Subversion Repositories ALCASAR

Compare Revisions

No changes between revisions

Ignore whitespace Rev 2956 → Rev 2947

/scripts/alcasar-network.sh
File deleted
Property changes:
Deleted: svn:eol-style
-native
\ No newline at end of property
Deleted: svn:executable
-*
\ No newline at end of property
/scripts/alcasar-conf.sh
124,7 → 124,7
--load|-load)
cd /var/tmp || { echo "Unable to find /var/tmp directory"; }
tar -xf alcasar-conf.tar.gz
# update alcasar.conf parameters
# copy alcasar.conf parameters
PREVIOUS_VERSION=`grep ^VERSION= $DIR_UPDATE/etc/alcasar.conf|cut -d"=" -f2`
MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1`
MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2`
/scripts/alcasar-rpm-download.sh
13,7 → 13,7
# The kernel version we compile netflow for
KERNEL="kernel-server-5.10.30-1.mga7-1-1.mga7"
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd clamav clamav-db fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat"
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat"
 
rpm_repository_sync ()
{
/scripts/alcasar-rpm.sh
18,8 → 18,7
# "lsscsi" & nvme-cli" : needed by phpsysinfo
# "socat" : avoid a warning when run the install script of letsencrypt ("acme.sh")
# "sudo" : needed after a reinstallation (to be investigated)
# "clamav + clamav-db" : needes because of a mutual dependance
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamav clamav-db clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat"
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat"
 
rpm_repository_sync ()
{
/scripts/alcasar-uninstall.sh
289,14 → 289,19
 
post_install ()
{
echo -en "(7) : "
echo -en "(8) : "
[ -e /etc/mageia-release.default ] && mv -f /etc/mageia-release.default /etc/mageia-release && echo -n "1, "
[ -e /etc/ssh/alcasar-banner-ssh ] && rm -f /etc/ssh/alcasar-banner-ssh && echo -n "2, "
[ -e /etc/ssh/sshd_config.default ] && mv -f /etc/ssh/sshd_config.default /etc/ssh/sshd_config && echo -n "3, "
[ -e /etc/bashrc.default ] && mv -f /etc/bashrc.default /etc/bashrc && echo -n "4, "
[ -e /etc/sudoers.default ] && mv -f /etc/sudoers.default /etc/sudoers && echo -n "5, "
[ -e /etc/security/limits.conf.default ] && mv -f /etc/security/limits.conf.default /etc/security/limits.conf && echo -n "6, "
[ -e /etc/default/grub.default ] && mv -f /etc/default/grub.default /etc/default/grub && echo -n "7"
if [ -e /etc/systemd/system/alcasar-load_balancing.service ]
then
rm -f /etc/systemd/system/alcasar-load_balancing.service
echo -n "6, "
fi
[ -e /etc/security/limits.conf.default ] && mv -f /etc/security/limits.conf.default /etc/security/limits.conf && echo -n "7, "
[ -e /etc/default/grub.default ] && mv -f /etc/default/grub.default /etc/default/grub && echo -n "8"
}
 
 
332,7 → 337,7
echo "----------------------------------------------------------------------------"
echo "** Uninstall/Désinstallation d'ALCASAR **"
echo "----------------------------------------------------------------------------"
services="vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli"
services="alcasar-load_balancing vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli"
/usr/local/bin/alcasar-logout.sh all # logout everybody
else
echo "--------------------------------------------------------------------------"
339,7 → 344,7
echo "** update/mise à jour d'ALCASAR **"
echo "--------------------------------------------------------------------------"
# unbound, iptables & sshd should stay on to allow remote update
services="vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli"
services="alcasar-load_balancing vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli"
/usr/local/bin/alcasar-bypass.sh -on # to allow remote update + users stay connected during the update
fi
 
386,7 → 391,7
done
if [ $mode == "full" ]
then
echo -en "\n- network(10) : "
echo -en "\n- network(9) : "
hostnamectl set-hostname localhost.localdomain
chmod a-x /etc/sysconfig/network-scripts/default-*
i=0
401,17 → 406,12
[ -e /etc/hosts.allow.default ] && mv -f /etc/hosts.allow.default /etc/hosts.allow && echo -n "5, "
[ -e /etc/hosts.deny.default ] && mv -f /etc/hosts.deny.default /etc/hosts.deny && echo -n "6, "
[ -e /etc/modprobe.preload.default ] && mv -f /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "7, "
if [ -e /etc/systemd/system/alcasar-network.service ]
- then
- rm -f /etc/systemd/system/alcasar-network.service
- echo -n "8, "
- fi
if [ -e /etc/systemd/system/iptables.service ]
then
rm -f /etc/systemd/system/iptables.service
echo -n "9, "
echo -n "8, "
fi
[ -e /usr/libexec/iptables.init.default ] && mv -f /usr/libexec/iptables.init.default /usr/libexec/iptables.init && echo -n "10"
[ -e /usr/libexec/iptables.init.default ] && mv -f /usr/libexec/iptables.init.default /usr/libexec/iptables.init && echo -n "9"
/usr/bin/systemctl restart network
sleep 1
fi
/scripts/alcasar-iptables.sh
39,7 → 39,6
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2`
47,10 → 46,6
IPTABLES="/sbin/iptables"
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users)
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2`
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2`
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2`
nb_gw=`grep ^WAN $CONF_FILE|wc -l`
 
# Allow requests to internal DNS if activated
if [ "$INT_DNS_ACTIVE" = "on" ]
58,15 → 53,6
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP"
fi
 
#ipset name list for load_balancing
gw_list="gw0"
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
for ((i=1 ; i<=$nb_gw ; i++)); do
gw_list="${gw_list} gw$i"
done
fi
 
 
# Sauvegarde des SET des utilisateurs connectés si ils existent
# Saving SET of connected users if it exists
ipset list not_filtered 1>/dev/null 2>&1
82,20 → 68,6
ipset save proto_3 >> $TMP_users_set_save
fi
 
# Sauvegarde de la liste de toutes les IP déjà connectées pour les réintégrer dans le load balancing
# Saving all of the already connected IP in order to put them back in the load balancing after
if [ ! -f $TMP_ip_gw_save ];then
# Save only if alcasar-network.sh --save has not been executed before
for i in $gw_list;do
ipset list $i 1>/dev/null 2>&1
if [ $? -eq 0 ]
then
# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines execpt the members
ipset list $i | cut -d":" -f5 | sed '/^[[:space:]]*$/d' >> $TMP_ip_gw_save
fi
done
fi
 
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW)
# loading of NetFlow probe (ipt_NETFLOW kernel module)
modprobe ipt_NETFLOW destination=127.0.0.1:2055
188,41 → 160,10
ipset create proto_3 hash:ip hashsize 1024
fi
 
#ipsets for load balancing
for i in $gw_list; do
ipset create $i hash:ip
done
cat $TMP_ip_gw_save | while read ip; do
gw_min="gw0"
weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2`
already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2`
#The *1000 is here to avoid working on floats in bash
gw_min_value=$((1000 * $already / $weight))
i=1
for gw in $gw_list;do
if [ "$gw" != "gw0" ]; then
weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'`
already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2`
value=$((1000 * $already / $weight))
if [ $value -lt $gw_min_value ]
then
gw_min_value=$value
gw_min=$gw
fi
i=$(($i+1))
fi
done
ipset add $gw_min $ip
done
rm -f $TMP_ip_gw_save
 
 
 
#############################
# PREROUTING #
#############################
 
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules
# 8080 = ipset av_bl
255,7 → 196,7
# 55 = ipset av_wl
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55
# 53 = all other users
# 53 = all other users
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53
 
276,7 → 217,6
# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian
# 8080 = ipset av_bl
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# 8090 = ipset av_wl & av
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
292,23 → 232,6
# Redirect NTP request in local NTP server
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
 
#Récupération de la marque associée à une gw pour chaque connection
$IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark
 
if [ "$PROXY" == "on" ] || [ "$PROXY" == "On" ];then
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp -m multiport --dports http,https -j DNAT --to-destination $PROXY_IP
fi
 
#Marquage pour le load balancing
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then
temp_index=200
for i in $gw_list; do
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index
temp_index=$(($temp_index+1))
done
fi
 
 
#############################
# INPUT #
#############################
319,7 → 242,7
$IPTABLES -A OUTPUT -o lo -j ACCEPT
 
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST and NEW not SYN)
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
532,7 → 455,7
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy)
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT
 
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse)
566,9 → 489,6
# Dynamic NAT on EXTIF
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
#Sauvegarde de la marque associée à la connexion pour le load balancing
$IPTABLES -A POSTROUTING -t mangle -j CONNMARK --save-mark
 
#############################
# FAIL2BAN #
#############################
/scripts/alcasar-condown.sh
3,7 → 3,7
# $Id$
#
# alcasar-condown.sh
# by Rexy & Pierre RIVAULT
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# This script is started by coova after each logout
56,17 → 56,6
current_users_file="/tmp/current_users.txt"
[ -e $current_users_file ] && sed -i "/^$FRAMED_IP_ADDRESS:/d" $current_users_file
 
# Remove user_IP from ipset of load balancing
nb_gw=`grep ^WAN $CONF_FILE | wc -l`
for (( i = 0 ; i <= $nb_gw ; i++ ));do
gw="gw$i"
ipset test $gw $FRAMED_IP_ADDRESS 1>/dev/null 2>&1
if [ $? -eq 0 ];then
ipset del $gw $FRAMED_IP_ADDRESS
break
fi
done
 
#############################
## Debug : show all the coova parse variables (+ ALCASAR-Filter + ALCASAR-Protocols-Filter).
## see "/src/chilli.c" for the complete list of parse variables
/scripts/alcasar-conup.sh
3,13 → 3,13
# $Id$
#
# alcasar-conup.sh
# by Rexy & Pierre RIVAULT
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
# This script is started by coova after each successfull login
# Ce script est démarré par coova à chaque connexion d'usager (authentification réussi)
 
CONF_FILE="/usr/local/etc/alcasar.conf"
 
PASSWD_FILE="/root/ALCASAR-passwords.txt"
DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2`
DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2`
67,27 → 67,6
echo "$FRAMED_IP_ADDRESS:PERM" >> $current_users_file
fi
 
# set the user_ip to an gw_ipset for load-balancing
gw_min="gw0"
weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2`
already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2`
#The *1000 is here to avoid working on floats in bash
gw_min_value=$((1000 * $already / $weight))
 
nb_gw=`grep ^WAN $CONF_FILE | wc -l`
for (( i = 1 ; i <= $nb_gw ; i++ ));do
gw="gw${i}"
weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'`
already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2`
value=$((1000 * $already / $weight))
if [ $value -lt $gw_min_value ]
then
gw_min_value=$value
gw_min=$gw
fi
done
ipset add $gw_min $FRAMED_IP_ADDRESS
 
#############################
## Debug : show all the coova parse variables (+ ALCASAR-Filter + ALCASAR-Protocols-Filter + Alcasar-Status-Page-Must-Stay-Open).
## see "/src/chilli.c" for the complete list of parse variables
/scripts/alcasar-load_balancing.sh
0,0 → 1,407
#!/bin/bash
# $Id$
 
# Generic Load balancer for multiple WAN links - version 1.1 (04 Feb 2011)
# (c) 2011 Pau Oliva Fora - http://pof.eslack.org
#
# Licensed under GPLv3 - for full terms see:
# http://www.gnu.org/licenses/gpl-3.0.html
#
# Adapted and debugged (adr et ping -S) by ALCASAR Team (3abtux@alcasar.net)
# (c) 2013 3abtux - http://www.alcasar.net
#
# Specify each WAN link in a separate column, example:
# In this example we have 3 wan links (vlanXXX interfaces) attached to a single
# physical interface because we use a vlan-enabled switch between the balancer
# machine and the ADSL routers we want to balance. The weight parameter should
# be kept to a low integer.
#
#
# Modified by ALCASAR team :
 
 
prog="alcasar-load_balancing.sh"
pidfile="/run/alcasar-load_balancing.pid"
 
###############################
# MAIN PARAMETERs Configuration
###############################
 
DIR_ETC="/usr/local/etc"
CONF_FILE="$DIR_ETC/alcasar.conf"
MULTIWAN=`grep ^MULTIWAN= $CONF_FILE|cut -d"=" -f2`
MULTIWAN=${MULTIWAN:=off}
FAILOVER=`grep ^FAILOVER= $CONF_FILE|cut -d"=" -f2`
FAILOVER=${FAILOVER:=30}
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace
 
 
# space separated list of public IPs to ping in watchdog mode
# set this to some public ip addresses pingable and always on.
TESTIPS="8.8.8.8 192.0.32.10"
 
# set to 1 when testing, set to 0 when happy with the results
VERBOSE=0
 
# CONFIGURATION ENDS HERE
###############################
 
 
if [ $(whoami) != "root" ]; then
echo "You must be root to run this!" ; echo ; exit 1
fi
 
# Adapter for ALCASAR project
CONF_FILE="/usr/local/etc/alcasar.conf"
 
# Virtual interfaces creating
function create_eth () {
routecmd="ip route replace default scope global"
NBIFACE=`grep "^WAN=" $CONF_FILE | wc -l` # Nbre interfaces virtuelles
i=0
while [ $i -le $NBIFACE ]
do
INT="WAN$i"
echo $INT
ACTIVE=`grep "$INT=" $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $1}'` # Active
WT=`grep "$INT=" $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $5}'` # WEIGHT
WT=${WT:-1}
IP=`grep "$INT=" $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $3}' | cut -d"/" -f1` # @IP
 
if [ $i -ne 0 ]; then
[ -e /etc/sysconfig/network-scripts/ifcfg-$EXTIF:$i ] && ifdown $EXTIF:$i && rm -f /etc/sysconfig/network-scripts/ifcfg-$EXTIF:$i
IFACE=`grep "$INT=" $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $2}'` # IFACE
IP_NET=`grep "^$INT=" $CONF_FILE | awk -F'"' '{print $2}' | awk -F, '{ print $3}'` # IP
NET="`ipcalc -n $IP_NET | cut -d"=" -f2`/`ipcalc -p $IP_NET|cut -d"=" -f2`"
GW=`grep "$INT=" $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $4}'` # @GW
MTU=`grep "$INT=" $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $6}'` # MTU
 
# Config $EXTIF:$i (Internet)
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF:$i
DEVICE=$IFACE
BOOTPROTO=static
IPADDR=`echo $IP | cut -d"/" -f1`
NETMASK=`ipcalc -m $IP_NET | cut -d= -f2`
NETWORK=`ipcalc -n $IP_NET | cut -d= -f2`
MTU=$MTU
ONBOOT=yes
NOZEROCONF=yes
MII_NOT_SUPPORTED=yes
IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
EOF
echo "ifup $EXTIF:$i"
ifup $EXTIF:$i
NET="`ipcalc -n $IP_NET | cut -d"=" -f2`/`ipcalc -p $IP_NET|cut -d"=" -f2`"
else
IFACE="$EXTIF"
IP_NET=`grep "^PUBLIC_IP=" $CONF_FILE | awk -F'=' '{print $2}'` # IP/MSK
IP=`grep "^PUBLIC_IP=" $CONF_FILE | awk -F= '{ print $2 }' | cut -d"/" -f1` # @IP
GW=`grep "^GW=" $CONF_FILE | awk -F= '{print $2}'` # @GW
# MTU=`grep "^PUBLIC_MTU=" $CONF_FILE | awk -F= '{print $2}'` # MTU
fi # End
 
NET="`ipcalc -n $IP_NET | cut -d"=" -f2`/`ipcalc -p $IP_NET|cut -d"=" -f2`"
if [ "$PARAM" == "add" ]; then
set -x
table=$(($i + 1))
ip route ${PARAM} ${NET} dev ${IFACE} src ${IP} table $table
ip route ${PARAM} default via ${GW} table $table
ip rule ${PARAM} from ${IP} table $table
set +x
fi
echo " Iface: ${IFACE}"
echo " IP: ${IP}"
echo " IP_NET: ${IP_NET}"
echo " NET: ${NET}"
echo " GW: ${GW}"
echo " Weight: ${WT}"
echo " MTU : ${MTU}"
echo
routecmd="${routecmd} nexthop via ${GW} dev ${IFACE} weight ${WT}"
i=$(($i + 1))
done # End While
 
if [ "$PARAM" == "add" ]; then
echo "[] Balanced routing:"
# suppress default route
ip route del default scope global
set -x
${routecmd}
set +x
echo
fi
 
} # end create_eth
 
###########################
# Fonction virtual Interfaces deleting
###########################
delete_eth () {
IFACE_COUNT=`ls -l /etc/sysconfig/network-scripts/ifcfg-$EXTIF:* | wc -l`
echo $IFACE_COUNT
while [ $IFACE_COUNT -ne 0 ]
do
i=$IFACE_COUNT
echo "ifdown $EXTIF:$i"
ifdown $EXTIF:$i
rm -f /etc/sysconfig/network-scripts/ifcfg-$EXTIF:$i
IFACE_COUNT=$(($IFACE_COUNT - 1))
done
ip route del default scope global
# ip route add default gw 192.168.1.1
}
 
 
# do not modify below this line unless you know what you're doing :)
function getvalue() {
index=$1
VAR=$2
 
n=1
for f in ${VAR} ; do
if [ "${n}" == "${index}" ]; then
echo "$f"
break
fi
n=$(($n++))
done
}
 
######################
# Fonction de FailOver
######################
function failover () {
 
echo "[] Watchdog started"
# 0 == all links ok, 1 == some link down
STATE=0
 
DOWNCOUNT_BAK=0
DOWN_BAK=""
NBIFACE=`grep "^WAN=" $CONF_FILE | wc -l` # Nbre interfaces virtuelles
echo "Nombre interfaces = "$NBIFACE
WANIFACE[0]="$EXTIF"
c=0
while [ $c -le $NBIFACE ]; do
ITH=(`grep "^WAN$c=" $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $2}'`) # IFACE
echo $ITH
WANIFACE="${WANIFACE} $ITH"
echo $WANIFACE
c=$(($c + 1))
done
echo "Liste des interfaces : "${WANIFACE[*]}
# Failover test
while : ; do
 
if [ $VERBOSE -eq 1 ]; then
echo "[] Sleeping, state=$STATE"
fi
sleep $FAILOVER
 
IFINDEX=1
DOWN="" # liste des interfaces down
DOWNCOUNT=0 # nombre d'interface down
for iface in $WANIFACE ; do
COUNT=0 # compteur de test
FAIL=0 # Nombre de fois down
# Recup de l'adresse IP dynamiquement
IP=`ifconfig $iface |grep "inet adr" |cut -f 2 -d ":" |awk '{print $1}'`
if [ $i -ne 0 ]; then
GW=`grep "$iface," $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $4}'` # @GW
WT=`grep "$iface," $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $5}'` # @WT
else
GW=`grep "^GW=" $CONF_FILE | awk -F= '{print $2}'` # @GW
fi
for TESTIP in $TESTIPS ; do
COUNT=$(($COUNT + 1))
ping -W 3 -I $IP -c 1 $TESTIP > /dev/null 2>&1
# ping -W 3 -I $IP -c 1 $TESTIP
# Si ping de la première adresse --> ok --> stop du test pour l'interface testée
if [ $? -eq 0 ]; then
break
else
# sinon on compte une erreur
FAIL=$(($FAIL + 1))
fi
done # End of test sur un serveur Internet
# Affichage du nombre de down
echo "FAIL=$FAIL"
# Si nombre de fois down = nombre de tests --> Iface down --> log dans fichier log avec l'heure
if [ $FAIL -eq $COUNT ]; then
echo "`date +%F-%Hh%mm%Ss` : [WARN] $iface is down!"
# Si etat différent de 1 (déjà tombé) --> changement de l'état général en default
if [ $STATE -ne 1 ]; then
echo "Switching state $STATE -> 1"
STATE=1
fi
# Rajout de l'iface dans la liste des interfaces down
DOWN="${DOWN} $IFINDEX"
echo "DOWN=$DOWN"
# Nombre d'interface down
DOWNCOUNT=$(($DOWNCOUNT + 1))
echo "DOWNCOUNT=$DOWNCOUNT"
fi
IFINDEX=$(($IFINDEX + 1))
echo "IFINDEX =$IFINDEX"
done # End Test Interface in WANIFACE
 
# 0 Passerelle down et état précédent différent (retour à la normale)) --> mise à la normale des passerelles
# if [ $DOWNCOUNT -eq 0 ] && [ $DOWNCOUNT -ne $DOWNCOUNT_BAK ]; then
if [ $DOWNCOUNT -eq 0 ] ; then
if [ $STATE -eq 1 ]; then
echo
echo "[] All links up and running :)"
set -x
${routecmd}
set +x
# Changement de l'état en normal
STATE=0
echo "Switching state 1 -> 0"
fi # End retour etat normal
# if no interface is down, go to the next cycle
continue
# cas ou au moins une passerelle down mais état identique au précédent Test --> rien à changer
else
if [ "$DOWN_BAK" == "$DOWN" ]; then
echo "DOWN_BAK == DOWN = $DOWN"
continue # --> état identique test precedent --> boucle suivante
# cas ou au moins une passerelle down mais état différent de test précédent --> remplacement par nouvelle règle
else
cmd="ip route replace default scope global"
IFINDEX=1
suffix=""
# Pour chaque interface --> traitement et application de la règle de routage
for iface in $WANIFACE ; do
echo "-------------------------"
echo "iface=$iface"
echo "Index = " $IFINDEX
FAILIF=0
# Pour chaque interface down -->
echo "Interfaces DOWN = $DOWN"
for lnkdwn in $DOWN ; do
echo "LINKDOWN = "$lnkdown
if [ $lnkdwn -eq $IFINDEX ]; then
FAILIF=1
break
else
continue
fi
done # End linkdown in DOWN
# Interface en etat normal --> rajout de la règle en mode nexthop
if [ $FAILIF -eq 0 ]; then
IP=`ifconfig $iface |grep "inet adr" |cut -f 2 -d ":" |awk '{print $1}'`
if [ $iface != "$EXTIF" ]; then
GW=`grep "$iface," $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $4}'` # @GW
WT=`grep "$iface," $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F, '{ print $5}'` # @GW
else
GW=`grep "^GW=" $CONF_FILE | awk -F= '{print $2}'` # @GW
fi
echo "GW=$GW"
echo "WT=$WT"
echo "suffix=$sufix"
suffix="${suffix} nexthop via ${GW} dev ${iface} weight ${WT:-1}"
fi # End interface = noFAIL
IFINDEX=$(($IFINDEX + 1))
done # End iface IN WANIFACE
# Commande globale
cmd="ip route replace default scope global $suffix"
 
if [ $VERBOSE -eq 1 ]; then
set -x
# echo "Avec commentaire : " ${cmd}
${cmd}
set +x
echo
else
${cmd} 2>/dev/null
echo ${cmd}
fi # end Application de la commande de routage globale
fi #
DOWN_BAK=$DOWN # Enregistrement de l'etat
fi # End
done
} # End of Failover
 
 
#################
# Main
#################
 
echo "[] Load balancer for multiple WAN interfaces - v2.1"
echo "[] (c) 2011 Pau Oliva Fora <pof> @eslack.org"
echo "[] (c) 2013 3abtux ALCASAR <3abtux> @alcasar.net"
echo
 
case $1 in
create)
create_eth
;;
delete)
delete_eth
;;
start)
if [ "$MULTIWAN" != "on" ] && [ "$MULTIWAN" != "On" ]; then
echo "The MultiGateway is not activated !"
exit 0
fi
PARAM="add"
create_eth
ip route flush cache
if [ $FAILOVER -eq 0 ]; then
echo "The MultiWAN Mode is actived but not failover connectivity !"
exit 0
fi
echo "Starting down $prog: "
pid=`pidof -x "alcasar-load_balancing.sh"`
if [ $pid != "" ]; then
echo $pid > $pidfile
fi
touch /var/lock/subsys/alcasar-load_balancing
failover
;;
stop)
PARAM="del"
echo "Shutting down $prog: "
if [ -f $pidfile ]; then
pid=`cat $pidfile`
kill -9 $pid
else
echo "$prog is not running."
exit 1
fi
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f $pidfile && rm -f /var/lock/subsys/alcasar-load_balancing
echo "Delete of virtual interfaces"
delete_eth
echo "Network restart"
service network restart 2>&1 > /dev/null
ip route
 
;;
status)
echo "Checking $prog : "
if [ -f $pidfile ]; then
pid=`cat $pidfile`
CHECK=`ps -p $pid --no-heading | awk {'printf $1'}`
if [ "$CHECK" = "" ]; then
echo "$prog is NOT running."
else
echo "$prog is running !"
fi
else
echo "$prog is Not running."
fi
;;
fail)
failover
;;
*)
echo "Usage: $0 [start|stop|status|create|delete]" ; echo ; exit 1
;;
esac
 
exit 0
Property changes:
Added: svn:eol-style
+LF
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property
Added: svn:keywords
+Id Author Date
\ No newline at end of property