Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1389 → Rev 1390

/scripts/alcasar-iptables.sh
30,10 → 30,8
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
DNS_FILTERING=${DNS_FILTERING:=off}
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
BL_IP_OSSI="/usr/local/share/iptables-bl/ossi" # ossi categoty
WL_IP_OSSI="/usr/local/share/ossi-ip-wl" # ip of the whitelist
WL_IP_OSSI_DOMAIN="/usr/local/share/iptables-wl/ossi" # ip of the domain names whitelist
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
117,20 → 115,10
ipset del blacklist_ip_blocked $ip
done
 
# Calcul de la taille du set de la whitelist
# Compute the whitelist set length
cd $WL_IP_CAT
set_wl_length=$(($(wc -l * | awk '{print $1}' | tail -n 1)+$(wc -l $WL_IP_OSSI | awk '{print $1}')+$(wc -l $WL_IP_OSSI_DOMAIN | awk '{print $1}')))
 
# Création du fichier set temporaire, remplissage, chargement et suppression
# Creating the temporary set file, filling, loading and deleting
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024 maxelem $set_wl_length" > $TMP_set_save
for category in `ls -1 | cut -d '@' -f1`
do
cat $WL_IP_CAT/$category >> $TMP_set_save
done
echo "create whitelist_ip_allowed hash:net family inet hashsize 1024" > $TMP_set_save
cat $WL_IP_OSSI >> $TMP_set_save
cat $WL_IP_OSSI_DOMAIN >> $TMP_set_save
ipset -! restore < $TMP_set_save
rm -f $TMP_set_save
 
184,9 → 172,6
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Redirection des requêtes HTTP des IP qui ne sont pas dans la whitelist vers ALCASAR (page 'accès interdit') pour le set havp_wl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
/scripts/sbin/alcasar-bl.sh
28,12 → 28,9
DIR_DNS_BL="$DIR_SHARE/dnsmasq-bl" # all the BL in the DNSMASQ format
DIR_DNS_WL="$DIR_SHARE/dnsmasq-wl" # all the WL ' ' '
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL
DIR_IP_WL="$DIR_SHARE/iptables-wl" # all the IP addresses of the WL
OSSI_WL_IP="$DIR_IP_WL/ossi" # all the IP addresses of the WL ossi category
DIR_DNS_BL_ENABLED="$DIR_SHARE/dnsmasq-bl-enabled" # symbolic link to the domains BL (only enabled categories)
DIR_DNS_WL_ENABLED="$DIR_SHARE/dnsmasq-wl-enabled" # ' ' ' WL ' ' '
DIR_IP_BL_ENABLED="$DIR_SHARE/iptables-bl-enabled" # ' ' ip BL (only enabled categories)
DIR_IP_WL_ENABLED="$DIR_SHARE/iptables-wl-enabled" # ' ' ip WL (only enabled categories)
DNSMASQ_BL_CONF="/etc/dnsmasq-blacklist.conf" # conf file of dnsmasq-blacklist
DNS1=`grep "DNS1" $CONF_FILE | cut -d '=' -f 2` # server DNS1 (for WL domain names)
BL_SERVER="dsi.ut-capitole.fr"
48,11 → 45,11
cp $DIR_IP_BL_ENABLED/ossi-* $DIR_tmp
fi
cp $DIR_IP_BL/ossi $DIR_tmp
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED # cleaning for dnsmasq and iptables
rm -rf $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED # cleaning for dnsmasq and iptables
$SED "/\.Include/d" $DIR_DG/bannedsitelist $DIR_DG/bannedurllist # cleaning for DG
$SED "s?^[^#]?#&?g" $BL_CATEGORIES $WL_CATEGORIES # cleaning BL & WL categories file (comment all lines)
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED
chown apache $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED
mkdir $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED
chown apache $DIR_IP_BL_ENABLED
# process the file $BL_CATEGORIES with the choice of categories
for ENABLE_CATEGORIE in `cat $BL_CATEGORIES_ENABLED`
do
71,7 → 68,6
$SED "/\/$ENABLE_CATEGORIE$/d" $WL_CATEGORIES
$SED "1i\/etc\/dansguardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $WL_CATEGORIES
ln -s $DIR_DNS_WL/$ENABLE_CATEGORIE.conf $DIR_DNS_WL_ENABLED/$ENABLE_CATEGORIE
ln -s $DIR_IP_WL/$ENABLE_CATEGORIE $DIR_IP_WL_ENABLED/$ENABLE_CATEGORIE
done
sort +0.0 -0.2 $WL_CATEGORIES -o $FILE_tmp
mv $FILE_tmp $WL_CATEGORIES
110,75 → 106,7
/usr/local/bin/alcasar-iptables.sh
fi
}
function ip_retrieving (){
# retrieving IPs of all domain names for the whitelist
index=0
if [ ! -d $DIR_IP_WL ]
then
mkdir $DIR_IP_WL
touch $DIR_IP_WL/ossi
chown apache $DIR_IP_WL/ossi
else
# delete old IPs
mkdir $DIR_tmp
cp $DIR_IP_WL/ossi $DIR_tmp
rm -rf $DIR_IP_WL/*
cp $DIR_tmp/ossi $DIR_IP_WL
rm -rf $DIR_tmp
fi
echo "Retrieving IPs :"
cd $DIR_DNS_WL
for category in `ls | cut -d '.' -f 1`
do
echo -n "$category :"
for domain in `cat $category.conf | cut -d '/' -f 2`
do
echo `host $domain | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'` >> $DIR_IP_WL/$category.tmp &
((index++))
echo -n "."
if [ $index -eq 100 ]
then
index=0
sleep 1
fi
done
done
echo "done"
sleep 5
cd $DIR_IP_WL
for category in `ls`
do
# one IP per line
$SED 's/ /\n/g' $category
# add SET syntax
$SED 's/^/add whitelist_ip_allowed /g' $category
# delete empty lines
$SED '/^$/d' $category
# delete false entries
$SED -r '/([0-9]{1,3}.){3}[0-9]{1,3}/!d' $category
# delete duplicate lines
sort -u $category > ${category%%.*}
done
rm -f *.tmp
}
function ip_retrieving_ossi (){
# retrieving IPs of all domain names for the ossi category
> $OSSI_WL_IP
for domain in `cat $OSSI_DOMAINS_WL`
do
echo `host $domain | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}'` >> $OSSI_WL_IP &
done
sleep 5
# one IP per line
$SED 's/ /\n/g' $OSSI_WL_IP
# add SET syntax
$SED 's/^/add whitelist_ip_allowed /g' $OSSI_WL_IP
# delete empty lines
$SED '/^$/d' $OSSI_WL_IP
# delete false entries
$SED -r '/([0-9]{1,3}.){3}[0-9]{1,3}/!d' $OSSI_WL_IP
}
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload } | { -ip_retrieving or --ip_retrieving } | { -ip_retrieving_ossi or --ip_retrieving_ossi }"
usage="Usage: alcasar-bl.sh { -cat_choice or --cat_choice } | { -download or --download } | { -adapt or --adapt } | { -reload or --reload }"
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
312,14 → 240,6
cp -f $DIR_DG_BL/ossi/domains_wl $DIR_DNS_WL/ossi.conf
bl_enable
;;
# retrieving IPs of all domain names for the whitelist
-ip_retrieving | --ip_retrieving)
ip_retrieving
;;
# retrieving IPs of all domain names for the whitelist ossi category
-ip_retrieving_ossi | --ip_retrieving_ossi)
ip_retrieving_ossi
;;
*)
echo "Argument inconnu :$1";
echo "$usage"