BlueGreycalmElegant

Català-Valencià – Catalan中文 – Chinese (Simplified)中文 – Chinese (Traditional)Česky – CzechDansk – DanishNederlands – DutchEnglish – EnglishSuomi – FinnishFrançais – FrenchDeutsch – Germanעברית – Hebrewहिंदी – HindiMagyar – HungarianBahasa Indonesia – IndonesianItaliano – Italian日本語 – Japanese한국어 – KoreanМакедонски – Macedonianमराठी – MarathiNorsk – NorwegianPolski – PolishPortuguês – PortuguesePortuguês – Portuguese (Brazil)Русский – RussianSlovenčina – SlovakSlovenščina – SlovenianEspañol – SpanishSvenska – SwedishTürkçe – TurkishУкраїнська – UkrainianOëzbekcha – Uzbek

Compare Revisions

• This comparison shows the changes necessary to convert path

  → / @ 1485

  → / @ 1486

  ↔ Reverse comparison

• Compare Path:	Rev

  With Path:	Rev

Ignore whitespace Rev 1485 → Rev 1486

/alcasar.sh
1222,7 → 1222,7
groupdel havp 2>/dev/null
fi
groupadd -f havp
useradd -r -g havp -s /bin/false -c "system user for havp" havp
useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
[ -e /etc/havp/havp.config.default ] || cp /etc/havp/havp.config /etc/havp/havp.config.default
1258,12 → 1258,31
/usr/bin/freshclam --no-warnings
} # End of antivirus ()
##################################################################
## Fonction "antivirus" ##
## - configuration of havp, libclamav and freshclam ##
##################################################################
##########################################################################
## Fonction "tinyproxy" ##
## - configuration of tinyproxy (proxy between filterde users and havp) ##
##########################################################################
tinyproxy ()
{
tinyproxy_exist=`grep tinyproxy /etc/passwd|wc -l`
if [ "$tinyproxy_exist" == "1" ]
then
userdel -r tinyproxy 2>/dev/null
groupdel tinyproxy 2>/dev/null
fi
groupadd -f tinyproxy
useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" havp
mkdir -p /var/log/tinyproxy /var/run/tinyproxy
chown -R tinyproxy:tinyproxy /var/log/tinyproxy /var/run/tinyproxy
[ -e /etc/tinyproxy/tinyproxy.conf.default ] || cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
$SED "s?^#LogFile.*?LogFile /var/log/tinyproxy/tinyproxy.log?g" /etc/tinyproxy/tinyproxy.conf
$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
} # end of tinyproxy
##################################################################################
1794,7 → 1813,7
WantedBy=multi-user.target
EOF
# processes launched at boot time (SYSV)
for i in havp
for i in havp tinyproxy
do
/sbin/chkconfig --add $i
done
2011,7 → 2030,7
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
mode="update"
fi
for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus ulogd nfsen dnsmasq BL cron fail2ban gammu_smsd post_install
for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen dnsmasq BL cron fail2ban gammu_smsd post_install
do
$func
# echo "*** 'debug' : end of function $func ***"; read a

/scripts/alcasar-iptables.sh
143,31 → 143,27
# Mark packets that attempt to directly access a server without authentication with proxy client to reject them in INPUT rules
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp -m tcp --dport 80 -m string --string 'GET http' --algo bm --from 50 --to 70 -j MARK --set-mark 10
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
# Marquage des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT
# Mark the udp 54 direct attempts (DNS-blacklist) to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 2
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 54 -j MARK --set-mark 3
# Marquage des paquets qui tentent d'accéder directement au port udp 55 (DNS-Whitelist) pour pouvoir les rejeter en INPUT
# Mark the udp 55 direct attempts (DNS-whitelist) to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 3
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 55 -j MARK --set-mark 4
# Marquage des paquets qui tentent d'accéder directement au port udp 56 (DNS-Blackhole) pour pouvoir les rejeter en INPUT
# Mark the udp 56 direct attempts (DNS-blackhole) to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 4
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp --dport 56 -j MARK --set-mark 5
# Marquage des paquets qui tentent d'accéder directement au port 8090 (HAVP) pour pouvoir les rejeter en INPUT
# Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 5
# Marquage des paquets qui tentent d'accéder directement au port 8091 pour pouvoir les rejeter en INPUT
# Mark (and log) the 8091 direct attempts to REJECT them in INPUT rules
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8091 -j MARK --set-mark 6
# havp_bl_set --> redirection vers le port 54
# havp_bl_set --> redirect to port 54
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
176,11 → 172,11
# havp_wl_set --> redirect to port 55
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 55
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit') pour le set havp_bl_set
# Redirect outbound HTTP requests from blacklist IP to ALCASAR ('access denied' page) for the set havp_bl_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
# Bloquage des requêtes HTTP vers les IP qui ne sont pas dans la WL. Redirection vers ALCASAR : page 'accès interdit'
# Resirection des requêtes HTTP vers les IP qui ne sont pas dans la WL. Redirection vers ALCASAR : page 'accès interdit'
# Redirect outbound HTTP requests to IP which are not in the WL. Redirection to ALCASAR : 'access denied' paae
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src -m set ! --match-set whitelist_ip_allowed dst -p tcp --dport http -j REDIRECT --to-port 80
188,16 → 184,12
# Log HTTP requests to Internet of "BL users" (only syn packets) - Other protocols are logged in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
# Redirection des requêtes HTTP sortantes des usagers "BL" vers DansGuardian (proxy transparent)
# Redirection des requêtes HTTP sortantes des usagers "BL+antivirus" vers DansGuardian
# Redirect outbound HTTP requests of "BL" users to DansGuardian (transparent proxy)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
# Redirection des requêtes HTTP sortantes vers HAVP (8091) pour le set havp_set
# Redirect outbound HTTP requests to HAVP (8091) for the set havp_set
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8091
# Redirection des requêtes HTTP sortantes vers HAVP pour le set havp_wl_set
# Redirect outbound HTTP requests to HAVP for the set havp_wl_set
# Redirection des requêtes HTTP sortantes des usager "WL+antivirus" vers Tinyproxy
# Redirect outbound HTTP requests for "WL-antivirus" users to Tinyproxy
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_wl_set src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090
# Redirection des requêtes NTP vers le serveur NTP local
225,16 → 217,12
# Drop broadcast & multicast on EXTIF to avoid log
$IPTABLES -A INPUT -i $EXTIF -m addrtype --dst-type BROADCAST,MULTICAST -j DROP
# On rejette les trames marquées dans PREROUTING MANGLE sur marqueur HTTP/header mark 3
# Tagged frames are discarded in PREROUTING MANGLE over HTTP/header marker mark 3
#$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m mark --mark 10 -j REJECT --reject-with tcp-reset
# On autorise les retours de connexions légitimes par INPUT
# Conntrack on INPUT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING)
# Deny direct connections on DansGuardian port (8080). The concerned paquets have been marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
# Autorisation des connexions légitimes à DansGuardian
241,34 → 229,26
# Allow connections for DansGuardian
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8080 -m state --state NEW --syn -j ACCEPT
# On interdit les connexions directes au port utilisé par tinyproxy (8090). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on tinyproxy port (8090). The concerned paquets have been marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 2 -j REJECT --reject-with tcp-reset
# Autorisation des connexions légitimes vers tinyproxy
# Allow connections to tinyproxy
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m state --state NEW --syn -j ACCEPT
# On interdit les connexions directes au port UDP 54 (DNS-blacklist). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on UDP 54 (DNS-blacklist). The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 2 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 54 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable
# On interdit les connexions directes au port UDP 55 (DNS-whitelist). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on UDP 55 (DNS-whitelist). The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 3 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 55 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable
# On interdit les connexions directes au port UDP 56 (DNS-Blackhole). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on UDP 56 (DNS-blackhole). The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 4 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 56 -m mark --mark 5 -j REJECT --reject-with icmp-port-unreachable
# On interdit les connexions directes au port 8090. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on 8090. The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8090 -m mark --mark 5 -j REJECT --reject-with tcp-reset
# On interdit les connexions directes au port 8091. Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on 8091. The concerned paquets are marked in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8091 -m mark --mark 6 -j REJECT --reject-with tcp-reset
# Autorisation des connexions légitimes à HAVP
# Allow connections for HAVP
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8090 -m state --state NEW --syn -j ACCEPT
# Autorisation des connexions légitimes à HAVP
# Allow connections for HAVP
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport 8091 -m state --state NEW --syn -j ACCEPT
# autorisation des connexion légitime à DNSMASQ (avec blacklist)
# Allow connections for DNSMASQ (with blacklist)
$IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport 54 -j ACCEPT

/scripts/sbin/alcasar-uninstall.sh
20,7 → 20,7
do
[ -e /etc/init.d/$i ] && /sbin/chkconfig --del $i && /etc/init.d/$i stop && killall $i 2>/dev/null
done
for i in alcasar-load_balancing nfsen mysqld ntpd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability dansguardian httpd radiusd freshclam dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole dhcpd chilli
for i in alcasar-load_balancing nfsen mysqld ntpd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability tinyproxy dansguardian httpd radiusd freshclam dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole dhcpd chilli
do
[ -e /lib/systemd/system/$i.service ] && systemctl disable $i.service && systemctl stop $i.service 1>/dev/null
done
107,20 → 107,30
sleep 1
#antivirus
echo -en "\n- antivirus(6) : "
echo -en "\n- antivirus(4) : "
if [ -e /etc/init.d/havp ]
then
[ -e /etc/havp/havp.config.default ] && mv /etc/havp/havp.config.default /etc/havp/havp.config && echo -n "1, "
[ -e /etc/havp/havp2.config ] && rm -f /etc/havp/havp2.config && echo -n "2, "
userdel -r havp 2>/dev/null && echo -n "3, "
userdel -r havp 2>/dev/null && echo -n "2, "
[ `grep havp /etc/fstab|wc -l` -ne "0" ] && $SED "/havp/d" /etc/fstab # anciennes versions (mémoire tampon sur disque)
[ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "4, "
[ -e /etc/init.d/havp2 ] && rm -f /etc/init.d/havp2 && echo -n "5, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "6"
[ -e /etc/init.d/havp.default ] && mv /etc/init.d/havp.default /etc/init.d/havp && echo -n "3, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "4"
else echo -n "uninstalled"
fi
sleep 1
#tinyproxy
echo -en "\n- tinyproxy(2) : "
if [ -e /etc/init.d/tinyproxy ]
then
[ -e /etc/tinyproxy/tinyproxy.conf.default ] && mv /etc/tinyproxy/tinyproxy.conf.default /etc/tinyproxy.conf && echo -n "1, "
userdel -r tinyproxy 2>/dev/null && echo -n "2, "
else echo -n "uninstalled"
fi
sleep 1
#param_ulogd
echo -en "\n- ulogd(6) : "
i=0