

Ignore whitespace Rev 1061 → Rev 1062

/readme.txt
5,17 → 5,19
*********** English **********
- New installation : Need the CD dual architecture (32b and 64b) of Linux Mageia2 (Mageia-2-dual-CD.iso).
--> Follow the installation documentation.
- Update an earlier version (see the §9.4 of the exploitation documentation) :
--> via the control center of the running version, create and retrieve the system-backup (ie : "alcasar-conf-20130106-17h00.tar.gz")
--> after the installation of the new Linux system (mageia2), copy this file in the folder "/tmp"
--> download, extract and launch alcasar installation (like for a new installation)
- Update an earlier version
--> 1 - Run the installation of the new version (it will stop after the creation of a configuration file
--> 2 - Retreve this configuration file (/tmp/alcasar-conf.tar.gz)
--> 3 - Install Linux-Mageia2 (cf. installation doc)
--> 4 - Copy the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR
 
*********** Français ********
 
- Nouvelle installation : elle s'effectue sur la base CD double architectures (32b et 64b) de Linux Mageia2 (Mageia-2-dual-CD.iso).
--> Suivez la procédure d'installation.
- mise à jour d'une ancienne version (voir le §9.4 de la doc d'exploitation) :
--> à partir du centre de contrôle de la version actuelle, créez et récupérez l'archive système (ex : "alcasar-conf-20130106-17h00.tar.gz")
--> après avoir installé le nouveau système Linux (mageia2), copiez ce fichier dans le répertoire "/tmp"
--> récupérez, désarchivez et lancez l'installation d'ALCASAR (comme pour une nouvelle installation)
- Mise à jour d'une ancienne version :
--> 1 - Lancez l'installation de la nouvelle version (celle-ci s'arrétera après avoir créé un fichier de configuration)
--> 2 - Récupérez ce fichier de configuration (/tmp/alcasar-conf.tar.gz)
--> 3 - Installez Linux-Mageia2 (cf. doc d'installation)
--> 4 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancez l'installation d'ALCASAR
 
/alcasar.sh
1476,7 → 1476,7
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
echo "SSH=off" >> $CONF_FILE
echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
echo 'SSH_ADMIN_from=0.0.0.0/0.0.0.0' >> $CONF_FILE
echo "QOS=off" >> $CONF_FILE
echo "LDAP=off" >> $CONF_FILE
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1705,6 → 1705,7
nb_args=1
args="-h"
fi
chmod -R u+x $DIR_SCRIPTS/*
case $args in
-\? | -h* | --h*)
echo "$usage"
1737,7 → 1738,6
rm -f /tmp/alcasar-conf*
else
# Create a backup of running version importants files
chmod u+x $DIR_SCRIPTS/alcasar-conf.sh
$DIR_SCRIPTS/alcasar-conf.sh --create
mode="update"
fi
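Review bot: The conf key written in the 1476,7 hunk, `SSH_ADMIN_from=0.0.0.0/0.0.0.0`, is spelled differently from the key the firewall scripts in this same revision read (`grep SSH_ADMIN_IP=` in alcasar-iptables.sh and alcasar-iptables-bypass.sh) and from the one alcasar-conf.sh writes (`SSH_ADMIN_FROM`), so a restriction stored under any of these names is never read and the readers fall back to the all-zero default, which accepts ssh from any WAN source once SSH=on. One spelling has to be used on both sides; matching the readers gives `echo 'SSH_ADMIN_IP=0.0.0.0/0.0.0.0' >> $CONF_FILE`. The `chmod -R u+x $DIR_SCRIPTS/*` added in the 1705,6 hunk expands to `chmod -R u+x /*` if `$DIR_SCRIPTS` (defined outside this hunk) is ever empty, so it is worth writing it as `chmod -R u+x "${DIR_SCRIPTS:?}"/*` to abort instead.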
/scripts/sbin/alcasar-bypass.sh
24,7 → 24,7
;;
--on | -on)
# activation du contournement
for i in chilli squid dansguardian havp mysqld radiusd httpd freshclam dnsmasq
for i in chilli dansguardian havp mysqld radiusd httpd freshclam dnsmasq squid
do
if (pgrep $i) > /dev/null ; then /etc/init.d/$i stop ; fi
done
46,7 → 46,7
$SED "s?^#conf-dir=.*?conf-dir=/usr/local/share/dnsmasq-bl-enabled?g" /etc/dnsmasq-blackhole.conf
$SED "s?^#no-dhcp-interface=.*?no-dhcp-interface=eth1?g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf
rm -f /etc/sysconfig/network-scripts/ifcfg-eth1
for i in chilli squid dansguardian havp mysqld radiusd httpd freshclam dnsmasq
for i in chilli dansguardian havp mysqld radiusd httpd freshclam dnsmasq squid
do
if ! (pgrep $i) > /dev/null ; then /etc/init.d/$i start ; fi
done
/scripts/alcasar-iptables-bypass.sh
18,7 → 18,14
INTIF="eth1"
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24)
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address
public_ip_mask=`grep PUBLIC_IP= $conf_file|cut -d"=" -f2` # ALCASAR WAN IP address
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1`
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
SSH_ADMIN_IP=`grep SSH_ADMIN_IP= $conf_file|cut -d"=" -f2`
SSH_ADMIN_IP=${SSH_ADMIN_IP:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
 
 
# On vide (flush) toutes les règles existantes
# Flush all existing rules
$IPTABLES -F
49,14 → 56,16
# Insertion de règles de blocage (Devel)
# Here, we add block rules (Devel)
if [ -s /usr/local/etc/alcasar-iptables-block ]; then
while read ip_blocked
do
echo "Network Address blocked : $ip_blocked"
$IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
$IPTABLES -A FORWARD -s $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -s $ip_blocked -j REJECT
done < /usr/local/etc/alcasar-iptables-block
while read ip_line
do
ip_on=`echo $ip_line|cut -b1`
if [ $ip_on != "#" ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
$IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT
fi
done < /usr/local/etc/alcasar-iptables-block
fi
 
# SSHD rules if activate
64,11 → 73,17
then
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
fi
 
# Insertion de règles locales
# Here, we add local rules (i.e. VPN from Internet)
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then
. /usr/local/etc/alcasar-iptables-local.sh
fi
 
# on autorise les requêtes dhcp
# accept dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
95,10 → 110,9
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT "
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT
 
# On autorise les flux entrant ntp, dns et ssh via INTIF
# On autorise les flux entrant ntp et dns via INTIF
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
 
# On autorise le retour des connexions entrante déjà acceptées
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
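Review bot: The rewritten block-list loop in the 49,14→56,16 hunk installs only a destination rule per entry, while the loop it replaces also logged and rejected forwarded traffic sourced from each blocked address; if dropping the `-s` direction was not intended, `$IPTABLES -A FORWARD -s $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "` and `$IPTABLES -A FORWARD -s $ip_blocked -j REJECT` belong back inside the `if`. The comment test `[ $ip_on != "#" ]` is unquoted, so a blank line in the file turns it into `[ != "#" ]` and `test` reports a unary-operator error instead of skipping the line cleanly. Replacing the `ip_on` test with `case "$ip_line" in ""|\#*) continue ;; esac` before `ip_blocked=` skips both blank and commented lines without that error. The header hunk's `grep SSH_ADMIN_IP= $conf_file` reads a key that none of the writers in this revision emit (they write `SSH_ADMIN_from` and `SSH_ADMIN_FROM`), so the `--state NEW,ESTABLISHED -j ACCEPT` rule on `$EXTIF` ends up using the all-zero fallback whenever SSH=on.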
/scripts/alcasar-iptables.sh
33,7 → 33,8
QOS=${QOS:=off}
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
SSH=${SSH:=off}
Admin_from_IP=${Admin_from_IP:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
SSH_ADMIN_IP=`grep SSH_ADMIN_IP= $conf_file|cut -d"=" -f2`
SSH_ADMIN_IP=${SSH_ADMIN_IP:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side)
LDAP=`grep LDAP= $conf_file|cut -d"=" -f2` # LDAP external server active (on/off)
LDAP=${LDAP:=off}
LDAP_IP=`grep LDAP_IP= $conf_file|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side)
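Review bot: `grep SSH_ADMIN_IP= $conf_file` on the added line reads a key that nothing in this revision writes — alcasar.sh emits `SSH_ADMIN_from=` and alcasar-conf.sh emits `SSH_ADMIN_FROM=` — so the `${SSH_ADMIN_IP:="0.0.0.0/0.0.0.0"}` fallback always wins and the WAN ssh ACCEPT rule that consumes it (visible in the bypass script's 64,11 hunk, and presumably its counterpart further down this file) admits any source whenever SSH=on. The writers and this reader need a single key name. The pattern should also be anchored so a commented-out or similarly named key cannot match, e.g. `SSH_ADMIN_IP=$(grep ^SSH_ADMIN_IP= $conf_file|cut -d"=" -f2)` (or the file's backtick form).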
/scripts/alcasar-conf.sh
34,7 → 34,7
MAJ_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f1`
MIN_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f2|cut -c1`
UPD_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f3`
DOMAIN=`grep DOMAIN $CONF_FILE|cut -d"=" -f2`
DOMAIN=`grep DOMAIN $CONF_FILE|cut -d"=" -f2` 2>/dev/null # Error if (Version < 2.2) (no conf file)
DOMAIN=${DOMAIN:=localdomain}
DATE=`date '+%d %B %Y - %Hh%M'`
private_network_calc ()
69,7 → 69,7
[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE
mkdir $DIR_UPDATE
# Sauvegarde de la base des usagers
/usr/local/sbin/alcasar-mysql.sh -dump
$DIR_SBIN/alcasar-mysql.sh -dump
cp /var/Save/base/`ls /var/Save/base|tail -1` $DIR_UPDATE
# Sauvegarde du logo
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE
160,6 → 160,7
else
echo "SSH=off" >> $CONF_FILE
fi
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE
echo "QOS=off" >> $CONF_FILE
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
if [ `grep ^ldap /etc/raddb/sites-available/alcasar | wc -l` -eq "0" ]; then
167,6 → 168,7
else
echo "LDAP=on" >> $CONF_FILE
fi
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
PROTOCOLS_FILTERING=`grep ^PROTO_FILTERING /usr/local/bin/alcasar-iptables.sh | cut -d"=" -f2`
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:="no"}
if [ $PROTOCOLS_FILTERING = "no" ]; then
183,6 → 185,8
fi
fi
# since V2.6
# SSH_ADMIN_FROM is redefined
$SED "s?^Admin_from_IP=.*?SSH_ADMIN_FROM=0.0.0.0/0.0.0.0?" $CONF_FILE
# macallowed is replaced with macauth
rm -f $DIR_UPDATE/etc/alcasar-macallowed
# DHCP mode can be "off/half/full"
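Review bot: The migration line `$SED "s?^Admin_from_IP=.*?SSH_ADMIN_FROM=0.0.0.0/0.0.0.0?" $CONF_FILE` in the 183,6 hunk replaces the whole line, so whatever WAN source restriction the administrator had set for ssh under the old key is discarded and the upgraded system comes up allowing ssh from any address — an upgrade should not silently widen exposure. Renaming the key while keeping the value, `$SED 's|^Admin_from_IP="\?\([^"]*\)"\?$|SSH_ADMIN_IP=\1|' $CONF_FILE`, preserves it; the optional quotes are stripped because the old writer in alcasar.sh emitted the value double-quoted and the new grep|cut readers would otherwise keep them. The fresh-install default added at line 160 (`SSH_ADMIN_FROM=`) and the firewall scripts' `grep SSH_ADMIN_IP=` also disagree on the key name, so one spelling has to be chosen for all of them, and `SSH_ADMIN_IP` is what the readers already expect. On `DOMAIN=\`grep DOMAIN $CONF_FILE|cut -d"=" -f2\` 2>/dev/null`, an explicit guard such as `[ -f "$CONF_FILE" ] && DOMAIN=$(grep ^DOMAIN= "$CONF_FILE" | cut -d"=" -f2)` makes the missing-file case obvious and stops `grep DOMAIN` from matching other keys that merely contain the word.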
/scripts/alcasar-urpmi.sh
68,7 → 68,7
if [ $Lang == "fr" ]
then
echo "La migration automatique d'ALCASAR ne peut pas être réalisée."
echo "Le système d'exploitation doit être remplacer"
echo "Le système d'exploitation doit être remplacé"
else
echo "The automatic update of ALCASAR can't be performed."
echo "The OS must be replaced"
80,7 → 80,7
then
echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
echo "2 - Installez Linux-Mageia2 (cf. doc d'installation)"
echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancez l'installation d'ALCASAR"
echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
else
echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
echo "2 - Install Linux-Mageia2 (cf. installation doc)"