/alcasar.sh |
1402,7 → 1402,7 |
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default |
$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance |
[ -e /etc/dnsmasq.conf.default ] || cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default |
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on. |
# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on. |
cat << EOF > /etc/dnsmasq.conf |
# Configuration file for "dnsmasq in forward mode" |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
1433,13 → 1433,14 |
cat << EOF > /etc/dnsmasq-blacklist.conf |
# Configuration file for "dnsmasq with blacklist" |
# Add Toulouse blacklist domains |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
pid-file=/var/run/dnsmasq-blacklist.pid |
listen-address=$PRIVATE_IP |
port=54 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=256 |
domain=$DOMAIN |
1454,13 → 1455,14 |
cat << EOF > /etc/dnsmasq-whitelist.conf |
# Configuration file for "dnsmasq with whitelist" |
# Inclusion de la whitelist <domains> de Toulouse dans la configuration |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux |
pid-file=/var/run/dnsmasq-whitelist.pid |
listen-address=$PRIVATE_IP |
pid-file=/var/run/dnsmasq-whitelist.pid |
port=55 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=256 |
domain=$DOMAIN |
1468,18 → 1470,39 |
expand-hosts |
bogus-priv |
filterwin2k |
address=/#/$PRIVATE_IP |
ipset=/#/whitelist_ip_allowed |
address=/#/$PRIVATE_IP # for Domain name without local resolution (WL) |
ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules |
EOF |
# 4th dnsmasq listen on udp 56 ("blackhole") |
cat << EOF > /etc/dnsmasq-blackhole.conf |
# Configuration file for "dnsmasq as a blackhole" |
conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions |
address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address |
pid-file=/var/run/dnsmasq-blackhole.pid |
listen-address=$PRIVATE_IP |
port=56 |
no-dhcp-interface=$INTIF |
no-dhcp-interface=tun0 |
no-dhcp-interface=lo |
bind-interfaces |
cache-size=256 |
domain=$DOMAIN |
domain-needed |
expand-hosts |
bogus-priv |
filterwin2k |
EOF |
# Start after chilli (which create tun0) |
$SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service |
# Create dnsmasq-blacklist and dnsmasq-whitelist unit |
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service |
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service |
cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service /lib/systemd/system/dnsmasq-whitelist.service /lib/systemd/system/dnsmasq-blackhole.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blackhole.conf?g" /lib/systemd/system/dnsmasq-blackhole.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-blacklist.pid?g" /lib/systemd/system/dnsmasq-blacklist.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service |
$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-blackhole.pid?g" /lib/systemd/system/dnsmasq-blackhole.service |
} # End dnsmasq |
########################################################## |
1792,7 → 1815,7 |
/sbin/chkconfig --add $i |
done |
# processes launched at boot time (Systemctl) |
for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban |
for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban |
do |
systemctl -q enable $i.service |
done |
1840,14 → 1863,6 |
do |
/bin/systemctl -q disable $svc |
done |
# for rm_users in games |
# do |
# user=`cat /etc/passwd|grep $rm_users|cut -d":" -f1` |
# if [ "$user" == "$rm_users" ] |
# then |
# /usr/sbin/userdel -r $rm_users |
# fi |
# done |
# Load and apply the previous conf file |
if [ "$mode" = "update" ] |
then |
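Review bot: The unit-file copy in the 1468 hunk, `cp -f /lib/systemd/system/dnsmasq.service …dnsmasq-blacklist.service …dnsmasq-whitelist.service …dnsmasq-blackhole.service`, hands cp four operands, and cp only accepts several operands when the last one is a directory, so it fails with "target … is not a directory" and none of the three units is created; the `$SED` edits on those files and the `systemctl enable dnsmasq-blackhole.service` added in the 1792 hunk then operate on files that do not exist. Replace it with one copy per unit, e.g. `for u in blacklist whitelist blackhole; do cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$u.service; done`. The old two-line form it replaces was correct. The dnsmasq function begins before the first hunk shown here.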
/scripts/alcasar-iptables.sh |
149,22 → 149,26 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT |
# Mark (and log) the udp 54 direct attempts to REJECT them in INPUT rules |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT |
# Mark (and log) the udp 54 direct attempts (DNS-blacklist) to REJECT them in INPUT rules |
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p udp -d $PRIVATE_IP -m udp --dport 54 -j ULOG --ulog-prefix "RULE DNS-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 2 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 55 pour pouvoir les rejeter en INPUT |
# Mark (and log) the udp 55 direct attempts to REJECT them in INPUT rules |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 55 (DNS-Whitelist) pour pouvoir les rejeter en INPUT |
# Mark (and log) the udp 55 direct attempts (DNS-whitelist) to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 3 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 56 (DNS-Blackhole) pour pouvoir les rejeter en INPUT |
# Mark (and log) the udp 55 direct attempts (DNS-whitelist) to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 4 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 pour pouvoir les rejeter en INPUT |
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 4 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 5 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8091 pour pouvoir les rejeter en INPUT |
# Mark (and log) the 8091 direct attempts to REJECT them in INPUT rules |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8091 -j MARK --set-mark 5 |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8091 -j MARK --set-mark 6 |
# havp_bl_set --> redirection vers le port 54 |
# havp_bl_set --> redirect to port 54 |
239,21 → 243,25 |
# Allow connections for DansGuardian |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT |
# On interdit les connexions directes au port UDP 54. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on UDP 54. The concerned paquets are marked in mangle table (PREROUTING) |
# On interdit les connexions directes au port UDP 54 (DNS-blacklist). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on UDP 54 (DNS-blacklist). The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable |
# On interdit les connexions directes au port UDP 55. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on UDP 55. The concerned paquets are marked in mangle table (PREROUTING) |
# On interdit les connexions directes au port UDP 55 (DNS-whitelist). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on UDP 55 (DNS-whitelist). The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable |
# On interdit les connexions directes au port UDP 56 (DNS-Blackhole). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on UDP 56 (DNS-blackhole). The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable |
# On interdit les connexions directes au port 8090. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on 8090. The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 4 -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 5 -j REJECT --reject-with tcp-reset |
# On interdit les connexions directes au port 8091. Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on 8091. The concerned paquets are marked in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8091 -m mark --mark 5 -j REJECT --reject-with tcp-reset |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8091 -m mark --mark 6 -j REJECT --reject-with tcp-reset |
# Autorisation des connexions légitimes à HAVP |
# Allow connections for HAVP |
271,6 → 279,10 |
# Allow connections for DNSMASQ (with whitelist) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 55 -j ACCEPT |
# autorisation des connexion légitime à DNSMASQ (mode blackhole) |
# Allow connections for DNSMASQ (blackhole mode) |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 56 -j ACCEPT |
# Accès direct aux services internes |
# Internal services access |
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j ACCEPT # DNS non filtré # DNS without blacklist |
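Review bot: The new port-56 rules, `… -t mangle … -p tcp --dport 56 -j MARK --set-mark 4` and `… INPUT … -p tcp --dport 56 -m mark --mark 4 -j REJECT`, match TCP only, while the comments, the blackhole dnsmasq listener and the new ACCEPT (`-p udp --dport 56`, limited only by source network) all concern UDP 56; a client sending a UDP query straight to port 56 is therefore accepted rather than rejected as the comment states, since the mark is never set on it. If the intent is the documented one, both new rules want `-p udp` (the `icmp-port-unreachable` reject type then fits); the pre-existing 54/55 rules share the same tcp/udp mismatch, which — if port 54 is accepted the way 55 is — would let a client choose its own filter by querying it directly, but that is outside this hunk. The English comment above the port-56 mark rule is a copy of the port-55 one and should read `# Mark (and log) the udp 56 direct attempts (DNS-blackhole) to REJECT them in INPUT rules`.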
/scripts/alcasar-watchdog.sh |
23,6 → 23,8 |
tmp_file="/tmp/watchdog.txt" |
DIR_WEB="/var/www/html" |
Index_Page="$DIR_WEB/index.php" |
IPTABLES="/sbin/iptables" |
TUNIF="tun0" # listen device for chilli daemon |
OLDIFS=$IFS |
IFS=$'\n' |
41,13 → 43,11 |
/bin/sed -i "s?diagnostic =.*?diagnostic = \"can't contact the default router\";?g" $Index_Page |
;; |
esac |
net_pb=`cat /etc/dnsmasq.conf|grep "address=/#/"|wc -l` |
if [ $net_pb = "0" ] # user alert |
net_pb=`grep "network_pb = True;" $Index_Page|wc -l` |
if [ $net_pb = "0" ] # user alert (only the first time) |
then |
/bin/sed -i "s?^\$network_pb.*?\$network_pb = True;?g" $Index_Page |
/bin/sed -i "s?^conf-dir=.*?address=\/#\/$PRIVATE_IP?g" /etc/dnsmasq-blacklist.conf |
/bin/sed -i "1i\address=\/#\/$PRIVATE_IP" /etc/dnsmasq.conf |
/etc/init.d/dnsmasq restart |
$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56 |
fi |
} |
62,7 → 62,7 |
fi |
# EXTIF testing |
LAN_DOWN="0" |
if [ "`/usr/sbin/ethtool $EXTIF|grep Link|cut -d' ' -f3`" != "yes" ] && [ "`/sbin/mii-tool $EXTIF | grep -i link | awk '{print $NF}'`" != "ok" ] |
if [ `/sbin/ip link | grep $EXTIF|grep "NO-CARRIER" | wc -l` -eq "1" ] |
then |
LAN_DOWN="1" |
fi |
83,13 → 83,11 |
# else switch in normal mode |
else |
echo "Internet access is OK for now" |
net_pb=`cat /etc/dnsmasq.conf|grep "address=/#/"|wc -l` |
net_pb=`grep "network_pb = True;" $Index_Page|wc -l` |
if [ $net_pb != "0" ] |
then |
/bin/sed -i "s?^\$network_pb.*?\$network_pb = False;?g" $Index_Page |
/bin/sed -i "s?^address=\/#\/.*?conf-dir=/usr/local/share/dnsmasq-bl-enabled?g" /etc/dnsmasq-blacklist.conf |
/bin/sed -i "/^address=/d" /etc/dnsmasq.conf |
/etc/init.d/dnsmasq restart |
$IPTABLES -D PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56 |
fi |
fi |
} |
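Review bot: The redirect inserted on uplink failure, `$IPTABLES -I PREROUTING -t nat -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56`, is keyed only on the `network_pb = True;` string in index.php; if that sed does not take effect or the page is regenerated while the fault persists, the `-I` runs again on every watchdog pass and stacks duplicate rules, while the single `-D` on recovery removes only one, leaving client DNS pinned to the blackhole after the Internet link is back. Letting the firewall be the state is safer: guard the insert with `$IPTABLES -t nat -C PREROUTING -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56 2>/dev/null || $IPTABLES -I …` and loop the removal, `while $IPTABLES -t nat -D PREROUTING -i $TUNIF -p udp --dport domain -j REDIRECT --to-port 56 2>/dev/null; do :; done` (`-C` needs iptables 1.4.11 or later, which I cannot confirm from here). The rule carries no `-d`, so DNS queries to any resolver are redirected, presumably intended for the captive page; a short comment saying so would help. Both enclosing functions start before their hunks.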
/scripts/sbin/alcasar-uninstall.sh |
16,13 → 16,13 |
echo |
#services_stop |
echo -n "Stop ALCASAR main services : " |
for i in havp gammu-smsd |
for i in havp gammu-smsd |
do |
[ -e /etc/init.d/$i ] && /sbin/chkconfig --del $i && /etc/init.d/$i stop && killall $i 2>/dev/null |
done |
for i in alcasar-load_balancing.service nfsen.service mysqld.service ntpd.service iptables.service ulogd-ext-access.service ulogd-ssh.service ulogd-traceability.service dansguardian.service httpd.service radiusd.service freshclam.service dnsmasq.service dnsmasq-blacklist.service dnsmasq-whitelist.service dhcpd.service chilli.service |
for i in alcasar-load_balancing nfsen mysqld ntpd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability dansguardian httpd radiusd freshclam dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole dhcpd chilli |
do |
[ -e /lib/systemd/system/$i ] && systemctl disable $i && systemctl stop $i 1>/dev/null && echo -n "." |
[ -e /lib/systemd/system/$i.service ] && systemctl disable $i.service && systemctl stop $i.service 1>/dev/null && echo -n "." |
done |
echo "Stop ALCASAR main functions : " |
139,7 → 139,7 |
sleep 1 |
#DnsMasq |
echo -en "\n- dnsmasq(6) : " |
echo -en "\n- dnsmasq(8) : " |
if [ -e /lib/systemd/system/dnsmasq.service ] |
then |
[ -e /etc/sysconfig/dnsmasq.default ] && mv /etc/sysconfig/dnsmasq.default /etc/sysconfig/dnsmasq && echo -n "1, " |
146,8 → 146,10 |
[ -e /etc/dnsmasq.conf.default ] && mv /etc/dnsmasq.conf.default /etc/dnsmasq.conf && echo -n "2, " |
[ -e /etc/dnsmasq-blacklist.conf ] && rm /etc/dnsmasq-blacklist.conf && echo -n "3, " |
[ -e /etc/dnsmasq-whitelist.conf ] && rm /etc/dnsmasq-whitelist.conf && echo -n "4, " |
[ -e /lib/systemd/system/dnsmasq-blacklist.service ] && rm /lib/systemd/system/dnsmasq-blacklist.service && echo -n "5, " |
[ -e /lib/systemd/system/dnsmasq-whitelist.service ] && rm /lib/systemd/system/dnsmasq-whitelist.service && echo -n "6" |
[ -e /etc/dnsmasq-blackhole.conf ] && rm /etc/dnsmasq-blackhole.conf && echo -n "5, " |
[ -e /lib/systemd/system/dnsmasq-blacklist.service ] && rm /lib/systemd/system/dnsmasq-blacklist.service && echo -n "6, " |
[ -e /lib/systemd/system/dnsmasq-whitelist.service ] && rm /lib/systemd/system/dnsmasq-whitelist.service && echo -n "7, " |
[ -e /lib/systemd/system/dnsmasq-blackhole.service ] && rm /lib/systemd/system/dnsmasq-blackhole.service && echo -n "8" |
else echo -n "uninstalled" |
fi |
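Review bot: The 146 hunk deletes `/lib/systemd/system/dnsmasq-blackhole.service` together with the blacklist and whitelist units, but no `systemctl daemon-reload` is visible afterwards, so systemd keeps the removed units loaded until something else reloads it; if the rest of the function (outside this hunk) does not already do this, add `systemctl daemon-reload` after the last `rm`. In the 16 hunk the new loop keeps the `systemctl disable $i.service && systemctl stop $i.service` chain, so a service that is already disabled or not enabled leaves its daemon running; `systemctl disable $i.service; systemctl stop $i.service` as separate statements (or `disable --now` where supported) would stop it regardless. The numbered-progress echo in the 139 hunk is fine as is.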