Line 1... |
Line 1... |
1 |
#!/bin/sh
|
1 |
#!/bin/sh
|
2 |
# $Id: alcasar.sh 599 2011-05-07 15:06:07Z franck $
|
2 |
# $Id: alcasar.sh 604 2011-05-15 21:23:10Z richard $
|
3 |
|
3 |
|
4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
5 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
5 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
7 |
|
7 |
|
8 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
|
8 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
|
9 |
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
|
9 |
# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
|
10 |
|
10 |
|
11 |
# ALCASAR is based on a stripped Mandriva (LSB) with the following open source softwares :
|
11 |
# ALCASAR is based on a stripped Mandriva (LSB) with the following open source softwares :
|
12 |
# ALCASAR est architecturé autour d'une distribution Linux Mandriva minimaliste et les logiciels libres suivants :
|
12 |
# ALCASAR est architecturé autour d'une distribution Linux Mandriva minimaliste et les logiciels libres suivants :
|
13 |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, mondo, mindi, dialupadmin, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes
|
13 |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, mondo, mindi, awstat, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes
|
14 |
|
14 |
|
15 |
# Options :
|
15 |
# Options :
|
16 |
# -i or --install
|
16 |
# -i or --install
|
17 |
# -u or --uninstall
|
17 |
# -u or --uninstall
|
18 |
|
18 |
|
Line 27... |
Line 27... |
27 |
# param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin)
|
27 |
# param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin)
|
28 |
# param_chilli : Configuration du daemon 'coova-chilli' et de la page d'authentification
|
28 |
# param_chilli : Configuration du daemon 'coova-chilli' et de la page d'authentification
|
29 |
# param_squid : Configuration du proxy squid en mode 'cache'
|
29 |
# param_squid : Configuration du proxy squid en mode 'cache'
|
30 |
# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
|
30 |
# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
|
31 |
# antivirus : Installation havp + libclamav
|
31 |
# antivirus : Installation havp + libclamav
|
32 |
# firewall : Mise en place des règles du parefeu et de l'interface WEB FirewallEyes
|
- |
|
33 |
# param_awstats : Configuration de l'interface des statistiques de consultation WEB
|
32 |
# param_awstats : Configuration de l'interface des statistiques de consultation WEB
|
34 |
# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
|
33 |
# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
|
35 |
# BL : Configuration de la BlackList
|
34 |
# BL : Configuration de la BlackList
|
36 |
# cron : Mise en place des exports de logs (+ chiffrement)
|
35 |
# cron : Mise en place des exports de logs (+ chiffrement)
|
37 |
# post_install : Finalisation environnement ( sécurité, bannières, rotation logs, ...)
|
36 |
# post_install : Finalisation environnement ( sécurité, bannières, rotation logs, ...)
|
Line 306... |
Line 305... |
306 |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$private_prefix # @ + masque du réseau de consult (192.168.182.0/24)
|
305 |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$private_prefix # @ + masque du réseau de consult (192.168.182.0/24)
|
307 |
classe=$((private_prefix/8)); # classe de réseau (ex.: 2=classe B, 3=classe C)
|
306 |
classe=$((private_prefix/8)); # classe de réseau (ex.: 2=classe B, 3=classe C)
|
308 |
classe_sup=`expr $classe + 1`
|
307 |
classe_sup=`expr $classe + 1`
|
309 |
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # dernier octet de l'@ de réseau
|
308 |
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # dernier octet de l'@ de réseau
|
310 |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.)
|
309 |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.)
|
311 |
PRIVATE_MASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # masque réseau de consultation (ex.: 255.255.255.0)
|
310 |
PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2` # masque réseau de consultation (ex.: 255.255.255.0)
|
312 |
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_IP_MASK | cut -d"=" -f2` # @ broadcast réseau de consultation (ex.: 192.168.182.255)
|
311 |
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_IP_MASK | cut -d"=" -f2` # @ broadcast réseau de consultation (ex.: 192.168.182.255)
|
313 |
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # dernier octet de l'@ de broadcast
|
312 |
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # dernier octet de l'@ de broadcast
|
314 |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # @ip du portail (côté réseau de consultation)
|
313 |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` # @ip du portail (côté réseau de consultation)
|
315 |
PRIVATE_DYN_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 2` # @ip du portail (côté réseau de consultation)
|
314 |
PRIVATE_DYN_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 2` # @ip du portail (côté réseau de consultation)
|
316 |
PRIVATE_DYN_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # @ip du portail (côté réseau de consultation)
|
315 |
PRIVATE_DYN_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # @ip du portail (côté réseau de consultation)
|
Line 322... |
Line 321... |
322 |
DNS1=${DNS1:=208.67.220.220}
|
321 |
DNS1=${DNS1:=208.67.220.220}
|
323 |
DNS2=${DNS2:=208.67.222.222}
|
322 |
DNS2=${DNS2:=208.67.222.222}
|
324 |
PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2`
|
323 |
PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2`
|
325 |
PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24)
|
324 |
PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24)
|
326 |
PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2`
|
325 |
PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2`
|
327 |
echo "- WAN IP address ($EXTIF) :\t$PUBLIC_IP/$PUBLIC_PREFIX" >> $FIC_PARAM
|
326 |
echo -e "- WAN IP address ($EXTIF) :\t$PUBLIC_IP/$PUBLIC_PREFIX" >> $FIC_PARAM
|
328 |
echo "- Gateway IP address :\t$PUBLIC_GATEWAY" >> $FIC_PARAM
|
327 |
echo -e "- Gateway IP address :\t\t$PUBLIC_GATEWAY" >> $FIC_PARAM
|
329 |
echo "- DNS servers :\t$DNS1 and $DNS2" >> $FIC_PARAM
|
328 |
echo -e "- DNS servers :\t\t\t$DNS1 and $DNS2" >> $FIC_PARAM
|
330 |
echo "- LAN IP address ($INTIF) :\t$PRIVATE_IP_MASK" >> $FIC_PARAM
|
329 |
echo -e "- LAN IP address ($INTIF) :\t$PRIVATE_IP_MASK" >> $FIC_PARAM
|
331 |
echo "- Dynamic IP addresses (DHCP) :\tfrom $PRIVATE_DYN_FIRST_IP to $PRIVATE_DYN_LAST_IP" >> $FIC_PARAM
|
330 |
echo -e "- Dynamic IP addresses (DHCP) :\tfrom $PRIVATE_DYN_FIRST_IP to $PRIVATE_DYN_LAST_IP" >> $FIC_PARAM
|
332 |
echo "#### ALCASAR Network parameters ####" > $DIR_DEST_ETC/alcasar-network
|
331 |
echo "#### ALCASAR Network parameters ####" > $DIR_DEST_ETC/alcasar-network
|
333 |
echo "# Lauch the script 'alcasar-network.sh' after your changes" >> $DIR_DEST_ETC/alcasar-network
|
332 |
echo "# Lauch the script 'alcasar-network.sh' after your changes" >> $DIR_DEST_ETC/alcasar-network
|
334 |
echo "# Lancez le script 'alcasar-network.sh' après vos modifications" >> $DIR_DEST_ETC/alcasar-network
|
333 |
echo "# Lancez le script 'alcasar-network.sh' après vos modifications" >> $DIR_DEST_ETC/alcasar-network
|
335 |
echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $DIR_DEST_ETC/alcasar-network
|
334 |
echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $DIR_DEST_ETC/alcasar-network
|
336 |
echo "GW=$PUBLIC_GATEWAY" >> $DIR_DEST_ETC/alcasar-network
|
335 |
echo "GW=$PUBLIC_GATEWAY" >> $DIR_DEST_ETC/alcasar-network
|
Line 373... |
Line 372... |
373 |
# Configuration de l'interface eth1 (réseau de consultation)
|
372 |
# Configuration de l'interface eth1 (réseau de consultation)
|
374 |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
|
373 |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
|
375 |
DEVICE=$INTIF
|
374 |
DEVICE=$INTIF
|
376 |
BOOTPROTO=static
|
375 |
BOOTPROTO=static
|
377 |
IPADDR=$PRIVATE_IP
|
376 |
IPADDR=$PRIVATE_IP
|
378 |
NETMASK=$PRIVATE_MASK
|
377 |
NETMASK=$PRIVATE_NETMASK
|
379 |
ONBOOT=yes
|
378 |
ONBOOT=yes
|
380 |
METRIC=10
|
379 |
METRIC=10
|
381 |
NOZEROCONF=yes
|
380 |
NOZEROCONF=yes
|
382 |
MII_NOT_SUPPORTED=yes
|
381 |
MII_NOT_SUPPORTED=yes
|
383 |
IPV6INIT=no
|
382 |
IPV6INIT=no
|
Line 398... |
Line 397... |
398 |
server 0.fr.pool.ntp.org # adapt to your country
|
397 |
server 0.fr.pool.ntp.org # adapt to your country
|
399 |
server 1.fr.pool.ntp.org
|
398 |
server 1.fr.pool.ntp.org
|
400 |
server 2.fr.pool.ntp.org
|
399 |
server 2.fr.pool.ntp.org
|
401 |
server 127.127.1.0 # local clock si NTP internet indisponible ...
|
400 |
server 127.127.1.0 # local clock si NTP internet indisponible ...
|
402 |
fudge 127.127.1.0 stratum 10
|
401 |
fudge 127.127.1.0 stratum 10
|
403 |
restrict $PRIVATE_NETWORK mask $PRIVATE_MASK nomodify notrap
|
402 |
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
|
404 |
restrict 127.0.0.1
|
403 |
restrict 127.0.0.1
|
405 |
driftfile /var/lib/ntp/drift
|
404 |
driftfile /var/lib/ntp/drift
|
406 |
logfile /var/log/ntp.log
|
405 |
logfile /var/log/ntp.log
|
407 |
EOF
|
406 |
EOF
|
408 |
|
407 |
|
409 |
chown -R ntp:ntp /var/lib/ntp
|
408 |
chown -R ntp:ntp /var/lib/ntp
|
410 |
# Renseignement des fichiers hosts.allow et hosts.deny
|
409 |
# Renseignement des fichiers hosts.allow et hosts.deny
|
411 |
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default
|
410 |
[ -e /etc/hosts.allow.default ] || cp /etc/hosts.allow /etc/hosts.allow.default
|
412 |
cat <<EOF > /etc/hosts.allow
|
411 |
cat <<EOF > /etc/hosts.allow
|
413 |
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
|
412 |
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
|
414 |
sshd: $PRIVATE_NETWORK_SHORT
|
413 |
sshd: ALL
|
415 |
ntpd: $PRIVATE_NETWORK_SHORT
|
414 |
ntpd: $PRIVATE_NETWORK_SHORT
|
416 |
EOF
|
415 |
EOF
|
417 |
[ -e /etc/host.deny.default ] || cp /etc/hosts.deny /etc/hosts.deny.default
|
416 |
[ -e /etc/host.deny.default ] || cp /etc/hosts.deny /etc/hosts.deny.default
|
418 |
cat <<EOF > /etc/hosts.deny
|
417 |
cat <<EOF > /etc/hosts.deny
|
419 |
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
|
418 |
ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
|
420 |
EOF
|
419 |
EOF
|
- |
|
420 |
# Firewall config
|
- |
|
421 |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
- |
|
422 |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
- |
|
423 |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
|
- |
|
424 |
# création du fichier d'exception au filtrage
|
- |
|
425 |
touch $DIR_DEST_ETC/alcasar-filter-exceptions
|
- |
|
426 |
# le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh)
|
421 |
} # End of network ()
|
427 |
} # End of network ()
|
422 |
|
428 |
|
423 |
##################################################################
|
429 |
##################################################################
|
424 |
## Fonction gestion ##
|
430 |
## Fonction gestion ##
|
425 |
## - installation du centre de gestion ##
|
431 |
## - installation du centre de gestion ##
|
Line 537... |
Line 543... |
537 |
AllowOverride None
|
543 |
AllowOverride None
|
538 |
Order deny,allow
|
544 |
Order deny,allow
|
539 |
Deny from all
|
545 |
Deny from all
|
540 |
Allow from 127.0.0.1
|
546 |
Allow from 127.0.0.1
|
541 |
Allow from $PRIVATE_NETWORK_MASK
|
547 |
Allow from $PRIVATE_NETWORK_MASK
|
542 |
# Allow from $SRC_ADMIN
|
- |
|
543 |
require valid-user
|
548 |
require valid-user
|
544 |
AuthType digest
|
549 |
AuthType digest
|
545 |
AuthName $HOSTNAME
|
550 |
AuthName $HOSTNAME
|
546 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
551 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
547 |
AuthUserFile $DIR_DEST_ETC/digest/key_all
|
552 |
AuthUserFile $DIR_DEST_ETC/digest/key_all
|
Line 552... |
Line 557... |
552 |
AllowOverride None
|
557 |
AllowOverride None
|
553 |
Order deny,allow
|
558 |
Order deny,allow
|
554 |
Deny from all
|
559 |
Deny from all
|
555 |
Allow from 127.0.0.1
|
560 |
Allow from 127.0.0.1
|
556 |
Allow from $PRIVATE_NETWORK_MASK
|
561 |
Allow from $PRIVATE_NETWORK_MASK
|
557 |
# Allow from $SRC_ADMIN
|
- |
|
558 |
require valid-user
|
562 |
require valid-user
|
559 |
AuthType digest
|
563 |
AuthType digest
|
560 |
AuthName $HOSTNAME
|
564 |
AuthName $HOSTNAME
|
561 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
565 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
562 |
AuthUserFile $DIR_DEST_ETC/digest/key_admin
|
566 |
AuthUserFile $DIR_DEST_ETC/digest/key_admin
|
Line 567... |
Line 571... |
567 |
AllowOverride None
|
571 |
AllowOverride None
|
568 |
Order deny,allow
|
572 |
Order deny,allow
|
569 |
Deny from all
|
573 |
Deny from all
|
570 |
Allow from 127.0.0.1
|
574 |
Allow from 127.0.0.1
|
571 |
Allow from $PRIVATE_NETWORK_MASK
|
575 |
Allow from $PRIVATE_NETWORK_MASK
|
572 |
# Allow from $SRC_ADMIN
|
- |
|
573 |
require valid-user
|
576 |
require valid-user
|
574 |
AuthType digest
|
577 |
AuthType digest
|
575 |
AuthName $HOSTNAME
|
578 |
AuthName $HOSTNAME
|
576 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
579 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
577 |
AuthUserFile $DIR_DEST_ETC/digest/key_manager
|
580 |
AuthUserFile $DIR_DEST_ETC/digest/key_manager
|
Line 582... |
Line 585... |
582 |
AllowOverride None
|
585 |
AllowOverride None
|
583 |
Order deny,allow
|
586 |
Order deny,allow
|
584 |
Deny from all
|
587 |
Deny from all
|
585 |
Allow from 127.0.0.1
|
588 |
Allow from 127.0.0.1
|
586 |
Allow from $PRIVATE_NETWORK_MASK
|
589 |
Allow from $PRIVATE_NETWORK_MASK
|
587 |
# Allow from $SRC_ADMIN
|
- |
|
588 |
require valid-user
|
590 |
require valid-user
|
589 |
AuthType digest
|
591 |
AuthType digest
|
590 |
AuthName $HOSTNAME
|
592 |
AuthName $HOSTNAME
|
591 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
593 |
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
|
592 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup
|
594 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup
|
Line 598... |
Line 600... |
598 |
Options Indexes
|
600 |
Options Indexes
|
599 |
Order deny,allow
|
601 |
Order deny,allow
|
600 |
Deny from all
|
602 |
Deny from all
|
601 |
Allow from 127.0.0.1
|
603 |
Allow from 127.0.0.1
|
602 |
Allow from $PRIVATE_NETWORK_MASK
|
604 |
Allow from $PRIVATE_NETWORK_MASK
|
603 |
# Allow from $SRC_ADMIN
|
- |
|
604 |
require valid-user
|
605 |
require valid-user
|
605 |
AuthType digest
|
606 |
AuthType digest
|
606 |
AuthName $HOSTNAME
|
607 |
AuthName $HOSTNAME
|
607 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup
|
608 |
AuthUserFile $DIR_DEST_ETC/digest/key_backup
|
608 |
ErrorDocument 404 https://$HOSTNAME/
|
609 |
ErrorDocument 404 https://$HOSTNAME/
|
Line 950... |
Line 951... |
950 |
# on supprime les fichiers '*.cld' (cas d'une mise à jour)
|
951 |
# on supprime les fichiers '*.cld' (cas d'une mise à jour)
|
951 |
rm -f /var/lib/clamav/*.cld
|
952 |
rm -f /var/lib/clamav/*.cld
|
952 |
}
|
953 |
}
|
953 |
|
954 |
|
954 |
##################################################################################
|
955 |
##################################################################################
|
955 |
## Fonction firewall ##
|
- |
|
956 |
## - adaptation des scripts du parefeu ##
|
- |
|
957 |
## - mise en place des règles et sauvegarde pour un lancement automatique ##
|
- |
|
958 |
##################################################################################
|
- |
|
959 |
firewall ()
|
- |
|
960 |
{
|
- |
|
961 |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
- |
|
962 |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
- |
|
963 |
$SED "s?^PRIVATE_NETWORK_MASK=.*?PRIVATE_NETWORK_MASK=\"$PRIVATE_NETWORK_MASK\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
- |
|
964 |
$SED "s?^PRIVATE_IP=.*?PRIVATE_IP=\"$PRIVATE_IP\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
- |
|
965 |
$SED "s?^DNSSERVERS=.*?DNSSERVERS=\"$DNS1,$DNS2\"?g" $DIR_DEST_BIN/alcasar-iptables.sh
|
- |
|
966 |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
|
- |
|
967 |
# création du fichier d'exception au filtrage
|
- |
|
968 |
touch $DIR_DEST_ETC/alcasar-filter-exceptions
|
- |
|
969 |
# le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh)
|
- |
|
970 |
} # End of firewall ()
|
- |
|
971 |
|
- |
|
972 |
##################################################################################
|
- |
|
973 |
## param_ulogd function ##
|
956 |
## param_ulogd function ##
|
974 |
## - Ulog config for multi-log files ##
|
957 |
## - Ulog config for multi-log files ##
|
975 |
##################################################################################
|
958 |
##################################################################################
|
976 |
param_ulogd ()
|
959 |
param_ulogd ()
|
977 |
{
|
960 |
{
|
Line 1077... |
Line 1060... |
1077 |
bogus-priv
|
1060 |
bogus-priv
|
1078 |
filterwin2k
|
1061 |
filterwin2k
|
1079 |
server=$DNS1
|
1062 |
server=$DNS1
|
1080 |
server=$DNS2
|
1063 |
server=$DNS2
|
1081 |
# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
|
1064 |
# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
|
1082 |
dhcp-range=$PRIVATE_DYN_FIRST_IP,$PRIVATE_DYN_LAST_IP,$PRIVATE_MASK,12h
|
1065 |
dhcp-range=$PRIVATE_DYN_FIRST_IP,$PRIVATE_DYN_LAST_IP,$PRIVATE_NETMASK,12h
|
1083 |
#dhcp-option=3,1.2.3.4
|
1066 |
#dhcp-option=3,1.2.3.4
|
1084 |
#dhcp-option=option:router,1.2.3.4
|
1067 |
#dhcp-option=option:router,1.2.3.4
|
1085 |
#dhcp-option=42,0.0.0.0
|
1068 |
#dhcp-option=42,0.0.0.0
|
1086 |
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
|
1069 |
#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
|
1087 |
|
1070 |
|
Line 1259... |
Line 1242... |
1259 |
cp /etc/mandriva-release /etc/ssh/alcasar-banner-ssh
|
1242 |
cp /etc/mandriva-release /etc/ssh/alcasar-banner-ssh
|
1260 |
chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
|
1243 |
chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
|
1261 |
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
|
1244 |
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
|
1262 |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
1245 |
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
1263 |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
1246 |
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
|
1264 |
# sshd écoute côté LAN
|
1247 |
# sshd écoute côté LAN et WAN
|
1265 |
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
|
1248 |
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
|
- |
|
1249 |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
|
1266 |
# sshd n'est pas lancé automatiquement au démarrage
|
1250 |
# sshd n'est pas lancé automatiquement au démarrage
|
1267 |
/sbin/chkconfig --del sshd
|
1251 |
/sbin/chkconfig --del sshd
|
1268 |
echo "SSH=off" >> $DIR_DEST_ETC/alcasar-network
|
1252 |
echo "SSH=off" >> $DIR_DEST_ETC/alcasar-network
|
1269 |
# Coloration des prompts
|
1253 |
# Coloration des prompts
|
1270 |
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default
|
1254 |
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default
|
Line 1512... |
Line 1496... |
1512 |
ORGANISME=`cat $DIR_CONF/organisme`
|
1496 |
ORGANISME=`cat $DIR_CONF/organisme`
|
1513 |
mode="update"
|
1497 |
mode="update"
|
1514 |
else
|
1498 |
else
|
1515 |
mode="install"
|
1499 |
mode="install"
|
1516 |
fi
|
1500 |
fi
|
1517 |
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus firewall param_ulogd param_awstats param_dnsmasq BL cron post_install
|
1501 |
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_awstats param_dnsmasq BL cron post_install
|
1518 |
do
|
1502 |
do
|
1519 |
$func
|
1503 |
$func
|
1520 |
echo "*** 'debug' : end of function $func ***"; read a
|
1504 |
echo "*** 'debug' : end of function $func ***"; read a
|
1521 |
done
|
1505 |
done
|
1522 |
;;
|
1506 |
;;
|
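Review bot: The hosts.allow rewrite (new line 413) loosens `sshd: $PRIVATE_NETWORK_SHORT` to `sshd: ALL` at the same time that sshd is made to listen on `$PUBLIC_IP` (new line 1249), so TCP-wrapper filtering no longer restricts where WAN-side SSH logins may come from; the only remaining controls visible here are that sshd is not started at boot (`chkconfig --del sshd`) and whatever alcasar-iptables.sh enforces, which is outside this page. If WAN administration is the intent, keep the LAN rule and list the admin source explicitly, e.g. `sshd: $PRIVATE_NETWORK_SHORT` followed by a second entry for the known admin network, rather than `ALL`, or at least add a comment stating why `ALL` is acceptable given the firewall. Separately, the `a\ListenAddress $PUBLIC_IP` sed does not look idempotent: on an update run the `#ListenAddress 0.0.0.0` substitution no longer matches but the append still does, so each rerun would presumably add another `ListenAddress $PUBLIC_IP` line — prefixing it with `grep -q "^ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config ||` avoids that. The network () and the function containing the sshd changes both start outside the visible hunks.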