/readme.txt |
5,17 → 5,19 |
*********** English ********** |
- New installation : Need the CD dual architecture (32b and 64b) of Linux Mageia2 (Mageia-2-dual-CD.iso). |
--> Follow the installation documentation. |
- Update an earlier version (see the §9.4 of the exploitation documentation) : |
--> via the control center of the running version, create and retrieve the system-backup (ie : "alcasar-conf-20130106-17h00.tar.gz") |
--> after the installation of the new Linux system (mageia2), copy this file in the folder "/tmp" |
--> download, extract and launch alcasar installation (like for a new installation) |
- Update an earlier version |
--> 1 - Run the installation of the new version (it will stop after the creation of a configuration file |
--> 2 - Retreve this configuration file (/tmp/alcasar-conf.tar.gz) |
--> 3 - Install Linux-Mageia2 (cf. installation doc) |
--> 4 - Copy the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR |
*********** Français ******** |
- Nouvelle installation : elle s'effectue sur la base CD double architectures (32b et 64b) de Linux Mageia2 (Mageia-2-dual-CD.iso). |
--> Suivez la procédure d'installation. |
- mise à jour d'une ancienne version (voir le §9.4 de la doc d'exploitation) : |
--> à partir du centre de contrôle de la version actuelle, créez et récupérez l'archive système (ex : "alcasar-conf-20130106-17h00.tar.gz") |
--> après avoir installé le nouveau système Linux (mageia2), copiez ce fichier dans le répertoire "/tmp" |
--> récupérez, désarchivez et lancez l'installation d'ALCASAR (comme pour une nouvelle installation) |
- Mise à jour d'une ancienne version : |
--> 1 - Lancez l'installation de la nouvelle version (celle-ci s'arrétera après avoir créé un fichier de configuration) |
--> 2 - Récupérez ce fichier de configuration (/tmp/alcasar-conf.tar.gz) |
--> 3 - Installez Linux-Mageia2 (cf. doc d'installation) |
--> 4 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancez l'installation d'ALCASAR |
/alcasar.sh |
1476,7 → 1476,7 |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config |
# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on) |
echo "SSH=off" >> $CONF_FILE |
echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE |
echo 'SSH_ADMIN_from=0.0.0.0/0.0.0.0' >> $CONF_FILE |
echo "QOS=off" >> $CONF_FILE |
echo "LDAP=off" >> $CONF_FILE |
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE |
1705,6 → 1705,7 |
nb_args=1 |
args="-h" |
fi |
chmod -R u+x $DIR_SCRIPTS/* |
case $args in |
-\? | -h* | --h*) |
echo "$usage" |
1737,7 → 1738,6 |
rm -f /tmp/alcasar-conf* |
else |
# Create a backup of running version importants files |
chmod u+x $DIR_SCRIPTS/alcasar-conf.sh |
$DIR_SCRIPTS/alcasar-conf.sh --create |
mode="update" |
fi |
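Review bot: The key written in the 1476,7 hunk, `echo 'SSH_ADMIN_from=0.0.0.0/0.0.0.0' >> $CONF_FILE`, does not match the key the firewall scripts read: alcasar-iptables.sh (33,7 hunk) and alcasar-iptables-bypass.sh (18,7 hunk) do `grep SSH_ADMIN_IP= $conf_file`, while alcasar-conf.sh writes `SSH_ADMIN_FROM=` (160,6 hunk) and its sed migration (183,6 hunk) renames to `SSH_ADMIN_FROM` as well. grep is case-sensitive, so none of these spellings finds the installer's line, the `${SSH_ADMIN_IP:="0.0.0.0/0.0.0.0"}` default always applies, and the WAN-side rules `-i $EXTIF -s $SSH_ADMIN_IP -d $PUBLIC_IP -p tcp --dport ssh ... -j ACCEPT` accept ssh from any source even after an administrator narrows the range. Pick one name — `SSH_ADMIN_IP` is what the two firewall scripts already use — and write it here, in both alcasar-conf.sh `echo` lines and in the sed replacement. The code around this hunk starts and ends outside it, so I cannot tell whether a later line rewrites the key.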
/scripts/sbin/alcasar-bypass.sh |
24,7 → 24,7 |
;; |
--on | -on) |
# activation du contournement |
for i in chilli squid dansguardian havp mysqld radiusd httpd freshclam dnsmasq |
for i in chilli dansguardian havp mysqld radiusd httpd freshclam dnsmasq squid |
do |
if (pgrep $i) > /dev/null ; then /etc/init.d/$i stop ; fi |
done |
46,7 → 46,7 |
$SED "s?^#conf-dir=.*?conf-dir=/usr/local/share/dnsmasq-bl-enabled?g" /etc/dnsmasq-blackhole.conf |
$SED "s?^#no-dhcp-interface=.*?no-dhcp-interface=eth1?g" /etc/dnsmasq.conf /etc/dnsmasq-blackhole.conf |
rm -f /etc/sysconfig/network-scripts/ifcfg-eth1 |
for i in chilli squid dansguardian havp mysqld radiusd httpd freshclam dnsmasq |
for i in chilli dansguardian havp mysqld radiusd httpd freshclam dnsmasq squid |
do |
if ! (pgrep $i) > /dev/null ; then /etc/init.d/$i start ; fi |
done |
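Review bot: The service list `chilli dansguardian havp mysqld radiusd httpd freshclam dnsmasq squid` is now spelled out twice, once in the stop loop (24,7 hunk) and once in the start loop (46,7 hunk), so the next reorder applied to only one arm would leave stop and start orders diverging. One variable near the top of the script, `services="chilli dansguardian havp mysqld radiusd httpd freshclam dnsmasq squid"`, and `for i in $services` in both loops keeps them in step. Since the change moves squid to the end on purpose, a one-line comment on that definition stating why it must be last would save the reader from guessing.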
/scripts/alcasar-iptables-bypass.sh |
18,7 → 18,14 |
INTIF="eth1" |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
public_ip_mask=`grep PUBLIC_IP= $conf_file|cut -d"=" -f2` # ALCASAR WAN IP address |
PUBLIC_IP=`echo $public_ip_mask | cut -d"/" -f1` |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
SSH_ADMIN_IP=`grep SSH_ADMIN_IP= $conf_file|cut -d"=" -f2` |
SSH_ADMIN_IP=${SSH_ADMIN_IP:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side) |
# On vide (flush) toutes les règles existantes |
# Flush all existing rules |
$IPTABLES -F |
49,14 → 56,16 |
# Insertion de règles de blocage (Devel) |
# Here, we add block rules (Devel) |
if [ -s /usr/local/etc/alcasar-iptables-block ]; then |
while read ip_blocked |
do |
echo "Network Address blocked : $ip_blocked" |
$IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT |
$IPTABLES -A FORWARD -s $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A FORWARD -s $ip_blocked -j REJECT |
done < /usr/local/etc/alcasar-iptables-block |
while read ip_line |
do |
ip_on=`echo $ip_line|cut -b1` |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
$IPTABLES -A FORWARD -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A FORWARD -d $ip_blocked -j REJECT |
fi |
done < /usr/local/etc/alcasar-iptables-block |
fi |
# SSHD rules if activate |
64,11 → 73,17 |
then |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT |
fi |
# Insertion de règles locales |
# Here, we add local rules (i.e. VPN from Internet) |
if [ -f /usr/local/etc/alcasar-iptables-local.sh ]; then |
. /usr/local/etc/alcasar-iptables-local.sh |
fi |
# on autorise les requêtes dhcp |
# accept dhcp |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT |
95,10 → 110,9 |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ULOG --ulog-prefix "RULE Transfert -- ACCEPT " |
$IPTABLES -A FORWARD -i $INTIF -m state --state NEW -j ACCEPT |
# On autorise les flux entrant ntp, dns et ssh via INTIF |
# On autorise les flux entrant ntp et dns via INTIF |
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport domain -j ACCEPT |
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p udp --dport ntp -j ACCEPT |
$IPTABLES -A INPUT -i $INTIF -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
# On autorise le retour des connexions entrante déjà acceptées |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
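Review bot: In the rewritten block-list loop (49,14 hunk), `if [ $ip_on != "#" ]` fails on a blank line: `$ip_on` expands to nothing, `[` is left with `!= #` and reports an error, and the loop goes on to run `$IPTABLES -A FORWARD -d  -j ...` with an empty address taken from `ip_blocked=\`echo $ip_line|cut -d" " -f1\``. A shorter test that also handles this is `while read -r ip_line`, `do case "$ip_line" in ''|\#*) continue ;; esac`, `ip_blocked=${ip_line%% *}`, which drops the two `echo | cut` subshells as well. The old loop also rejected the source direction (`-s $ip_blocked`) and the new one keeps only the `-d` rules; whether that is still covered depends on the FORWARD policy outside this hunk, so if it is deliberate a comment saying so would help.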
/scripts/alcasar-iptables.sh |
33,7 → 33,8 |
QOS=${QOS:=off} |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
Admin_from_IP=${Admin_from_IP:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side) |
SSH_ADMIN_IP=`grep SSH_ADMIN_IP= $conf_file|cut -d"=" -f2` |
SSH_ADMIN_IP=${SSH_ADMIN_IP:="0.0.0.0/0.0.0.0"} # WAN IP address to reduce ssh access (all ip allowed on LAN side) |
LDAP=`grep LDAP= $conf_file|cut -d"=" -f2` # LDAP external server active (on/off) |
LDAP=${LDAP:=off} |
LDAP_IP=`grep LDAP_IP= $conf_file|cut -d"=" -f2` # WAN IP address to reduce LDAP WAN access (all ip allowed on LAN side) |
/scripts/alcasar-conf.sh |
34,7 → 34,7 |
MAJ_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f1` |
MIN_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f2|cut -c1` |
UPD_RUNNING_VERSION=`echo $RUNNING_VERSION|cut -d"." -f3` |
DOMAIN=`grep DOMAIN $CONF_FILE|cut -d"=" -f2` |
DOMAIN=`grep DOMAIN $CONF_FILE|cut -d"=" -f2` 2>/dev/null # Error if (Version < 2.2) (no conf file) |
DOMAIN=${DOMAIN:=localdomain} |
DATE=`date '+%d %B %Y - %Hh%M'` |
private_network_calc () |
69,7 → 69,7 |
[ -d $DIR_UPDATE ] && rm -rf $DIR_UPDATE |
mkdir $DIR_UPDATE |
# Sauvegarde de la base des usagers |
/usr/local/sbin/alcasar-mysql.sh -dump |
$DIR_SBIN/alcasar-mysql.sh -dump |
cp /var/Save/base/`ls /var/Save/base|tail -1` $DIR_UPDATE |
# Sauvegarde du logo |
cp -f $DIR_WEB/images/organisme.png $DIR_UPDATE |
160,6 → 160,7 |
else |
echo "SSH=off" >> $CONF_FILE |
fi |
echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE |
echo "QOS=off" >> $CONF_FILE |
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE |
if [ `grep ^ldap /etc/raddb/sites-available/alcasar | wc -l` -eq "0" ]; then |
167,6 → 168,7 |
else |
echo "LDAP=on" >> $CONF_FILE |
fi |
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE |
PROTOCOLS_FILTERING=`grep ^PROTO_FILTERING /usr/local/bin/alcasar-iptables.sh | cut -d"=" -f2` |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:="no"} |
if [ $PROTOCOLS_FILTERING = "no" ]; then |
183,6 → 185,8 |
fi |
fi |
# since V2.6 |
# SSH_ADMIN_FROM is redefined |
$SED "s?^Admin_from_IP=.*?SSH_ADMIN_FROM=0.0.0.0/0.0.0.0?" $CONF_FILE |
# macallowed is replaced with macauth |
rm -f $DIR_UPDATE/etc/alcasar-macallowed |
# DHCP mode can be "off/half/full" |
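Review bot: The migration line `$SED "s?^Admin_from_IP=.*?SSH_ADMIN_FROM=0.0.0.0/0.0.0.0?" $CONF_FILE` (183,6 hunk) renames the key but also replaces its value with the any-address wildcard, so an administrator who had restricted WAN ssh to one address has that restriction silently removed by the upgrade. The old installer wrote the value quoted (`Admin_from_IP="0.0.0.0/0.0.0.0"` in the alcasar.sh hunk), so `$SED 's?^Admin_from_IP="\?\([^"]*\)"\?.*?SSH_ADMIN_FROM=\1?' $CONF_FILE` (GNU sed `\?`) carries the configured value over in the new unquoted form whether or not the quotes are present. The unconditional `echo "SSH_ADMIN_FROM=0.0.0.0/0.0.0.0" >> $CONF_FILE` in the 160,6 hunk raises the same question if it runs on a file that already holds a narrower value; the surrounding branch starts outside the hunk so I cannot tell. On the 34,7 hunk, placing `2>/dev/null` after the assignment rather than on grep itself is an unusual spot for it; `grep DOMAIN $CONF_FILE 2>/dev/null|cut -d"=" -f2` states the intent without relying on how the shell orders redirections around an assignment-only command.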
/scripts/alcasar-urpmi.sh |
68,7 → 68,7 |
if [ $Lang == "fr" ] |
then |
echo "La migration automatique d'ALCASAR ne peut pas être réalisée." |
echo "Le système d'exploitation doit être remplacer" |
echo "Le système d'exploitation doit être remplacé" |
else |
echo "The automatic update of ALCASAR can't be performed." |
echo "The OS must be replaced" |
80,7 → 80,7 |
then |
echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)." |
echo "2 - Installez Linux-Mageia2 (cf. doc d'installation)" |
echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancez l'installation d'ALCASAR" |
echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR" |
else |
echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)" |
echo "2 - Install Linux-Mageia2 (cf. installation doc)" |