/scripts/alcasar-conup.sh |
13,7 → 13,7 |
#do |
# echo "$i : ${!i}" >> /tmp/debug-conup.txt |
#done |
ipset del user_not_connected_yet $FRAMED_IP_ADDRESS |
# Add user to the SET (function of his filtering level) |
case $FILTER_ID in |
# HAVP |
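Review bot: `ipset del user_not_connected_yet $FRAMED_IP_ADDRESS` returns a non-zero status whenever the address is not currently in the set (in this change only /web/index.php adds entries, so a client authorised without loading the portal page is never in it), and the variable is unquoted; `ipset -exist del user_not_connected_yet "$FRAMED_IP_ADDRESS"` makes the removal idempotent. Whether a failing status here aborts the script depends on options set earlier in the file, outside the hunk. The same applies to the `ipset del user_not_connected_yet $noresponse_ip` line added in /scripts/alcasar-watchdog.sh. The `case $FILTER_ID in` on the last line of the hunk continues outside it.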
/scripts/alcasar-iptables.sh |
62,6 → 62,8 |
ipset save havp_set >> $TMP_users_set_save |
ipset save havp_bl_set >> $TMP_users_set_save |
ipset save havp_wl_set >> $TMP_users_set_save |
ipset save user_not_connected_yet >> $TMP_users_set_save |
ipset save ipset_users >> $TMP_users_set_save |
fi |
# loading of NetFlow probe (ipt_NETFLOW kernel module) |
137,6 → 139,15 |
ipset create havp_set hash:net hashsize 1024 |
ipset create havp_bl_set hash:net hashsize 1024 |
ipset create havp_wl_set hash:net hashsize 1024 |
#utilisé pour l'interception des utilisateurs non authentifiés au réseau |
#used for intercepting users not connected to the network |
ipset create user_not_connected_yet hash:net hashsize 1024 |
ipset create ipset_users_list list:set |
ipset add ipset_users_list havp_set |
ipset add ipset_users_list havp_wl_set |
ipset add ipset_users_list havp_bl_set |
ipset add ipset_users_list no_filtering_set |
ipset add ipset_users_list user_not_connected_yet |
fi |
############################# |
201,6 → 212,11 |
# Redirect NTP request in local NTP server |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123 |
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole |
# Redirect users not connected DNS requests in DNS-Blackhole |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56 |
############################# |
# INPUT # |
############################# |
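Review bot: Adding `user_not_connected_yet` to `ipset_users_list` exempts every source in that set from the two new DNS-blackhole PREROUTING rules (`! --match-set ipset_users_list src ... --to-port 56`), and the set is created without a `timeout`, so an entry persists until something explicitly deletes it. In this change entries are added from /web/index.php on every unauthenticated hit and removed only on login (alcasar-conup.sh) or when the watchdog's arping gets no reply, so an unauthenticated client that stays reachable keeps the exemption indefinitely; if that is not intended, give the set a default entry lifetime, e.g. `ipset create user_not_connected_yet hash:net hashsize 1024 timeout 600` (value to be chosen), so membership expires on its own. What such a client can reach beyond the local resolver is decided by FORWARD/INPUT rules outside these hunks. The `fi` that closes the set-creation block belongs to an `if` whose start is outside the hunk.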
/scripts/alcasar-watchdog.sh |
114,6 → 114,8 |
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip|grep "Unicast reply"|wc -l` |
if [[ $(expr $arp_reply) -eq 0 ]] |
then |
#on vide les ip inactifs de l'ipset user_not_connected_yet |
ipset del user_not_connected_yet $noresponse_ip |
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user ($noresponse_user)." |
/usr/sbin/chilli_query logout $noresponse_mac |
if [[ $noresponse_user == $noresponse_mac ]] # for @mac auth equipments, we must remove the arp entry |
136,8 → 138,9 |
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l` |
# store @IP of quiet equipments |
if [[ $(expr $arp_reply) -eq 0 ]] |
then |
then |
echo "$active_ip $active_mac $active_user" >> $tmp_file |
fi |
# disconnect users whose equipement is usurped (@MAC) |
if [[ $(expr $arp_reply) -gt 2 ]] |
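Review bot: In the hunk at 136,8 the new side shows `then` on two consecutive lines directly after `if [[ $(expr $arp_reply) -eq 0 ]]`; with the hunk counted as one added line and nothing else duplicated, that reads as a duplicated keyword, which bash rejects with a syntax error when the script is parsed — please confirm against the raw diff, since the rendered view could also be an old/new pair of a whitespace-only change. The new comment in the 114,6 hunk, `#on vide les ip inactifs de l'ipset user_not_connected_yet`, would fit the surrounding English comments better as `# purge inactive IPs from the user_not_connected_yet ipset`. Both hunks sit inside loops whose start and end are outside the visible lines.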
/web/acc/admin/bl_filter.php |
61,6 → 61,28 |
echo $resultat[$i]."\n"; |
} |
} |
#maximum length for top-level DNS |
function max_tld() |
{ |
$url_tld = "http://data.iana.org/TLD/tlds-alpha-by-domain.txt"; |
$result_tld = file_get_contents($url_tld,false); |
$max_tld = 18; #valeur de base si le site ne répond plus |
if($result_tld !== FALSE){ |
foreach(explode("\n", $result_tld) as $line) |
{ |
if((strpos($line,'-') === false) and (strpos($line,'#') === false)) |
{ |
if(strlen($line) > $max_tld) |
{ |
$max_tld = strlen($line); |
} |
} |
} |
} |
return $max_tld; |
} |
# Choice of language |
$Language = 'en'; |
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){ |
204,8 → 226,7 |
unlink ("$dir_tmp/blacklists.tar.gz"); unlink ("$dir_tmp/md5sum"); |
break; |
case 'MAJ_cat_bl' : |
$tab=file($bl_categories_enabled); |
if ($tab) |
if (file_exists($bl_categories_enabled)) |
{ |
$pointeur=fopen($bl_categories_enabled, "w+"); |
foreach ($_POST as $key => $value) |
277,9 → 298,11 |
# On adapte le fichier à la sauvegarde du set |
exec("sed -i \"s/^/add blacklist_ip_blocked /g\" $upload_dir_ip\ossi-$nom"); |
# On extrait uniquement les noms de domaine |
exec("grep -Eo '([a-zA-Z0-9_-]+\.){1,2}[a-zA-Z]{2,3}' $upload_dir_ip$nom > $upload_dir_domain_names\ossi-domain_names"); |
# max_tld() retourne le nombre max de charactere pour un top-level dns |
exec("grep -Eo '([a-zA-Z0-9_-]+\.){1,2}[a-zA-Z]{2,".max_tld()."}' $upload_dir_ip$nom > $upload_dir_domain_names\ossi-domain_names"); |
# Suppression des doublons |
exec("sort -u $upload_dir_domain_names\ossi-domain_names > $upload_dir_domain_names\ossi-$nom && rm -f $upload_dir_domain_names\ossi-domain_names"); |
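Review bot: `max_tld()` performs a blocking plain-HTTP `file_get_contents()` to data.iana.org on every call, with no timeout and no upper bound on the returned value, and that value is spliced into the `grep -E` repetition `{2,N}` in the upload handler, so a slow or unreachable host stalls the admin request for the default socket timeout and an oversized line in the response produces an unbounded quantifier. Bounding both takes three lines: `$ctx = stream_context_create(['http' => ['timeout' => 5]]);`, `$result_tld = file_get_contents($url_tld, false, $ctx);` and `return min($max_tld, 63);` (63 being the maximum DNS label length). The rewritten grep line still interpolates `$nom` unquoted into the shell command, as the old line did; if it derives from an uploaded file name it should pass through `escapeshellarg()`. The new `if (file_exists($bl_categories_enabled))` in the MAJ_cat_bl case (and the identical change in /web/acc/admin/wl_filter.php) no longer guards against an unreadable or unwritable file, so the `fopen(..., "w+")` result should be checked before the writes that follow outside the hunk.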
/web/acc/admin/wl_filter.php |
114,8 → 114,7 |
switch ($choix) |
{ |
case 'MAJ_cat_wl' : |
$tab=file($wl_categories_enabled); |
if ($tab) |
if (file_exists($wl_categories_enabled)) |
{ |
$pointeur=fopen($wl_categories_enabled, "w+"); |
foreach ($_POST as $key => $value) |
/web/index.php |
54,12 → 54,15 |
$connection_history = ""; |
$nb_connection_history = 3; |
# Obtenir l'état de connexion de l'utilisateur. 1 si connecté sinon 0. |
exec ("sudo /usr/sbin/chilli_query list|grep $remote_ip" , $tab); |
$user = explode (" ", $tab[0]); |
# on discrimine les accès directs sur Alcasar par rapport aux redirections (blacklist ou pannes rso) |
if (($_SERVER['HTTP_HOST'] == $_SERVER['SERVER_ADDR']) || preg_match ("/^alcasar$/", $_SERVER['HTTP_HOST']) || preg_match ("/^$hostname$/", $_SERVER['HTTP_HOST']) || preg_match ("/^$organisme$/", $_SERVER['HTTP_HOST'])) |
{ |
$direct_access=True; |
exec ("sudo /usr/sbin/chilli_query list|grep $remote_ip" , $tab); |
$user = explode (" ", $tab[0]); |
} |
#### Affichage des 3 dernières connexions de $user[5] |
function secondsToDuration($seconds = null){ |
98,6 → 101,20 |
} |
} |
} |
else |
{ |
# cas où l'utilisateur non-loggué décide de joindre une page HTTP ou HTTPS ou alcasar (on va l'intercepter en le redirigeant sur index.php afin qu'il puisse se logguer) |
# on place l'utilisateur dans un ipset user_not_connected pour ne pas boucler |
# si il ne joint pas ALCASAR, on le redirige vers celui ci |
exec("sudo /usr/sbin/ipset add user_not_connected_yet $remote_ip"); |
if(!$direct_access) |
{ |
header("Location: http://alcasar"); |
exit; |
} |
} |
#### |
# Choice of language |
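Review bot: `exec("sudo /usr/sbin/ipset add user_not_connected_yet $remote_ip");` runs a root command with `$remote_ip` interpolated unquoted on every request from an unauthenticated client; if `$remote_ip` comes from `$_SERVER['REMOTE_ADDR']` (its origin is outside the hunk) the value is an address and cannot inject, but the line should still read `exec("sudo /usr/sbin/ipset -exist add user_not_connected_yet " . escapeshellarg($remote_ip));` — `escapeshellarg()` removes the dependency on where the value comes from, and `-exist` keeps repeated hits from failing. The same unquoted interpolation is present in the moved `chilli_query list|grep $remote_ip` line of the 54,12 hunk. Moving that `exec`/`explode` pair inside the `if` branch leaves `$tab` and `$user` unset when `$direct_access` is false, so any later use of `$user[5]` (the `#### Affichage ...` comment refers to it) must only be reached on the direct-access path — worth confirming, since that code is outside the hunk. Likewise `if(!$direct_access)` relies on `$direct_access` being initialised to false before the direct-access test, which is not visible here.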