WebSVN – ALCASAR – Path Comparison – /

Ignore whitespace Rev 1703 → Rev 1704

 /alcasar.sh
 ,7 → 1402,7
                 [ -e /lib/systemd/system/ulogd-$log_type.service ] || cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
                 [ -e /var/log/firewall/$log_type.log ] || echo "" > /var/log/firewall/$log_type.log
                 cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
-                $SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
+                $SED "s?^group=.*?group=$nl?g" /etc/ulogd-$log_type.conf
                 if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
                 cat << EOF >> /etc/ulogd-$log_type.conf
 [emu1]
 ,9 → 1980,6
         chown -R root:apache $DIR_DEST_ETC/*
         chmod -R 660 $DIR_DEST_ETC/*
         chmod ug+x $DIR_DEST_ETC/digest
-# Apply and save the firewall rules
-        sh $DIR_DEST_BIN/alcasar-iptables.sh
-        sleep 2
         cd $DIR_INSTALL
         echo ""
         echo "#############################################################################"

 /conf/ulogd-sample.conf
 ,7 → 26,7
 # 1. load the plugins _first_ from the global section
 # 2. options for each plugin in seperate section below
-plugin="/usr/lib64/ulogd/ulogd_inppkt_ULOG.so"
+plugin="/usr/lib64/ulogd/ulogd_inppkt_NFLOG.so"
 plugin="/usr/lib64/ulogd/ulogd_filter_IFINDEX.so"
 plugin="/usr/lib64/ulogd/ulogd_filter_IP2STR.so"
 plugin="/usr/lib64/ulogd/ulogd_filter_PRINTPKT.so"
 ,7 → 35,7
 plugin="/usr/lib64/ulogd/ulogd_raw2packet_BASE.so"
 # this is a stack for ULOG packet-based logging via LOGEMU
-stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+stack=log1:NFLOG,base1:BASE,ifil:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
-[ulog1]
-nlgroup=CHANGEVALUE
+[log1]
+group=CHANGEVALUE

 /scripts/alcasar-iptables.sh
 ,12 → 150,12
 # Marquage (et journalisation) des paquets qui tentent d'accéder directement au 8080 (DansGuardian) pour pouvoir les rejeter en INPUT
 # mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j NFLOG --nfog-prefix "RULE direct-proxy -- DENY "
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 # Marquage (et journalisation) des paquets qui tentent d'accéder directement au port 8090 (tinyproxy) pour pouvoir les rejeter en INPUT
 # Mark (and log) the 8090 direct attempts to REJECT them in INPUT rules
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8090 -j NFLOG --nflog-prefix "RULE direct-proxy -- DENY "
 $IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8090 -j MARK --set-mark 2
 # Marquage des paquets qui tentent d'accéder directement au port udp 54 (DNS-blacklist) pour pouvoir les rejeter en INPUT
 ,7 → 180,7
 # Journalisation HTTP_Internet des usagers 'havp_bl' (paquets SYN uniquement). Les autres protocoles sont journalisés en FORWARD par netflow.
 # Log Internet HTTP of 'havp_bl' users" (only syn packets). Other protocols are logged in FORWARD by netflow
-$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set havp_bl_set src ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_http -- ACCEPT "
 # Redirection HTTP des usagers 'havp_bl' cherchant à joindre les IP de la blacklist vers ALCASAR (page 'accès interdit')
 # Redirect HTTP of 'havp_bl' users who want blacklist IP to ALCASAR ('access denied' page)
 ,9 → 289,9
 # SSHD rules if activate
 if [ $SSH = on ]
         then
-        $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
+        $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-LAN -- ACCEPT"
         $IPTABLES -A INPUT -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
-        $IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
+        $IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j NFLOG --nflog-nlgroup 2 --nflog-prefix "RULE ssh-from-WAN -- ACCEPT"
         $IPTABLES -A INPUT -i $EXTIF -s $SSH_ADMIN_FROM -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW -j ACCEPT
 fi
 ,18 → 303,18
 # Journalisation et rejet des connexions (autres que celles autorisées) effectuées depuis le LAN
 # Deny and log on INPUT from the LAN
-$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j ULOG --ulog-prefix "RULE rej-int -- REJECT "
+$IPTABLES -A INPUT -i $TUNIF -m state --state NEW -j NFLOG --nflog-prefix "RULE rej-int -- REJECT "
 $IPTABLES -A INPUT -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
 $IPTABLES -A INPUT -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
 # Interdiction d'accès à INTIF (n'est utile que lorsque chilli est arrêté).
 # Reject INTIF access (only when chilli is down)
-$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT "
+$IPTABLES -A INPUT -i $INTIF -j NFLOG --nflog-prefix "RULE Protect1 -- REJECT "
 $IPTABLES -A INPUT -i $INTIF -j REJECT
 # Journalisation et rejet des connexions initiées depuis le réseau extérieur (test des effets du paramètre --limit en cours)
 # On EXTIF, the access attempts are log in channel 2 (we should test --limit option to avoid deny of service)
-$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j ULOG --ulog-nlgroup 3 --ulog-qthreshold 10 --ulog-prefix "RULE rej-ext -- DROP"
+$IPTABLES -A INPUT -i $EXTIF -m state --state NEW -j NFLOG --nflog-nlgroup 3 --nflog-qthreshold 10 --nflog-prefix "RULE rej-ext -- DROP"
 #############################
 #        FORWARD            #
 ,7 → 343,7
                 while read ip_allowed_line
                 do
                         ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
-                        $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
+                        $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NFLOG --nflog-prefix "RULE IP-allowed -- ACCEPT "
                         $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
                         $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
                 done < /usr/local/etc/alcasar-uamallowed
 ,7 → 350,7
         fi
         # Autorisation du HTTP et des protocoles non commentés
         # Allow HTTP and non comment protocols
-        $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
+        $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
         $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j NETFLOW
         $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport http -m state --state NEW -j ACCEPT
         while read svc_line
 ,10 → 366,10
                                 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
                         else
-                                $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
+                                $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
                                 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
                                 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
-                                $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
+                                $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NFLOG --nflog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
                                 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
                                 $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
                         fi
 ,7 → 377,7
         done < /usr/local/etc/alcasar-services
         # Rejet explicite des autres protocoles
         # reject the others protocols
-        $IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
+        $IPTABLES -A FORWARD -i $TUNIF -j NFLOG --nflog-prefix "RULE F_filter -- REJECT "
         $IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
         $IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
         $IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT

Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1703 → Rev 1704