
Ignore whitespace Rev 1293 → Rev 1294

/scripts/alcasar-iptables.sh
6,10 → 6,10
#
# Reminders
# There are four channels for log :
# 1 tracability with The 'Netflow' kernel module (iptables target = NETFLOW);
# 1 tracability of the consultation equipment with The 'Netflow' kernel module (iptables target = NETFLOW);
# 2 protection of ALCASAR with the Ulog group 1 (default group)
# 3 SSH with the ulog group 2;
# 4 extern access attempts with the ulog group 3.
# 3 SSH on ALCASAR with the Ulog group 2;
# 4 extern access attempts on ALCASAR with the Ulog group 3.
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
29,7 → 29,7
PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2` # DNS and URLs filter (on/off)
DNS_FILTERING=${DNS_FILTERING:=off}
BL_IP_CAT="/usr/local/share/iptables-bl-enabled" # categories files of the BlackListed IP
BL_IP_CAT="/usr/local/share/iptables-bl" # categories files of the BlackListed IP
QOS=`grep QOS= $conf_file|cut -d"=" -f2` # QOS (on/off)
QOS=${QOS:=off}
SSH=`grep SSH= $conf_file|cut -d"=" -f2` # sshd active (on/off)
76,8 → 76,8
# destroy all the SET
ipset destroy
 
# Création du SET alcasar_ip_blocked et premier peuplement
# creation of alcasar_ip_blocked SET and first populating
# Création et peuplement du SET alcasar_ip_blocked
# creation and first populating of alcasar_ip_blocked SET
ipset create alcasar_ip_blocked hash:net hashsize 1024
if [ -s /usr/local/etc/alcasar-ip-blocked ]; then
while read ip_line
86,12 → 86,40
if [ $ip_on != "#" ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
echo $ip_blocked
ipset add alcasar_ip_blocked $ip_blocked
fi
done < /usr/local/etc/alcasar-ip-blocked
fi
 
# Création et initialisation du SET authenticated_ip (dynamiquement peuplé par les scripts conup/condown)
# creation and initialization of authenticated_ip_ SET (populated dynamicly by conup/condown scripts)
ipset create authenticated_ip hash:net hashsize 1024
OLDIFS=$IFS
IFS=$'\n'
for equipment in `/usr/sbin/chilli_query list |grep -v "\.0\.0\.0"`
do
active_ip=`echo $equipment |cut -d" " -f2`
active_session=`echo $equipment |cut -d" " -f5`
if [[ $(expr $active_session) -eq 1 ]]
then
ipset add authenticated_ip $active_ip
fi
done
IFS=$OLDIFS
 
# Création et peuplement du SET blacklist_ip_blocked
# creation and first populating of blacklist_ip_blocked SET
# wait for a better blacklist adapt process
#ipset create blacklist_ip_blocked hash:net hashsize 1024
#cd $BL_IP_CAT
#for category in `ls -1 | cut -d"@" -f1`
#do
# while read ip_blocked
# do
# ipset add blacklist_ip_blocked $ip_blocked
# done < $BL_IP_CAT/$category
#done
 
#############################
# PREROUTING #
#############################
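Review bot: The authenticated-state test `if [[ $(expr $active_session) -eq 1 ]]` is fragile: when `cut -d" " -f5` yields an empty field (a short or differently formatted `chilli_query list` line), the unquoted `$(expr …)` expands to nothing and leaves `[[ -eq 1 ]]` malformed, so the loop errors instead of skipping that entry, and `expr` adds nothing over a plain compare. `if [ "$active_session" = "1" ]` does the same job without that failure mode; which column of `chilli_query list` carries the authenticated flag is assumed by the code and cannot be confirmed from this page. The `echo $ip_blocked` near the top of the hunk prints every blocked address to stdout on each firewall load and looks like a debugging leftover. Both `ipset add` calls in the hunk fail on a duplicate entry (an address listed twice in alcasar-ip-blocked, or two chilli sessions for one IP); `ipset add -exist …` keeps the population idempotent.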
121,10 → 149,20
fi
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 54
fi
# Redirection des requêtes HTTP des IP bloquées vers ALCASAR (page 'accès interdit')
# Redirect HTTP requests of banned ip to ALCASAR (access deny window)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
# Redirection des requêtes HTTP des IP admin bannies vers ALCASAR (page 'accès interdit')
# Redirect HTTP requests of admin banned ip to ALCASAR (access deny window)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port http
 
# Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
# Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
#if [ $DNS_FILTERING = on ]; then
#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
#fi
 
# Redirection des requêtes HTTPS des IP sans utilisateurs authentifiés vers ALCASAR (page d'interception)
# Redirect HTTPS requests of IP that don't have authenticate user to ALCASAR (intercept page)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set ! --match-set authenticated_ip src ! -d $PRIVATE_IP -p tcp --dport https -j REDIRECT --to-port https
 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
230,26 → 268,16
 
# Blocage des IPs du SET alcasar_ip_blocked
# Deny IPs of the SET alcasar_ip_blocked
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set alcasar_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -m set --match-set alcasar_ip_blocked dst -p tcp -j REJECT --reject-with tcp-reset
 
# Si le filtrage de domain est activé, blocage des IP de la BL
# If DNS filter is on, reject IP of BL
# Comment : loading time is too long and iptables should become oveloaded !!! should use "ipset" instead
# Blocage des IPs du SET blacklist_ip_blocked
# Deny IPs of the SET blacklist_ip_blocked
#if [ $DNS_FILTERING = on ]; then
# cd $BL_IP_CAT
# for category in `ls -1 | cut -d"@" -f1`
# do
# while read ip_blocked
# do
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset
# done < $BL_IP_CAT/$category
# done
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
# $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
#fi
 
# Autorisation des retours de connexions légitimes
/scripts/alcasar-conup.sh
8,8 → 8,11
# Ce script est lancé à chaque connexion d'usager (authentification réussi)
 
# Debug : show all the coova parse variables. There are declared in /src/chilli.c
echo "parse coova variables" > /tmp/debug-conup.txt
for i in LAYER3 DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN WISPR-SESSION_TERMINATE_TIME CHILLISPOT_MAX_INPUT_OCTETS CHILLISPOT_MAX_OUTPUT_OCTETS CHILLISPOT_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
do
echo "$i : ${!i}" >> /tmp/debug-conup.txt
done
#echo "parse coova variables" > /tmp/debug-conup.txt
#for i in LAYER3 DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN WISPR-SESSION_TERMINATE_TIME CHILLISPOT_MAX_INPUT_OCTETS CHILLISPOT_MAX_OUTPUT_OCTETS CHILLISPOT_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
#do
# echo "$i : ${!i}" >> /tmp/debug-conup.txt
#done
 
# user https flows are no more redirected to be intercepted (see alcasar-iptables.sh in 'prerouting')
ipset add authenticated_ip $FRAMED_IP_ADDRESS
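Review bot: `ipset add authenticated_ip $FRAMED_IP_ADDRESS` runs unquoted and unchecked; if coova invokes the hook with FRAMED_IP_ADDRESS empty or unset, ipset gets one argument fewer and exits with a usage error, and a second conup for an address already present fails as a duplicate. Suggested form: `[ -n "$FRAMED_IP_ADDRESS" ] && ipset add -exist authenticated_ip "$FRAMED_IP_ADDRESS"`. The same applies to the `ipset del authenticated_ip $FRAMED_IP_ADDRESS` that closes the new alcasar-condown.sh in this revision, where `ipset del -exist` likewise tolerates an entry that is already gone. The script's shebang is outside this hunk, so whether it runs under sh or bash cannot be confirmed from here.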
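--- a/scripts/alcasar-condown.sh
+++ b/scripts/alcasar-condown.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# alcasar-conup.sh
+# by Rexy
+# This script is distributed under the Gnu General Public License (GPL)
+
+# This script is launched after each successfull login
+# Ce script est lancé à chaque connexion d'usager (authentification réussi)
+
+# Debug : show all the coova parse variables. There are declared in /src/chilli.c
+#echo "parse coova variables" > /tmp/debug-conup.txt
+#for i in LAYER3 DEV NET MASK ADDR USER_NAME NAS_IP_ADDRESS SERVICE_TYPE FRAMED_IP_ADDRESS FILTER_ID STATE CLASS CUI SESSION_TIMEOUT IDLE_TIMEOUT CALLING_STATION_ID CALLED_STATION_ID NAS_ID NAS_PORT_TYPE ACCT_SESSION_ID ACCT_INTERIM_INTERVAL WISPR_LOCATION_ID WISPR_LOCATION_NAME WISPR_BANDWIDTH_MAX_UP WISPR_BANDWIDTH_MAX_DOWN WISPR-SESSION_TERMINATE_TIME CHILLISPOT_MAX_INPUT_OCTETS CHILLISPOT_MAX_OUTPUT_OCTETS CHILLISPOT_MAX_TOTAL_OCTETS INPUT_OCTETS OUTPUT_OCTETS SESSION_TIME IDLE_TIME LOCATION OLD_LOCATION TERMINATE_CAUSE
+#do
+# echo "$i : ${!i}" >> /tmp/debug-conup.txt
+#done
+
+# user https flows are now redirected to be intercepted (see alcasar-iptables.sh in prerouting)
+ipset del authenticated_ip $FRAMED_IP_ADDRESS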
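Review bot: The header of the new file still reads `# alcasar-conup.sh` and `# This script is launched after each successfull login` (with the matching French line), which describes the other hook; for this script it should say `# alcasar-condown.sh` and `# This script is launched after each user logout (session end)`, with the French line adjusted accordingly. The commented-out debug block also still writes to `/tmp/debug-conup.txt`, so if it is ever re-enabled it will overwrite conup's trace; renaming the target to a condown-specific file in the comment avoids that surprise. The comment before the `ipset del` would read more clearly as `# the user's HTTPS flows are intercepted again (see alcasar-iptables.sh, PREROUTING)`, mirroring the wording used in alcasar-conup.sh.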
Property changes:
Added: svn:eol-style
+native
\ No newline at end of property
Added: svn:executable
+*
\ No newline at end of property