ip="Nombre d'IP"; |
$l_update_ip="Mettre à jour les IP"; |
$l_update_ip_info="(Temps estimé : 3 min 30 sec)"; |
$l_nbDomainNames="Noms de domaine :"; |
$l_nbUrl="Url :"; |
$l_nbIp="Ip :"; |
135,8 → 133,6 |
$l_remove="Delete"; |
$l_submit="Submit"; |
$l_nb_ip="Number of IP"; |
$l_update_ip="Update IPs"; |
$l_update_ip_info="(Estimated time : 3 min 30 sec)"; |
$l_nbDomainNames="Domain names :"; |
$l_nbUrl="Url :"; |
$l_nbIp="Ip :"; |
215,7 → 211,6 |
fputs($fichier, form_filter($_POST['BL_rehabilited_ip'])); |
fclose($fichier); |
unset($_POST['BL_rehabilited_ip']); |
exec ("sudo /usr/local/sbin/alcasar-bl.sh --reload"); |
break; |
case 'MAJ_cat_wl' : |
$tab=file($wl_categories_enabled); |
241,7 → 236,6 |
fputs($fichier, form_filter_ip($_POST['OSSI_wl_ip'], "white")); |
fclose($fichier); |
unset($_POST['OSSI_wl_ip']); |
exec ("sudo /usr/local/sbin/alcasar-bl.sh --ip_retrieving_ossi"); |
exec ("sudo /usr/local/sbin/alcasar-bl.sh --reload"); |
break; |
case 'Specific_filtering' : |
287,10 → 281,6 |
} |
exec ("sudo /usr/local/bin/alcasar-iptables.sh"); |
break; |
case 'Update_IP_WL' : |
shell_exec ("nohup nice -n 10 sudo /usr/local/sbin/alcasar-bl.sh --ip_retrieving > /dev/null 2>/dev/null &"); |
exec ("sudo /usr/local/sbin/alcasar-bl.sh --reload"); |
break; |
} |
?> |
<?php |
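Review bot: In the `OSSI_wl_ip` branch the page writes `form_filter_ip($_POST['OSSI_wl_ip'], "white")` to `$fichier` and then runs `exec ("sudo /usr/local/sbin/alcasar-bl.sh --reload")`; if that file is the `ossi-ip-wl` list that alcasar-iptables.sh concatenates straight into its `ipset -! restore` input, `form_filter_ip` is the entire trust boundary between a web form and a root-run ipset command and must emit only lines of the exact `add whitelist_ip_allowed <ip|cidr>` shape, discarding everything else (its body is outside this diff, so I cannot confirm it does). The remaining `exec()` calls discard the exit status; `exec("sudo ...", $out, $rc);` with `$rc` surfaced in the page keeps a failed reload from being reported as success. Removing the `Update_IP_WL` case matches the form removed in bl_filter2.php, so no dangling submit target remains in the visible hunks.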
/web/acc/admin/bl_filter2.php |
---|
168,7 → 168,7 |
echo "<center>"; |
$nbDomainNames = exec ("wc -l /usr/local/share/dnsmasq-wl/* | tail -n 1 | awk '{print $1}'"); |
$nbUrl = 0; |
$nbIp = exec ("wc -l /usr/local/share/iptables-wl/* | tail -n 1 | awk '{print $1}'"); |
$nbIp = 0; |
echo "<b>$l_nbDomainNames</b> $nbDomainNames, <b>$l_nbUrl</b> $nbUrl, <b>$l_nbIp</b> $nbIp<br/>"; |
echo "$l_wl_categories</center></td></tr>"; |
//on lit et on interprete le fichier de catégories |
211,8 → 211,8 |
echo "<H3>$l_allowed_ip</H3>$l_forbidden_ip_explain<BR>"; |
echo "<textarea name='OSSI_wl_ip' rows=3 cols=40>"; |
echo_ip_file ($file_wl_ip); |
echo "</textarea></td></tr><tr><td colspan=5>"; |
echo "<input type='submit' value='$l_record'></form></td><form action='bl_filter.php' method='POST'><td valign='middle' align='left' colspan=5><input type='hidden' name='choix' value='Update_IP_WL'><input type='submit' value='$l_update_ip'> $l_update_ip_info</form></td></tr>"; |
echo "</textarea></td></tr><tr><td colspan=10>"; |
echo "<input type='submit' value='$l_record'></form></td></tr>"; |
?> |
</TABLE><br/> |
<table width="100%" border="0" cellspacing="0" cellpadding="0"> |