
Ignore whitespace Rev 786 → Rev 785

/alcasar.sh
1143,7 → 1143,7
$SED "/daemon/a \$dnsmasq -C /etc/dnsmasq-blackhole.conf \$OPTIONS" /etc/init.d/dnsmasq
$SED "/killproc \$DAEMON_NAME/a killproc \$DAEMON_NAME" /etc/init.d/dnsmasq
# Optionnellement on active les logs DNS des clients --> traiter les uninstall et update
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.conf.default
$SED "s?^OPTIONS=.*?OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
} # End dnsmasq
 
1189,7 → 1189,8
chown -R root:apache $DIR_DEST_ETC/{alcasar-dnsfilter-available,alcasar-dnsfilter-enabled}
# On fait pointer le black-hole sur une page interne
$SED "s?^IP_RETOUR=.*?IP_RETOUR=\"$PRIVATE_IP\"?g" $DIR_DEST_SBIN/alcasar-bl.sh
# On adapte la BL de Toulouse à notre structure
# On récupère la dernière version de la BL Toulouse et on l'adapte à notre structure
$DIR_DEST_SBIN/alcasar-bl.sh --download
if [ "$mode" != "update" ]; then
$DIR_DEST_SBIN/alcasar-bl.sh --adapt
fi
1311,7 → 1312,7
echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
echo "QOS=off" >> $CONF_FILE
echo "LDAP=off" >> $CONF_FILE
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
echo "LDAP_IP=0.0.0.0" >> $CONF_FILE
echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
echo "DNS_FILTERING=off" >> $CONF_FILE
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
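Review bot: The backup guard at L13 tests for `/etc/sysconfig/dnsmasq.default` but copies to `/etc/sysconfig/dnsmasq.conf.default`, so the guard file is never created, the copy runs on every execution of this function, and the "pristine" backup gets overwritten with a file the L14 sed has already rewritten on any previous run; L12 on the other side tests and writes the same name. Note this page compares 786 → 785, so the right-hand (785) revision is the older one — whichever is current, the test path and the destination must be one and the same file, e.g. `[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default`. Separately, `-q --log-facility=/var/log/dnsmasq/queries.log` at L14 records every client's DNS queries, i.e. per-user browsing history; nothing in this hunk creates that directory or rotates the file, and the hunk's own comment says update/uninstall handling is still open, so a one-line comment stating where the log is rotated and purged (or a TODO if nowhere yet) would help the next maintainer. The enclosing function starts before the hunk and ends at L15.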
/conf/blacklist-MD5SUM.lst
File deleted
/conf/blacklists.tar.gz
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
/scripts/alcasar-iptables.sh
146,13 → 146,13
 
# Accès direct aux services internes
# Internal services access
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blackhole
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 8 -j ACCEPT # Réponse ping # ping responce
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Requête ping # ping request
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blackhole
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp --icmp-type 8 -j ACCEPT # Requête ping # ping request
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p icmp --icmp-type 0 -j ACCEPT # Réponse ping # ping reply
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport https -j ACCEPT # Pages d'authentification et MCC # authentication pages and MCC
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport http -j ACCEPT # Page d'avertissement filtrage # Filtering warning pages
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport 3990 -j ACCEPT # Requêtes de deconnexion usagers # Users logout requests
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT # Serveur local de temps # local time server
 
# SSHD rules if activate
if [ $SSH = on ]
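Review bot: The UDP/53 ACCEPT to `$PRIVATE_IP` from the whole LAN on `$TUNIF` (L46 and L53, identical on both sides, commented "DNS without blackhole") lets any client that hard-codes the gateway as its nameserver talk to the unfiltered resolver directly, which presumably defeats the blackhole dnsmasq whenever DNS filtering is on — unless the filtering instance is what actually listens on 53 and the unfiltered one is elsewhere, which I cannot see from this hunk. The CHANGELOG on this same page says "The 8080 (TCP) and 53 (UDP) ports are now hidden on Lan side", which reads as contradicting this rule unless "Lan side" means `$INTIF` rather than `$TUNIF`; either way the rule deserves a comment saying why it is safe, or a gate like the SSH one at L62: `if [ "$DNS_FILTERING" = off ]; then … fi` (assuming the script reads DNS_FILTERING from alcasar.conf the way it reads SSH). On the 786 side the ICMP comments at L47/L48 are swapped — type 8 is echo-request, type 0 is echo-reply — while L54/L55 have them right. `[ $SSH = on ]` at L62 is unquoted and errors out if SSH is unset; `[ "$SSH" = on ]` is safer.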
/scripts/alcasar-watchdog.sh
16,11 → 16,7
 
EXTIF="eth0"
INTIF="eth1"
macallowed_file="/usr/local/etc/alcasar-macallowed"
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
private_ip_mask=${private_ip_mask:=192.168.182.1/24}
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
PRIVATE_IP="192.168.182.1"
tmp_file="/tmp/watchdog.txt"
DIR_WEB="/var/www/html"
Index_Page="$DIR_WEB/index.php"
113,15 → 109,8
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip|grep response|cut -d" " -f2`
if [[ $(expr $arp_reply) -eq 0 ]]
then
mac_allowed=`cat $macallowed_file |grep $noresponse_mac | wc -l`
if [ $mac_allowed -eq 0 ]
then
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user."
/usr/sbin/chilli_query logout $noresponse_mac
else
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac - macallowed) can't be contact. Alcasar release the IP address"
/usr/sbin/chilli_query dhcp-release $noresponse_mac
fi
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user."
/usr/sbin/chilli_query logout $noresponse_mac
fi
done
rm $tmp_file
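Review bot: `tmp_file="/tmp/watchdog.txt"` at L74 is a fixed, predictable name in world-writable /tmp, and it is removed with `rm $tmp_file` at L94; this script evidently runs as root (it calls `arping -s` and `chilli_query logout`), so a local LAN user with shell access who pre-creates /tmp/watchdog.txt as a symlink can get the watchdog to clobber an arbitrary file, depending on fs.protected_symlinks. Use `tmp_file=$(mktemp /tmp/watchdog.XXXXXX) || exit 1` at L74 and `trap 'rm -f -- "$tmp_file"' EXIT` so the file is also cleaned up when the script is killed mid-loop; the code that writes the file is outside these hunks. On the 786 side, `grep PRIVATE_IP= $conf_file` at L70 is unanchored and would also match any other key ending in that string — `grep '^PRIVATE_IP='` is the safer read, and `$noresponse_mac` at L91 should be quoted. The loop that `done` at L93 closes starts before the hunk.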
/CHANGELOG
2,7 → 2,6
 
************ CHANGELOG ***********
---- svn ----
- Bug : watchdog release the ip address of macallowed equipment (insteed of logout the user)
- Bug : reading of alcasar.conf file parameters more securely
- Bug : don't download RPMs twice
- Bug : allow connexion to an LDAP server on WAN side
14,9 → 13,7
- Core : Authenticate user on Mysql when LDAP server is down
- Core : import users via text file with or without password
- Security : The 8080 (TCP) and 53 (UDP) ports are now hidden on Lan side
- Install : control eth0 config on startup (no dhcp)
- Install : don't dowload the last BL version
 
- Install : control eth0 config on startup
---- 2.4 ----
- Bug : some minor bugs (log rotate, intercept page, squid, ...)
- Bug : ACC - correction of the Internet connectivity test flag