14,12 → 14,14 |
# - load the backup of configuration files during the update process (alcasar-conf -load). If needed, it's here we update files between versions |
# - apply ALCASAR central configuration file "/usr/local/etc/alcasar.conf" when hot modification are needed (alcasar-conf -apply) |
|
new="$(date +%G%m%d-%Hh%M)" # date et heure des fichiers |
fichier="alcasar-conf-$new.tar.gz" # nom du fichier de sauvegarde |
DIR_UPDATE="/var/tmp/conf" # répertoire de stockage des fichier de conf pour une mise à jour |
DIR_WEB="/var/www/html" # répertoire du centre de gestion |
DIR_BIN="/usr/local/bin" # scripts directory |
DIR_ETC="/usr/local/etc" # conf directory |
DIR_E2G="/etc/e2guardian/lists" # Toulouse BL directory |
DIR_BLACKLIST="$DIR_E2G/blacklists" # Toulouse BL directory |
DIR_SHARE="/usr/local/share" # data directory |
DIR_BLACKLIST="/etc/e2guardian/lists/blacklists" # Toulouse BL directory |
CONF_FILE="$DIR_ETC/alcasar.conf" # main alcasar conf file |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` # EXTernal InterFace |
INTIF=`grep ^INTIF= $CONF_FILE|cut -d"=" -f2` # INTernal InterFace |
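Review bot: DIR_BLACKLIST is assigned twice on the new side of this hunk — `DIR_BLACKLIST="$DIR_E2G/blacklists"` and, two lines later, `DIR_BLACKLIST="/etc/e2guardian/lists/blacklists"` — so the second assignment silently shadows the first. Keep a single definition, preferably the one derived from `$DIR_E2G`, so that a future change to DIR_E2G cannot leave the blacklist path pointing at a different tree. Which of the two lines this commit introduced cannot be told from the rendered page, but both survive on the new side.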
32,6 → 34,7 |
SED="/bin/sed -i" |
DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2` # server DNS1 (for WL domain names) |
DOMAIN=${DOMAIN:=localdomain} |
DATE=`date '+%d %B %Y - %Hh%M'` |
|
private_network_calc () |
{ |
38,11 → 41,13 |
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24) |
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0) |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # @ + masque du réseau de consult (192.168.182.0/24) |
classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; # classes de réseau (ex.: 2=classe B, 3=classe C) |
classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # classes de réseau (ex.: 2=classe B, 3=classe C) |
PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`. # @ compatible hosts.allow et hosts.deny (ex.: 192.168.182.) |
PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255) |
private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup` # last octet of LAN address |
private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup` # last octet of LAN broadcast |
private_ip_ending=`echo $PRIVATE_IP | cut -d"." -f4` # last octet of LAN address |
PRIVATE_FIRST_IP=$PRIVATE_IP # First network address (ex.: 192.168.182.1) |
PRIVATE_SECOND_IP=`echo $PRIVATE_IP | cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2) |
PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254) |
PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6| sed 's/:/-/g'| awk '{print toupper($0)}'` # MAC address of INTIF |
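Review bot: `classe_sup_sup=\`expr $classe + 2\`` is computed on the new side but nothing in this hunk reads it; if no later code uses it either, drop the assignment, and the remaining arithmetic is simpler as `classe_sup=$((classe + 1))` than spawning `expr`. Note also that `private_network_ending` and `private_broadcast_ending` select their octet through `$classe_sup`, whereas PRIVATE_SECOND_IP and PRIVATE_LAST_IP two lines below hard-code `-f1-3`/`-f4`, so for a prefix other than /24 the two sets of values presumably disagree. private_network_calc starts and ends outside this hunk.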
61,12 → 66,12 |
echo "$usage" |
exit 0 |
;; |
--create|-create) |
--create|-create) |
[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE |
mkdir $DIR_UPDATE |
# backup the users database (test to delete in future version) |
$DIR_BIN/alcasar-mysql.sh --dump |
cp /var/Save/base/"$(ls -1t /var/Save/base|head -1)" $DIR_UPDATE |
cp /var/Save/base/`ls -1t /var/Save/base|head -1` $DIR_UPDATE |
# backup the logo |
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE |
# backup BL/WL custom files |
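Review bot: `cp /var/Save/base/\`ls -1t /var/Save/base|head -1\` $DIR_UPDATE` on the new side parses ls output unquoted: with an empty /var/Save/base it degenerates to `cp /var/Save/base/ $DIR_UPDATE` and fails, and a dump name containing whitespace is word-split. Because that file is the users-database dump, the destination deserves a check too: `mkdir $DIR_UPDATE` on the line above is not tested, and $DIR_UPDATE sits under the world-writable /var/tmp, so the copy relies on the preceding `rm -rf` having actually left the path free. `mkdir -m 700 -- "$DIR_UPDATE" || exit 1` and `cp -- "/var/Save/base/$(ls -1t /var/Save/base | head -1)" "$DIR_UPDATE"` address both. The --create arm continues outside the hunk.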
77,7 → 82,7 |
cp /etc/dansguardian/lists/$i $DIR_UPDATE/custom_bl/ # before V3.3 |
cp -rf /etc/dansguardian/lists/blacklists/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null |
else |
cp $DIR_E2G/$i $DIR_UPDATE/custom_bl/ # since V3.3 |
cp /etc/e2guardian/lists/$i $DIR_UPDATE/custom_bl/ # since V3.3 |
cp -rf $DIR_BLACKLIST/ossi-* $DIR_UPDATE/custom_bl/ 2>/dev/null |
fi |
done |
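Review bot: `cp /etc/e2guardian/lists/$i $DIR_UPDATE/custom_bl/` hard-codes a path that the file already exposes as `$DIR_E2G`, while the very next line addresses the same tree through `$DIR_BLACKLIST`, so the two would drift apart if either variable changed; `cp -- "$DIR_E2G/$i" "$DIR_UPDATE/custom_bl/"` keeps the loop consistent and quotes `$i`. The enclosing for loop and if/else begin outside the hunk.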
96,35 → 101,8 |
else |
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.crt |
fi |
# pureip & safesearch status |
[ -d /etc/dansguardian ] && dg_path=/etc/dansguardian || dg_path=/etc/e2guardian |
|
if ! grep -Eq '^WL_SAFESEARCH=' $DIR_UPDATE/etc/alcasar.conf; then |
if [ -f /etc/dnsmasq-whitelist.conf ] && grep -iq "SafeSearch" /etc/dnsmasq-whitelist.conf; then |
echo 'WL_SAFESEARCH=on' >> $DIR_UPDATE/etc/alcasar.conf |
else |
echo 'WL_SAFESEARCH=off' >> $DIR_UPDATE/etc/alcasar.conf |
fi |
fi |
|
if ! grep -Eq '^BL_SAFESEARCH=' $DIR_UPDATE/etc/alcasar.conf; then |
if [ -f /etc/dnsmasq-blacklist.conf ] && grep -iq "SafeSearch" /etc/dnsmasq-blacklist.conf; then |
echo 'BL_SAFESEARCH=on' >> $DIR_UPDATE/etc/alcasar.conf |
else |
echo 'BL_SAFESEARCH=off' >> $DIR_UPDATE/etc/alcasar.conf |
fi |
fi |
|
if ! grep -Eq '^BL_PUREIP=' $DIR_UPDATE/etc/alcasar.conf; then |
if grep -Eq "^\*ip" $dg_path/lists/bannedsitelist; then |
echo 'BL_PUREIP=on' >> $DIR_UPDATE/etc/alcasar.conf |
else |
echo 'BL_PUREIP=off' >> $DIR_UPDATE/etc/alcasar.conf |
fi |
fi |
|
# archive file creation |
cd /var/tmp || { echo "Unable to find /var/tmp directory"; } |
cd /var/tmp |
tar -cf alcasar-conf.tar conf/ |
gzip -f alcasar-conf.tar |
rm -rf $DIR_UPDATE |
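Review bot: `cd /var/tmp` on the new side has no failure check, so if the directory is missing or unreachable the script carries on and runs `tar -cf alcasar-conf.tar conf/`, `gzip` and `rm -rf $DIR_UPDATE` from whatever the current directory happens to be. Replace it with `cd /var/tmp || { echo "Unable to find /var/tmp directory" >&2; exit 1; }`. The same unchecked `cd /var/tmp` precedes `tar -xf alcasar-conf*.tar.gz` in the --load arm at the next hunk, where the consequence is an archive extracted into an unintended directory. The --create arm starts outside the hunk.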
131,7 → 109,7 |
;; |
|
--load|-load) |
cd /var/tmp || { echo "Unable to find /var/tmp directory"; } |
cd /var/tmp |
tar -xf alcasar-conf*.tar.gz |
######################### modifications between versions ####################### |
# Retrieve the previous version |
145,7 → 123,7 |
HOSTNAME=`grep ^HOSTNAME= $CONF_FILE|cut -d"=" -f2-` |
domainNames="$HOSTNAME $HOSTNAME.$DOMAIN" |
[ "$HOSTNAME" != 'alcasar' ] && domainNames="alcasar $domainNames" |
if [ "$(grep -c "$PRIVATE_IP\s$domainNames" $DIR_UPDATE/etc/hosts )" -eq 0 ]; then |
if [ $(grep -c "$PRIVATE_IP\s$domainNames" $DIR_UPDATE/etc/hosts ) -eq 0 ]; then |
cat << EOF > $DIR_UPDATE/etc/hosts |
127.0.0.1 localhost |
$PRIVATE_IP $domainNames |
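Review bot: `if [ $(grep -c "$PRIVATE_IP\s$domainNames" $DIR_UPDATE/etc/hosts ) -eq 0 ]` leaves the substitution unquoted, so when the hosts file is absent grep prints nothing, the test becomes `[ -eq 0 ]`, errors out, and the rewrite that should create the file is skipped. Using grep's exit status directly avoids the count altogether: `if ! grep -q "$PRIVATE_IP\s$domainNames" "$DIR_UPDATE/etc/hosts"; then`. The same count-and-compare form appears on the new side of the `rpm -qa | ... | wc -l` check in the next hunk and the two `grep -c '^SMS...'` checks in the hunk after it, which can become `grep -q` tests the same way. The heredoc this guards continues past the hunk.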
152,7 → 130,7 |
EOF |
fi |
## apache & dansguardian are replaced with lighttpd & E²guardian |
if [ "$(rpm -qa | grep '^\(apache\|apache-mod_php\|apache-mod_ssl\|dansguardian\)-' | wc -l)" -ne 0 ]; then |
if [ $(rpm -qa | grep '^\(apache\|apache-mod_php\|apache-mod_ssl\|dansguardian\)-' | wc -l) -ne 0 ]; then |
rm_rpm="apache apache-mod_php apache-mod_ssl dansguardian" |
/usr/sbin/urpme --auto -a $rm_rpm 2>/dev/null |
/usr/sbin/urpme --auto --auto-orphans |
162,17 → 140,12 |
[ ! -f $DIR_UPDATE/alcasar.pem ] && (cat $DIR_UPDATE/alcasar.key; echo; cat $DIR_UPDATE/alcasar.crt) > $DIR_UPDATE/alcasar.pem |
## From 3.3.0 ## |
# add "SMS=off" in conf file |
if [ "$(grep -c '^SMS=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then |
if [ $(grep -c '^SMS=' $DIR_UPDATE/etc/alcasar.conf) -eq 0 ]; then |
echo "SMS=off" >> $DIR_UPDATE/etc/alcasar.conf |
fi |
if [ "$(grep -c '^SMS_NUM=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then |
if [ $(grep -c '^SMS_NUM=' $DIR_UPDATE/etc/alcasar.conf) -eq 0 ]; then |
echo "SMS_NUM=" >> $DIR_UPDATE/etc/alcasar.conf |
fi |
## From 3.4.0 ## |
# Fix subdomain dot position (.domain.org to domain.org.) for Unbound |
for file in $DIR_E2G/exceptionsitelist $DIR_BLACKLIST/ossi-bl*/domains $DIR_BLACKLIST/ossi-wl*/domains; do |
[ -f $file ] && $SED "s/^\.\(.*\)$/\1./g" $file |
done |
###################### End of modifications between versions ####################### |
# Retrieve the logo |
[ -e $DIR_UPDATE/organisme.png ] && cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/ |
182,26 → 155,26 |
cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/ |
cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/ |
cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/ |
cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/ |
cp -f $DIR_UPDATE/alcasar.pem /etc/pki/tls/private/ |
[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt* /etc/pki/tls/certs/ # autosigned and official if exist |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
# Import of the users database |
$DIR_BIN/alcasar-mysql.sh --import "$(ls $DIR_UPDATE/alcasar-users-database*)" |
$DIR_BIN/alcasar-mysql.sh --import `ls $DIR_UPDATE/alcasar-users-database*` |
# Retrieve local parameters |
cp -rf $DIR_UPDATE/etc/* $DIR_ETC/ |
mv -f $DIR_UPDATE/etc/hosts /etc/hosts |
chmod 755 /etc/hosts |
# Retrieve BL/WL custom files |
cp -f $DIR_UPDATE/custom_bl/exceptioniplist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/exceptionsitelist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/urlregexplist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/bannedsitelist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/exceptionurllist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/bannedurllist $DIR_E2G/ |
cp -f $DIR_UPDATE/custom_bl/exceptioniplist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/exceptionsitelist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/urlregexplist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/bannedsitelist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/exceptionurllist /etc/e2guardian/lists/ |
cp -f $DIR_UPDATE/custom_bl/bannedurllist /etc/e2guardian/lists/ |
cp -rf $DIR_UPDATE/custom_bl/ossi-* $DIR_BLACKLIST/ 2>/dev/null |
chown -R e2guardian:apache $DIR_E2G |
chmod -R g+rw $DIR_E2G |
chown -R e2guardian:apache /etc/e2guardian/lists |
chmod -R g+rw /etc/e2guardian/lists |
# Adapt DNS/URL filtering |
PARENT_SCRIPT=`basename $0` |
export PARENT_SCRIPT |
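Review bot: `$DIR_BIN/alcasar-mysql.sh --import \`ls $DIR_UPDATE/alcasar-users-database*\`` runs ls only to expand a glob the shell already expands, and if several dumps match, the ls output is word-split into several arguments, which a single `--import` presumably does not expect; `"$DIR_BIN"/alcasar-mysql.sh --import "$DIR_UPDATE"/alcasar-users-database*` passes exactly the matching files, and checking that there is exactly one before importing would make the failure explicit. The six `cp -f $DIR_UPDATE/custom_bl/... /etc/e2guardian/lists/` lines and the chown/chmod below them hard-code the path that `$DIR_E2G` holds, while the ossi-* line between them uses `$DIR_BLACKLIST`; using the variable keeps them in step. The --load arm continues outside the hunk.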
224,8 → 197,9 |
--apply|-apply) |
PTN="\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([012]?[0-9]|3[0-2])\b" |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2` |
if ! echo $PRIVATE_IP_MASK | egrep -q $PTN |
then |
check=$(echo $PRIVATE_IP_MASK | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
echo "Syntax error for PRIVATE_IP_MASK ($PRIVATE_IP_MASK)" |
exit 0 |
fi |
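Review bot: `check=$(echo $PRIVATE_IP_MASK | egrep $PTN)` followed by `if [[ "$?" -ne 0 ]]` assigns a variable that is never read and then tests the substitution's status indirectly; `if ! printf '%s\n' "$PRIVATE_IP_MASK" | grep -Eq "$PTN"; then` does the same in one line and also quotes $PTN, whose `?` and `[...]` are otherwise subject to pathname expansion (egrep is deprecated in favour of grep -E). The same three-line form is repeated on the new side of the next two hunks for PUBLIC_IP_MASK, the gateway, DNS1 and DNS2. Independently, the syntax-error branch ends with `exit 0`, so a caller cannot distinguish a rejected configuration from success; `exit 1` would be the expected status. The --apply arm continues past the hunk.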
236,8 → 210,9 |
PUBLIC_GATEWAY="dhcp" |
|
else |
if ! echo $PUBLIC_IP_MASK | egrep -q $PTN |
then |
check=$(echo $PUBLIC_IP_MASK | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
echo "Syntax error for PUBLIC_IP_MASK ($PUBLIC_IP_MASK)" |
exit 0 |
fi |
244,21 → 219,24 |
PUBLIC_IP=`echo $PUBLIC_IP_MASK | cut -d"/" -f1` |
PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK | cut -d"=" -f2` |
PUBLIC_GATEWAY=`grep ^GW= $CONF_FILE|cut -d"=" -f2` |
if ! echo $PUBLIC_GATEWAY | egrep -q $PTN |
then |
check=$(echo $PUBLIC_GATEWAY | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
echo "Syntax error for the Gateway IP ($PUBLIC_GATEWAY)" |
exit 0 |
fi |
fi |
DNS1=`grep ^DNS1= $CONF_FILE|cut -d"=" -f2` |
if ! echo $DNS1 | egrep -q $PTN |
then |
check=$(echo $DNS1 | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
echo "Syntax error for the IP address of the first DNS server ($DNS1)" |
exit 0 |
fi |
DNS2=`grep ^DNS2= $CONF_FILE|cut -d"=" -f2` |
if ! echo $DNS2 | egrep -q $PTN |
then |
check=$(echo $DNS2 | egrep $PTN) |
if [[ "$?" -ne 0 ]] |
then |
echo "Syntax error for the IP address of the second DNS server ($DNS2)" |
exit 0 |
fi |
267,13 → 245,10 |
private_network_calc |
INSTALL_DATE=`grep ^INSTALL_DATE= $CONF_FILE|cut -d"=" -f2` |
ORGANISME=`grep ^ORGANISM= $CONF_FILE|cut -d"=" -f2-` |
BL_SAFESEARCH=`grep ^BL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2` |
WL_SAFESEARCH=`grep ^WL_SAFESEARCH= $CONF_FILE|cut -d"=" -f2` |
BL_PUREIP=`grep ^BL_PUREIP= $CONF_FILE|cut -d"=" -f2` |
DHCP_mode=`grep ^DHCP= $CONF_FILE|cut -d"=" -f2` |
if [ "$PARENT_SCRIPT" != "alcasar.sh" ] # don't launch on install stage |
then |
if [ "$DHCP_mode" = "off" ] || [ "$DHCP_mode" = "Off" ] || [ "$DHCP_mode" = "OFF" ] |
if [ $DHCP_mode = "off" ] || [ $DHCP_mode = "Off" ] || [ $DHCP_mode = "OFF" ] |
then |
$DIR_BIN/alcasar-dhcp.sh --off |
else |
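Review bot: `if [ $DHCP_mode = "off" ] || [ $DHCP_mode = "Off" ] || [ $DHCP_mode = "OFF" ]` leaves $DHCP_mode unquoted, so an empty or missing DHCP= entry in $CONF_FILE turns each test into `[ = "off" ]`, which prints a test error and falls into the else branch instead of reporting the bad value. Quote it, `if [ "$DHCP_mode" = "off" ] || [ "$DHCP_mode" = "Off" ] || [ "$DHCP_mode" = "OFF" ]`, or collapse the three to `case "$DHCP_mode" in off|Off|OFF)`. The INT_DNS_mode test in the next hunk has the same unquoted form. The if/else continues outside the hunk.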
281,7 → 256,7 |
fi |
|
# Set the local DNS (or not) |
if [ "$INT_DNS_mode" = "on" ] || [ "$INT_DNS_mode" = "On" ] || [ "$INT_DNS_mode" = "ON" ] |
if [ $INT_DNS_mode = "on" ] || [ $INT_DNS_mode = "On" ] || [ $INT_DNS_mode = "ON" ] |
then |
$DIR_BIN/alcasar-dns-local.sh --on |
else |
288,40 → 263,11 |
$DIR_BIN/alcasar-dns-local.sh --off |
fi |
|
# Set the pure ip option (or not) |
if [ "$BL_PUREIP" = "off" ] || [ "$BL_PUREIP" = "Off" ] || [ "$BL_PUREIP" = "OFF" ] |
then |
bl_filter_param+="--pureip_off" |
else |
bl_filter_param+="--pureip_on" |
fi |
|
# Set the safesearch options (or not) |
bl_filter_param="" |
if [ "$BL_SAFESEARCH" = "on" ] || [ "$BL_SAFESEARCH" = "On" ] || [ "$BL_SAFESEARCH" = "ON" ] |
then |
bl_filter_param+="--safesearch_on " |
else |
bl_filter_param+="--safesearch_off " |
fi |
|
$DIR_BIN/alcasar-url_filter_bl.sh $bl_filter_param |
|
if [ "$WL_SAFESEARCH" = "on" ] || [ "$WL_SAFESEARCH" = "On" ] || [ "$WL_SAFESEARCH" = "ON" ] |
then |
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_on |
else |
$DIR_BIN/alcasar-url_filter_wl.sh --safesearch_off |
fi |
|
# Reload the local dns configuration |
$DIR_BIN/alcasar-dns-local.sh --reload |
|
# Logout everybody |
$DIR_BIN/alcasar-logout.sh all |
$DIR_BIN/alcasar-logout.sh all |
# Services stop |
echo -n "Stop services : " |
for i in ntpd tinyproxy e2guardian unbound unbound-whitelist dnsmasq-whitelist unbound-blacklist unbound-blackhole chilli network lighttpd |
for i in ntpd tinyproxy e2guardian dnsmasq dnsmasq-whitelist dnsmasq-blacklist dnsmasq-blackhole chilli network lighttpd |
do |
/usr/bin/systemctl stop $i && echo -n "$i, " |
done |
346,7 → 292,7 |
MTU=$MTU |
NOZEROCONF=yes |
EOF |
else |
else |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
DEVICE=$EXTIF |
BOOTPROTO=static |
371,7 → 317,7 |
$SED "s?^NETMASK=.*?NETMASK=$PRIVATE_NETMASK?" /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF |
# NTP server |
$SED "/127.0.0.1/!s?^restrict.*?restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap?g" /etc/ntp.conf |
# host.allow |
# host.allow |
cat <<EOF > /etc/hosts.allow |
ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP |
sshd: ALL |
389,9 → 335,9 |
# MOTD |
$SED "s@'https://\(.\+\)/acc'@'https://$HOSTNAME.$DOMAIN/acc'@" /etc/mageia-release |
# Lighttpd |
$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$PRIVATE_IP"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$PRIVATE_IP\"/g" /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s?^server\.bind.*?server\.bind = \"$HOSTNAME.$DOMAIN\"?g" /etc/lighttpd/lighttpd.conf |
$SED 's/^$SERVER\["socket"\] == ".*:443.*/$SERVER\["socket"\] == "'"$HOSTNAME.$DOMAIN"':443" {/g' /etc/lighttpd/vhosts.d/alcasar.conf |
$SED "s/^\([\t ]*\)var.server_name.*/\1var.server_name = \"$HOSTNAME.$DOMAIN\"/g" /etc/lighttpd/vhosts.d/alcasar.conf |
# FreeRADIUS Web |
$SED "s?^nas1_name:.*?nas1_name: alcasar-$ORGANISME?g" /etc/freeradius-web/naslist.conf |
$SED "s?^nas1_ip:.*?nas1_ip: $PRIVATE_IP?g" /etc/freeradius-web/naslist.conf |
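Review bot: `server.bind = "$HOSTNAME.$DOMAIN"` and the matching `$SERVER["socket"]`/`var.server_name` rewrites make lighttpd's listening address depend on how the host name resolves at service start, whereas the other daemons configured in this arm (chilli uamlisten, tinyproxy Listen, e2guardian filterip) are pinned to `$PRIVATE_IP`. If the name resolves to anything other than $PRIVATE_IP — for instance through a stale /etc/hosts entry — the management centre presumably binds to the wrong address. If name-based binding is intentional, a comment on the first sed line stating why (and which resolver entry it relies on) would help the next reader; otherwise binding by `$PRIVATE_IP` is the deterministic form. The --apply arm continues outside the hunk.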
398,7 → 344,7 |
# coova |
$SED "s/^uamallowed.*/uamallowed\t$HOSTNAME,$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
$SED "s/^locationname.*/locationname\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
[ "`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2`" == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http" |
[ `grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2` == "on" ] && chilli_login_protocol="https" || chilli_login_protocol="http" |
$SED "s/^uamserver.*/uamserver\t$chilli_login_protocol:\/\/$HOSTNAME.$DOMAIN\/intercept.php/" /etc/chilli.conf |
$SED "s/^radiusnasid.*/radiusnasid\t$HOSTNAME.$DOMAIN/g" /etc/chilli.conf |
$SED "s?^net.*?net\t\t$PRIVATE_NETWORK_MASK?g" /etc/chilli.conf |
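Review bot: `[ \`grep ^HTTPS_LOGIN= $CONF_FILE | cut -d'=' -f2\` == "on" ]` leaves the substitution unquoted, so a missing or empty HTTPS_LOGIN= entry yields `[ == "on" ]`, which errors out and, via the `||`, silently selects http for the portal login URL written two lines below. Quote it and use the portable operator: `[ "$(grep '^HTTPS_LOGIN=' "$CONF_FILE" | cut -d'=' -f2)" = "on" ]`. The --apply arm continues outside the hunk.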
407,115 → 353,31 |
$SED "s?^uamlisten.*?uamlisten\t$PRIVATE_IP?g" /etc/chilli.conf |
# modify the DHCP static ip file. Reserve the second IP address for INTIF (the first one is for tun0). Keep previous entries |
$SED "s?^$PRIVATE_MAC.*?$PRIVATE_MAC $PRIVATE_SECOND_IP?" $DIR_ETC/alcasar-ethers $DIR_ETC/alcasar-ethers-info |
# dnsmasq-whitelist |
$SED "/^server=/d" /etc/dnsmasq-whitelist.conf |
echo "server=$DNS1" >> /etc/dnsmasq-whitelist.conf |
echo "server=$DNS2" >> /etc/dnsmasq-whitelist.conf |
# unbound |
# removing unbound configuration files |
rm -f /etc/unbound/conf.d/{forward,blacklist,whitelist,blackhole}/iface.* |
rm -f /etc/unbound/conf.d/common/forward-zone.conf |
find /etc/unbound/conf.d/common/local-dns/ ! -name "global.conf" -type f -delete |
|
# Configuration file for the dns servers forward-zone |
cat << EOF > /etc/unbound/conf.d/common/forward-zone.conf |
forward-zone: |
name: "." |
forward-addr: $DNS1 |
forward-addr: $DNS2 |
EOF |
|
# Configuration file of ALCASAR main domains for $INTIF |
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
server: |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A $PRIVATE_IP" |
EOF |
|
# Configuration file for lo of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.lo.conf |
server: |
interface: 127.0.0.1@53 |
access-control-view: 127.0.0.1/8 lo |
|
view: |
name: "lo" |
view-first: yes |
local-zone: "$HOSTNAME.$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1" |
local-zone: "$HOSTNAME" static |
local-data: "$HOSTNAME A 127.0.0.1" |
local-zone: "$DOMAIN." static |
local-data: "$DOMAIN. A" |
EOF |
|
if [ "$HOSTNAME" != 'alcasar' ] |
then |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar A $PRIVATE_IP\"" >> /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
echo -e "\tlocal-zone: \"alcasar\" static" >> /etc/unbound/conf.d/forward/iface.lo.conf |
echo -e "\tlocal-zone: \"alcasar A 127.0.0.1\"" >> /etc/unbound/conf.d/forward/iface.lo.conf |
fi |
|
# Configuration file for $INTIF of forward unbound |
cat << EOF > /etc/unbound/conf.d/forward/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@53 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
|
view: |
name: "$INTIF" |
view-first: yes |
EOF |
|
# Configuration file for $INTIF of blacklist unbound |
cat << EOF > /etc/unbound/conf.d/blacklist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@54 |
access-control: $PRIVATE_IP_MASK allow |
access-control-tag: $PRIVATE_IP_MASK "blacklist" |
access-control-tag-action: $PRIVATE_IP_MASK "blacklist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "blacklist" "A $PRIVATE_IP" |
EOF |
|
# Configuration file for $INTIF of whitelist unbound |
cat << EOF > /etc/unbound/conf.d/whitelist/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@55 |
access-control: $PRIVATE_IP_MASK allow |
access-control-tag: $PRIVATE_IP_MASK "whitelist" |
access-control-tag-action: $PRIVATE_IP_MASK "whitelist" redirect |
access-control-tag-data: $PRIVATE_IP_MASK "whitelist" "A $PRIVATE_IP" |
EOF |
|
# Configuration file for $INTIF of blackhole unbound |
cat << EOF > /etc/unbound/conf.d/blackhole/iface.${INTIF}.conf |
server: |
interface: ${PRIVATE_IP}@56 |
access-control-view: $PRIVATE_NETWORK_MASK $INTIF |
|
view: |
name: "$INTIF" |
local-zone: "." redirect |
local-data: ". A $PRIVATE_IP" |
EOF |
|
# dhcpd |
cat <<EOF > /etc/dhcpd.conf |
ddns-update-style none; |
subnet $PRIVATE_NETWORK netmask $PRIVATE_NETMASK { |
option routers $PRIVATE_IP; |
option subnet-mask $PRIVATE_NETMASK; |
option domain-name-servers $PRIVATE_IP; |
|
range dynamic-bootp $PRIVATE_SECOND_IP $PRIVATE_LAST_IP; |
default-lease-time 21600; |
max-lease-time 43200; |
} |
EOF |
# tinyproxy |
# dnsmasq |
$SED "/127.0.0.1/!s?^listen-address=.*?listen-address=$PRIVATE_IP?g" /etc/dnsmasq.conf /etc/dnsmasq-blacklist.conf /etc/dnsmasq-whitelist.conf /etc/dnsmasq-blackhole.conf |
for i in /etc/dnsmasq.conf /etc/dnsmasq-blacklist.conf |
do |
$SED "/^server=/d" $i |
echo "server=$DNS1" >> $i |
echo "server=$DNS2" >> $i |
done |
$SED "s?^address=.*?address=/#/$PRIVATE_IP?g" /etc/dnsmasq-blackhole.conf |
for i in `ls $DIR_SHARE/dnsmasq-wl` |
do |
cat $DIR_SHARE/dnsmasq-wl/$i|cut -d"/" -f1,2 > /tmp/tmp_file |
$SED "s/$/\/$DNS1/" /tmp/tmp_file |
mv -f /tmp/tmp_file $DIR_SHARE/dnsmasq-wl/$i |
done |
chown root:apache $DIR_SHARE/dnsmasq-wl/* |
chmod 660 $DIR_SHARE/dnsmasq-wl/* |
$SED "s@^\([#]\?\)dhcp-range=.*@\1dhcp-range=$PRIVATE_SECOND_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h@" /etc/dnsmasq.conf |
$SED "s@^\([#]\?\)dhcp-option=option:router.*@\1dhcp-option=option:router,$PRIVATE_IP@" /etc/dnsmasq.conf |
$SED "s@^\([#]\?\)dhcp-option=option:ntp-server.*@\1dhcp-option=option:ntp-server,$PRIVATE_IP@" /etc/dnsmasq.conf |
networkDomain='localdomain' |
# networkDomain="$DOMAIN" (/!\ this domain (and its subdomains) will not be resolved by the external DNS servers) |
$SED "s?^local=.*?local=/$networkDomain/?g" $DIR_ETC/alcasar-dns-name |
$SED "s?^domain=.*?domain=$networkDomain?g" $DIR_ETC/alcasar-dns-name |
# tinyproxy |
$SED "s?^Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf |
# DG + BL |
$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" /etc/e2guardian/e2guardian.conf |
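Review bot: The dnsmasq-wl rewrite loop on the new side stages every list through the fixed path `/tmp/tmp_file`: root writes it with `cat ... > /tmp/tmp_file`, edits it in place and moves it over `$DIR_SHARE/dnsmasq-wl/$i`, so both the file root writes through and the content that lands in the whitelist depend on a predictable name in a world-writable directory; `mktemp` removes that dependency. The loop is also driven by `for i in \`ls $DIR_SHARE/dnsmasq-wl\``, which word-splits ls output where a quoted glob does the same job. Both are rewritten below; the other dnsmasq sed/echo lines of the hunk are unchanged. The --apply arm starts and ends outside the hunk.
```shell
# … unchanged: dnsmasq listen-address, server= and blackhole sed/echo lines …
for wl_file in "$DIR_SHARE"/dnsmasq-wl/*; do
  [ -f "$wl_file" ] || continue
  tmp_file=$(mktemp) || exit 1
  cut -d"/" -f1,2 -- "$wl_file" > "$tmp_file"
  $SED "s/$/\/$DNS1/" "$tmp_file"
  mv -f "$tmp_file" "$wl_file"
done
# … unchanged: chown/chmod of dnsmasq-wl, dhcp-range/dhcp-option and alcasar-dns-name sed calls …
```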
530,12 → 392,12 |
# Services start |
/usr/bin/systemctl start network && echo -n "Start service : network" && sleep 1 |
$DIR_BIN/alcasar-dhcp.sh -$DHCP_mode && echo -n ", chilli" # apply DHCP mode and start CoovaChilli |
for i in unbound unbound-blackhole tinyproxy ntpd |
for i in dnsmasq dnsmasq-blackhole tinyproxy ntpd |
do |
sleep 1 |
/usr/bin/systemctl start $i && echo -n ", $i" |
done |
$DIR_BIN/alcasar-bl.sh -reload && echo -n ", unbound-blacklist, unbound-whitelist, dnsmasq-whitelist, e2guardian, iptables" |
$DIR_BIN/alcasar-bl.sh -reload && echo -n ", dnsmasq-blacklist, dnsmasq-whitelist, e2guardian, iptables" |
/usr/bin/systemctl restart lighttpd && echo -n ", lighttpd" |
fi |
# Start / Stop SSH Daemon |
555,7 → 417,7 |
fi |
fi |
# Start / Stop LDAP authentification |
if [ $LDAP_mode = "on" ] || [ $LDAP_mode = "On" ] || [ $LDAP_mode = "ON" ] |
if [ LDAP_mode = "on" ] || [ $LDAP_mode = "On" ] || [ $LDAP_mode = "ON" ] |
then |
$DIR_BIN/alcasar-ldap.sh |
fi |
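Review bot: `if [ LDAP_mode = "on" ] || [ $LDAP_mode = "On" ] || [ $LDAP_mode = "ON" ]` on the new side compares the literal string `LDAP_mode` with `on` — the `$` is missing — so the first alternative is always false and a configuration whose value is the lower-case `on` never launches `$DIR_BIN/alcasar-ldap.sh`; only `On`/`ON` still work. The line should read `if [ "$LDAP_mode" = "on" ] || [ "$LDAP_mode" = "On" ] || [ "$LDAP_mode" = "ON" ]`, quoted so that an empty LDAP_mode does not error like the unquoted DHCP_mode test earlier in this arm. LDAP_mode itself is read outside the hunk.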
562,7 → 424,7 |
echo |
;; |
*) |
echo "Argument inconnu : $1"; |
echo "Argument inconnu :$1"; |
echo "$usage" |
exit 1 |
;; |
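Review bot: `echo "Argument inconnu :$1";` and the `echo "$usage"` after it print the diagnostic on stdout although the arm exits 1, so a caller capturing output gets the usage text mixed into its data; send both to stderr, `echo "Argument inconnu :$1" >&2` and `echo "$usage" >&2`. The trailing `;` after the first echo is redundant.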