WebSVN – ALCASAR – Path Comparison – / – /scripts/ Rev 1331 and /scripts/ Rev 1332

Ignore whitespace Rev 1331 → Rev 1332

 /scripts/alcasar-iptables.sh
 ,7 → 29,7
 PROTOCOLS_FILTERING=${PROTOCOLS_FILTERING:=off}
 DNS_FILTERING=`grep DNS_FILTERING= $conf_file|cut -d"=" -f2`            # DNS and URLs filter (on/off)
 DNS_FILTERING=${DNS_FILTERING:=off}
-BL_IP_CAT="/usr/local/share/iptables-bl"                                # categories files of the BlackListed IP
+BL_IP_CAT="/usr/local/share/iptables-bl-enabled"                        # categories files of the BlackListed IP
 QOS=`grep QOS= $conf_file|cut -d"=" -f2`                                # QOS (on/off)
 QOS=${QOS:=off}
 SSH=`grep SSH= $conf_file|cut -d"=" -f2`                                # sshd active (on/off)
 ,7 → 73,7
 $IPTABLES -t nat -P OUTPUT ACCEPT
 # destruction de tous les SET
-# destroy all the SET
+# destroy all SET
 ipset destroy
 # Création et peuplement du SET alcasar_ip_blocked
 ,19 → 107,27
 done
 IFS=$OLDIFS
-# Création et peuplement du SET blacklist_ip_blocked
-# creation and first populating of blacklist_ip_blocked SET
-# It take a lot of time (try to do this during the blacklist import process)
-#ipset create blacklist_ip_blocked hash:net hashsize 1024
-#cd $BL_IP_CAT
-#for category in `ls -1 | cut -d"@" -f1`
-#do
-#       while read ip_blocked
-#       do
-#               ipset add blacklist_ip_blocked $ip_blocked
-#       done < $BL_IP_CAT/$category
-#done
+# Calcul de la taille du SET blacklist_ip_blocked
+# Computing the length of the blacklist_ip_blocked set
+cd $BL_IP_CAT
+ipset_length=$(wc -l * | awk '{print $1}' | tail -n 1)
+# Ajout du delta (ip entrées manuellement)
+# Addition of the delta (ip entered manually)
+((ipset_length=$ipset_length+10))
+# Création du fichier ipset temporaire, remplissage, chargement et suppression
+echo "create blacklist_ip_blocked hash:net family inet hashsize 1024 maxelem $ipset_length" > ipset_save
+for category in `ls -1 | cut -d '@' -f1`
+do
+        cat $BL_IP_CAT/$category >> ipset_save
+done
+ipset -! restore < ipset_save
+rm -f ipset_save
+# Sauvegarde de tous les ipset (pour restaurer après redémarrage)
+ipset save > /etc/sysconfig/ipset_save
 #############################
 #       PREROUTING          #
 #############################
 ,9 → 163,9
 # Redirection des requêtes HTTP des IP de la blacklist vers ALCASAR (page 'accès interdit')
 # Redirect HTTP requests of blacklist ip to ALCASAR (access deny window)
-#if [ $DNS_FILTERING = on ]; then
-#$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
-#fi
+if [ $DNS_FILTERING = on ]; then
+$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK -m set --match-set blacklist_ip_blocked dst -p tcp --dport http -j REDIRECT --to-port 80
+fi
 # Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD par netflow
 ## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD by netflow
 ,11 → 278,11
 # Blocage des IPs du SET blacklist_ip_blocked
 # Deny IPs of the SET blacklist_ip_blocked
-#if [ $DNS_FILTERING = on ]; then
-#       $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
-#       $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
-#       $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
-#fi
+if [ $DNS_FILTERING = on ]; then
+        $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
+        $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked dst -p udp -j REJECT --reject-with icmp-port-unreachable
+        $IPTABLES -A FORWARD -i $TUNIF -m set --match-set blacklist_ip_blocked -p tcp -j REJECT --reject-with tcp-reset
+fi
 # Autorisation des retours de connexions légitimes
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

 /scripts/sbin/alcasar-bl.sh
 ,8 → 186,11
                                         chown dansguardian:apache $PATH_FILE/urls
                                 fi
                                 $SED "s/\.\{2,10\}/\./g" $PATH_FILE/domains $PATH_FILE/urls # correct some syntax errors
                                 # retrieve the ip addresses for iptables
-                                egrep  "^([0-9]{1,3}\.){3}[0-9]{1,3}$" $PATH_FILE/domains > $FILE_ip_tmp
+                                # create an ipset save for the selected category
+                                awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add blacklist_ip_blocked " $0}' $PATH_FILE/domains > $FILE_ip_tmp
                                 # for dnsmask, remove IP addesses, accented characters and commented lines.
                                 egrep  -v "^([0-9]{1,3}\.){3}[0-9]{1,3}$" $PATH_FILE/domains > $FILE_tmp
                                 $SED "/[äâëêïîöôüû]/d" $FILE_tmp

Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1331 → Rev 1332