/scripts/alcasar-iptables.sh |
---|
9,22 → 9,23 |
# 3 for exterior access attempts. |
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script |
private_ip_mask=`grep PRIVATE_IP /usr/local/etc/alcasar-network|cut -d"=" -f2` |
conf_file="/usr/local/etc/alcasar.conf" |
private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2` |
private_network=`/bin/ipcalc -n $private_ip_mask|cut -d"=" -f2` # LAN IP address (ie.: 192.168.182.0) |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24) |
dns1=`grep DNS1 /usr/local/etc/alcasar-network|cut -d"=" -f2` # first public DNS server |
dns2=`grep DNS2 /usr/local/etc/alcasar-network|cut -d"=" -f2` # second public DNS server |
IPTABLES="/sbin/iptables" |
PROTO_FILTERING="no" |
DNS_FILTERING="no" |
QOS="no" |
dns1=`grep DNS1 $conf_file|cut -d"=" -f2` # first public DNS server |
dns2=`grep DNS2 $conf_file|cut -d"=" -f2` # second public DNS server |
PROTOCOLS_FILTERING=`grep PROTOCOLS_FILTERING $conf_file|cut -d"=" -f2` # Network protocols filter (yes/no) |
DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2` # DNS and URLs filter (yes/no) |
QOS=`grep QOS $conf_file|cut -d"=" -f2` # QOS (yse/no) |
SSH=`grep SSH $conf_file|cut -d"=" -f2` # sshd active (yes/no) |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
EXTIF="eth0" |
INTIF="eth1" |
TUNIF="tun0" # listen card for chilli daemon |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
IPTABLES="/sbin/iptables" |
# Effacement des règles existantes |
# Flush all existing rules |
96,7 → 97,7 |
# If DNS filter is activate # |
############################### |
# Redirection des flux DNS vers le port 54 (dns+blackhole) sauf pour les IP en exceptions |
if [ $DNS_FILTERING = "yes" ]; then |
if [ $DNS_FILTERING = on ]; then |
# Compute exception IP |
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1` |
if [ $nb_exceptions != "0" ] |
112,7 → 113,7 |
# If protocols filter is activate # |
##################################### |
# filtrage de protocoles sauf pour les IP en exceptions |
if [ $PROTO_FILTERING = "yes" ]; then |
if [ $PROTOCOLS_FILTERING = on ]; then |
# Compute exception IP |
nb_exceptions=`wc -w /usr/local/etc/alcasar-filter-exceptions | cut -d" " -f1` |
if [ $nb_exceptions != "0" ] |
152,7 → 153,7 |
######################## |
# If QOS is activate # |
######################## |
if [ $QOS = "yes" ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then |
if [ $QOS = on ] && [ -e /usr/local/etc/alcasar-iptables-qos.sh ]; then |
. /usr/local/etc/alcasar-iptables-qos.sh |
fi |
172,10 → 173,8 |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport https -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport http -j ACCEPT |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT |
# SSHD rules if activate |
ssh_active=`grep SSH /usr/local/etc/alcasar-network|cut -d"=" -f2` |
if [ $ssh_active = "on" ] |
if [ $SSH = on ] |
then |
Admin_from_IP="0.0.0.0/0.0.0.0" # Une @IP fixe peut-être fournie pour restreindre l'accès en ssh depuis l'extérieur (ex: 80.22.21.53/24) ( 0.0.0.0/0.0.0.0 = de n'importe où ! ) |
$IPTABLES -A INPUT -i $TUNIF -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT" |
/scripts/alcasar-conf.sh |
---|
42,7 → 42,6 |
# Sauvegarde du logo |
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE |
# Sauvegarde des fichiers exploités par dansguardian |
cp -f /etc/dansguardian/dansguardian.conf $DIR_UPDATE |
cp -f /etc/dansguardian/lists/exceptioniplist $DIR_UPDATE |
cp -f /etc/dansguardian/lists/exceptionsitelist $DIR_UPDATE |
cp -f /etc/dansguardian/lists/bannedsitelist $DIR_UPDATE |
49,11 → 48,9 |
cp -f /etc/dansguardian/lists/exceptionurllist $DIR_UPDATE |
cp -f /etc/dansguardian/lists/bannedurllist $DIR_UPDATE |
cp -rf /etc/dansguardian/lists/blacklists/ossi $DIR_UPDATE |
# sauvegarde des fichiers : de filtrage, d'exception, digest, etc. |
# sauvegarde des fichiers : de conf, de filtrage, d'exception, digest, etc. |
mkdir $DIR_UPDATE/etc/ |
cp -rf $DIR_ETC/* $DIR_UPDATE/etc/ |
# sauvegarde du fichier alcasar-iptables.sh (pour savoir si on filtre les protocoles) |
cp -f $DIR_BIN/alcasar-iptables.sh $DIR_UPDATE |
# particularité des versions |
# si version < 2.1 |
if ([ $MAJ_RUNNING_VERSION -lt 2 ] || ([ $MAJ_RUNNING_VERSION -eq 2 ] && [ $MIN_RUNNING_VERSION -lt 1 ])) |
96,6 → 93,8 |
chmod -R 750 /etc/pki |
# Import de la dernière base usagers |
mysql -u$DB_USER -p$radiuspwd < `ls $DIR_UPDATE/radius*` |
# Récupération des paramêtres locaux (fichier de conf, règles de filtrage, fichiers d'exception, comptes de gestion, etc.) |
[ -d $DIR_UPDATE/etc ] && cp -rf $DIR_UPDATE/etc/* $DIR_ETC/ |
# Récupération des fichiers de Dansguardian |
[ -e $DIR_UPDATE/exceptioniplist ] && cp -f $DIR_UPDATE/exceptioniplist /etc/dansguardian/lists/ |
[ -e $DIR_UPDATE/exceptionsitelist ] && cp -f $DIR_UPDATE/exceptionsitelist /etc/dansguardian/lists/ |
106,21 → 105,17 |
chown -R dansguardian:apache /etc/dansguardian/lists |
chmod -R g+rw /etc/dansguardian/lists |
# On active/désactive la BL |
active_bl=`cat $DIR_UPDATE/dansguardian.conf|grep ^reportinglevel|cut -d" " -f3` |
$SED "s/^reportinglevel =.*/reportinglevel = $active_bl/g" /etc/dansguardian/dansguardian.conf |
DNS_FILTERING=`grep DNS_FILTERING $conf_file|cut -d"=" -f2` # DNS and URLs filter (yes/no) |
PARENT_SCRIPT=$0 |
export PARENT_SCRIPT |
if [ $active_bl -eq "-1" ] |
then $DIR_SBIN/alcasar-bl.sh --off |
else $DIR_SBIN/alcasar-bl.sh --on |
if [ $DNS_FILTERING -eq "on" ] |
then |
$DIR_SBIN/alcasar-bl.sh --on |
else |
$DIR_SBIN/alcasar-bl.sh --off |
fi |
# Récupération des paramêtres locaux (règles de filtrage, fichiers d'exception, comptes de gestion, etc.) |
[ -d $DIR_UPDATE/etc ] && cp -rf $DIR_UPDATE/etc/* $DIR_ETC/ |
# Prise en compte des comptes de gestion (admin + manager + backup) |
$DIR_SBIN/alcasar-profil.sh --list |
# On active/désactive le filtrage de protocoles |
active_filter=`cat $DIR_UPDATE/alcasar-iptables.sh|grep ^FILTERING|cut -d"=" -f2` |
$SED "s/^FILTERING=.*/FILTERING=$active_filter/g" $DIR_BIN/alcasar-iptables.sh |
# On applique les paramètres réseau |
... |
# Effacement du répertoire d'update |
/scripts/sbin/alcasar-nf.sh |
---|
8,6 → 8,7 |
SED="/bin/sed -i" |
FIC_SERVICES="/usr/local/etc/alcasar-services" |
FIC_EXCEPTIONS="/usr/local/etc/alcasar-filter-exceptions" |
FIC_CONF="/usr/local/etc/alcasar.conf" |
usage="Usage: alcasar-nf.sh {--on or -on} | {--off | -off} " |
nb_args=$# |
24,7 → 25,7 |
;; |
-on|-on) |
# activation du filtrage réseau |
$SED "s?^PROTO_FILTERING.*?PROTO_FILTERING=\"yes\"?g" /usr/local/bin/alcasar-iptables.sh |
$SED "s?^PROTOCOLS_FILTERING.*?PROTOCOLS_FILTERING=on?g" $FIC_CONF |
# tri du fichier de services |
$SED "/^$/d" $FIC_SERVICES # suppression lignes vides |
sort -k2n $FIC_SERVICES > /tmp/alcasar-services-sort |
39,7 → 40,7 |
;; |
--off|-off) |
# désactivation du filtrage réseau |
$SED "s?^PROTO_FILTERING.*?PROTO_FILTERING=\"no\"?g" /usr/local/bin/alcasar-iptables.sh |
$SED "s?^PROTOCOLS_FILTERING.*?PROTOCOLS_FILTERING=off?g" $FIC_CONF |
/usr/local/bin/alcasar-iptables.sh |
;; |
*) |
/scripts/sbin/alcasar-bl.sh |
---|
4,6 → 4,7 |
# Script de gestion de la BL pour le filtrage de domaine (via dnsmasq) et d'URL (via dansguardian) |
# By 3abtux & rexy |
CONF_FILE="/usr/local/etc/alcasar.conf" |
DIR_tmp="/tmp/blacklists" |
FILE_tmp="/tmp/fileFilter.txt" |
DIR_DG="/etc/dansguardian/lists" |
102,7 → 103,7 |
cat_choice |
$SED "s/^reportinglevel =.*/reportinglevel = 3/g" /etc/dansguardian/dansguardian.conf |
$SED "s?^#\"?\"?g" $DIR_DG/urlregexplist # Enable 'safesearch' |
$SED "s?^DNS_FILTERING.*?DNS_FILTERING=\"yes\"?g" /usr/local/bin/alcasar-iptables.sh |
$SED "s?^DNS_FILTERING.*?DNS_FILTERING=on?g" $CONF_FILE |
if [ "$PARENT_SCRIPT" != "/usr/local/bin/alcasar-conf.sh" ] # on ne relance lors d'une install |
then |
service dansguardian restart |
115,7 → 116,7 |
rm -rf $DIR_DNS_FILTER_ENABLED/* |
$SED "s/^reportinglevel =.*/reportinglevel = -1/g" /etc/dansguardian/dansguardian.conf |
$SED "s?^[^#]?#&?g" $DIR_DG/urlregexplist # Disable 'safesearch' |
$SED "s?^DNS_FILTERING.*?DNS_FILTERING=\"no\"?g" /usr/local/bin/alcasar-iptables.sh |
$SED "s?^DNS_FILTERING.*?DNS_FILTERING=off?g" $CONF_FILE |
if [ "$PARENT_SCRIPT" != "/usr/local/bin/alcasar-conf.sh" ] # on ne relance lors d'une install |
then |
service dansguardian restart |
/scripts/sbin/alcasar-havp.sh |
---|
23,6 → 23,7 |
--on|-on) |
# activation havp |
$SED "s/^proxyport =.*/proxyport = 8090/g" /etc/dansguardian/dansguardian.conf |
$SED "s/^WEB_ANTIVIRUS=.*/WEB_ANTIVIRUS=on/g" /usr/local/etc/alcasar.conf |
service dansguardian reload |
service havp start |
;; |
29,6 → 30,7 |
--off|-off) |
# désactivation du filtrage |
$SED "s/^proxyport =.*/proxyport = 3128/g" /etc/dansguardian/dansguardian.conf |
$SED "s/^WEB_ANTIVIRUS=.*/WEB_ANTIVIRUS=off/g" /usr/local/etc/alcasar.conf |
service dansguardian reload |
service havp stop |
;; |