/scripts/alcasar-iptables.sh |
29,7 → 29,7 |
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off} |
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off) |
DNS_FILTERING=${DNS_FILTERING:=off} |
BL_IP_CAT="/usr/local/share/iptables-bl" # categories files of the BlackListed IP |
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP |
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off) |
QOS=${QOS:=off} |
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off) |
73,7 → 73,7 |
$IPTABLES -t nat -P OUTPUT ACCEPT |
# destruction de tous les SET |
# destroy all the SET |
# destroy all SET |
ipset destroy |
# Création et peuplement du SET alcasar_ip_blocked |
107,19 → 107,27 |
done |
IFS=$OLDIFS |
# Création et peuplement du SET blacklist_ip_blocked |
# creation and first populating of blacklist_ip_blocked SET |
# It take a lot of time (try to do this during the blacklist import process) |
#ipset create blacklist_ip_blocked hash:net hashsize 1024 |
#cd $BL_IP_CAT |
#for category in `ls -1 | cut -d"@" -f1` |
#do |
# while read ip_blocked |
# do |
# ipset add blacklist_ip_blocked $ip_blocked |
# done < $BL_IP_CAT/$category |
#done |
# Calcul de la taille du SET blacklist_ip_blocked |
# Computing the length of the blacklist_ip_blocked set |
cd $BL_IP_CAT |
ipset_length=$(wc -l * | awk '{print $1}' | tail -n 1) |
# Ajout du delta (ip entrées manuellement) |
# Addition of the delta (ip entered manually) |
((ipset_length=$ipset_length+10)) |
# Création du fichier ipset temporaire, remplissage, chargement et suppression |
echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > ipset_save |
for category in `ls -1 | cut -d '@' -f1` |
do |
cat $BL_IP_CAT/$category >> ipset_save |
done |
ipset -! restore < ipset_save |
rm -f ipset_save |
# Sauvegarde de tous les ipset (pour restaurer après redémarrage) |
ipset save > /etc/sysconfig/ipset_save |
############################# |
# PREROUTING # |
############################# |
155,9 → 163,9 |
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') |
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window) |
#if [ $DNS_FILTERING = on ]; then |
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
#fi |
if [ $DNS_FILTERING = on ]; then |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80 |
fi |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow |
270,11 → 278,11 |
# Blocage des IPs du SET blacklist_ip_blocked |
# Deny IPs of the SET blacklist_ip_blocked |
#if [ $DNS_FILTERING = on ]; then |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
#fi |
if [ $DNS_FILTERING = on ]; then |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
fi |
# Autorisation des retours de connexions légitimes |
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
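Review bot: The icmp and tcp rules enabled in the FORWARD hunk (`--match-set blacklist_ip_blocked -p icmp` and `--match-set blacklist_ip_blocked -p tcp`) give no direction flag after the set name, whereas the udp rule between them carries `dst`; iptables rejects a set match without a flag list ("--match-set requires two args"), and since the script never checks iptables' exit status, only UDP towards blacklisted addresses would actually be blocked when DNS_FILTERING is on. Add the flag to both lines: `$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable` and `$IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset` (the PREROUTING rule in the third hunk already has `dst`). In the set-creation hunk, `cd $BL_IP_CAT` is unchecked and `ipset_save` is written inside that directory, so the following `ls -1` loop lists the save file itself and `cat`s it onto itself, and if the `cd` fails the `ipset -! restore` would read whatever `ipset_save` exists in the caller's working directory. `cd "$BL_IP_CAT" || exit 1` plus a `mktemp` path outside the directory (removed in an EXIT `trap`) addresses both, and checking the status of `ipset -! restore` would make a partially loaded set visible in the logs.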
/scripts/sbin/alcasar-bl.sh |
186,8 → 186,11 |
chown dansguardian:apache $PATH_FILE/urls |
fi |
$SED "s/\.\{2,10\}/\./g" $PATH_FILE/domains $PATH_FILE/urls # correct some syntax errors |
# retrieve the ip addresses for iptables |
egrep "^([0-9]{1,3}\.){3}[0-9]{1,3}$" $PATH_FILE/domains > $FILE_ip_tmp |
# create an ipset save for the selected category |
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add blacklist_ip_blocked " $0}' $PATH_FILE/domains > $FILE_ip_tmp |
# for dnsmask, remove IP addesses, accented characters and commented lines. |
egrep -v "^([0-9]{1,3}\.){3}[0-9]{1,3}$" $PATH_FILE/domains > $FILE_tmp |
$SED "/[äâëêïîöôüû]/d" $FILE_tmp |
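Review bot: The awk program that now emits the `add blacklist_ip_blocked` lines accepts any 1-3 digit octet, so an upstream entry such as `999.1.2.3` is written to the ipset save as-is; as far as I can tell `ipset -! restore` only tolerates already-present entries, so such a line makes the restore in alcasar-iptables.sh abort with a parse error, and because that status is not checked the set is left partially filled without any message. Range-check the octets in the same pass: `awk -F. '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/ && $1<256 && $2<256 && $3<256 && $4<256 {print "add blacklist_ip_blocked " $0}' $PATH_FILE/domains > $FILE_ip_tmp`. The set name is now hard-coded both here and in the `create blacklist_ip_blocked` line of alcasar-iptables.sh; a one-line comment naming that coupling (`# set name must match the 'ipset create' in alcasar-iptables.sh`) would keep the two from drifting apart. The `if` closed at the top of the hunk starts outside it.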
/web/acc/admin/bl_categories_help2.php |
File deleted |
/web/acc/admin/bl_categories_help.php |
4,56 → 4,105 |
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> |
<? |
$bl_dir="/etc/dansguardian/lists/blacklists/"; |
$bl_iptables_dir="/usr/local/share/iptables-bl/"; |
$bl_dnsmasq_dir="/usr/local/share/dnsmasq-bl/"; |
$wl_dnsmasq_dir="/usr/local/share/dnsmasq-wl/"; |
# Choice of language |
$Language = 'en'; |
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){ |
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']); |
$Language = strtolower(substr(chop($Langue[0]),0,2)); } |
if($Language == 'fr'){ |
$l_title = "Catégories de la liste noire"; |
$l_error_open_file="Erreur d'ouverture du fichier"; |
$l_close="Fermer"; |
$l_description_cat="Cette catégorie n'est pas décrite"; |
$l_nb_domains="Nombre de noms de domaine filtrés :"; |
$l_nb_urls="Nombre d'URL filtrés :"; |
$l_nb_ip="Nombre d'IP filtrées :"; |
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) |
{ |
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']); |
$Language = strtolower(substr(chop($Langue[0]),0,2)); |
} |
else { |
$l_title = "Blacklist categories"; |
$l_error_open_file="Error opening the file"; |
$l_close="Close"; |
$l_description_cat="This category isn't describe"; |
$l_nb_domains="Number of filtered domain names :"; |
$l_nb_urls="Number of filtered URL :"; |
$l_nb_ip="Number of filtered IP :"; |
if($Language == 'fr') |
{ |
$l_title = "Catégories de la liste noire"; |
$l_error_open_file="Erreur d'ouverture du fichier"; |
$l_close="Fermer"; |
$l_description_cat="Cette catégorie n'est pas décrite"; |
$l_description_ossi="Catégorie personnelle"; |
$l_nb_domains="Nombre de noms de domaine filtrés :"; |
$l_nb_urls="Nombre d'URL filtrés :"; |
$l_nb_ip="Nombre d'IP filtrées :"; |
$l_example="Exemple(s) : "; |
} |
if (isset($_GET['cat'])){$categorie=$_GET['cat'];} |
$bl_categorie_domain_file=$bl_dir.$categorie."/domains"; |
$bl_categorie_url_file=$bl_dir.$categorie."/urls"; |
$bl_categorie_ip_file = "/usr/local/share/iptables-bl/".$categorie; |
if (file_exists($bl_categorie_domain_file)) |
$nb_domains = exec("grep -vE '^([0-9]{1,3}\.){3}[0-9]{1,3}$' $bl_categorie_domain_file | wc -l | cut -d' ' -f1"); |
else |
$nb_domains=$l_error_openfile." ".$bl_categorie_domain_file; |
if (file_exists($bl_categorie_url_file)) |
$nb_urls=exec ("wc -w $bl_categorie_url_file|cut -d' ' -f1"); |
{ |
$l_title = "Blacklist categories"; |
$l_error_open_file="Error opening the file"; |
$l_close="Close"; |
$l_description_cat="This category isn't describe"; |
$l_description_ossi="Personal category"; |
$l_nb_domains="Number of filtered domain names :"; |
$l_nb_urls="Number of filtered URL :"; |
$l_nb_ip="Number of filtered IP :"; |
$l_example="Example(s) : "; |
} |
if(isset($_GET['cat'])) |
{ |
$categorie = $_GET['cat']; |
} |
if(isset($_GET['liste'])) |
{ |
$liste = $_GET['liste']; |
} |
if($liste == "bl") |
{ |
$bl_categorie_domain_file = $bl_dnsmasq_dir.$categorie.".conf"; |
$bl_categorie_url_file = $bl_dir.$categorie."/urls"; |
$bl_categorie_ip_file = $bl_iptables_dir.$categorie; |
if(isset($_GET['nb_domains']) && isset($_GET['nb_urls']) && isset($_GET['nb_ip'])) |
{ |
$nb_domains = $_GET['nb_domains']; |
$nb_urls = $_GET['nb_urls']; |
$nb_ip = $_GET['nb_ip']; |
} |
else |
{ |
if (file_exists($bl_categorie_domain_file)) |
$nb_domains = exec("wc -l $bl_categorie_domain_file | cut -d ' ' -f1"); |
else |
$nb_domains = $l_error_open_file." ".$bl_categorie_domain_file; |
if (file_exists($bl_categorie_url_file)) |
$nb_urls = exec ("wc -l $bl_categorie_url_file | cut -d ' ' -f1"); |
else |
$nb_urls = $l_error_open_file." ".$bl_categorie_url_file; |
if(file_exists($bl_categorie_ip_file)) |
$nb_ip = exec("wc -l $bl_categorie_ip_file | cut -d ' ' -f1"); |
else |
$nb_ip = $l_error_open_file." ".$bl_categorie_ip_file; |
} |
} |
else |
$nb_urls=$l_error_openfile." ".$bl_categorie_url_file; |
if(file_exists($bl_categorie_ip_file)) |
$nb_ip = exec("wc -w $bl_categorie_ip_file | cut -d' ' -f1"); |
else |
$nb_ip = $l_error_openfile." ".$bl_categorie_ip_file; |
{ |
$wl_categorie_domain_file = $wl_dnsmasq_dir.$categorie.".conf"; |
$wl_categorie_url_file = ""; |
$wl_categorie_ip_file = ""; |
if (file_exists($wl_categorie_domain_file)) |
$nb_domains = exec("wc -l $wl_categorie_domain_file | cut -d ' ' -f1"); |
else |
$nb_domains = $l_error_open_file." ".$wl_categorie_domain_file; |
$nb_urls = 0; |
$nb_ip = 0; |
} |
$global_usage = file($bl_dir."global_usage"); |
$langue = strtoupper($Language); |
for($i=0; $i<count($global_usage); $i++) |
if($categorie == "ossi") |
{ |
if(preg_match("#^NAME:.$categorie$#", $global_usage[$i]) == 1) |
$l_description_cat = $l_description_ossi; |
} |
else |
{ |
for($i=0; $i<count($global_usage); $i++) |
{ |
$i++; |
while(preg_match("#^DESC.$langue:#", $global_usage[$i]) == 0) |
if(preg_match("#^NAME:.$categorie$#", $global_usage[$i]) == 1) |
{ |
$i++; |
$l_description_cat = preg_replace("#^DESC.$langue:.#", "", $global_usage[$i]); |
break; |
while(preg_match("#^DESC.$langue:#", $global_usage[$i]) == 0) |
$i++; |
$l_description_cat = preg_replace("#^DESC.$langue:.#", "", $global_usage[$i]); |
break; |
} |
} |
} |
echo "<TITLE>$l_title</TITLE>"; |
66,17 → 115,64 |
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr> |
</TABLE> |
<TABLE width="100%" border=1 cellspacing=0 cellpadding=1> |
<tr><td valign="middle" align="left"> |
<?php |
$compat_categorie=strtr($categorie,"-","_"); |
echo "<br><center><b>$l_description_cat</b></center><br>"; |
echo "$l_nb_domains <b><a href='./bl_categories_help2.php?cat=$categorie&filtre=$bl_categorie_domain_file'>$nb_domains</a></b><br>"; |
echo "$l_nb_urls <b><a href='./bl_categories_help2.php?cat=$categorie&filtre=$bl_categorie_url_file'>$nb_urls</a></b><br>"; |
echo "$l_nb_ip <b><a href='./bl_categories_help2.php?cat=$categorie&filtre=$bl_categorie_ip_file'>$nb_ip</a></b><br>"; |
?> |
</td></tr> |
<tr><td valign="middle" align="left"> |
<?php |
if(isset($_GET["filtre"])) |
{ |
$filtre = $_GET["filtre"]; |
} |
else |
{ |
$filtre = $liste == "bl" ? $bl_categorie_domain_file : $wl_categorie_domain_file; |
} |
$filtre_domain = $liste == "bl" ? $bl_categorie_domain_file : $wl_categorie_domain_file; |
$filtre_url = $liste == "bl" ? $bl_categorie_url_file : $wl_categorie_url_file; |
$filtre_ip = $liste == "bl" ? $bl_categorie_ip_file : $wl_categorie_ip_file; |
$compat_categorie=strtr($categorie,"-","_"); |
echo "<br><center><b>$l_description_cat</b></center><br>"; |
echo "$l_nb_domains <b><a href='?liste=$liste&cat=$categorie&filtre=$filtre_domain&titre=domain&nb_domains=$nb_domains&nb_urls=$nb_urls&nb_ip=$nb_ip'>$nb_domains</a></b><br>"; |
echo "$l_nb_urls <b><a href='?liste=$liste&cat=$categorie&filtre=$filtre_url&titre=url&nb_domains=$nb_domains&nb_urls=$nb_urls&nb_ip=$nb_ip'>$nb_urls</a></b><br>"; |
echo "$l_nb_ip <b><a href='?liste=$liste&cat=$categorie&filtre=$filtre_ip&titre=ip&nb_domains=$nb_domains&nb_urls=$nb_urls&nb_ip=$nb_ip'>$nb_ip</a></b><br>"; |
?> |
</td></tr> |
</TABLE> |
<br> |
<TABLE width="100%" border="0" cellspacing="0" cellpadding="0"> |
<tr><th> |
<?php |
if(isset($_GET["titre"])) |
{ |
$titre = $_GET["titre"]; |
} |
else |
{ |
$titre = "domain"; |
} |
echo $l_example.$titre; |
?> |
</th></tr> |
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr> |
</TABLE> |
<TABLE width="100%" border=1 cellspacing=0 cellpadding=1> |
<tr><td valign="middle" align="left"> |
<?php |
if($titre == "domain") |
{ |
exec("head -n 15 $filtre | cut -d '/' -f2", $resultat); |
} |
elseif($titre == "ip") |
{ |
exec("head -n 15 $filtre | cut -d ' ' -f3", $resultat); |
} |
else |
{ |
exec("head -n 15 $filtre", $resultat); |
} |
for($i=0; $i<15; $i++) |
echo $resultat[$i]."<br/>"; |
?> |
</td></tr> |
</TABLE> |
<center><a href="javascript:window.close();"><b><?php echo "$l_close"; ?></b></a></center> |
</BODY> |
</HTML> |
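Review bot: In the second hunk `$filtre` is copied straight from `$_GET["filtre"]` and interpolated into `exec("head -n 15 $filtre | ...")`, and in the first hunk `$_GET['cat']` and `$_GET['liste']` are concatenated into file paths that reach `exec("wc -l ...")` with no validation, so the query string decides both which file is read and what the shell command line looks like; `$nb_domains`/`$nb_urls`/`$nb_ip` are likewise taken from the query and echoed into the page unescaped. This is an admin page, so the exposure depends on the session checks outside this file, but the inputs should still be constrained before they reach `exec`: accept only known values for `liste` and `titre`, check `cat` against a category-name pattern, derive `$filtre` on the server from those three values instead of reading it from the query, wrap every path handed to `exec` in `escapeshellarg()`, and pass echoed values through `htmlspecialchars()`. The loop `for($i=0; $i<15; $i++) echo $resultat[$i]."<br/>";` also indexes past the end of `$resultat` whenever the file has fewer than 15 lines; a `foreach` avoids the undefined-offset notices. Both hunks belong to the page's top-level script, which continues outside them; the character class below is a guess at valid category names and should be adjusted to what the lists actually contain.
```php
// … unchanged: language selection …
$categorie = isset($_GET['cat']) ? $_GET['cat'] : '';
if (!preg_match('/^[A-Za-z0-9_-]+$/', $categorie)) {
    exit($l_error_open_file);
}
$liste = (isset($_GET['liste']) && $_GET['liste'] === 'wl') ? 'wl' : 'bl';
// … unchanged: per-list path construction …
// counts are always computed server-side; never taken from the query string
if (file_exists($bl_categorie_domain_file))
    $nb_domains = exec("wc -l " . escapeshellarg($bl_categorie_domain_file) . " | cut -d ' ' -f1");
// … unchanged: url / ip counts, with the same escapeshellarg() wrapping …
$titre = (isset($_GET['titre']) && in_array($_GET['titre'], array('domain', 'url', 'ip'), true)) ? $_GET['titre'] : 'domain';
$filtre_par_type = array('domain' => $filtre_domain, 'url' => $filtre_url, 'ip' => $filtre_ip);
$filtre = $filtre_par_type[$titre];
// … unchanged: head/cut selection by $titre, using escapeshellarg($filtre) …
foreach ($resultat as $ligne)
    echo htmlspecialchars($ligne) . "<br/>";
```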
/web/acc/admin/bl_filter.php |
59,6 → 59,7 |
$l_safe_searching="Activer le contrôle scolaire/parental des moteurs de recherche : google, yahoo, bing, metacrawler et Youtube."; |
$l_safe_youtube="Pour Youtube, entrez votre identifiant ici : "; |
$l_youtube_id="(<a href='http://www.youtube.com/education_signup' target='cat_help' onclick=window.open('http://www.youtube.com/education_signup','cat_help','width=800,height=600,toolbar=no,scrollbars=yes,resizable=yes') title='Youtube for school'>lien pour créer un identifiant Youtube (Id)</a>)"; |
$l_error_open_file="Erreur d'ouverture du fichier"; |
} |
else { |
$l_title1="Domain names and URL filtering"; |
99,6 → 100,7 |
$l_safe_searching="Enabling school/parental control for the search engines google, yahoo, bing, metacrawler and Youtube."; |
$l_safe_youtube="For Youtube, enter your ID here : "; |
$l_youtube_id="(<a href='http://www.youtube.com/education_signup' target='cat_help' onclick=window.open('http://www.youtube.com/education_signup','cat_help','width=800,height=600,toolbar=no,scrollbars=yes,resizable=yes') title='Youtube for school'>link to create a Youtube Id</a>)"; |
$l_error_open_file="Error opening file"; |
} |
$dir_etc="/usr/local/etc/"; |
$dir_dg="/etc/dansguardian/lists/"; |
148,7 → 150,7 |
unlink ("$dir_tmp/blacklists.tar.gz"); unlink ("$dir_tmp/md5sum"); |
break; |
case 'MAJ_cat_bl' : |
$tab=file($bl_categories_enabled); |
$tab=file($bl_categories_enabled); |
if ($tab) |
{ |
$pointeur=fopen($bl_categories_enabled, "w+"); |
159,6 → 161,7 |
$line=str_replace('chk-','',$key)."\n"; |
fwrite($pointeur,$line); |
} |
echo "$key<br/>"; |
} |
fclose($pointeur); |
} |
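Review bot: The added `echo "$key<br/>";` in the last hunk prints what appears to be every submitted form key into the response without escaping, right next to the `fwrite` that persists the same keys; it reads like a debugging aid that was left in. If the output is meant to stay, escape it, `echo htmlspecialchars($key)."<br/>";`, otherwise remove the line. The loop and the `case 'MAJ_cat_bl'` branch it belongs to begin before the hunk.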
/web/acc/admin/bl_filter2.php |
69,7 → 69,7 |
{ |
if ($cols == 1) { echo "<tr>";} |
$categorie=trim(basename($ligne)); |
echo "<td><a href='bl_categories_help.php?cat=$categorie' target='cat_help' onclick=window.open('bl_categories_help.php','cat_help','width=600,height=450,toolbar=no,scrollbars=no,resizable=yes') title='categories help page'>$categorie</a><br>"; |
echo "<td><a href='bl_categories_help.php?liste=bl&cat=$categorie' target='cat_help' onclick=window.open('bl_categories_help.php','cat_help','width=600,height=450,toolbar=no,scrollbars=yes,resizable=yes') title='categories help page'>$categorie</a><br>"; |
echo "<input type='checkbox' name='chk-$categorie'"; |
// si la ligne est commentée -> categorie non selectionnée |
if (preg_match('/^#/',$ligne, $r)) { echo ">";} |
138,7 → 138,7 |
{ |
if ($cols == 1) { echo "<tr>";} |
$categorie=trim(basename($ligne)); |
echo "<td><a href='bl_categories_help.php?cat=$categorie' target='cat_help' onclick=window.open('bl_categories_help.php','cat_help','width=600,height=150,toolbar=no,scrollbars=no,resizable=yes') title='categories help page'>$categorie</a><br>"; |
echo "<td><a href='bl_categories_help.php?liste=wl&cat=$categorie' target='cat_help' onclick=window.open('bl_categories_help.php','cat_help','width=600,height=450,toolbar=no,scrollbars=yes,resizable=yes') title='categories help page'>$categorie</a><br>"; |
echo "<input type='checkbox' name='chk-$categorie'"; |
// si la ligne est commentée -> categorie non selectionnée |
if (preg_match('/^#/',$ligne, $r)) { echo ">";} |
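Review bot: The rewritten link in this hunk, like the one in the hunk at line 69, still leaves the `onclick=` attribute value unquoted and places `$categorie` in the `href` query string and the link text as-is; it only works because the value happens to contain no whitespace. Wrapping the attribute in escaped double quotes (`onclick=\"window.open(...)\"`) and emitting `cat=".urlencode($categorie)."` keeps the markup valid for any future category name. The surrounding loop starts before the hunk.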