Ignore whitespace Rev 1817 → Rev 1818

/scripts/alcasar-conup.sh
13,7 → 13,7
#do
# echo "$i : ${!i}" >> /tmp/debug-conup.txt
#done
 
ipset del user_not_connected_yet $FRAMED_IP_ADDRESS
# Add user to the SET (function of his filtering level)
case $FILTER_ID in
# HAVP
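Review bot: `ipset del user_not_connected_yet $FRAMED_IP_ADDRESS` will return non-zero and write an error to stderr whenever the address is not currently in the set (a client that authenticated without first being seen by whatever populates the set), and the expansion is unquoted, so an empty or unset FRAMED_IP_ADDRESS turns the command into a bare `ipset del user_not_connected_yet` usage error. Making the removal idempotent and quoting the attribute keeps the hook quiet in the normal case: `ipset -exist del user_not_connected_yet "$FRAMED_IP_ADDRESS"`. It is also worth deciding whether a failure here should be logged (the existing style elsewhere uses `logger`) rather than silently lost, since a stale entry in this set changes how the client's DNS is treated by the NAT rules in alcasar-iptables.sh. The surrounding `case $FILTER_ID in` block continues outside the hunk.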
/scripts/alcasar-iptables.sh
62,6 → 62,8
ipset save havp_set >> $TMP_users_set_save
ipset save havp_bl_set >> $TMP_users_set_save
ipset save havp_wl_set >> $TMP_users_set_save
ipset save user_not_connected_yet >> $TMP_users_set_save
ipset save ipset_users >> $TMP_users_set_save
fi
 
# loading of NetFlow probe (ipt_NETFLOW kernel module)
137,6 → 139,15
ipset create havp_set hash:net hashsize 1024
ipset create havp_bl_set hash:net hashsize 1024
ipset create havp_wl_set hash:net hashsize 1024
#utilisé pour l'interception des utilisateurs non authentifiés au réseau
#used for intercepting users not connected to the network
ipset create user_not_connected_yet hash:net hashsize 1024
ipset create ipset_users_list list:set
ipset add ipset_users_list havp_set
ipset add ipset_users_list havp_wl_set
ipset add ipset_users_list havp_bl_set
ipset add ipset_users_list no_filtering_set
ipset add ipset_users_list user_not_connected_yet
fi
 
#############################
201,6 → 212,11
# Redirect NTP request in local NTP server
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123
 
# Redirection des requetes DNS des utilisateurs non connectés dans le DNS-Blackhole
# Redirect users not connected DNS requests in DNS-Blackhole
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 56
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set ! --match-set ipset_users_list src -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 56
 
#############################
# INPUT #
#############################
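Review bot: In the save hunk (62,6 → 62,8) the new line `ipset save ipset_users >> $TMP_users_set_save` names a set that does not match the one created in the 137,6 → 139,15 hunk, `ipset create ipset_users_list list:set`; unless `ipset_users` is created somewhere outside this view, that `ipset save` fails with "The set with the given name does not exist" and the list:set is simply not saved, so the membership is lost across a restore. The save line should read `ipset save ipset_users_list >> $TMP_users_set_save`, and it must stay after the member-set saves as it does now, because `ipset restore` needs the member sets to exist before the list:set is recreated. A brief comment on the create block would also help, since it determines what the two new PREROUTING DNS rules do: `# ipset_users_list: union of every per-user set; traffic from an address in none of them is redirected to the DNS blackhole (port 56)`. The `fi` lines closing the save and create blocks belong to `if` statements that start outside the hunks.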
/scripts/alcasar-watchdog.sh
114,6 → 114,8
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c1 -w4 $noresponse_ip|grep "Unicast reply"|wc -l`
if [[ $(expr $arp_reply) -eq 0 ]]
then
#on vide les ip inactifs de l'ipset user_not_connected_yet
ipset del user_not_connected_yet $noresponse_ip
logger "alcasar-watchdog $noresponse_ip ($noresponse_mac) can't be contact. Alcasar disconnects the user ($noresponse_user)."
/usr/sbin/chilli_query logout $noresponse_mac
if [[ $noresponse_user == $noresponse_mac ]] # for @mac auth equipments, we must remove the arp entry
136,8 → 138,9
arp_reply=`/usr/sbin/arping -b -I$INTIF -s$PRIVATE_IP -c2 -w4 $active_ip|grep "Unicast reply"|wc -l`
# store @IP of quiet equipments
if [[ $(expr $arp_reply) -eq 0 ]]
then
then
echo "$active_ip $active_mac $active_user" >> $tmp_file
fi
# disconnect users whose equipement is usurped (@MAC)
if [[ $(expr $arp_reply) -gt 2 ]]