Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1331 → Rev 1332

/scripts/alcasar-iptables.sh
29,7 → 29,7
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
DNS_FILTERING=${DNS_FILTERING:=off}
BL_IP_CAT="/usr/local/share/iptables-bl" # categories files of the BlackListed IP
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
QOS=${QOS:=off}
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
73,7 → 73,7
$IPTABLES -t nat -P OUTPUT ACCEPT
 
# destruction de tous les SET
# destroy all the SET
# destroy all SET
ipset destroy
 
# Création et peuplement du SET alcasar_ip_blocked
107,19 → 107,27
done
IFS=$OLDIFS
 
# Création et peuplement du SET blacklist_ip_blocked
# creation and first populating of blacklist_ip_blocked SET
# It take a lot of time (try to do this during the blacklist import process)
#ipset create blacklist_ip_blocked hash:net hashsize 1024
#cd $BL_IP_CAT
#for category in `ls -1 | cut -d"@" -f1`
#do
# while read ip_blocked
# do
# ipset add blacklist_ip_blocked $ip_blocked
# done < $BL_IP_CAT/$category
#done
# Calcul de la taille du SET blacklist_ip_blocked
# Computing the length of the blacklist_ip_blocked set
cd $BL_IP_CAT
ipset_length=$(wc -l * | awk '{print $1}' | tail -n 1)
 
# Ajout du delta (ip entrées manuellement)
# Addition of the delta (ip entered manually)
((ipset_length=$ipset_length+10))
 
# Création du fichier ipset temporaire, remplissage, chargement et suppression
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > ipset_save
for category in `ls -1 | cut -d '@' -f1`
do
cat $BL_IP_CAT/$category >> ipset_save
done
ipset -! restore < ipset_save
rm -f ipset_save
 
# Sauvegarde de tous les ipset (pour restaurer après redémarrage)
ipset save > /etc/sysconfig/ipset_save
 
#############################
# PREROUTING #
#############################
155,9 → 163,9
 
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
#if [ $DNS_FILTERING = on ]; then
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
#fi
if [ $DNS_FILTERING = on ]; then
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
fi
 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
270,11 → 278,11
 
# Blocage des IPs du SET blacklist_ip_blocked
# Deny IPs of the SET blacklist_ip_blocked
#if [ $DNS_FILTERING = on ]; then
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
#fi
if [ $DNS_FILTERING = on ]; then
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
fi
 
# Autorisation des retours de connexions légitimes
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
/scripts/sbin/alcasar-bl.sh
186,8 → 186,11
chown dansguardian:apache $PATH_FILE/urls
fi
$SED "s/\.\{2,10\}/\./g" $PATH_FILE/domains $PATH_FILE/urls # correct some syntax errors
# retrieve the ip addresses for iptables
egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" $PATH_FILE/domains > $FILE_ip_tmp
# create an ipset save for the selected category
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add blacklist_ip_blocked " $0}' $PATH_FILE/domains > $FILE_ip_tmp
 
# for dnsmask, remove IP addesses, accented characters and commented lines.
egrep -v "^([0-9]{1,3}\.){3}[0-9]{1,3}$" $PATH_FILE/domains > $FILE_tmp
$SED "/[äâëêïîöôüû]/d" $FILE_tmp
/web/acc/admin/bl_categories_help2.php
File deleted
/web/acc/admin/bl_categories_help.php
4,56 → 4,105
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<?
$bl_dir="/etc/dansguardian/lists/blacklists/";
$bl_iptables_dir="/usr/local/share/iptables-bl/";
$bl_dnsmasq_dir="/usr/local/share/dnsmasq-bl/";
$wl_dnsmasq_dir="/usr/local/share/dnsmasq-wl/";
# Choice of language
$Language = 'en';
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$Language = strtolower(substr(chop($Langue[0]),0,2)); }
if($Language == 'fr'){
$l_title = "Catégories de la liste noire";
$l_error_open_file="Erreur d'ouverture du fichier";
$l_close="Fermer";
$l_description_cat="Cette catégorie n'est pas décrite";
$l_nb_domains="Nombre de noms de domaine filtrés :";
$l_nb_urls="Nombre d'URL filtrés :";
$l_nb_ip="Nombre d'IP filtrées :";
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE']))
{
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$Language = strtolower(substr(chop($Langue[0]),0,2));
}
else {
$l_title = "Blacklist categories";
$l_error_open_file="Error opening the file";
$l_close="Close";
$l_description_cat="This category isn't describe";
$l_nb_domains="Number of filtered domain names :";
$l_nb_urls="Number of filtered URL :";
$l_nb_ip="Number of filtered IP :";
if($Language == 'fr')
{
$l_title = "Catégories de la liste noire";
$l_error_open_file="Erreur d'ouverture du fichier";
$l_close="Fermer";
$l_description_cat="Cette catégorie n'est pas décrite";
$l_description_ossi="Catégorie personnelle";
$l_nb_domains="Nombre de noms de domaine filtrés :";
$l_nb_urls="Nombre d'URL filtrés :";
$l_nb_ip="Nombre d'IP filtrées :";
$l_example="Exemple(s) : ";
}
if (isset($_GET['cat'])){$categorie=$_GET['cat'];}
$bl_categorie_domain_file=$bl_dir.$categorie."/domains";
$bl_categorie_url_file=$bl_dir.$categorie."/urls";
$bl_categorie_ip_file = "/usr/local/share/iptables-bl/".$categorie;
if (file_exists($bl_categorie_domain_file))
$nb_domains = exec("grep -vE '^([0-9]{1,3}\.){3}[0-9]{1,3}$' $bl_categorie_domain_file | wc -l | cut -d' ' -f1");
else
$nb_domains=$l_error_openfile." ".$bl_categorie_domain_file;
if (file_exists($bl_categorie_url_file))
$nb_urls=exec ("wc -w $bl_categorie_url_file|cut -d' ' -f1");
{
$l_title = "Blacklist categories";
$l_error_open_file="Error opening the file";
$l_close="Close";
$l_description_cat="This category isn't describe";
$l_description_ossi="Personal category";
$l_nb_domains="Number of filtered domain names :";
$l_nb_urls="Number of filtered URL :";
$l_nb_ip="Number of filtered IP :";
$l_example="Example(s) : ";
}
if(isset($_GET['cat']))
{
$categorie = $_GET['cat'];
}
if(isset($_GET['liste']))
{
$liste = $_GET['liste'];
}
if($liste == "bl")
{
$bl_categorie_domain_file = $bl_dnsmasq_dir.$categorie.".conf";
$bl_categorie_url_file = $bl_dir.$categorie."/urls";
$bl_categorie_ip_file = $bl_iptables_dir.$categorie;
if(isset($_GET['nb_domains']) && isset($_GET['nb_urls']) && isset($_GET['nb_ip']))
{
$nb_domains = $_GET['nb_domains'];
$nb_urls = $_GET['nb_urls'];
$nb_ip = $_GET['nb_ip'];
}
else
{
if (file_exists($bl_categorie_domain_file))
$nb_domains = exec("wc -l $bl_categorie_domain_file | cut -d ' ' -f1");
else
$nb_domains = $l_error_open_file." ".$bl_categorie_domain_file;
if (file_exists($bl_categorie_url_file))
$nb_urls = exec ("wc -l $bl_categorie_url_file | cut -d ' ' -f1");
else
$nb_urls = $l_error_open_file." ".$bl_categorie_url_file;
if(file_exists($bl_categorie_ip_file))
$nb_ip = exec("wc -l $bl_categorie_ip_file | cut -d ' ' -f1");
else
$nb_ip = $l_error_open_file." ".$bl_categorie_ip_file;
}
}
else
$nb_urls=$l_error_openfile." ".$bl_categorie_url_file;
if(file_exists($bl_categorie_ip_file))
$nb_ip = exec("wc -w $bl_categorie_ip_file | cut -d' ' -f1");
else
$nb_ip = $l_error_openfile." ".$bl_categorie_ip_file;
{
$wl_categorie_domain_file = $wl_dnsmasq_dir.$categorie.".conf";
$wl_categorie_url_file = "";
$wl_categorie_ip_file = "";
if (file_exists($wl_categorie_domain_file))
$nb_domains = exec("wc -l $wl_categorie_domain_file | cut -d ' ' -f1");
else
$nb_domains = $l_error_open_file." ".$wl_categorie_domain_file;
$nb_urls = 0;
$nb_ip = 0;
}
$global_usage = file($bl_dir."global_usage");
$langue = strtoupper($Language);
for($i=0; $i<count($global_usage); $i++)
if($categorie == "ossi")
{
if(preg_match("#^NAME:.$categorie$#", $global_usage[$i]) == 1)
$l_description_cat = $l_description_ossi;
}
else
{
for($i=0; $i<count($global_usage); $i++)
{
$i++;
while(preg_match("#^DESC.$langue:#", $global_usage[$i]) == 0)
if(preg_match("#^NAME:.$categorie$#", $global_usage[$i]) == 1)
{
$i++;
$l_description_cat = preg_replace("#^DESC.$langue:.#", "", $global_usage[$i]);
break;
while(preg_match("#^DESC.$langue:#", $global_usage[$i]) == 0)
$i++;
$l_description_cat = preg_replace("#^DESC.$langue:.#", "", $global_usage[$i]);
break;
}
}
}
echo "<TITLE>$l_title</TITLE>";
66,17 → 115,64
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr>
</TABLE>
<TABLE width="100%" border=1 cellspacing=0 cellpadding=1>
<tr><td valign="middle" align="left">
<?php
$compat_categorie=strtr($categorie,"-","_");
echo "<br><center><b>$l_description_cat</b></center><br>";
echo "$l_nb_domains <b><a href='./bl_categories_help2.php?cat=$categorie&filtre=$bl_categorie_domain_file'>$nb_domains</a></b><br>";
echo "$l_nb_urls <b><a href='./bl_categories_help2.php?cat=$categorie&filtre=$bl_categorie_url_file'>$nb_urls</a></b><br>";
echo "$l_nb_ip <b><a href='./bl_categories_help2.php?cat=$categorie&filtre=$bl_categorie_ip_file'>$nb_ip</a></b><br>";
?>
</td></tr>
<tr><td valign="middle" align="left">
<?php
if(isset($_GET["filtre"]))
{
$filtre = $_GET["filtre"];
}
else
{
$filtre = $liste == "bl" ? $bl_categorie_domain_file : $wl_categorie_domain_file;
}
$filtre_domain = $liste == "bl" ? $bl_categorie_domain_file : $wl_categorie_domain_file;
$filtre_url = $liste == "bl" ? $bl_categorie_url_file : $wl_categorie_url_file;
$filtre_ip = $liste == "bl" ? $bl_categorie_ip_file : $wl_categorie_ip_file;
$compat_categorie=strtr($categorie,"-","_");
echo "<br><center><b>$l_description_cat</b></center><br>";
echo "$l_nb_domains <b><a href='?liste=$liste&cat=$categorie&filtre=$filtre_domain&titre=domain&nb_domains=$nb_domains&nb_urls=$nb_urls&nb_ip=$nb_ip'>$nb_domains</a></b><br>";
echo "$l_nb_urls <b><a href='?liste=$liste&cat=$categorie&filtre=$filtre_url&titre=url&nb_domains=$nb_domains&nb_urls=$nb_urls&nb_ip=$nb_ip'>$nb_urls</a></b><br>";
echo "$l_nb_ip <b><a href='?liste=$liste&cat=$categorie&filtre=$filtre_ip&titre=ip&nb_domains=$nb_domains&nb_urls=$nb_urls&nb_ip=$nb_ip'>$nb_ip</a></b><br>";
?>
</td></tr>
</TABLE>
<br>
<TABLE width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><th>
<?php
if(isset($_GET["titre"]))
{
$titre = $_GET["titre"];
}
else
{
$titre = "domain";
}
echo $l_example.$titre;
?>
</th></tr>
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr>
</TABLE>
<TABLE width="100%" border=1 cellspacing=0 cellpadding=1>
<tr><td valign="middle" align="left">
<?php
if($titre == "domain")
{
exec("head -n 15 $filtre | cut -d '/' -f2", $resultat);
}
elseif($titre == "ip")
{
exec("head -n 15 $filtre | cut -d ' ' -f3", $resultat);
}
else
{
exec("head -n 15 $filtre", $resultat);
}
for($i=0; $i<15; $i++)
echo $resultat[$i]."<br/>";
?>
</td></tr>
</TABLE>
<center><a href="javascript:window.close();"><b><?php echo "$l_close"; ?></b></a></center>
</BODY>
</HTML>
/web/acc/admin/bl_filter.php
59,6 → 59,7
$l_safe_searching="Activer le contrôle scolaire/parental des moteurs de recherche : google, yahoo, bing, metacrawler et Youtube.";
$l_safe_youtube="Pour Youtube, entrez votre identifiant ici : ";
$l_youtube_id="(<a href='http://www.youtube.com/education_signup' target='cat_help' onclick=window.open('http://www.youtube.com/education_signup','cat_help','width=800,height=600,toolbar=no,scrollbars=yes,resizable=yes') title='Youtube for school'>lien pour créer un identifiant Youtube (Id)</a>)";
$l_error_open_file="Erreur d'ouverture du fichier";
}
else {
$l_title1="Domain names and URL filtering";
99,6 → 100,7
$l_safe_searching="Enabling school/parental control for the search engines google, yahoo, bing, metacrawler and Youtube.";
$l_safe_youtube="For Youtube, enter your ID here : ";
$l_youtube_id="(<a href='http://www.youtube.com/education_signup' target='cat_help' onclick=window.open('http://www.youtube.com/education_signup','cat_help','width=800,height=600,toolbar=no,scrollbars=yes,resizable=yes') title='Youtube for school'>link to create a Youtube Id</a>)";
$l_error_open_file="Error opening file";
}
$dir_etc="/usr/local/etc/";
$dir_dg="/etc/dansguardian/lists/";
148,7 → 150,7
unlink ("$dir_tmp/blacklists.tar.gz"); unlink ("$dir_tmp/md5sum");
break;
case 'MAJ_cat_bl' :
$tab=file($bl_categories_enabled);
$tab=file($bl_categories_enabled);
if ($tab)
{
$pointeur=fopen($bl_categories_enabled, "w+");
159,6 → 161,7
$line=str_replace('chk-','',$key)."\n";
fwrite($pointeur,$line);
}
echo "$key<br/>";
}
fclose($pointeur);
}
/web/acc/admin/bl_filter2.php
69,7 → 69,7
{
if ($cols == 1) { echo "<tr>";}
$categorie=trim(basename($ligne));
echo "<td><a href='bl_categories_help.php?cat=$categorie' target='cat_help' onclick=window.open('bl_categories_help.php','cat_help','width=600,height=450,toolbar=no,scrollbars=no,resizable=yes') title='categories help page'>$categorie</a><br>";
echo "<td><a href='bl_categories_help.php?liste=bl&cat=$categorie' target='cat_help' onclick=window.open('bl_categories_help.php','cat_help','width=600,height=450,toolbar=no,scrollbars=yes,resizable=yes') title='categories help page'>$categorie</a><br>";
echo "<input type='checkbox' name='chk-$categorie'";
// si la ligne est commentée -> categorie non selectionnée
if (preg_match('/^#/',$ligne, $r)) { echo ">";}
138,7 → 138,7
{
if ($cols == 1) { echo "<tr>";}
$categorie=trim(basename($ligne));
echo "<td><a href='bl_categories_help.php?cat=$categorie' target='cat_help' onclick=window.open('bl_categories_help.php','cat_help','width=600,height=150,toolbar=no,scrollbars=no,resizable=yes') title='categories help page'>$categorie</a><br>";
echo "<td><a href='bl_categories_help.php?liste=wl&cat=$categorie' target='cat_help' onclick=window.open('bl_categories_help.php','cat_help','width=600,height=450,toolbar=no,scrollbars=yes,resizable=yes') title='categories help page'>$categorie</a><br>";
echo "<input type='checkbox' name='chk-$categorie'";
// si la ligne est commentée -> categorie non selectionnée
if (preg_match('/^#/',$ligne, $r)) { echo ">";}