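--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 2947 2021-04-21 16:36:52Z rexy $
+#  $Id: alcasar.sh 2956 2021-05-24 19:57:17Z rexy $
 
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
@@ -598,10 +598,13 @@
 		echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
 		echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
 	fi
 	echo "DNS1=$DNS1" >> $CONF_FILE
 	echo "DNS2=$DNS2" >> $CONF_FILE
+	echo "PROXY=off" >> $CONF_FILE
+	echo "PROXY_IP=\"192.168.0.100:80\"" >> $CONF_FILE
+	echo "PUBLIC_WEIGHT=1" >> $CONF_FILE
 	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
 	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
 	echo "DHCP=on" >> $CONF_FILE
 	echo "EXT_DHCP_IP=" >> $CONF_FILE
 	echo "RELAY_DHCP_IP=" >> $CONF_FILE
@@ -740,12 +743,37 @@
 # modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
 	cp /lib/systemd/system/iptables.service /etc/systemd/system/iptables.service
 	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /etc/systemd/system/iptables.service
 	[ -e /usr/libexec/iptables.init.default ] || cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
 	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test (flush all rules & policies)
+# create the alcasar-network unit
+	cat << EOF > /etc/systemd/system/alcasar-network.service
+#  This file is part of systemd.
 #
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+
+# This unit starts alcasar-network.sh script.
+[Unit]
+Description=alcasar-network.sh execution
+After=network.target iptables.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=$DIR_DEST_BIN/alcasar-network.sh
+ExecStop=$DIR_DEST_BIN/alcasar-network.sh
+TimeoutSec=0
+
+[Install]
+WantedBy=multi-user.target
+EOF
+	/usr/bin/systemctl daemon-reload
+
-# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
+# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is started at the end of this script in order not to cut network flow in case of using ssh
 } # End of network()
 
 ##################################################################
 ##                      Fonction "CA"                           ##
 ## - Creating the CA and the server certificate (lighttpd)      ##
@@ -2162,15 +2190,14 @@
 	echo "LDAP_PASSWORD=" >> $CONF_FILE
 	echo "LDAP_SSL=on" >> $CONF_FILE
 	echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
 	echo "SMS=off" >> $CONF_FILE
 	echo "SMS_NUM=" >> $CONF_FILE
+	echo "## MULTIWAN : WANx=@IPx,Weightx" >> $CONF_FILE
 	echo "MULTIWAN=off" >> $CONF_FILE
-	echo "FAILOVER=30" >> $CONF_FILE
-	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
-	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
-	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
+	echo "#WAN1=\"192.168.0.250,1\"" >> $CONF_FILE
+	echo "#WAN2=\"192.168.0.251,1\"" >> $CONF_FILE
 	echo "BL_PUREIP=on" >> $CONF_FILE
 	echo "BL_SAFESEARCH=off" >> $CONF_FILE
 	echo "WL_SAFESEARCH=off" >> $CONF_FILE
 	echo "IOT_CAPTURE=off" >> $CONF_FILE
 	echo "WIFI4EU=off" >> $CONF_FILE
@@ -2192,37 +2219,13 @@
 # actualisation des fichiers logs compressés
 	for dir in firewall e2guardian lighttpd
 	do
 		find /var/log/$dir -type f -name "*.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]" -exec gzip {} \;
 	done
-# create the alcasar-load_balancing unit
-	cat << EOF > /etc/systemd/system/alcasar-load_balancing.service
-#  This file is part of systemd.
-#
-#  systemd is free software; you can redistribute it and/or modify it
-#  under the terms of the GNU General Public License as published by
-#  the Free Software Foundation; either version 2 of the License, or
-#  (at your option) any later version.
-
-# This unit lauches alcasar-load-balancing.sh script.
-[Unit]
-Description=alcasar-load_balancing.sh execution
-After=network.target iptables.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=$DIR_DEST_BIN/alcasar-load_balancing.sh start
-ExecStop=$DIR_DEST_BIN/alcasar-load_balancing.sh stop
-TimeoutSec=0
-
-[Install]
-WantedBy=multi-user.target
-EOF
 	/usr/bin/systemctl daemon-reload
-# processes launched at boot time (Systemctl)
-	for i in alcasar-load_balancing mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
+# processes started at boot time (Systemctl)
+	for i in alcasar-network mysqld lighttpd php-fpm ntpd iptables unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole radiusd nfcapd e2guardian clamav-daemon clamav-freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban vnstat sshd
 	do
 		/usr/bin/systemctl -q enable $i.service
 	done
 
 # disable processes at boot time (Systemctl)
@@ -2386,14 +2389,10 @@
 				echo "*** 'debug' : end of function '$func' ***"
 				read
 			fi
 		done
 # RPMs install
-			if [ "$mode" == "update" ] # to avoid updating unbound during the V5.3.3 update (to be removed after this version)
-			then
-				echo "/^unbound/" >> /etc/urpmi/skip.list
-			fi
 		$DIR_SCRIPTS/alcasar-rpm.sh
 		if [ "$?" != "0" ]
 		then
 			exit 0
 		fi
@@ -2426,11 +2425,11 @@
 				MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
 				MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
 				UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3|cut -c1`
 				if [ $Lang == "fr" ]
 					then echo "Le fichier de configuration d'une version $MAJ_PREVIOUS_VERSION.$MIN_PREVIOUS_VERSION.$UPD_PREVIOUS_VERSION a été trouvé";
-					else echo "The configuration file of an old version has been found";
+					else echo "The configuration file of a version $MAJ_PREVIOUS_VERSION.$MIN_PREVIOUS_VERSION.$UPD_PREVIOUS_VERSION has been found";
 				fi
 				response=0
 				PTN='^[oOnNyY]?$'
 				until [[ "$response" =~ $PTN ]]
 				do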
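Review bot: In the alcasar-network unit written in the hunk at new lines 743–779, `ExecStart` and `ExecStop` both run `$DIR_DEST_BIN/alcasar-network.sh` with no argument, whereas the alcasar-load_balancing unit removed in the hunk at old lines 2192–2228 passed `start` and `stop`; unless alcasar-network.sh inspects how it was invoked, `systemctl stop` will re-run the same path as start, which is worth confirming before this unit is relied on at shutdown. If the script does take a mode, the two lines should read `ExecStart=$DIR_DEST_BIN/alcasar-network.sh start` and `ExecStop=$DIR_DEST_BIN/alcasar-network.sh stop`. Separately, the boot-time enable loop now lists alcasar-network in place of alcasar-load_balancing, but nothing in these hunks disables or deletes a previously installed `/etc/systemd/system/alcasar-load_balancing.service`, so on an update install the old unit may stay enabled and keep launching its script unless the update path handles that elsewhere. network() closes at line 775 inside its hunk but opens outside it, and the function containing the enable loop starts and ends outside its hunk.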