
Ignore whitespace Rev 869 → Rev 870

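--- a/web/acc/admin/net_filter.php
+++ b/web/acc/admin/net_filter.php
@@ -151,7 +151,11 @@
 foreach ($tab as $line) // test if IP address doesn't already exist
 {
 $IP_f=explode(" ", $line);
-if (trim($_POST['add_ip']) == trim(trim($IP_f[0],"#"))) {$insert = false;}
+if (strcmp (trim($_POST['add_ip']),trim(trim($IP_f[0],"#"))) == 0)
+{
+$insert = false;
+break;
+}
 }
 }
 if ($insert == true)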
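Review bot: The new strcmp() branch still hands `$_POST['add_ip']` to trim() without checking that it is a string, so a request carrying `add_ip[]=x` makes trim() warn and return null (or throw a TypeError on PHP 8), and the duplicate test then compares against an empty string instead of rejecting the request. Read the value once, above the foreach that this hunk sits inside, with something like `$new_ip = (isset($_POST['add_ip']) && is_string($_POST['add_ip'])) ? trim($_POST['add_ip']) : '';` and compare `$new_ip` in the loop, so the same normalised value is what the later `if ($insert == true)` branch writes out. Note that strcmp() is an exact, case-sensitive match, which is fine for IP addresses but means the check only catches byte-identical duplicates; nothing visible in this hunk validates that the value is an IP or network at all, so that presumably happens elsewhere or not at all. The enclosing `if ($tab)` block and the function or case around it begin above the hunk.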
/web/acc/admin/auth_exceptions.php
7,133 → 7,293
</HEAD>
<body>
<?
$mac_allowed_list="/usr/local/etc/alcasar-macallowed";
/********************
* TEST CONF FILES *
*********************/
define ("DOMAIN_ALLOWED_LIST", "/usr/local/etc/alcasar-uamdomain");
define ("IP_ALLOWED_LIST", "/usr/local/etc/alcasar-uamallowed");
$conf_files=array(DOMAIN_ALLOWED_LIST,IP_ALLOWED_LIST);
foreach ($conf_files as $file){
if (!file_exists($file)){
exit("Requested file ".$file." isn't present");}
if (!is_readable($file)){
exit("Can't read the file ".$file);}
}
$domain_allowed_list="/usr/local/etc/alcasar-uamdomain";
$url_allowed_list="/usr/local/etc/alcasar-uamallowed";
# Choice of language
$Language = 'en';
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$Language = strtolower(substr(chop($Langue[0]),0,2)); }
$Langue = explode(",",$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$Language = strtolower(substr(chop($Langue[0]),0,2)); }
if($Language == 'fr'){
$l_error_open_file = "Erreur d'ouverture du fichier";
$l_trusted_sites = "Noms de domaine et adresses IP Internet de confiance";
$l_trusted_sites_explain1 = "Entrez ici les noms de domaine ou les adresses IP situés sur Internet pouvant &ecirc;tre joints sans authentification";
$l_trusted_sites_explain2 = "Entrez un nom de domaine ou une adresse IP par ligne";
$l_trusted_sites_list = "Liste des noms de domaine de confiance";
$l_trusted_urls_list = "Liste d'adresses IP ou d'adresses de réseau de confiance";
$l_submit = "Enregistrer";
$l_error_open_file = "Erreur d'ouverture du fichier";
$l_trusted_domain = "Noms de domaine Internet de confiance";
$l_domain = "Noms de domaine";
$l_comment_explain = "Lien de la page d'interception";
$l_comment_explain2 = "Laissez vide si non affiché";
$l_remove = "Retirer de la liste";
$l_trusted_ip = "adresses IP de confiance";
$l_comment = "Commentaires";
$l_trusted_domain_explain = "Gérez ici les noms de domaine Internet pouvant &ecirc;tre joints sans authentification";
$l_trusted_ip_explain = "Gérez ici les adresses IP de systèmes ou de réseaux pouvant être joints sans authentification";
$l_submit = "Enregistrer";
$l_add_to_list = "Ajouter à la liste";
$l_apply = "Appliquer les changements";
}
else {
$l_error_open_file = "File open error";
$l_trusted_sites = "Trusted Internet domain names and IP addresses";
$l_trusted_sites_explain1 = "Enter domain names or IP addresses situated on Internet that could be joined without authentication";
$l_trusted_sites_explain2 = "Enter one domain name ou one IP address per line";
$l_trusted_sites_list = "Trusted Internet domain names list";
$l_trusted_urls_list = "Trusted IP addresses or networks addresses list";
$l_submit = "Submit";
$l_error_open_file = "File open error";
$l_trusted_domain = "Trusted Internet domain names";
$l_domain = "Domain names";
$l_comment_explain = "Link showed in intercep page";
$l_comment_explain2 = "Let empty for no link";
$l_remove = "Remove from list";
$l_trusted_ip = "Trusted Internet domain and IP addresses";
$l_comment = "Comments";
$l_trusted_domain_explain = "Manage Internet domain names that can be joined without authentication";
$l_trusted_ip_explain = "Manage systems or networks IP addresses that can be joined without authentication";
$l_submit = "Submit";
$l_add_to_list = "Add to list";
$l_apply = "Apply changes";
}
if (isset($_POST['choix'])){
switch ($_POST['choix'])
{
case 'MAJ_UAMALLOWED' :
$tab_domains = explode ("\n", $_POST['trusted_domains']);
$fichier=fopen($domain_allowed_list,"w+");
foreach ($tab_domains as $domain ){
$tr_domain=trim($domain);
if ($tr_domain != ""){
fputs ($fichier, "uamdomain=\"".$tr_domain."\"\n");}
}
fclose($fichier);
unset($_POST['trusted_domains']);
$tab_urls = explode ("\n", $_POST['trusted_urls']);
$fichier=fopen($url_allowed_list,"w+");
foreach ($tab_urls as $url ){
$tr_url=trim($url);
if ($tr_url != ""){
fputs ($fichier, "uamallowed=\"".$tr_url."\"\n");}
case 'new_uamdomain' :
if (trim($_POST['add_uamdomain']) != "")
{
$tab=file(DOMAIN_ALLOWED_LIST);
$insert = true;
if ($tab) // file isn't empty
{
foreach ($tab as $line) // test if domain address doesn't already exist
{
$domain=explode("\"", $line);
if (strcmp(trim($_POST['add_uamdomain']),$domain[1]) == 0)
{
$insert = false;
break;
}
}
}
fclose($fichier);
unset($_POST['trusted_urls']);
exec ("sudo service chilli restart");
unset ($_POST['choix']);
break;
}
if ($insert == true)
{
$line ="\nuamdomain=\"" . trim($_POST['add_uamdomain']) . "\" #" . trim($_POST['add_domain_comment']);
$pointeur=fopen(DOMAIN_ALLOWED_LIST,"a");
fwrite ($pointeur, $line);
fclose ($pointeur);
exec ("sudo /usr/local/bin/alcasar-file-clean.sh");
exec ("sudo service chilli restart");
}
}
break;
case 'change_uamdomain' :
$tab=file(DOMAIN_ALLOWED_LIST);
if ($tab)
{
$pointeur=fopen(DOMAIN_ALLOWED_LIST,"w+");
foreach ($tab as $ligne)
{
$uamdomain1=explode("\"", $ligne);
$remove_line = false;
foreach ($_POST as $key => $value)
{
$key = str_replace ("_",".",$key); // dot are replace by '_' in post request
if (strstr($key,'del-'))
{
$uamdomain2 = str_replace('del-','',$key);
if (strcmp($uamdomain1[1],$uamdomain2) == 0)
{
$remove_line = True;
break;
}
}
}
if (! $remove_line)
{
fwrite($pointeur,$ligne);
}
}
fclose($pointeur);
}
exec ("sudo service chilli restart");
break;
case 'new_ip' :
if (trim($_POST['add_ip']) != "")
{
$tab=file(IP_ALLOWED_LIST);
$insert = true;
if ($tab) // file isn't empty
{
foreach ($tab as $line) // test if domain address doesn't already exist
{
$ip=explode("\"", $line);
if (strcmp(trim($_POST['add_ip']),$ip[1]) == 0)
{
$insert = false;
break;
}
}
}
if ($insert == true)
{
$line ="\nuamallowed=\"" . trim($_POST['add_ip']) ."\" #" . trim($_POST['add_ip_comment']);
$pointeur=fopen(IP_ALLOWED_LIST,"a");
fwrite ($pointeur, $line);
fclose ($pointeur);
exec ("sudo /usr/local/bin/alcasar-file-clean.sh");
exec ("sudo service chilli restart");
}
}
break;
case 'change_ip' :
$tab=file(IP_ALLOWED_LIST);
if ($tab)
{
$pointeur=fopen(IP_ALLOWED_LIST,"w+");
foreach ($tab as $ligne)
{
$ip1=explode("\"", $ligne);
$remove_line = false;
foreach ($_POST as $key => $value)
{
$key = str_replace ("_",".",$key); // dot are replace by '_' in post request
if (strstr($key,'del-'))
{
$ip2 = str_replace('del-','',$key);
if (strcmp($ip1[1],$ip2) == 0)
{
$remove_line = True;
break;
}
}
}
if (! $remove_line)
{
fwrite($pointeur,$ligne);
}
}
fclose($pointeur);
}
exec ("sudo service chilli restart");
break;
}
}
?>
<TABLE width="100%" border=0 cellspacing=0 cellpadding=0>
<tr><th><?echo "$l_trusted_domain";?></th></tr>
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr>
</table>
<table width="100%" border=1 cellspacing=0 cellpadding=1>
<tr><td colspan=2 align="center">
<?
echo "$l_trusted_domain_explain</td></tr>";
echo "<tr><td align='center' valign='middle'>";
echo "<table cellspacing=2 cellpadding=2 border=1>";
echo "<FORM action='$_SERVER[PHP_SELF]' method='POST'>";
echo "<tr><th>$l_domain<th>$l_comment_explain<th>$l_remove</tr>";
// Read the "Domain alowed" file
$tab=file(DOMAIN_ALLOWED_LIST);
if ($tab) # the file isn't empty
{
foreach ($tab as $line)
{
if (trim($line) != '') # the line isn't empty
{
$domain_allowed=explode("#", $line);
$uamdomain=trim($domain_allowed[0],"#");
$domain=explode("\"", $uamdomain);
echo "<tr><td>$domain[1]";
echo "<td>";
if (isset ($domain_allowed[1])) {
echo trim($domain_allowed[1]);}
else echo "&nbsp";
echo "<td>";
echo "<input type='checkbox' name='del-$domain[1]'>";
echo "</tr>";
}
}
}
echo "</table>";
if ($tab)
{
echo "<input type='hidden' name='choix' value='change_uamdomain'>";
echo "<input type='submit' value='$l_apply'>";
}
?>
</form>
</td><td valign='middle' align='center'>
<form action='<?echo"$_SERVER[PHP_SELF]"?>' method='POST'>
<table cellspacing=2 cellpadding=3 border=1>
<tr><th><?echo"$l_domain</th><th>$l_comment_explain";?>
<td></td></tr>
<tr><td>exemple1 : www.mydomain.com <br>exemple2 : .yourdomain.net</td>
<td>My domain<br><?echo"$l_comment_explain2";?></td></tr>
<tr><td><input type='text' name='add_uamdomain' size='20'></td>
<td><input type='text' name='add_domain_comment' size='15'></td>
<input type='hidden' name='choix' value='new_uamdomain'>
<td><input type='submit' value='<?echo"$l_add_to_list";?>'></td>
</tr></table>
</form>
</td></tr>
</table>
<TABLE width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><th><?php echo $l_trusted_sites ;?></th></tr>
<tr><th><?php echo $l_trusted_ip ;?></th></tr>
<tr bgcolor="#FFCC66"><td><img src="/images/pix.gif" width="1" height="2"></td></tr>
</TABLE>
<TABLE width="100%" border=0 cellspacing=0 cellpadding=1>
<tr bgcolor="#666666"><td>
<TABLE width="100%" border=0 cellspacing=0 cellpadding=2>
<tr><td valign="middle" align="left">
<center><?php
echo "$l_trusted_sites_explain1 <BR>";
echo "$l_trusted_sites_explain2" ;
echo "<FORM action='$_SERVER[PHP_SELF]' method='POST'>";?>
<TABLE cellspacing=2 cellpadding=3 border=1>
<tr><td width=50% height=100% align=center>
<H3><?php echo $l_trusted_sites_list ;?></H3>
exemple1 : www.domain1.org<BR>
exemple2 : domain2.net<BR>
<?php
echo "<textarea name='trusted_domains' rows=5 cols=40>";
$ouvre=fopen($domain_allowed_list,"r");
if ($ouvre)
{
while (!feof ($ouvre))
{
$tampon = fgets($ouvre, 4096);
$domain_list_l = substr($tampon,10);
$domain_list = trim ($domain_list_l,"\"\n\t ");
$tab_domains = explode (",", $domain_list);
foreach ($tab_domains as $domain ){
if ($domain) { echo $domain."\n";}
}
}
}
else {
echo "failed to open $domain_allowed_list";
}
fclose($ouvre);
echo "</textarea>";
?>
</td>
<td width=50% height=100% align=center>
<H3><?php echo $l_trusted_urls_list ;?></H3>
exemple1 : 192.168.0.10<BR>
exemple2 : 172.16.20.0/24<BR>
<?php
echo "<textarea name='trusted_urls' rows=5 cols=40>";
$ouvre=fopen($url_allowed_list,"r");
if ($ouvre)
{
while (!feof ($ouvre))
{
$tampon = fgets($ouvre, 4096);
$url_list_l = substr($tampon,11);
$url_list = trim ($url_list_l,"\"\n\t ");
$tab_urls = explode (",", $url_list);
foreach ($tab_urls as $url ){
if ($url) echo $url."\n";
}
}
}
else {
echo "failed to open $url_allowed_list";
}
fclose($ouvre);
echo "</textarea>";
?>
</td></tr>
</TABLE>
<input type='hidden' name='choix' value='MAJ_UAMALLOWED'>
<input type='submit' value='<?php echo $l_submit ;?>'>
</FORM>
</td></tr>
</TABLE>
</TABLE>
<table width="100%" border=1 cellspacing=0 cellpadding=1>
<tr><td colspan=2 align="center">
<?
echo "$l_trusted_ip_explain</td></tr>";
echo "<tr><td align='center' valign='middle'>";
echo "<table cellspacing=2 cellpadding=2 border=1>";
echo "<FORM action='$_SERVER[PHP_SELF]' method='POST'>";
echo "<tr><th>$l_trusted_ip<th>$l_comment<th>$l_remove</tr>";
// Read the "ip alowed" file
$tab=file(IP_ALLOWED_LIST);
if ($tab) # the file isn't empty
{
foreach ($tab as $line)
{
if (trim($line) != '') # the line isn't empty
{
$ip_allowed=explode("#", $line);
$ip_a=trim($ip_allowed[0],"#");
$ip=explode("\"", $ip_a);
echo "<tr><td>$ip[1]";
echo "<td>";
if (isset($ip_allowed[1]))
echo trim($ip_allowed[1]);
else echo "&nbsp;";
echo "<td><input type='checkbox' name='del-$ip[1]'>";
echo "</tr>";
}
}
}
echo "</table>";
if ($tab)
{
echo "<input type='hidden' name='choix' value='change_ip'>";
echo "<input type='submit' value='$l_apply'>";
}
?>
</form>
</td><td valign='middle' align='center'>
<form action='<?echo"$_SERVER[PHP_SELF]"?>' method='POST'>
<table cellspacing=2 cellpadding=3 border=1>
<tr><th><?echo"$l_trusted_ip</th><th>$l_comment";?>
<td></td></tr>
<tr><td>exemple1 : 170.25.23.10 <br>exemple2 : 15.20.20.0/16</td>
<td>my_web_server <br>my_dmz</td>
<tr><td><input type='text' name='add_ip' size='20'></td>
<td><input type='text' name='add_ip_comment' size='15'></td>
<input type='hidden' name='choix' value='new_ip'>
<td><input type='submit' value='<?echo"$l_add_to_list";?>'></td>
</tr></table>
</form>
</td></tr>
</table>
</BODY>
</HTML>
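Review bot: In the new `new_uamdomain` and `new_ip` cases, `trim($_POST['add_uamdomain'])`, `trim($_POST['add_ip'])` and the two comment fields are written verbatim into the chilli config files as `uamdomain="..."` / `uamallowed="..." #comment`; trim() only strips the ends, so a `"`, `#` or an embedded newline in either field breaks the quoted directive or appends an extra line to a file that alcasar-file-clean.sh then sorts and `service chilli restart` loads. The same stored values are later echoed unescaped into the listing (`echo "<tr><td>$domain[1]";` and `name='del-$domain[1]'`), so one bad entry carries markup into every later view of this admin page. After `$insert = true;` in each case, refuse values that cannot be a domain or address token, e.g. `if (preg_match('/["#\r\n\s]/', trim($_POST['add_uamdomain']))) { $insert = false; }` (same for `add_ip`), and wrap `$domain[1]` / `$ip[1]` in `htmlspecialchars()` where they are printed. The page is presumably reachable only by authenticated ACC administrators, which limits who can plant such entries, but the file is a chilli configuration input and deserves syntax validation regardless. The rendered section interleaves old and new lines around the `MAJ_UAMALLOWED` case, and the page's `<HEAD>` begins above line 7, so the switch's exact surroundings are not fully visible here.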
/conf/etc/alcasar-iptables-local.sh
1,6 → 1,5
#!/bin/sh
# $Id$
 
# script de mise en place des regles personnalisées du parefeu d'Alcasar
# Rexy - 3abtux - CPN
# version 2.0 (05/2011)
7,9 → 6,11
# changelog :
# + autorisation de l'ICMP vers eth0
# + autorisation SMTP vers serveur extérieur (SMTP_IP)
# + autorisation PAT depuis l'extérieur
 
 
# On autorise le ping (echo & request) (icmp N°0 & 8) en provenance de l'extérieur vers ALCASAR
# ping (echo & request) (icmp N°0 & 8) is allowed on EXTIF
#$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -p icmp --icmp-type 8 -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXTIF -d $Admin_from_IP -p icmp --icmp-type 0 -j ACCEPT
 
18,6 → 19,10
#$IPTABLES -A OUTPUT -p tcp -d $SMTP_IP --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT -p tcp -s $SMTP_IP --sport smtp -m state --state ESTABLISHED -j ACCEPT
 
# On autorise du PAT (Port Adresse Translation) afin de pouvoir joindre des équipement du LAN depuis Internet
#m_ports=5000,5001; to_ip=192.168.182.3
#$IPTABLES -A PREROUTING -i $EXTIF -t nat -p tcp -d $PUBLIC_IP -m multiport --dports $m_ports -j DNAT --to $to_ip
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $to_ip -m multiport --dports $m_ports -j ACCEPT
 
# Fin du script des règles du parefeu
 
/CHANGELOG
19,6 → 19,7
- the filtering of LAN betwenne ALCASAR and the Internet GW is no more need.
- DHCP service is more flexible : it can be {off | half | full}
- ACC : admin can now export the curent tracability file
- ACC : admin can define the exception domains that will be showed in intercept page
---------------------- 2.5 --------------------
Bugs
- watchdog of Daemons for service's test
/scripts/alcasar-file-clean.sh
1,6 → 1,6
#/bin/bash
 
# alcasar-nf.sh
# alcasar-file-clean.sh
# by Rexy
# This script is distributed under the Gnu General Public License (GPL)
 
12,11 → 12,13
ALCASAR_SERVICES="$DIR_CONF/alcasar-services"
ALCASAR_EXCEPTIONS="$DIR_CONF/alcasar-filter-exceptions"
ALCASAR_IP_BLOCKED="$DIR_CONF/alcasar-ip-blocked"
ALCASAR_UAMDOMAIN="$DIR_CONF/alcasar-uamdomain"
ALCASAR_UAMALLOWED="$DIR_CONF/alcasar-uamallowed"
ALCASAR_CONF="$DIR_CONF/alcasar.conf"
 
 
# sort file content
for file in $ALCASAR_SERVICES $ALCASAR_IP_BLOCKED
for file in $ALCASAR_SERVICES $ALCASAR_IP_BLOCKED $ALCASAR_UAMDOMAIN $ALCASAR_UAMALLOWED
do
sort -k2n $file > /tmp/alcasar-tmp-sort
mv -f /tmp/alcasar-tmp-sort $file
23,9 → 25,8
done
 
# remove empty lines and put rights
for file in $ALCASAR_SERVICES $ALCASAR_EXCEPTIONS $ALCASAR_IP_BLOCKED $ALCASAR_CONF
for file in $ALCASAR_SERVICES $ALCASAR_EXCEPTIONS $ALCASAR_IP_BLOCKED $ALCASAR_CONF $ALCASAR_UAMDOMAIN $ALCASAR_UAMALLOWED
do
echo $file
$SED "/^$/d" $file
chown root:apache $file
chmod 660 $file
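Review bot: The sort loop, which this change extends to the two uam files, still writes each file through a fixed, predictable `/tmp/alcasar-tmp-sort` and then `mv -f`s it over the config; the script is run as root via `sudo` from the web interface (auth_exceptions.php calls `exec ("sudo /usr/local/bin/alcasar-file-clean.sh")`), so a symlink pre-placed at that path by any local user redirects the root-owned write and the final mv, and the same name is reused for every file in the loop. GNU sort handles output-equals-input safely, so the temp file can go entirely: `sort -k2n -o "$file" "$file"`, or if a scratch file is wanted, `tmp=$(mktemp) && sort -k2n "$file" > "$tmp" && mv -f "$tmp" "$file"`. Quoting `$file` in both loops would also keep a path with spaces from splitting. Two smaller points: the first context line reads `#/bin/bash` without the `!`, so the kernel will not treat the file as a bash script when it is executed directly, and the `-k2n` numeric key on `uamdomain="x" #comment` lines sorts by the comment rather than the domain, which may not be what is intended. The second loop's closing `done` lies below the hunk.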