WebSVN – ALCASAR – Diff – /alcasar.sh

 #!/bin/bash
-#  $Id: alcasar.sh 1471 2014-10-31 17:46:11Z richard $
+#  $Id: alcasar.sh 1472 2014-11-03 17:56:00Z richard $
 # alcasar.sh
 # ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
 # Ce programme est un logiciel libre ; This software is free and open source
+{
 	[ -d /var/log/dnsmasq ] || mkdir /var/log/dnsmasq
 	[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
 	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
 	[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
-# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
+# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
 	cat << EOF > /etc/dnsmasq.conf
 # Configuration file for "dnsmasq in forward mode"
 conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
 listen-address=$PRIVATE_IP
 pid-file=/var/run/dnsmasq.pid
 EOF
 # 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
 	cat << EOF > /etc/dnsmasq-blacklist.conf
 # Configuration file for "dnsmasq with blacklist"
 # Add Toulouse blacklist domains
-conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
 conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
+conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
 pid-file=/var/run/dnsmasq-blacklist.pid
 listen-address=$PRIVATE_IP
 port=54
 no-dhcp-interface=$INTIF
 no-dhcp-interface=tun0
+no-dhcp-interface=lo
 bind-interfaces
 cache-size=256
 domain=$DOMAIN
 domain-needed
 expand-hosts
 EOF
 # 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
 	cat << EOF > /etc/dnsmasq-whitelist.conf
 # Configuration file for "dnsmasq with whitelist"
 # Inclusion de la whitelist <domains> de Toulouse dans la configuration
+conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
 conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
-conf-file=$DIR_DEST_ETC/alcasar-dns-name	# zone de definition de noms DNS locaux
-listen-address=$PRIVATE_IP
 pid-file=/var/run/dnsmasq-whitelist.pid
+listen-address=$PRIVATE_IP
 port=55
 no-dhcp-interface=$INTIF
 no-dhcp-interface=tun0
+no-dhcp-interface=lo
 bind-interfaces
 cache-size=256
 domain=$DOMAIN
 domain-needed
 expand-hosts
 bogus-priv
 filterwin2k
-address=/#/$PRIVATE_IP
+address=/#/$PRIVATE_IP				# for Domain name without local resolution (WL)
-ipset=/#/whitelist_ip_allowed
+ipset=/#/whitelist_ip_allowed			# dynamicly add the resolv IP address in the Firewall rules
 EOF
+# 4th dnsmasq listen on udp 56 ("blackhole")
+	cat << EOF > /etc/dnsmasq-blackhole.conf
+# Configuration file for "dnsmasq as a blackhole"
+conf-file=$DIR_DEST_ETC/alcasar-dns-name	# local DNS resolutions
+address=/#/$PRIVATE_IP				# redirect all on ALCASAR IP address
+pid-file=/var/run/dnsmasq-blackhole.pid
+listen-address=$PRIVATE_IP
+port=56
+no-dhcp-interface=$INTIF
+no-dhcp-interface=tun0
+no-dhcp-interface=lo
+bind-interfaces
+cache-size=256
+domain=$DOMAIN
+domain-needed
+expand-hosts
+bogus-priv
+filterwin2k
+EOF
 # Start after chilli (which create tun0)
 	$SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service
 # Create dnsmasq-blacklist and dnsmasq-whitelist unit
-	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service
-	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service
+	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service /lib/systemd/system/dnsmasq-whitelist.service /lib/systemd/system/dnsmasq-blackhole.service
 	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service
 	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
+	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blackhole.conf?g" /lib/systemd/system/dnsmasq-blackhole.service
 	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-blacklist.pid?g" /lib/systemd/system/dnsmasq-blacklist.service
 	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
+	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-blackhole.pid?g" /lib/systemd/system/dnsmasq-blackhole.service
 } # End dnsmasq
 ##########################################################
 ##		Fonction "BL"				##
 ##########################################################
 	for i in havp
 	do
 		/sbin/chkconfig --add $i
 	done
 # processes launched at boot time (Systemctl)
-	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban
+	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban
 	do
 		systemctl -q enable $i.service
 	done
 # disable processes at boot time (Systemctl)
 # Remove unused services and users
 	for svc in sshd.service
 	do
 		/bin/systemctl -q disable $svc
 	done
-#	for rm_users in games
-#	do
-#		user=`cat /etc/passwd|grep $rm_users|cut -d":" -f1`
-#		if [ "$user" == "$rm_users" ]
-#		then
-#			/usr/sbin/userdel -r $rm_users
-#		fi
-#	done
 # Load and apply the previous conf file
 	if [ "$mode" = "update" ]
 	then
 		$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
 		$DIR_DEST_BIN/alcasar-conf.sh --load

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 1471 → 1472