| /alcasar.sh |
|---|
| 1402,7 → 1402,7 |
| [ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default |
| $SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance |
| [ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
| # 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on. |
| # 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on. |
| cat << EOF > /etc/dnsmasq.conf |
| # Configuration file for "dnsmasq in forward mode" |
| conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
| 1433,13 → 1433,14 |
| cat << EOF > /etc/dnsmasq-blacklist.conf |
| # Configuration file for "dnsmasq with blacklist" |
| # Add Toulouse blacklist domains |
| conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
| conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled |
| conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
| pid-file=/var/run/dnsmasq-blacklist.pid |
| listen-address=$PRIVATE_IP |
| port=54 |
| no-dhcp-interface=$INTIF |
| no-dhcp-interface=tun0 |
| no-dhcp-interface=lo |
| bind-interfaces |
| cache-size=256 |
| domain=$DOMAIN |
| 1454,13 → 1455,14 |
| cat << EOF > /etc/dnsmasq-whitelist.conf |
| # Configuration file for "dnsmasq with whitelist" |
| # Inclusion de la whitelist <domains> de Toulouse dans la configuration |
| conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
| conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled |
| conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux |
| pid-file=/var/run/dnsmasq-whitelist.pid |
| listen-address=$PRIVATE_IP |
| pid-file=/var/run/dnsmasq-whitelist.pid |
| port=55 |
| no-dhcp-interface=$INTIF |
| no-dhcp-interface=tun0 |
| no-dhcp-interface=lo |
| bind-interfaces |
| cache-size=256 |
| domain=$DOMAIN |
| 1468,18 → 1470,39 |
| expand-hosts |
| bogus-priv |
| filterwin2k |
| address=/#/$PRIVATE_IP |
| ipset=/#/whitelist_ip_allowed |
| address=/#/$PRIVATE_IP # for Domain name without local resolution (WL) |
| ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules |
| EOF |
| # 4th dnsmasq listen on udp 56 ("blackhole") |
| cat << EOF > /etc/dnsmasq-blackhole.conf |
| # Configuration file for "dnsmasq as a blackhole" |
| conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
| address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address |
| pid-file=/var/run/dnsmasq-blackhole.pid |
| listen-address=$PRIVATE_IP |
| port=56 |
| no-dhcp-interface=$INTIF |
| no-dhcp-interface=tun0 |
| no-dhcp-interface=lo |
| bind-interfaces |
| cache-size=256 |
| domain=$DOMAIN |
| domain-needed |
| expand-hosts |
| bogus-priv |
| filterwin2k |
| EOF |
| # Start after chilli (which create tun0) |
| $SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service |
| # Create dnsmasq-blacklist and dnsmasq-whitelist unit |
| cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service |
| cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service |
| cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service /lib/systemd/system/dnsmasq-whitelist.service /lib/systemd/system/dnsmasq-blackhole.service |
| $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service |
| $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service |
| $SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blackhole.conf?g" /lib/systemd/system/dnsmasq-blackhole.service |
| $SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-blacklist.pid?g" /lib/systemd/system/dnsmasq-blacklist.service |
| $SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service |
| $SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-blackhole.pid?g" /lib/systemd/system/dnsmasq-blackhole.service |
| } # End dnsmasq |
| ########################################################## |
| 1792,7 → 1815,7 |
| /sbin/chkconfig --add $i |
| done |
| # processes launched at boot time (Systemctl) |
| for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban |
| for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban |
| do |
| systemctl -q enable $i.service |
| done |
| 1840,14 → 1863,6 |
| do |
| /bin/systemctl -q disable $svc |
| done |
| # for rm_users in games |
| # do |
| # user=`cat /etc/passwd|grep $rm_users|cut -d":" -f1` |
| # if [ "$user" == "$rm_users" ] |
| # then |
| # /usr/sbin/userdel -r $rm_users |
| # fi |
| # done |
| # Load and apply the previous conf file |
| if [ "$mode" = "update" ] |
| then |
| /scripts/alcasar-iptables.sh |
|---|
| 149,22 → 149,26 |
| $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY " |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT |
| # Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT |
| # Mark (and log) the udp 54 direct attempts (DNS-blacklist) to REJECT them in INPUT rules |
| # $IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP -m udp --dport 54 -j ULOG --ulog-prefix "RULE DNS-proxy -- DENY " |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 2 |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 55 pour pouvoir les rejeter en INPUT |
| # Mark (and log) the udp 55 direct attempts to REJECT them in INPUT rules |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 55 (DNS-Whitelist) pour pouvoir les rejeter en INPUT |
| # Mark (and log) the udp 55 direct attempts (DNS-whitelist) to REJECT them in INPUT rules |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 3 |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 56 (DNS-Blackhole) pour pouvoir les rejeter en INPUT |
| # Mark (and log) the udp 55 direct attempts (DNS-whitelist) to REJECT them in INPUT rules |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 4 |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 pour pouvoir les rejeter en INPUT |
| # Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 4 |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 5 |
| # Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8091 pour pouvoir les rejeter en INPUT |
| # Mark (and log) the 8091 direct attempts to REJECT them in INPUT rules |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8091 -j MARK --set-mark 5 |
| $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8091 -j MARK --set-mark 6 |
| # havp_bl_set --> redirection vers le port 54 |
| # havp_bl_set --> redirect to port 54 |
| 239,21 → 243,25 |
| # Allow connections for DansGuardian |
| $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT |
| # On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
| # Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING) |
| # On interdit les connexions directes au port UDP 54 (DNS-blacklist). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
| # Deny direct connections on UDP 54 (DNS-blacklist). The concerned paquets are marked in mangle table (PREROUTING) |
| $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable |
| # On interdit les connexions directes au port UDP 55. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
| # Deny direct connections on UDP 55. The concerned paquets are marked in mangle table (PREROUTING) |
| # On interdit les connexions directes au port UDP 55 (DNS-whitelist). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
| # Deny direct connections on UDP 55 (DNS-whitelist). The concerned paquets are marked in mangle table (PREROUTING) |
| $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable |
| # On interdit les connexions directes au port UDP 56 (DNS-Blackhole). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
| # Deny direct connections on UDP 56 (DNS-blackhole). The concerned paquets are marked in mangle table (PREROUTING) |
| $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable |
| # On interdit les connexions directes au port 8090. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
| # Deny direct connections on 8090. The concerned paquets are marked in mangle table (PREROUTING) |
| $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 4 -j REJECT --reject-with tcp-reset |
| $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 5 -j REJECT --reject-with tcp-reset |
| # On interdit les connexions directes au port 8091. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
| # Deny direct connections on 8091. The concerned paquets are marked in mangle table (PREROUTING) |
| $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8091 -m mark --mark 5 -j REJECT --reject-with tcp-reset |
| $IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8091 -m mark --mark 6 -j REJECT --reject-with tcp-reset |
| # Autorisation des connexions légitimes à HAVP |
| # Allow connections for HAVP |
| 271,6 → 279,10 |
| # Allow connections for DNSMASQ (with whitelist) |
| $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT |
| # autorisation des connexion légitime à DNSMASQ (mode blackhole) |
| # Allow connections for DNSMASQ (blackhole mode) |
| $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT |
| # Accès direct aux services internes |
| # Internal services access |
| $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blacklist |
| /scripts/alcasar-watchdog.sh |
|---|
| 23,6 → 23,8 |
| tmp_file="/tmp/watchdog.txt" |
| DIR_WEB="/var/www/html" |
| Index_Page="$DIR_WEB/index.php" |
| IPTABLES="/sbin/iptables" |
| TUNIF="tun0" # listen device for chilli daemon |
| OLDIFS=$IFS |
| IFS=$'\n' |
| 41,13 → 43,11 |
| /bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page |
| ;; |
| esac |
| net_pb=`cat /etc/dnsmasq.conf|grep "address=/#/"|wc -l` |
| if [ $net_pb = "0" ] # user alert |
| net_pb=`grep "network_pb = True;" $Index_Page|wc -l` |
| if [ $net_pb = "0" ] # user alert (only the first time) |
| then |
| /bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page |
| /bin/sed -i "s?^conf-dir=.*?address=\/#\/$PRIVATE_IP?g" /etc/dnsmasq-blacklist.conf |
| /bin/sed -i "1i\address=\/#\/$PRIVATE_IP" /etc/dnsmasq.conf |
| /etc/init.d/dnsmasq restart |
| $IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56 |
| fi |
| } |
| 62,7 → 62,7 |
| fi |
| # EXTIF testing |
| LAN_DOWN="0" |
| if [ "`/usr/sbin/ethtool $EXTIF|grep Link|cut -d' ' -f3`" != "yes" ] && [ "`/sbin/mii-tool $EXTIF | grep -i link | awk '{print $NF}'`" != "ok" ] |
| if [ `/sbin/ip link | grep $EXTIF|grep "NO-CARRIER" | wc -l` -eq "1" ] |
| then |
| LAN_DOWN="1" |
| fi |
| 83,13 → 83,11 |
| # else switch in normal mode |
| else |
| echo "Internet access is OK for now" |
| net_pb=`cat /etc/dnsmasq.conf|grep "address=/#/"|wc -l` |
| net_pb=`grep "network_pb = True;" $Index_Page|wc -l` |
| if [ $net_pb != "0" ] |
| then |
| /bin/sed -i "s?^\$network_pb.*?\$network_pb = False;?g" $Index_Page |
| /bin/sed -i "s?^address=\/#\/.*?conf-dir=/usr/local/share/dnsmasq-bl-enabled?g" /etc/dnsmasq-blacklist.conf |
| /bin/sed -i "/^address=/d" /etc/dnsmasq.conf |
| /etc/init.d/dnsmasq restart |
| $IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56 |
| fi |
| fi |
| } |
| /scripts/sbin/alcasar-uninstall.sh |
|---|
| 16,13 → 16,13 |
| echo |
| #services_stop |
| echo -n "Stop ALCASAR main services : " |
| for i in havp gammu-smsd |
| for i in havp gammu-smsd |
| do |
| [ -e /etc/init.d/$i ] && /sbin/chkconfig --del $i && /etc/init.d/$i stop && killall $i 2>/dev/null |
| done |
| for i in alcasar-load_balancing.service nfsen.service mysqld.service ntpd.service iptables.service ulogd-ext-access.service ulogd-ssh.service ulogd-traceability.service dansguardian.service httpd.service radiusd.service freshclam.service dnsmasq.service dnsmasq-blacklist.service dnsmasq-whitelist.service dhcpd.service chilli.service |
| for i in alcasar-load_balancing nfsen mysqld ntpd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability dansguardian httpd radiusd freshclam dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole dhcpd chilli |
| do |
| [ -e /lib/systemd/system/$i ] && systemctl disable $i && systemctl stop $i 1>/dev/null && echo -n "." |
| [ -e /lib/systemd/system/$i.service ] && systemctl disable $i.service && systemctl stop $i.service 1>/dev/null && echo -n "." |
| done |
| echo "Stop ALCASAR main functions : " |
| 139,7 → 139,7 |
| sleep 1 |
| #DnsMasq |
| echo -en "\n- dnsmasq(6) : " |
| echo -en "\n- dnsmasq(8) : " |
| if [ -e /lib/systemd/system/dnsmasq.service ] |
| then |
| [ -e /etc/sysconfig/dnsmasq.default ] && mv /etc/sysconfig/dnsmasq.default /etc/sysconfig/dnsmasq && echo -n "1, " |
| 146,8 → 146,10 |
| [ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "2, " |
| [ -e /etc/dnsmasq-blacklist.conf ] && rm /etc/dnsmasq-blacklist.conf && echo -n "3, " |
| [ -e /etc/dnsmasq-whitelist.conf ] && rm /etc/dnsmasq-whitelist.conf && echo -n "4, " |
| [ -e /lib/systemd/system/dnsmasq-blacklist.service ] && rm /lib/systemd/system/dnsmasq-blacklist.service && echo -n "5, " |
| [ -e /lib/systemd/system/dnsmasq-whitelist.service ] && rm /lib/systemd/system/dnsmasq-whitelist.service && echo -n "6" |
| [ -e /etc/dnsmasq-blackhole.conf ] && rm /etc/dnsmasq-blackhole.conf && echo -n "5, " |
| [ -e /lib/systemd/system/dnsmasq-blacklist.service ] && rm /lib/systemd/system/dnsmasq-blacklist.service && echo -n "6, " |
| [ -e /lib/systemd/system/dnsmasq-whitelist.service ] && rm /lib/systemd/system/dnsmasq-whitelist.service && echo -n "7, " |
| [ -e /lib/systemd/system/dnsmasq-blackhole.service ] && rm /lib/systemd/system/dnsmasq-blackhole.service && echo -n "8" |
| else echo -n "uninstalled" |
| fi |