/scripts/alcasar-load_balancing.sh |
---|
File deleted |
Property changes: |
Deleted: svn:eol-style |
-LF |
\ No newline at end of property |
Deleted: svn:executable |
-* |
\ No newline at end of property |
Deleted: svn:keywords |
-Id Author Date |
\ No newline at end of property |
/scripts/alcasar-condown.sh |
---|
3,7 → 3,7 |
# $Id$ |
# |
# alcasar-condown.sh |
# by Rexy |
# by Rexy & Pierre RIVAULT |
# This script is distributed under the Gnu General Public License (GPL) |
# This script is started by coova after each logout |
56,6 → 56,17 |
current_users_file="/tmp/current_users.txt" |
[ -e $current_users_file ] && sed -i "/^$FRAMED_IP_ADDRESS:/d" $current_users_file |
# Remove user_IP from ipset of load balancing |
nb_gw=`grep ^WAN $CONF_FILE | wc -l` |
for (( i = 0 ; i <= $nb_gw ; i++ ));do |
gw="gw$i" |
ipset test $gw $FRAMED_IP_ADDRESS 1>/dev/null 2>&1 |
if [ $? -eq 0 ];then |
ipset del $gw $FRAMED_IP_ADDRESS |
break |
fi |
done |
############################# |
## Debug : show all the coova parse variables (+ ALCASAR-Filter + ALCASAR-Protocols-Filter). |
## see "/src/chilli.c" for the complete list of parse variables |
/scripts/alcasar-conf.sh |
---|
124,7 → 124,7 |
--load|-load) |
cd /var/tmp || { echo "Unable to find /var/tmp directory"; } |
tar -xf alcasar-conf.tar.gz |
# copy alcasar.conf parameters |
# update alcasar.conf parameters |
PREVIOUS_VERSION=`grep ^VERSION= $DIR_UPDATE/etc/alcasar.conf|cut -d"=" -f2` |
MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f1` |
MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2` |
/scripts/alcasar-conup.sh |
---|
3,13 → 3,13 |
# $Id$ |
# |
# alcasar-conup.sh |
# by Rexy |
# by Rexy & Pierre RIVAULT |
# This script is distributed under the Gnu General Public License (GPL) |
# This script is started by coova after each successfull login |
# Ce script est démarré par coova à chaque connexion d'usager (authentification réussi) |
CONF_FILE="/usr/local/etc/alcasar.conf" |
PASSWD_FILE="/root/ALCASAR-passwords.txt" |
DB_USER=`cat $PASSWD_FILE|grep ^db_user=|cut -d'=' -f2` |
DB_PASSWORD=`cat $PASSWD_FILE|grep ^db_password=|cut -d'=' -f2` |
67,6 → 67,27 |
echo "$FRAMED_IP_ADDRESS:PERM" >> $current_users_file |
fi |
# set the user_ip to an gw_ipset for load-balancing |
gw_min="gw0" |
weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2` |
already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2` |
#The *1000 is here to avoid working on floats in bash |
gw_min_value=$((1000 * $already / $weight)) |
nb_gw=`grep ^WAN $CONF_FILE | wc -l` |
for (( i = 1 ; i <= $nb_gw ; i++ ));do |
gw="gw${i}" |
weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'` |
already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2` |
value=$((1000 * $already / $weight)) |
if [ $value -lt $gw_min_value ] |
then |
gw_min_value=$value |
gw_min=$gw |
fi |
done |
ipset add $gw_min $FRAMED_IP_ADDRESS |
############################# |
## Debug : show all the coova parse variables (+ ALCASAR-Filter + ALCASAR-Protocols-Filter + Alcasar-Status-Page-Must-Stay-Open). |
## see "/src/chilli.c" for the complete list of parse variables |
/scripts/alcasar-iptables.sh |
---|
39,6 → 39,7 |
WL_IP_CAT="/usr/local/share/iptables-wl-enabled" # categories files of the WhiteListed IP |
TMP_users_set_save="/tmp/users_set_save" # tmp file for backup users set |
TMP_set_save="/tmp/ipset_save" # tmp file for blacklist and whitelist creation |
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" # tmp file for already connected ips |
SSH=`grep ^SSH= $CONF_FILE|cut -d"=" -f2` # sshd active (on/off) |
SSH=${SSH:=off} |
SSH_ADMIN_FROM=`grep ^SSH_ADMIN_FROM= $CONF_FILE|cut -d"=" -f2` |
46,6 → 47,10 |
IPTABLES="/sbin/iptables" |
IP_REHABILITEES="/etc/e2guardian/lists/exceptioniplist" # Rehabilitated IP |
SITE_DIRECT="/usr/local/etc/alcasar-site-direct" # WEB Sites allowed for all (no av and no filtering for av_bl users) |
MULTIWAN=`grep ^MULTIWAN $CONF_FILE|cut -d"=" -f2` |
PROXY=`grep ^PROXY= $CONF_FILE|cut -d"=" -f2` |
PROXY_IP=`grep ^PROXY_IP= $CONF_FILE|cut -d"=" -f2` |
nb_gw=`grep ^WAN $CONF_FILE|wc -l` |
# Allow requests to internal DNS if activated |
if [ "$INT_DNS_ACTIVE" = "on" ] |
53,6 → 58,15 |
DNSSERVERS="$DNSSERVERS,$INT_DNS_IP" |
fi |
#ipset name list for load_balancing |
gw_list="gw0" |
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then |
for ((i=1 ; i<=$nb_gw ; i++)); do |
gw_list="${gw_list} gw$i" |
done |
fi |
# Sauvegarde des SET des utilisateurs connectés si ils existent |
# Saving SET of connected users if it exists |
ipset list not_filtered 1>/dev/null 2>&1 |
68,6 → 82,20 |
ipset save proto_3 >> $TMP_users_set_save |
fi |
# Sauvegarde de la liste de toutes les IP déjà connectées pour les réintégrer dans le load balancing |
# Saving all of the already connected IP in order to put them back in the load balancing after |
if [ ! -f $TMP_ip_gw_save ];then |
# Save only if alcasar-network.sh --save has not been executed before |
for i in $gw_list;do |
ipset list $i 1>/dev/null 2>&1 |
if [ $? -eq 0 ] |
then |
# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines execpt the members |
ipset list $i | cut -d":" -f5 | sed '/^[[:space:]]*$/d' >> $TMP_ip_gw_save |
fi |
done |
fi |
# Chargement de la sonde NetFlow (module noyau ipt_NETFLOW) |
# loading of NetFlow probe (ipt_NETFLOW kernel module) |
modprobe ipt_NETFLOW destination=127.0.0.1:2055 |
160,10 → 188,41 |
ipset create proto_3 hash:ip hashsize 1024 |
fi |
#ipsets for load balancing |
for i in $gw_list; do |
ipset create $i hash:ip |
done |
cat $TMP_ip_gw_save | while read ip; do |
gw_min="gw0" |
weight=`grep ^PUBLIC_WEIGHT= $CONF_FILE | cut -d"=" -f2` |
already=`ipset list $gw_min | grep Number\ of\ entries: | cut -d":" -f2` |
#The *1000 is here to avoid working on floats in bash |
gw_min_value=$((1000 * $already / $weight)) |
i=1 |
for gw in $gw_list;do |
if [ "$gw" != "gw0" ]; then |
weight=`grep ^WAN$i= $CONF_FILE | awk -F'"' '{ print $2 }' | awk -F ',' '{ print $2 }'` |
already=`ipset list $gw | grep Number\ of\ entries: | cut -d":" -f2` |
value=$((1000 * $already / $weight)) |
if [ $value -lt $gw_min_value ] |
then |
gw_min_value=$value |
gw_min=$gw |
fi |
i=$(($i+1)) |
fi |
done |
ipset add $gw_min $ip |
done |
rm -f $TMP_ip_gw_save |
############################# |
# PREROUTING # |
############################# |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement aux ports d'écoute du proxy HTTP/HTTPS (E2Guardian) pour pouvoir les rejeter en INPUT |
# Mark (and log) the direct attempts to E2guardian listen ports in order to REJECT them in INPUT rules |
# 8080 = ipset av_bl |
196,7 → 255,7 |
# 55 = ipset av_wl |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p udp --dport domain -j REDIRECT --to-port 55 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src -p tcp --dport domain -j REDIRECT --to-port 55 |
# 53 = all other users |
# 53 = all other users |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p udp --dport domain -j REDIRECT --to-port 53 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp --dport domain -j REDIRECT --to-port 53 |
217,6 → 276,7 |
# Redirection des requêtes HTTP des usagers "av_bl + av_wl + av" vers E2guardian |
# Redirect outbound "av_bl + av_wl +av" users HTTP requests to E2guardian |
# 8080 = ipset av_bl |
#$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j MARK --set-mark 200 |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_bl src -m set ! --match-set site_direct dst ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
# 8090 = ipset av_wl & av |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -m set --match-set av_wl src ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8090 |
232,6 → 292,23 |
# Redirect NTP request in local NTP server |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p udp --dport ntp -j REDIRECT --to-port 123 |
#Récupération de la marque associée à une gw pour chaque connection |
$IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark |
if [ "$PROXY" == "on" ] || [ "$PROXY" == "On" ];then |
$IPTABLES -A PREROUTING -t nat -i $TUNIF ! -d $PRIVATE_IP -p tcp -m multiport --dports http,https -j DNAT --to-destination $PROXY_IP |
fi |
#Marquage pour le load balancing |
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then |
temp_index=200 |
for i in $gw_list; do |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -m set --match-set $i src -j MARK --set-mark $temp_index |
temp_index=$(($temp_index+1)) |
done |
fi |
############################# |
# INPUT # |
############################# |
242,7 → 319,7 |
$IPTABLES -A OUTPUT -o lo -j ACCEPT |
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN) |
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN) |
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST and NEW not SYN) |
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP |
455,7 → 532,7 |
# HTTP & HTTPS requests are allowed with netflow log (from E2guardian) |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j NETFLOW |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport http -j ACCEPT |
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy) |
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j NETFLOW # When E2guardian will be in HTTPS transparent proxy) |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport https -j ACCEPT |
# On autorise les requêtes RSYNC sortantes (maj BL de Toulouse) |
489,6 → 566,9 |
# Dynamic NAT on EXTIF |
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE |
#Sauvegarde de la marque associée à la connexion pour le load balancing |
$IPTABLES -A POSTROUTING -t mangle -j CONNMARK --save-mark |
############################# |
# FAIL2BAN # |
############################# |
/scripts/alcasar-network.sh |
---|
0,0 → 1,109 |
#!/bin/bash |
# alcasar-network.sh |
# by Pierre RIVAULT and Rexy |
# This script is distributed under the Gnu General Public License (GPL) |
# Met à jour la configuration réseau conformément au fichier de configuration (alcasar.conf) |
# update network configuration according to alcasar.conf |
CONF_FILE="/usr/local/etc/alcasar.conf" |
TMP_ip_gw_save="/tmp/ipset_ip_gw_save" |
EXTIF=`grep ^EXTIF= $CONF_FILE|cut -d"=" -f2` |
PUBLIC_IP=`grep ^PUBLIC_IP= $CONF_FILE|cut -d"=" -f2` |
GW1=`grep ^GW= $CONF_FILE|cut -d"=" -f2` |
MTU=`grep ^PUBLIC_MTU= $CONF_FILE|cut -d"=" -f2` |
MULTIWAN=`grep ^MULTIWAN= $CONF_FILE|cut -d"=" -f2` |
MULTIWAN=${MULTIWAN:=Off} |
NET="`ipcalc -n $PUBLIC_IP | cut -d"=" -f2`/`ipcalc -p $PUBLIC_IP | cut -d"=" -f2`" |
IP=`echo $PUBLIC_IP | cut -d"/" -f1` |
PRIVATE_IP_MASK=`grep ^PRIVATE_IP $CONF_FILE | cut -d"=" -f2` |
PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1` |
PRIVATE_NETMASK=`echo $PRIVATE_IP_MASK | cut -d"/" -f2` |
PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP $PRIVATE_NETMASK |cut -d"=" -f2` # prefixe du réseau (ex. 24) |
PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP $PRIVATE_NETMASK| cut -d"=" -f2` # @ réseau de consultation (ex.: 192.168.182.0) |
PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # @ + masque du réseau de consult (192.168.182.0/24) |
nb_gw=`grep ^WAN $CONF_FILE | wc -l` |
routecmd="ip route replace default scope global" |
if [ $(whoami) != "root" ]; then |
echo "You must be root to run this!" ; echo ; exit 1 |
fi |
if [ $# -eq 0 ]; then |
args="--apply" |
else |
args=$1 |
fi |
case $args in |
--save) |
rm -f $TMP_ip_gw_save |
# ipset name list for load_balancing |
gw_list="gw0" |
for ((i=1 ; i<=$nb_gw ; i++)); do |
gw_list="${gw_list} gw$i" |
done |
# Saving all of the already connected IP in order to put them back in the load balancing after |
for i in $gw_list;do |
ipset list $i 1>/dev/null 2>&1 |
if [ $? -eq 0 ] |
then |
# the cut -d":" -f5 deletes all the lines with a :, i.e all the lines except the members |
ipset list $i | cut -d":" -f5 | sed '/^[[:space:]]*$/d' >> $TMP_ip_gw_save |
fi |
done |
exit 0 |
;; |
--apply) |
[ -e /etc/sysconfig/network-scripts/ifcfg-$EXTIF ] && ifdown $EXTIF |
# set the new configuration for EXTIF |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF |
DEVICE=$EXTIF |
BOOTPROTO=static |
IPADDR=$IP |
NETMASK=`ipcalc -m $PUBLIC_IP | cut -d= -f2` |
NETWORK=`ipcalc -n $PUBLIC_IP | cut -d= -f2` |
GATEWAY=$GW1 |
DNS1=127.0.0.1 |
RESOLV_MODS=yes |
ONBOOT=yes |
METRIC=10 |
MII_NOT_SUPPORTED=yes |
IPV6INIT=no |
IPV6TO4INIT=no |
ACCOUNTING=no |
USERCTL=no |
MTU=$MTU |
NOZEROCONF=yes |
EOF |
ifup $EXTIF |
ip route flush ${NET} # Remove the previous route for the network of EXTIF |
ip route delete default scope global # Remove the previous default route |
ip route add ${NET} dev ${EXTIF} src ${IP} # Set the new route for EXTIF network |
ip route add ${NET} dev ${EXTIF} src ${IP} table 200 # Set the new default route. If no multiwan, these lines are equivalent to `ip route add default via ${GW1}` |
ip route add default via ${GW1} table 200 |
routecmd="${routecmd} nexthop via ${GW1} dev ${EXTIF}" |
ip rule flush # Remove the previous routing rules |
ip rule add from all lookup main pref 32766 # Set back the main rules |
ip rule add from all lookup default pref 32767 # Set back the default rules |
ip rule add from ${PRIVATE_NETWORK_MASK} fwmark 200 lookup 200 # Add the rule for the first gateway |
if [ "$MULTIWAN" == "on" ] || [ "$MULTIWAN" == "On" ]; then |
nb_gw_supp=`grep ^WAN $CONF_FILE|wc -l` |
for ((i=0 ; $i < $nb_gw_supp ; i++)); do |
table=$(($i + 201)) # This number is used to mark the paquets in order to route them to the choosen GW |
GW=`grep ^WAN$(($i + 1))= $CONF_FILE|awk -F'"' '{ print $2 }' | awk -F, '{print $1}'` |
ip route add ${NET} dev ${EXTIF} src ${IP} table $table # Add the others route in their respective tables |
ip route add default via ${GW} table $table |
ip rule add from ${PRIVATE_NETWORK_MASK} fwmark $table lookup $table # Add the rule for each rule depending of the mark set by the firewall |
routecmd="${routecmd} nexthop via ${GW} dev ${EXTIF}" # add the added gateway into the default gateway |
done |
fi |
${routecmd} # define the default gateway for outgoing traffic |
ip route flush cache |
exit 0 |
;; |
*) |
exit 1 |
;; |
esac |
Property changes: |
Added: svn:eol-style |
+native |
\ No newline at end of property |
Added: svn:executable |
+* |
\ No newline at end of property |
/scripts/alcasar-rpm-download.sh |
---|
13,7 → 13,7 |
# The kernel version we compile netflow for |
KERNEL="kernel-server-5.10.30-1.mga7-1-1.mga7" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat" |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd clamav clamav-db fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat" |
rpm_repository_sync () |
{ |
/scripts/alcasar-rpm.sh |
---|
18,7 → 18,8 |
# "lsscsi" & nvme-cli" : needed by phpsysinfo |
# "socat" : avoid a warning when run the install script of letsencrypt ("acme.sh") |
# "sudo" : needed after a reinstallation (to be investigated) |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat" |
# "clamav + clamav-db" : needes because of a mutual dependance |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamav clamav-db clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat" |
rpm_repository_sync () |
{ |
/scripts/alcasar-uninstall.sh |
---|
289,19 → 289,14 |
post_install () |
{ |
echo -en "(8) : " |
echo -en "(7) : " |
[ -e /etc/mageia-release.default ] && mv -f /etc/mageia-release.default /etc/mageia-release && echo -n "1, " |
[ -e /etc/ssh/alcasar-banner-ssh ] && rm -f /etc/ssh/alcasar-banner-ssh && echo -n "2, " |
[ -e /etc/ssh/sshd_config.default ] && mv -f /etc/ssh/sshd_config.default /etc/ssh/sshd_config && echo -n "3, " |
[ -e /etc/bashrc.default ] && mv -f /etc/bashrc.default /etc/bashrc && echo -n "4, " |
[ -e /etc/sudoers.default ] && mv -f /etc/sudoers.default /etc/sudoers && echo -n "5, " |
if [ -e /etc/systemd/system/alcasar-load_balancing.service ] |
then |
rm -f /etc/systemd/system/alcasar-load_balancing.service |
echo -n "6, " |
fi |
[ -e /etc/security/limits.conf.default ] && mv -f /etc/security/limits.conf.default /etc/security/limits.conf && echo -n "7, " |
[ -e /etc/default/grub.default ] && mv -f /etc/default/grub.default /etc/default/grub && echo -n "8" |
[ -e /etc/security/limits.conf.default ] && mv -f /etc/security/limits.conf.default /etc/security/limits.conf && echo -n "6, " |
[ -e /etc/default/grub.default ] && mv -f /etc/default/grub.default /etc/default/grub && echo -n "7" |
} |
337,7 → 332,7 |
echo "----------------------------------------------------------------------------" |
echo "** Uninstall/Désinstallation d'ALCASAR **" |
echo "----------------------------------------------------------------------------" |
services="alcasar-load_balancing vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli" |
services="vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban iptables ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian sshd chilli" |
/usr/local/bin/alcasar-logout.sh all # logout everybody |
else |
echo "--------------------------------------------------------------------------" |
344,7 → 339,7 |
echo "** update/mise à jour d'ALCASAR **" |
echo "--------------------------------------------------------------------------" |
# unbound, iptables & sshd should stay on to allow remote update |
services="alcasar-load_balancing vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli" |
services="vnstat clamav-daemon clamav-freshclam ntpd php-fpm lighttpd radiusd mysqld unbound-blacklist unbound-whitelist dnsmasq-whitelist unbound-blackhole nfcapd fail2ban ulogd-ext-access ulogd-ssh ulogd-traceability e2guardian chilli" |
/usr/local/bin/alcasar-bypass.sh -on # to allow remote update + users stay connected during the update |
fi |
391,7 → 386,7 |
done |
if [ $mode == "full" ] |
then |
echo -en "\n- network(9) : " |
echo -en "\n- network(10) : " |
hostnamectl set-hostname localhost.localdomain |
chmod a-x /etc/sysconfig/network-scripts/default-* |
i=0 |
406,12 → 401,17 |
[ -e /etc/hosts.allow.default ] && mv -f /etc/hosts.allow.default /etc/hosts.allow && echo -n "5, " |
[ -e /etc/hosts.deny.default ] && mv -f /etc/hosts.deny.default /etc/hosts.deny && echo -n "6, " |
[ -e /etc/modprobe.preload.default ] && mv -f /etc/modprobe.preload.default /etc/modprobe.preload && echo -n "7, " |
if [ -e /etc/systemd/system/alcasar-network.service ] |
- then |
- rm -f /etc/systemd/system/alcasar-network.service |
- echo -n "8, " |
- fi |
if [ -e /etc/systemd/system/iptables.service ] |
then |
rm -f /etc/systemd/system/iptables.service |
echo -n "8, " |
echo -n "9, " |
fi |
[ -e /usr/libexec/iptables.init.default ] && mv -f /usr/libexec/iptables.init.default /usr/libexec/iptables.init && echo -n "9" |
[ -e /usr/libexec/iptables.init.default ] && mv -f /usr/libexec/iptables.init.default /usr/libexec/iptables.init && echo -n "10" |
/usr/bin/systemctl restart network |
sleep 1 |
fi |