6,16 → 6,14 |
# by Franck BOUIJOUX and Richard REY |
# This script is distributed under the Gnu General Public License (GPL) |
|
# Gestion de la BL pour le filtrage de domaine (via dnsmasq) et d'URL (via E2guardian) |
# Manage the BL for DnsBlackHole (dnsmasq) and URL filtering (E2guardian) |
# Gestion de la BL pour le filtrage de domaine (via unbound) et d'URL (via E2guardian) |
# Manage the BL for DnsBlackHole (unbound) and URL filtering (E2guardian) |
|
DIR_CONF="/usr/local/etc" |
CONF_FILE="$DIR_CONF/alcasar.conf" |
private_ip_mask=`grep ^PRIVATE_IP= $CONF_FILE|cut -d"=" -f2` |
private_ip_mask=${private_ip_mask:=192.168.182.1/24} |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DIR_tmp="/tmp/blacklists" |
DIR_WL_tmp="/tmp/whitelists" |
FILE_tmp="/tmp/filesfilter.txt" |
FILE_ip_tmp="/tmp/filesipfilter.txt" |
DIR_DG="/etc/e2guardian/lists" |
26,15 → 24,15 |
BL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-bl-categories-enabled" # ' ' BL enabled categories |
WL_CATEGORIES_ENABLED="$DIR_CONF/alcasar-wl-categories-enabled" # ' ' WL enabled categories |
DIR_SHARE="/usr/local/share" |
DIR_DNS_BL="$DIR_SHARE/dnsmasq-bl" # all the BL in the DNSMASQ format |
DIR_DNS_WL="$DIR_SHARE/dnsmasq-wl" # all the WL ' ' ' |
DIR_DNS_BL="$DIR_SHARE/unbound-bl" # all the BL in the Unbound format |
DIR_DNS_WL="$DIR_SHARE/unbound-wl" # all the WL ' ' ' |
DIR_IP_BL="$DIR_SHARE/iptables-bl" # all the IP addresses of the BL |
DIR_IP_WL="$DIR_SHARE/iptables-wl" # IP ossi disabled WL |
DIR_DNS_BL_ENABLED="$DIR_SHARE/dnsmasq-bl-enabled" # symbolic link to the domains BL (only enabled categories) |
DIR_DNS_WL_ENABLED="$DIR_SHARE/dnsmasq-wl-enabled" # ' ' ' WL ' ' |
DIR_DNS_BL_ENABLED="$DIR_SHARE/unbound-bl-enabled" # symbolic link to the domains BL (only enabled categories) |
DIR_DNS_WL_ENABLED="$DIR_SHARE/unbound-wl-enabled" # ' ' ' WL ' ' |
DIR_IP_BL_ENABLED="$DIR_SHARE/iptables-bl-enabled" # ' ' ip BL (only enabled categories) |
DIR_IP_WL_ENABLED="$DIR_SHARE/iptables-wl-enabled" # ' ' ip WL (ossi and ossi-* imported from ACC) |
DNS1=`grep ^DNS1= $CONF_FILE | cut -d'=' -f2-` # server DNS1 (for WL domain names) |
REHABILITATED_DNS_FILE="/etc/unbound/conf.d/blacklist/rehabilitated.conf" |
BL_SERVER="dsi.ut-capitole.fr" |
SED="/bin/sed -i" |
|
47,7 → 45,7 |
then |
mkdir $LIST |
else |
rm -rf $LIST/* |
rm -rf ${LIST:?}/* |
fi |
chown root:apache $LIST |
chmod 770 $LIST |
69,7 → 67,7 |
$SED "1i\/etc\/e2guardian\/lists\/blacklists\/$ENABLE_CATEGORIE" $BL_CATEGORIES |
ln -sf $DIR_DNS_BL/$ENABLE_CATEGORIE.conf $DIR_DNS_BL_ENABLED/$ENABLE_CATEGORIE |
ln -sf $DIR_IP_BL/$ENABLE_CATEGORIE $DIR_IP_BL_ENABLED/$ENABLE_CATEGORIE |
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG/bannedsitelist # Blacklisted domains are managed by dnsmasq |
# echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/domains>" >> $DIR_DG/bannedsitelist # Blacklisted domains are managed by unbound |
echo ".Include<$DIR_DG_BL/$ENABLE_CATEGORIE/urls>" >> $DIR_DG/bannedurllist |
done |
sort +0.0 -0.2 $BL_CATEGORIES -o $FILE_tmp |
101,7 → 99,7 |
$SED '/[äâëêïîöôüû@,]/d' $FILE_tmp # remove line with "chelou" characters |
# extract ip addresses for iptables. |
awk '/^([0-9]{1,3}\.){3}[0-9]{1,3}$/{print "add bl_ip_blocked " $0}' $FILE_tmp > $FILE_ip_tmp |
# extract domain names for dnsmasq. |
# extract domain names for unbound. |
$SED -n '/^\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}/!p' $FILE_tmp |
# Retrieve max Top Level Domain for domain name synthax |
#MAX_TLD=$(curl http://data.iana.org/TLD/tlds-alpha-by-domain.txt | grep -v '-' | grep -v '#' | wc -L) |
142,7 → 140,7 |
-cat_choice | --cat_choice) |
cat_choice |
;; |
# Adapt Toulouse University BL to ALCASAR architecture (dnsmasq + DG + iptables) |
# Adapt Toulouse University BL to ALCASAR architecture (unbound + DG + iptables) |
-adapt | --adapt) |
echo -n "Adaptation process of Toulouse University blackList. Please wait : " |
if [ -f $DIR_tmp/blacklists.tar.gz ] # when downloading the last version of the BL |
231,7 → 229,8 |
$SED "/^$ENABLE_CATEGORIE$/d" $WL_CATEGORIES_ENABLED |
fi |
done |
# Creation of DNSMASQ and Iptables BL and WL |
|
# Creation of Unbound and Iptables BL and WL |
for LIST in $BL_CATEGORIES $WL_CATEGORIES # for each list (bl and wl) |
do |
for PATH_FILE in `cat $LIST` # for each category |
244,16 → 243,16 |
chown e2guardian:apache $PATH_FILE/urls |
fi |
cp $PATH_FILE/domains $FILE_tmp |
clean_split # clean ossi custom files & split them for dnsmasq and for iptables |
clean_split # clean ossi custom files & split them for unbound and for iptables |
if [ "$LIST" == "$BL_CATEGORIES" ] |
then |
# adapt to the dnsmasq syntax for the blacklist |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
# adapt to the unbound syntax for the blacklist |
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN |
else |
# adapt to the dnsmasq syntax for the whitelist |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
# adapt to the unbound syntax for the whitelist |
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf |
fi |
done |
276,27 → 275,28 |
URL=$(echo $LIGNE_RSYNC | cut -d' ' -f2) |
PATH_FILE=$(find $DIR_DG_BL/ -type d -name $CATEGORIE) # retrieve directory name of the category |
rsync -rv $URL $(dirname $PATH_FILE ) #rsync inside of the blacklist directory |
# Creation of DNSMASQ and Iptables BL and WL |
# Creation of unbound and Iptables BL and WL |
DOMAIN=$(basename $PATH_FILE) |
cp $PATH_FILE/domains $FILE_tmp |
clean_split # clean ossi custom files & split them for dnsmasq and for iptables |
clean_split # clean ossi custom files & split them for unbound and for iptables |
black=`grep black $PATH_FILE/usage |wc -l` |
if [ $black == "1" ] |
then |
# adapt to the dnsmasq syntax for the blacklist |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
# adapt to the unbound syntax for the blacklist |
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$DOMAIN |
else |
# adapt to the dnsmasq syntax for the whitelist |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
# adapt to the unbound syntax for the whitelist |
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$DOMAIN.conf |
mv $FILE_ip_tmp $DIR_IP_WL/$DOMAIN |
fi |
rm -f $FILE_tmp $FILE_ip_tmp |
done |
/usr/bin/systemctl restart unbound-whitelist |
/usr/bin/systemctl restart dnsmasq-whitelist |
/usr/bin/systemctl restart dnsmasq-blacklist |
/usr/bin/systemctl restart unbound-blacklist |
/usr/bin/systemctl restart e2guardian |
/usr/local/bin/alcasar-iptables.sh |
else |
308,17 → 308,16 |
-reload | --reload) |
# for DG |
cat_choice |
# for dnsmasq (rehabited domain names) |
if [ `wc -w $DIR_DG/exceptionsitelist|cut -d " " -f1` != "0" ] |
# for unbound (rehabilitated domain names) |
rm -f $REHABILITATED_DNS_FILE |
if [ "$(wc -w $DIR_DG/exceptionsitelist | cut -d " " -f1)" != "0" ] |
then |
rm -f $DIR_DNS_BL_ENABLED/authorized-ossi-bl $DIR_DNS_BL/authorized-ossi-bl.conf |
touch $DIR_DNS_BL/authorized-ossi-bl.conf |
for i in `cat $DIR_DG/exceptionsitelist` |
do |
$SED "/$i/d" $DIR_DNS_BL/* |
echo "server=/$i/#" >> $DIR_DNS_BL/authorized-ossi-bl.conf |
done |
ln -s $DIR_DNS_BL/authorized-ossi-bl.conf $DIR_DNS_BL_ENABLED/authorized-ossi-bl |
touch $REHABILITATED_DNS_FILE |
while read -r domain; do |
[ -z "$domain" ] && continue |
echo "local-zone: $domain typetransparent" >> $REHABILITATED_DNS_FILE |
echo "local-zone-tag: $domain \"\"" >> $REHABILITATED_DNS_FILE |
done < $DIR_DG/exceptionsitelist |
fi |
# adapt OSSI BL & WL custom files |
for dir in $DIR_DNS_BL_ENABLED $DIR_DNS_WL_ENABLED $DIR_IP_BL_ENABLED $DIR_IP_WL_ENABLED $DIR_DNS_BL $DIR_DNS_WL $DIR_IP_BL $DIR_IP_WL |
341,12 → 340,12 |
fi |
$SED "s/\r//" $ossi_custom_dir/domains $ossi_custom_dir/urls # remove Windows <CR> from custom file |
cp $ossi_custom_dir/domains $FILE_tmp |
clean_split # clean ossi custom files & split them for dnsmasq and for iptables |
clean_split # clean ossi custom files & split them for unbound and for iptables |
if [ $categorie_type == "white" ] |
then |
# adapt the file to the dnsmasq syntax and enable it if needed |
# adapt the file to the unbound syntax and enable it if needed |
# for the WL |
$SED "s?.*?server=/&/$DNS1?g" $FILE_tmp |
$SED "s?.*?local-zone: & transparent?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_WL/$ossi_categorie.conf |
mv $FILE_ip_tmp $DIR_IP_WL/$ossi_categorie |
enabled=`grep ^$ossi_categorie$ $WL_CATEGORIES_ENABLED | wc -l` |
359,7 → 358,7 |
fi |
else |
# for the BL |
$SED "s?.*?address=/&/$PRIVATE_IP?g" $FILE_tmp |
$SED "s?.*?local-zone: & typetransparent\nlocal-zone-tag: & blacklist?g" $FILE_tmp |
mv $FILE_tmp $DIR_DNS_BL/$ossi_categorie.conf |
mv $FILE_ip_tmp $DIR_IP_BL/$ossi_categorie |
enabled=`grep ^$ossi_categorie$ $BL_CATEGORIES_ENABLED | wc -l` |
383,7 → 382,8 |
chmod 660 $DIR_DNS_BL/* $DIR_DNS_WL/* $DIR_IP_BL/* $DIR_IP_WL/* |
if [ "$PARENT_SCRIPT" != "alcasar-conf.sh" ] # don't launch on install stage |
then |
/usr/bin/systemctl restart dnsmasq-blacklist |
/usr/bin/systemctl restart unbound-blacklist |
/usr/bin/systemctl restart unbound-whitelist |
/usr/bin/systemctl restart dnsmasq-whitelist |
/usr/bin/systemctl restart e2guardian |
/usr/local/bin/alcasar-iptables.sh |