/alcasar.sh |
2174,6 → 2174,7 |
echo "SSH_LAN=22" >> $CONF_FILE |
echo "SSH_WAN=0" >> $CONF_FILE |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE |
echo "INTERLAN=off" >> $CONF_FILE |
echo "LDAP=off" >> $CONF_FILE |
echo "LDAP_SERVER=127.0.0.1" >> $CONF_FILE |
echo "LDAP_BASE=cn=Users;dc=serverad;dc=localdomain" >> $CONF_FILE |
/scripts/alcasar-iptables-bypass.sh |
35,6 → 35,8 |
SSH_LAN_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2|cut -d"/" -f1` |
SSH_LAN_ADMIN_FROM=${SSH_LAN_ADMIN_FROM:="0.0.0.0"} |
SSH_LAN_ADMIN_FROM=$([ "$SSH_LAN_ADMIN_FROM" == "0.0.0.0" ] && echo "$PRIVATE_NETWORK_MASK" || echo "$SSH_LAN_ADMIN_FROM" ) |
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2` |
interlan=${interlan:=off} |
# On vide (flush) toutes les règles existantes |
# Flush all existing rules |
118,6 → 120,13 |
# Conntrack on forward |
$IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT |
# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet |
# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router |
if [ "$interlan" != "on" ] |
then |
$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP |
fi |
# Insertion de règles de blocage |
# Here, we add block rules |
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then |
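Review bot: The new rule `$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP` in the hunk at line 118 relies on `$public_ip_mask` holding a usable address/prefix, but this file's hunks do not show where the bypass script derives it; the companion change in alcasar-iptables.sh adds a `dhcp_on_extif` branch that resolves the literal `dhcp` via `ip addr show`, and no such branch is added here. If `PUBLIC_IP=dhcp` leaves the variable as the string `dhcp` (or empty) in the bypass script, iptables presumably rejects the rule and the network between ALCASAR and the router stays reachable in bypass mode even though INTERLAN is off — confirm how the variable is set earlier in the file. Making the failure explicit with `[ -n "$public_ip_mask" ] && [ "$public_ip_mask" != "dhcp" ] || { echo "public_ip_mask unresolved" >&2; exit 1; }` before the rule, and quoting the expansion as `-d "$public_ip_mask"`, would avoid a silent fail-open. The `if` block is complete within the hunk; the surrounding rule set continues outside it.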
/scripts/alcasar-iptables.sh |
22,8 → 22,10 |
private_prefix=`/bin/ipcalc -p $private_ip_mask|cut -d"=" -f2` # LAN prefix (ie. 24) |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # LAN IP address + prefix (192.168.182.0/24) |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
dhcp_on_extif="off" |
if [[ "$public_ip_mask" == "dhcp" ]] |
then |
dhcp_on_extif="on" |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b" |
public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN` |
fi |
57,6 → 59,8 |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2` |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2` |
nb_gw=`grep ^WAN $CONF_FILE|wc -l` |
interlan=`grep ^INTERLAN= $CONF_FILE|cut -d"=" -f2` |
interlan=${interlan:=off} |
# Allow requests to internal DNS if activated |
if [ "$INT_DNS_ACTIVE" = "on" ] |
323,14 → 327,14 |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m conntrack --ctstate NEW -j DROP |
# Si configéré, on autorise les réponses DHCP |
# Allow DHCP answers if configured |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
if [[ "$public_ip_mask" == "dhcp" ]] |
# Si configuré, on autorise les réponses DHCP sur EXTIF |
# If configured, DHCP responses are allowed on EXTIF |
if [[ "$dhcp_on_extif" == "on" ]] |
then |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 68 -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 68 -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 68 -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -p udp --dport 68 -j ACCEPT |
fi |
# On rejette les trame en broadcast et en multicast sur EXTIF (évite leur journalisation) |
# Drop broadcast & multicast on EXTIF to avoid log |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
420,6 → 424,13 |
############################# |
# FORWARD # |
############################# |
# On autorise (ou pas) les utilisateurs à accéder au réseau situé entre ALCASAR et le routeur Internet |
# Users are allowed (or not allowed) to access the network between ALCASAR and the Internet router |
if [ "$interlan" != "on" ] |
then |
$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP |
fi |
# Blocage des IPs du SET bl_ip_blocked pour le SET av_bl |
# Deny IPs of the SET bl_ip_blocked for the set av_bl |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set av_bl src -m set --match-set bl_ip_blocked dst -p icmp -j REJECT --reject-with icmp-host-prohibited |
514,10 → 525,9 |
# We let everything out on INTIF (see following rules for the EXTIF) |
$IPTABLES -A OUTPUT ! -o $EXTIF -j ACCEPT |
# Si configuré, on autorise les requêtes DHCP |
# Allow DHCP requests if configured |
public_ip_mask=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` # ALCASAR WAN IP address |
if [[ "$public_ip_mask" == "dhcp" ]] |
# Si configuré, on autorise les requêtes DHCP sur EXTIF |
# Allow DHCP requests on EXTIF if configured |
if [[ "$dhcp_on_extif" == "on" ]] |
then |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 67 -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p udp --dport 67 -j ACCEPT |
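Review bot: In the hunk at line 22, `public_ip_mask=`ip addr show $EXTIF | egrep -o $PTN`` can yield an empty value (no lease yet on EXTIF) or several lines (several addresses on EXTIF), and the new FORWARD rule in the hunk at line 420, `$IPTABLES -A FORWARD -i $TUNIF -d $public_ip_mask -j DROP`, then fails to load; without `set -e` visible, the script presumably carries on and the network between ALCASAR and the router stays reachable although INTERLAN=off, i.e. the blocking rule fails open. Taking the first match and aborting when there is none, e.g. `public_ip_mask=$(ip addr show "$EXTIF" | grep -Eo "$PTN" | head -n1)` followed by `[ -n "$public_ip_mask" ] || { echo "no IPv4 address on $EXTIF" >&2; exit 1; }`, makes the failure visible instead. `$PTN` is also expanded unquoted although it contains `?` and `[...]`, so a file in the working directory matching the pattern would replace it; `"$PTN"` avoids that. The same `-d $public_ip_mask` rule is added in alcasar-iptables-bypass.sh.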
/web/acc/admin/network.php |
1,6 → 1,5 |
<?php |
# $Id$ |
// written by steweb57, Rexy, Tom HOUDAYER & Pierre RIVAULT |
/******************** |
83,6 → 82,7 |
$l_ssh_from = "IP autorisée"; |
$l_ssh_wan_activate = "Activer SSH sur WAN"; |
$l_ssh_lan_activate = "Activer SSH sur LAN"; |
$l_interlan_title = "Autoriser l'accès au réseau situé entre ALCASAR et le routeur d'accès à Internet"; |
$l_cert_expiration = "Date d'expiration :"; |
$l_cert_commonname = "Nom commun :"; |
$l_cert_organization = "Organisation :"; |
151,6 → 151,7 |
$l_ssh_from = "IP autorizada"; |
$l_ssh_wan_activate = "Activar SSH on WAN"; |
$l_ssh_lan_activate = "Activar SSH on LAN"; |
$l_interlan_title = "Permitir el acceso a la red entre ALCASAR y el router de acceso a Internet"; |
$l_cert_expiration = "Fecha de vencimiento:"; |
$l_cert_commonname = "Common name:"; |
$l_cert_organization = "Organización:"; |
218,6 → 219,7 |
$l_ssh_from = "Authorized IP"; |
$l_ssh_wan_activate = "Activate SSH on WAN"; |
$l_ssh_lan_activate = "Activate SSH on LAN"; |
$l_interlan_title = "Authorize access to the network located between ALCASAR and Internet broadband router"; |
$l_cert_expiration = "Expiration date:"; |
$l_cert_commonname = "Common name:"; |
$l_cert_organization = "Organization:"; |
413,6 → 415,16 |
} |
header('Location: '.$_SERVER['PHP_SELF']); |
exit(); |
case 'interlan': |
$CONF_FILE = CONF_FILE; |
if (isset($_POST['interlan'])) { |
exec('/bin/sed -i "s/^INTERLAN=.*/INTERLAN=on/g"'.$CONF_FILE); |
} else { |
exec('/bin/sed -i "s/^INTERLAN=.*/INTERLAN=off/g" '.$CONF_FILE); |
} |
exec('sudo /usr/local/bin/alcasar-iptables.sh'); |
header('Location: '.$_SERVER['PHP_SELF']); |
exit(); |
} |
// Network changes |
1199,6 → 1211,17 |
</div> |
<br> |
<div class="panel"> |
<div class="panel-header"><?= $l_interlan_title ?></div> |
<div class="panel-row"> |
<form method="post" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>"> |
<input type="hidden" name="choix" value="interlan"> |
<input type="checkbox" name="interlan" id="interlan" <?= ($conf['INTERLAN'] === 'on')? "checked": "" ?>><b><?= $l_interlan_title ?></b><br> |
<input type="submit" onClick="document.getElementById('ldoverlay').style.display='block';" value="<?= $l_apply ?>"><br> |
</form> |
</div> |
</div> |
<br> |
<div class="panel"> |
<div class="panel-header"><?= $l_ssh_title ?></div> |
<table width="100%" cellspacing="0" cellpadding="5" border="1"> |
<tr> |
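Review bot: In the hunk at line 413, the `on` branch is missing the space between the sed expression and the file name: `exec('/bin/sed -i "s/^INTERLAN=.*/INTERLAN=on/g"'.$CONF_FILE);` hands sed a single argument that fuses the script and the path, so sed sees no input file and the configuration is not updated, while `alcasar-iptables.sh` is still re-run and the checkbox appears to have no effect. The `off` branch two lines below has the space; the fix is `exec('/bin/sed -i "s/^INTERLAN=.*/INTERLAN=on/g" '.$CONF_FILE);`. The enclosing switch starts outside the hunk.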