/alcasar.sh |
---|
673,12 → 673,16 |
sleep 4 |
mysqladmin -u root password $mysqlpwd |
MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec" |
# On supprime les tables d'exemple |
# Delete exemple databases if exist |
$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;" |
# On crée la base 'radius' |
# Create 'radius' database |
$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES" |
# Ajout d'une base vierge |
# Add an empty radius database structure |
mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql |
# modify the start script in order to close accounting connexion when the system is comming down or up |
[ -e /etc/init.d/mysqld.default ] || cp /etc/init.d/mysqld /etc/init.d/mysqld.default |
$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld |
$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld |
} # End init_db () |
########################################################################## |
1275,6 → 1279,7 |
/sbin/chkconfig --del sshd |
echo "SSH=off" >> $FIC_CONF |
echo "QOS=off" >> $FIC_CONF |
echo "LDAP=off" >> $FIC_CONF |
echo "PROTOCOLS_FILTERING=off" >> $FIC_CONF |
echo "DNS_FILTERING=off" >> $FIC_CONF |
echo "WEB_ANTIVIRUS=on" >> $FIC_CONF |
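Review bot: The two `$SED` insertions into /etc/init.d/mysqld at the end of init_db are not idempotent: only the backup copy is guarded by `[ -e /etc/init.d/mysqld.default ] ||`, so a second run of init_db (an upgrade that re-enters it, or a re-install over an existing box) appends the `alcasar-mysql.sh -acct_stop` hook again after every matching line. Guard the edit itself, e.g. `grep -q 'alcasar-mysql.sh -acct_stop' /etc/init.d/mysqld || { $SED "/wait_for_pid created/a ..." /etc/init.d/mysqld; $SED "/'stop')/a ..." /etc/init.d/mysqld; }`, so the hook is inserted exactly once. Separately, the password passed on the command line to `mysqladmin -u root password $mysqlpwd` and through `-p$mysqlpwd` / `-p$radiuspwd` is visible in the process list for the duration of each call; a temporary `--defaults-extra-file` would avoid that, although those lines are pre-existing. The body of init_db begins before the first hunk.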
/CHANGELOG |
---|
1,6 → 1,9 |
# $Id$ |
************ CHANGELOG *********** |
- 'alcasar-nf.sh' and 'alcasar-bl.sh' scripts now use the global parameters file (alcasar.conf) |
- allow LDAP/AD connections both on WAN and LAN servers |
- close all accounting session when the system goes down ou up |
- if activate, sshd listen both on LAN and on WAN |
- add a central conf file (/usr/local/etc/alcasar.conf) |
- add the equipment name in the activity window when MAC authenticate |
/scripts/alcasar-iptables.sh |
---|
11,14 → 11,23 |
conf_file="/usr/local/etc/alcasar.conf" |
private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2` |
private_ip_mask=${private_ip_mask:=192.168.182.1/24} |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0) |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24) |
dns1=`grep DNS1 $conf_file|cut -d"=" -f2` # first public DNS server |
dns1=${dns1:=208.67.220.220} |
dns2=`grep DNS2 $conf_file|cut -d"=" -f2` # second public DNS server |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING $conf_file|cut -d"=" -f2` # Network protocols filter (yes/no) |
DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2` # DNS and URLs filter (yes/no) |
QOS=`grep QOS $conf_file|cut -d"=" -f2` # QOS (yse/no) |
SSH=`grep SSH $conf_file|cut -d"=" -f2` # sshd active (yes/no) |
dns2=${dns2:=208.67.222.222} |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING $conf_file|cut -d"=" -f2` # Network protocols filter (on/off) |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off} |
DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off) |
DNS_FILTERING=${DNS_FILTERING:=off} |
QOS=`grep QOS $conf_file|cut -d"=" -f2` # QOS (on/off) |
QOS=${QOS:=off} |
SSH=`grep SSH $conf_file|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
LDAP=`grep LDAP $conf_file|cut -d"=" -f2` # ldap external server active (on/off) |
LDAP=${LDAP:=off} |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
236,16 → 245,22 |
# On autorise les requêtes DNS vers les serveurs DNS identifiés |
# Allow DNS requests to identified DNS servers |
$IPTABLES -A OUTPUT -o $EXTIF -d $DNSSERVERS -p udp --dport domain -m state --state NEW -j ACCEPT |
# On autorise les requêtes http sortantes |
# On autorise les requêtes HTTP sortantes |
# HTTP requests are allowed |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT |
# On autorise les requêtes ntp |
# On autorise les requêtes NTP |
# NTP requests are allowed |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ntp -j ACCEPT |
# On autorise les requêtes ICMP (ping) |
# ICMP (ping) requests are allowed |
$IPTABLES -A OUTPUT -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT |
# On autorise les requêtes LDAP si un serveur externe est configué |
# LDAP requests are allowed if an external server is declared |
if [ $LDAP = on ] |
then |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport ldap -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport ldap -j ACCEPT |
fi |
# Traduction dynamique d'adresse en sortie |
# Dynamic NAT on EXTIF |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE |
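Review bot: The new flag lookups in the first hunk use unanchored greps (`grep LDAP $conf_file`, `grep SSH $conf_file`, `grep QOS $conf_file`, and likewise for the filtering flags), so any other line of alcasar.conf containing that substring — a comment, or a later key such as an LDAP server setting — is captured as well and the variable becomes multi-line; `[ $LDAP = on ]` in the second hunk then fails with "too many arguments" and the LDAP egress rule is silently skipped, while the other flags can be misread the same way. Anchor each lookup on the key, e.g. `LDAP=`grep "^LDAP=" $conf_file|cut -d"=" -f2``, and quote the test: `if [ "$LDAP" = on ]`. On the second hunk, the added rules accept LDAP to any destination on $EXTIF; since the changelog says the directory server may sit on the WAN, consider restricting `-d` to the configured server address, and note that port 389 carries the bind credentials in clear unless LDAPS or StartTLS is in use — whether that is configured is not visible here.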
/scripts/sbin/alcasar-nf.sh |
---|
10,7 → 10,7 |
FIC_EXCEPTIONS="/usr/local/etc/alcasar-filter-exceptions" |
FIC_CONF="/usr/local/etc/alcasar.conf" |
usage="Usage: alcasar-nf.sh {--on or -on} | {--off | -off} " |
usage="Usage: alcasar-nf.sh {--on | -on} | {--off | -off} | {-conf}" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
23,26 → 23,29 |
echo "$usage" |
exit 0 |
;; |
-on|-on) |
# activation du filtrage réseau |
$SED "s?^PROTOCOLS_FILTERING.*?PROTOCOLS_FILTERING=on?g" $FIC_CONF |
# tri du fichier de services |
$SED "/^$/d" $FIC_SERVICES # suppression lignes vides |
-on|-on) # enable protocols filter |
# sort service file |
$SED "/^$/d" $FIC_SERVICES # delete empty lines |
sort -k2n $FIC_SERVICES > /tmp/alcasar-services-sort |
mv -f /tmp/alcasar-services-sort $FIC_SERVICES |
chown root:apache $FIC_SERVICES |
chmod 660 $FIC_SERVICES |
# vérification de présence du fichier d'exception |
# vérify exception file |
[ -e $FIC_EXCEPTIONS ] || touch $FIC_EXCEPTIONS |
chown root:apache $FIC_EXCEPTIONS |
chmod 664 $FIC_EXCEPTIONS |
$SED "s?^PROTOCOLS_FILTERING.*?PROTOCOLS_FILTERING=on?g" $FIC_CONF |
/usr/local/bin/alcasar-iptables.sh |
;; |
--off|-off) |
# désactivation du filtrage réseau |
--off|-off) # disable protocols filter |
$SED "s?^PROTOCOLS_FILTERING.*?PROTOCOLS_FILTERING=off?g" $FIC_CONF |
/usr/local/bin/alcasar-iptables.sh |
;; |
--conf|-conf) |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING $FIC_CONF|cut -d"=" -f2` # Network protocols filter (on/off) |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off} |
/usr/local/bin/alcasar-iptables.sh |
;; |
*) |
echo "Argument inconnu :$1"; |
echo "$usage" |
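Review bot: The enable arm at the top of the second hunk is written `-on|-on)`, so the long form `--on` advertised by the new usage string falls through to the `*)` branch as an unknown argument; it should read `--on|-on)`, matching the `--off|-off)` arm below it. The same arm sorts the services file through the fixed path `/tmp/alcasar-services-sort` while running as root; a pre-existing symlink at that name would be followed by the `>` redirection, so take the name from `mktemp` instead: `tmp=$(mktemp) && sort -k2n $FIC_SERVICES > "$tmp" && mv -f "$tmp" $FIC_SERVICES` (that part is unchanged by this commit). The new `-conf` arm reads PROTOCOLS_FILTERING into a variable that nothing then uses — alcasar-iptables.sh re-reads the file itself — so those two lines can be dropped, or kept with a comment saying the read is deliberate. The enclosing case statement starts and ends outside the hunk.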
/scripts/sbin/alcasar-uninstall.sh |
---|
47,8 → 47,9 |
sleep 1 |
#init_db |
echo -en "\n- init_db(1) : " |
[ -e /etc/my.cnf.default ] && mv -f /etc/my.cnf.default /etc/my.cnf && echo -n "1" |
echo -en "\n- init_db(2) : " |
[ -e /etc/my.cnf.default ] && mv -f /etc/my.cnf.default /etc/my.cnf && echo -n "1, " |
[ -e /etc/init.d/mysqld.default ] && mv -f /etc/init.d/mysqld.default /etc/init.d/mysqld && echo -n "2" |
rm -rf /var/lib/mysql* |
sleep 1 |
/scripts/sbin/alcasar-bl.sh |
---|
85,7 → 85,27 |
echo ".Include<$DIR_DG_BL/$i/urls>" >> $DIR_DG/bannedurllist |
done |
} |
usage="Usage: alcasar-bl.sh {-on or --on} | { -off or --off } | { -download or --download } | { -reload - --reload }" |
function bl_enable (){ |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" /etc/dansguardian/dansguardian.conf |
$SED "s?^#\"?\"?g" $DIR_DG/urlregexplist # Enable 'safesearch' |
if [ "$PARENT_SCRIPT" != "/usr/local/bin/alcasar-conf.sh" ] # don't launch on install stage |
then |
service dansguardian restart |
service dnsmasq restart |
/usr/local/bin/alcasar-iptables.sh |
fi |
} |
function bl_disable (){ |
rm -rf $DIR_DNS_FILTER_ENABLED/* |
$SED "s/^reportinglevel =.*/reportinglevel = -1/g" /etc/dansguardian/dansguardian.conf |
$SED "s?^[^#]?#&?g" $DIR_DG/urlregexplist # Disable 'safesearch' |
if [ "$PARENT_SCRIPT" != "/usr/local/bin/alcasar-conf.sh" ] # don't launch on install stage |
then |
service dansguardian restart |
/usr/local/bin/alcasar-iptables.sh |
fi |
} |
usage="Usage: alcasar-bl.sh {-on or --on} | { -off or --off } | { -download or --download } | { -reload or --reload } | { -conf or --conf}" |
nb_args=$# |
args=$1 |
if [ $nb_args -eq 0 ] |
101,28 → 121,24 |
# activation du filtrage |
-on | --on) |
cat_choice |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" /etc/dansguardian/dansguardian.conf |
$SED "s?^#\"?\"?g" $DIR_DG/urlregexplist # Enable 'safesearch' |
$SED "s?^DNS_FILTERING.*?DNS_FILTERING=on?g" $CONF_FILE |
if [ "$PARENT_SCRIPT" != "/usr/local/bin/alcasar-conf.sh" ] # on ne relance lors d'une install |
then |
service dansguardian restart |
service dnsmasq restart |
/usr/local/bin/alcasar-iptables.sh |
fi |
bl_enable |
;; |
# désactivation du filtrage |
-off | --off) |
rm -rf $DIR_DNS_FILTER_ENABLED/* |
$SED "s/^reportinglevel =.*/reportinglevel = -1/g" /etc/dansguardian/dansguardian.conf |
$SED "s?^[^#]?#&?g" $DIR_DG/urlregexplist # Disable 'safesearch' |
$SED "s?^DNS_FILTERING.*?DNS_FILTERING=off?g" $CONF_FILE |
if [ "$PARENT_SCRIPT" != "/usr/local/bin/alcasar-conf.sh" ] # on ne relance lors d'une install |
then |
service dansguardian restart |
/usr/local/bin/alcasar-iptables.sh |
bl_disable |
;; |
-conf | --conf) |
DNS_FILTERING=`grep DNS_FILTERING $CONF_FILE|cut -d"=" -f2` # DNS and URLs filter (on/off) |
DNS_FILTERING=${DNS_FILTERING:=off} |
if [ $DNS_FILTERING = on ]; then |
cat_choice |
bl_enable |
else |
bl_disable |
fi |
;; |
;; |
# Mise a jour de la blacklist 'Toulouse' et adaptation à dansguardian et dnsmasq |
-download | --download) |
rm -rf /tmp/con_ok.html |
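Review bot: `bl_disable` in the first hunk runs `rm -rf $DIR_DNS_FILTER_ENABLED/*` with no guard on the variable; DIR_DNS_FILTER_ENABLED is set outside the hunk, and if it is ever empty or unset (a call path that did not go through the same prologue, or a typo in a later edit) the command expands to `rm -rf /*`. Use `rm -rf -- "${DIR_DNS_FILTER_ENABLED:?}"/*` so the shell aborts instead of wiping the filesystem. In the second hunk the `-conf` arm appears to end with two consecutive `;;` lines; if that is really in the new file rather than a rendering artifact, bash rejects the script with a syntax error, so it is worth checking the committed text. Both hunks sit inside a case statement whose start lies outside the view.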
/web/acc/admin/update_ldap.php |
---|
6,6 → 6,7 |
define ("ALCASAR_RADIUS_SITE", "/etc/raddb/sites-available/alcasar"); |
define ("ALCASAR_RADIUS_MODULE_LDAP", "/etc/raddb/modules/ldap"); |
define ("ALCASAR_CONF_FILE", "/usr/local/etc/alcasar.conf"); |
/******************************************************************** |
* FONCTION ERREUR * |
225,10 → 226,15 |
} //test $auth_enable |
/******************************************************************** |
* Redémarage du service radius * |
*********************************************************************/ |
/**************************************************************** |
* Redémarage des service * |
*****************************************************************/ |
if ($auth_enable == "1"){ |
file_put_contents(ALCASAR_CONF_FILE, str_replace('LDAP=off', 'LDAP=on', file_get_contents(ALCASAR_CONF_FILE)));} |
else { |
file_put_contents(ALCASAR_CONF_FILE, str_replace('LDAP=on', 'LDAP=off', file_get_contents(ALCASAR_CONF_FILE)));} |
exec ("sudo /usr/local/bin/alcasar-iptables.sh"); |
exec ("sudo service radiusd restart"); |
/******************************************************************** |
237,4 → 243,4 |
header('Location:ldap.php?update=ok'); |
exit(); |
?> |
?> |
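Review bot: The new block rewrites /usr/local/etc/alcasar.conf directly from the web process with `file_put_contents`, which requires the file that drives the firewall flags (SSH, PROTOCOLS_FILTERING, DNS_FILTERING, LDAP) to be writable by the web-server user; any flaw in the admin interface then lets an attacker flip those flags and, through the existing `sudo` call, apply them. Delegating the flag change to a root-owned helper invoked via sudo, the way alcasar-nf.sh and alcasar-bl.sh edit the same file with `$SED`, keeps the config file read-only for the web user. In addition, `str_replace('LDAP=off', 'LDAP=on', ...)` is unanchored and silently does nothing when the key is absent, and the return value of `file_put_contents` is not checked, so a failed write goes unnoticed before the iptables reload. The surrounding control flow continues outside the hunk.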