#! /bin/bash
# Next-generation firewall for Czela Debian 3.1
# Author: Mirek Slugen
# Co-authors: Michal Perlik, Michal Vondracek, Jan Chmelensky, Adam Pribyl
# Created: 06.11.2006
# Last modified: 08.2014
# This script may be freely distributed and modified.

# Global flag for the read-only root file system: ro_test sets it to "yes"
# after it has remounted the disk read-write, ro_exit locks the disk again
# and resets it to "no".
RO=no
11 | | | |
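# Stop macguard: restore an open FORWARD policy, unhook the macguard chains
# from FORWARD/PREROUTING and delete them.
# Globals: IPTABLES (read) - iptables binary used for every call, including
#          the chain listings (the listings previously ran a bare "iptables",
#          which could differ from $IPTABLES or be missing from PATH)
# Returns: status of the last iptables call
macguard_stop() {
  local num

  # By default allow all traffic forwarded through the router.
  $IPTABLES -P FORWARD ACCEPT

  # Flush all chains created for macguard.
  $IPTABLES -F eth_accept
  $IPTABLES -t nat -F valid_mac_pre
  $IPTABLES -F valid_mac_fwd

  # Before the chains can be deleted, every rule referencing them must go.
  # Rules are deleted highest-numbered first so that the numbers of the
  # remaining rules stay valid while we work through the list.
  while IFS= read -r num; do
    $IPTABLES -D FORWARD "$num"
  done < <(_macguard_rule_numbers eth_accept -L FORWARD)
  while IFS= read -r num; do
    $IPTABLES -t nat -D PREROUTING "$num"
  done < <(_macguard_rule_numbers valid_mac_pre -t nat -L PREROUTING)

  # Remove the other rules macguard created (the per-interface ACCEPTs).
  while IFS= read -r num; do
    $IPTABLES -D FORWARD "$num"
  done < <(_macguard_rule_numbers ACCEPT -L FORWARD)
  while IFS= read -r num; do
    $IPTABLES -t nat -D PREROUTING "$num"
  done < <(_macguard_rule_numbers ACCEPT -t nat -L PREROUTING)

  # Delete all chains created for macguard.
  $IPTABLES -X eth_accept
  $IPTABLES -t nat -X valid_mac_pre
  $IPTABLES -X valid_mac_fwd
}

# Print, highest first, the numbers of the rules in a chain whose listing
# line mentions the given target, covers all protocols ("all" in the
# protocol column) and carries no port match (no spt/dpt).
# NOTE(review): newer iptables releases print "0" instead of "all" in the
# protocol column; verify the filter on the target version.
# Arguments: $1 - target keyword (e.g. eth_accept, ACCEPT)
#            $2.. - table/chain selector, e.g. "-t nat -L PREROUTING"
# Globals:   IPTABLES (read)
# Outputs:   one rule number per line on stdout
_macguard_rule_numbers() {
  local target=$1
  shift
  $IPTABLES "$@" -n -v --line-numbers \
    | grep -- "$target" | grep all | grep -v spt | grep -v dpt \
    | awk '{print $1}' | sort -r -n
}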
43 | | | |
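# Temporarily (until the next table update) allow a MAC/IP pair.
# Note the argument order: the MAC comes first, the IP second (the original
# header comment had them the other way round; macguard_load_conf calls this
# as macguard_allow_user "$MAC" "$IP").
# Arguments: $1 - MAC address; "0" means: remove the per-IP jumps into the
#                 valid_mac_* chains that macguard_deny_user "0" installs
#            $2 - IP address
# Globals:   IPTABLES (read)
# Returns:   0 when an argument is empty or a valid_mac_* chain is missing;
#            otherwise the status of the last iptables call
macguard_allow_user() {
  local mac=$1
  local ip=$2
  local line_pre line_fwd

  if [ -z "$mac" ] || [ -z "$ip" ]; then
    return 0
  fi

  if [ "$mac" = "0" ]; then
    # Delete every per-IP jump; iptables -D fails once none is left.
    while $IPTABLES -D FORWARD -s "$ip" -j valid_mac_fwd 2>/dev/null; do
      :
    done
    while $IPTABLES -t nat -D PREROUTING -s "$ip" -j valid_mac_pre 2>/dev/null; do
      :
    done
    return 0
  fi

  # Both chains must exist, otherwise there is nothing to insert into.
  $IPTABLES -t nat -L valid_mac_pre -n >/dev/null 2>&1 || return 0
  $IPTABLES -L valid_mac_fwd -n >/dev/null 2>&1 || return 0

  # Insert right after the last existing MAC rule, presumably so the pair
  # stays ahead of the DNAT/service/REJECT rules appended at the chain end.
  line_pre=$(_macguard_next_mac_line -t nat -L valid_mac_pre)
  $IPTABLES -t nat -I valid_mac_pre "$line_pre" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT 2>/dev/null

  line_fwd=$(_macguard_next_mac_line -L valid_mac_fwd)
  $IPTABLES -I valid_mac_fwd "$line_fwd" -s "$ip" -m mac --mac-source "$mac" -j ACCEPT 2>/dev/null
}

# Print the rule number one past the last rule with a MAC match in a chain
# (1 when the chain has no MAC rule).
# Arguments: $@ - table/chain selector, e.g. "-t nat -L valid_mac_pre"
# Globals:   IPTABLES (read)
# Outputs:   the rule number on stdout
_macguard_next_mac_line() {
  local last
  last=$($IPTABLES "$@" -n -v --line-numbers | grep MAC | awk '{print $1}' | tail -n 1)
  printf '%s\n' "$(( ${last:-0} + 1 ))"
}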
73 | | | |
# Temporarily (until the next table update) deny a MAC/IP pair.
# Arguments: $1 - MAC address; "0" means: send everything from the IP through
#                 the valid_mac_* chains instead of removing a MAC rule
#            $2 - IP address
# Globals:   IPTABLES (read)
# Returns:   0 when an argument is empty; otherwise the status of the last
#            iptables call (0 after the delete loops)
macguard_deny_user() {
  local mac=$1
  local ip=$2

  if [ -z "$mac" ] || [ -z "$ip" ]; then
    return 0
  fi

  if [ "$mac" = "0" ]; then
    # Hook the IP into the MAC-check chains.
    $IPTABLES -A FORWARD -s "$ip" -j valid_mac_fwd
    $IPTABLES -t nat -A PREROUTING -s "$ip" -j valid_mac_pre
  else
    # Drop every ACCEPT rule for this pair; -D fails once none is left.
    while $IPTABLES -t nat -D valid_mac_pre -s "$ip" -m mac --mac-source "$mac" -j ACCEPT 2>/dev/null; do
      :
    done
    while $IPTABLES -D valid_mac_fwd -s "$ip" -m mac --mac-source "$mac" -j ACCEPT 2>/dev/null; do
      :
    done
  fi
}
92 | | | |
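# Apply the local macguard overrides: one "ALLOW|DENY MAC IP" entry per line,
# passed on to macguard_allow_user / macguard_deny_user. Lines with any other
# first word are ignored.
# Arguments: $1 - path of the configuration file (optional; defaults to
#                 /etc/firewall/macguard.conf, the path used before)
# Outputs:   progress messages on stdout
# Returns:   non-zero when the file cannot be opened
macguard_load_conf() {
  local conf=${1:-/etc/firewall/macguard.conf}
  local type="" mac="" ip=""

  # -r keeps backslashes in the fields literal; the || clause still processes
  # a final line that has no trailing newline.
  while read -r type mac ip || [ -n "$type" ]; do
    case "$type" in
      ALLOW)
        printf '%s' "Allowing mac $mac with ip $ip..."
        macguard_allow_user "$mac" "$ip"
        printf '%s\n' "done."
        ;;
      DENY)
        printf '%s' "Denying mac $mac with ip $ip..."
        macguard_deny_user "$mac" "$ip"
        printf '%s\n' "done."
        ;;
    esac
  done < "$conf"
}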
111 | | | |
# Check whether a file can be written; if not, remount the disk read-write
# (/usr/local/sbin/rw) and record that in RO so ro_exit can lock it again.
# Arguments: $1 - path to probe (an empty path or "/" is ignored)
# Globals:   RO (set to "yes" when the disk had to be unlocked)
# Returns:   0 for an ignored path; otherwise the status of the final
#            cleanup test/rm (1 when the probed file already existed)
ro_test() {
  local path=$1
  local existed=no

  if [ -z "$path" ] || [ "$path" = "/" ]; then
    return 0
  fi

  [ -e "$path" ] && existed=yes

  # A failing touch means the file system is read-only: unlock it.
  if ! touch "$path" 2>/dev/null; then
    /usr/local/sbin/rw 1>/dev/null
    RO="yes"
  fi

  # Do not leave a probe file behind that did not exist before.
  [ "$existed" != "yes" ] && rm -f "$path" 2>/dev/null
}
130 | | | |
# Leave read-only handling: if ro_test unlocked the disk, lock it again
# (/usr/local/sbin/ro) and clear the flag.
# Globals: RO (read; reset to "no" after locking)
# Returns: 0 when nothing had to be done; otherwise status of the reset
ro_exit() {
  if [ "$RO" = "yes" ]; then
    /usr/local/sbin/ro 1>/dev/null
    RO="no"
  fi
}
137 | | | |
# Main macguard implementation: detect the guarded interfaces, install the
# base chains, fetch/refresh the MAC table, generate the per-user rules and,
# where configured, (re)generate and restart the DHCP server.
# Arguments: $1 - "update" skips re-installing the base rules (periodic
#                 refresh; the cron job written at the bottom presumably maps
#                 macguard_update to this); anything else installs them
#            $2 - "force" re-downloads the table even if one exists
# Globals (read):    IPTABLES, IP, DEVn_IFACE, DEVn_MACGUARD,
#                    DEVn_MACGUARD_DHCP (n = 0..14), DUMMY_IFACE, DUMMY_IP,
#                    MACGUARD_DIR, MACGUARD_SERVER, ACCOUNT, INTERNAL_IP,
#                    DOMAIN, DNS_PRIMARY, DNS_SECONDARY, NETBIOS
# Globals (written): DUMMY_IFACE, DUMMY_IP, MACGUARD_STATUS, MACGUARD_SEMAFOR,
#                    RO (via ro_test/ro_exit) and many unscoped work variables
# Side effects: iptables rules, routes, files under $MACGUARD_DIR and
#               /usr/share/macguard, /etc/default/isc-dhcp-server,
#               /etc/dhcp/dhcpd.conf, /var/lib/dhcp/dhcpd.leases, rc symlinks,
#               /etc/cron.d/macguard; may stop/start isc-dhcp-server
macguard_start() {
  # Detect the interfaces macguard should guard (DEVn_MACGUARD=yes), the ones
  # it leaves open, and the ones that get a DHCP server. Slots 0..14 are
  # scanned; ${!name} reads the DEVn_* variables indirectly.
  I="0"
  MACGUARD_DEV_YES=""
  MACGUARD_DEV_NO=""
  MACGUARD_DEV_DHCP=""
  while [ "$I" -lt 15 ]; do
    DEV=DEV${I}_IFACE
    DEV=${!DEV}
    MACGUARD_DEV=DEV${I}_MACGUARD
    MACGUARD_DEV=${!MACGUARD_DEV}
    MACGUARD_DHCP=DEV${I}_MACGUARD_DHCP
    MACGUARD_DHCP=${!MACGUARD_DHCP}
    if [ "$MACGUARD_DEV" == "yes" ] && [ "$DEV" != "" ]; then
      if [ "$MACGUARD_DEV_YES" == "" ]; then
        MACGUARD_DEV_YES="$DEV"
      else
        MACGUARD_DEV_YES="$MACGUARD_DEV_YES $DEV"
      fi
    elif [ "$MACGUARD_DEV" != "yes" ] && [ "$DEV" != "" ]; then
      if [ "$MACGUARD_DEV_NO" == "" ]; then
        MACGUARD_DEV_NO="$DEV"
      else
        MACGUARD_DEV_NO="$MACGUARD_DEV_NO $DEV"
      fi
    fi
    if [ "$MACGUARD_DHCP" == "yes" ] && [ "$DEV" != "" ]; then
      if [ "$MACGUARD_DEV_DHCP" == "" ]; then
        MACGUARD_DEV_DHCP="$DEV"
      else
        MACGUARD_DEV_DHCP="$MACGUARD_DEV_DHCP $DEV"
      fi
    fi
    ((I++))
  done

  # The rest needs the dummy interface and its IP address: the IP names the
  # per-router table file (table-<DUMMY_IP>.csv).
  [ "$DUMMY_IFACE" == "" ] && DUMMY_IFACE="dummy0"
  [ "$DUMMY_IP" == "" ] && DUMMY_IP="`$IP addr show $DUMMY_IFACE | grep inet | grep -v inet6 | awk '{print \$2}' | cut -d \"/\" -f1`"

  # Install the base macguard rules. Run only when:
  # 1. at least one interface runs macguard, and
  # 2. this is not a data-only "update" run.
  if [ "$MACGUARD_DEV_YES" != "" ] && [ "$1" != "update" ]; then
    echo -n "Starting macguard on:"
    # By default drop all traffic forwarded through the router.
    $IPTABLES -P FORWARD DROP

    # Create the macguard chains.
    $IPTABLES -N eth_accept
    $IPTABLES -t nat -N valid_mac_pre
    $IPTABLES -N valid_mac_fwd

    # If ACCOUNT is in use, re-install it together with the base rules.
    [ "$ACCOUNT" == "yes" ] && account_start

    # Generate the base rules for each guarded interface.
    for DEV in $MACGUARD_DEV_YES; do
      # Basic protection against a misspelled or inactive interface.
      $IP addr show $DEV 1>/dev/null 2>/dev/null
      [ "$?" != "0" ] && continue

      # Announce the interface being processed.
      echo -n " $DEV"

      # Obtain the interface IPv4 address (the "grep -v :" presumably skips
      # alias labels such as eth0:1) and split it into octets.
      # NOTE(review): a bare "ip" is used here while the check above uses $IP;
      # with several IPv4 addresses on the interface DEV_IP holds several
      # lines — verify both on the target system.
      DEV_IP="`ip addr show $DEV | grep -v inet6 | grep inet | grep -v : | awk '{print \$2}' | cut -d \"/\" -f1`"
      DEV_IP1="`echo $DEV_IP | cut -d. -f1`"
      DEV_IP2="`echo $DEV_IP | cut -d. -f2`"
      DEV_IP3="`echo $DEV_IP | cut -d. -f3`"
      DEV_IP4="`echo $DEV_IP | cut -d. -f4`"

      # Prefix length of the interface address.
      NETMASK="`ip addr show $DEV | grep -v inet6 | grep inet | grep -v : | awk '{print \$2}' | cut -d \"/\" -f2`"

      # Build the dotted mask from the prefix length, one octet at a time.
      # "let $((expr > 0))" evaluates the 0/1 result as an arithmetic command,
      # so the first branch runs exactly when the comparison is true.
      if let $(((32-${NETMASK}) > 0)); then
        MASK_IP4=$(((255 << (32-${NETMASK})) & 255))
      else
        MASK_IP4=255
      fi
      if let $(((24-${NETMASK}) > 0)); then
        MASK_IP3=$(((255 << (24-${NETMASK})) & 255))
      else
        MASK_IP3=255
      fi
      if let $(((16-${NETMASK}) > 0)); then
        MASK_IP2=$(((255 << (16-${NETMASK})) & 255))
      else
        MASK_IP2=255
      fi
      if let $(((8-${NETMASK}) > 0)); then
        MASK_IP1=$(((255 << (8-${NETMASK})) & 255))
      else
        MASK_IP1=255
      fi
      MASK="$MASK_IP1.$MASK_IP2.$MASK_IP3.$MASK_IP4"

      # Network address = interface address AND mask.
      NETWORK_IP1="$(($DEV_IP1 & $MASK_IP1))"
      NETWORK_IP2="$(($DEV_IP2 & $MASK_IP2))"
      NETWORK_IP3="$(($DEV_IP3 & $MASK_IP3))"
      NETWORK_IP4="$(($DEV_IP4 & $MASK_IP4))"
      NETWORK="$NETWORK_IP1.$NETWORK_IP2.$NETWORK_IP3.$NETWORK_IP4"

      # Traffic that does not originate from the interface's own range is let
      # through unchecked, so hosts behind a further router are not blocked.
      # The MAC checks therefore cover only the directly attached subnet.
      $IPTABLES -t nat -A PREROUTING -i $DEV ! -s "$NETWORK/$NETMASK" -j ACCEPT
      $IPTABLES -A FORWARD -i $DEV ! -s "$NETWORK/$NETMASK" -j ACCEPT

      # Everything else goes through valid_mac_pre (nat) and eth_accept ->
      # valid_mac_fwd (filter), where the MAC/IP pair is checked.
      $IPTABLES -t nat -A PREROUTING -i $DEV -j valid_mac_pre
      $IPTABLES -A FORWARD -i $DEV -j eth_accept
    done

    # Allow forwarded traffic coming in on interfaces without macguard.
    for DEV in $MACGUARD_DEV_NO; do
      $IPTABLES -A FORWARD -i $DEV -j ACCEPT
    done

    # eth_accept runs the valid_mac_fwd check and otherwise accepts.
    $IPTABLES -A eth_accept -j valid_mac_fwd
    $IPTABLES -A eth_accept -j ACCEPT

    # Allow outgoing traffic on all interfaces.
    for DEV in $MACGUARD_DEV_YES $MACGUARD_DEV_NO; do
      $IPTABLES -A FORWARD -o $DEV -j ACCEPT
    done

    echo ""
  fi

  # Main macguard part. Run only when:
  # 1. some interface runs macguard or a DHCP server, and
  # 2. this is not a plain "update", or the semaphore file exists, or a
  #    forced update was requested, or no CSV table exists yet.
  if ( [ "$MACGUARD_DEV_YES" != "" ] || [ "$MACGUARD_DEV_DHCP" != "" ] ) && ( [ "$1" != "update" ] || [ -e "$MACGUARD_DIR/semafor" ] || [ "$2" == "force" ] || [ ! -e "$MACGUARD_DIR/table-$DUMMY_IP.csv" ] ); then
    # Log the event.
    logger "updating macguard settings"

    # Semaphore: its presence (presumably left by whoever delivered a new
    # table) forces the backup below; it is consumed here.
    [ -e "$MACGUARD_DIR/semafor" ] && MACGUARD_SEMAFOR="on"
    rm -f "$MACGUARD_DIR/semafor"

    # Without a CSV table, or on a forced update, try to download new data.
    if [ ! -e "$MACGUARD_DIR/table-$DUMMY_IP.csv" ] || [ "$2" == "force" ]; then
      # Generate the ssh key pair for user safe if it is missing.
      if [ ! -e "/home/safe/.ssh/id_dsa" ] || [ ! -e "/home/safe/.ssh/id_dsa.pub" ]; then
        ro_test "/home/safe/.ssh/id_dsa"

        # Remove any leftover half of the pair first.
        rm -f "/home/safe/.ssh/id_dsa"* 2>/dev/null

        # Key generation.
        # NOTE(review): OpenSSH 7.0+ disables ssh-dss (DSA) keys by default;
        # confirm the macguard server still accepts them, or switch the type.
        echo -n "Generating ssh keys for user safe..."
        su safe -c "/usr/bin/ssh-keygen -q -P \"\" -t dsa -f /home/safe/.ssh/id_dsa"
        chown safe:safe "/home/safe/.ssh/id_dsa"
        chown safe:safe "/home/safe/.ssh/id_dsa.pub"
        echo "done."
        echo ""
        echo "Nyni musite nahrat verejny klic /home/safe/.ssh/id_dsa.pub na macguard server"
        echo "do souboru /home/safe/.ssh/authorized_keys, pokud nemate pristup kontaktujte"
        echo "spravce serveru. Bez tohoto kroku nebude mozne stahnout aktualni data pro"
        echo "macguarda ze serveru na tento router!!"
        echo ""
        sleep 2
        # Disabled because ssmtp and mail were dropped from the base install.
        #echo -n "Chcete zaslat verejny klic spravci macguard serveru [`tput setaf 2`ano`tput op`/ne] "
        #read x
        #if [ "$x" != "ne" ]; then
        # for now the key was only mailed to the author
        #cat "/home/safe/.ssh/id_dsa.pub" | mail -s "Verejny klic uzivatele safe z routeru `hostname`" thunder.m@czela.net
        #fi
      fi

      # Try to download the table (every table-<DUMMY_IP>.* file).
      # NOTE(review): MACGUARD_SERVER and MACGUARD_DIR are interpolated into
      # the command string run by "su safe -c"; they come from the firewall
      # config and must not contain shell metacharacters.
      echo -n "Downloading new table for macguard..."
      su safe -c "mkdir -p $MACGUARD_DIR" 1>/dev/null 2>/tmp/firewall.err
      su safe -c "scp -B safe@${MACGUARD_SERVER}:/home/safe/macguard-centrala/table-${DUMMY_IP}.* $MACGUARD_DIR" 1>/dev/null 2>/tmp/firewall.err
      if [ "$?" == "0" ]; then
        echo "done."
        logger "downloading new macguard table: done"
        MACGUARD_STATUS="on"
      else
        echo "failed."
        # Show the error message.
        cat "/tmp/firewall.err"
        logger "downloading new macguard table: failed!"
        logger "`cat /tmp/firewall.err`"
        MACGUARD_STATUS="off"
        # If the download failed, fall back to the last saved table.
        if [ -e "/usr/share/macguard/table-${DUMMY_IP}.csv" ] && [ ! -e "$MACGUARD_DIR/table-${DUMMY_IP}.csv" ]; then
          cp -ax "/usr/share/macguard/table-${DUMMY_IP}."* "$MACGUARD_DIR"
        fi
      fi

      # Remove the error file.
      # NOTE(review): /tmp/firewall.err is a fixed name in a shared directory,
      # written as root; a private mktemp file would be the safer choice.
      rm -rf "/tmp/firewall.err"
    fi

    # Back up the downloaded table so that at least partially current data is
    # available right after a restart.
    MACGUARD_UPDATE_BACKUP="no"
    if ( [ "$MACGUARD_STATUS" == "on" ] || [ "$MACGUARD_SEMAFOR" == "on" ] ) && [ -e "$MACGUARD_DIR/table-$DUMMY_IP.csv" ]; then
      if [ -e "/usr/share/macguard/table-${DUMMY_IP}.csv" ]; then
        # Both files exist but differ, so the current one is probably newer.
        if [ "`diff \"$MACGUARD_DIR/table-${DUMMY_IP}.csv\" \"/usr/share/macguard/table-${DUMMY_IP}.csv\"`" != "" ]; then
          MACGUARD_UPDATE_BACKUP="yes"
        fi
      else
        MACGUARD_UPDATE_BACKUP="yes"
      fi
    fi

    # Refresh the backup. This must not happen too often, or it wears out the
    # flash disks.
    if [ "$MACGUARD_UPDATE_BACKUP" == "yes" ]; then
      SKIP_RO="no"
      touch "/usr/share/macguard.testfile" 2>/dev/null
      if [ "$?" != "0" ]; then
        # Unlocking once a week is enough; unless the locked FS is unlocked the
        # new data is simply not written.
        if [ -e "$MACGUARD_DIR/table-${DUMMY_IP}.csv" ] && [ ! -e "/usr/share/macguard/table-${DUMMY_IP}.csv" ]; then
          /usr/local/sbin/rw 1>/dev/null
          RO="yes"
        elif [ -e "$MACGUARD_DIR/table-${DUMMY_IP}.csv" ] && [ -e "/usr/share/macguard/table-${DUMMY_IP}.csv" ]; then
          # Compare the two mtimes (epoch seconds via ls --time-style, column
          # 6); unlock only when the backup is more than 604800 s (7 days)
          # older than the current table.
          if [ "`expr \`ls $MACGUARD_DIR/table-${DUMMY_IP}.csv -l --time-style=+%s | awk '{print \$6}'\` - \`ls /usr/share/macguard/table-${DUMMY_IP}.csv -l --time-style=+%s | awk '{print \$6}'\``" -gt "604800" ]; then
            /usr/local/sbin/rw 1>/dev/null
            RO="yes"
          fi
        else
          SKIP_RO="yes"
        fi
      fi

      rm -f "/usr/share/macguard.testfile" 2>/dev/null

      if [ "$SKIP_RO" != "yes" ]; then
        echo -n "Creating backup of macguard table..."
        mkdir -p "/usr/share/macguard"
        cp -ax "$MACGUARD_DIR/table-${DUMMY_IP}."* "/usr/share/macguard/"
        echo "done."
      fi
    fi

    # If no download happened we do not know whether the macguard server is
    # reachable: probe it with ping. If it is unreachable, all IPs are allowed
    # later (the valid_mac_* chains are left empty, i.e. fail-open).
    # The counters make the loop end after at most three pings.
    if [ "$MACGUARD_STATUS" == "" ]; then
      I_STATUS="0"
      J_STATUS="0"
      while true; do
        ping -q -c 1 $MACGUARD_SERVER >/dev/null 2>/dev/null
        if [ "$?" != "0" ]; then
          ((I_STATUS++))
        else
          ((J_STATUS++))
        fi
        # More than 1 failure and fewer than 2 successes: server unreachable.
        if [ "$I_STATUS" -gt "1" ] && [ "$J_STATUS" -lt "2" ]; then
          MACGUARD_STATUS="off"
          break
        # More than 1 success and fewer than 2 failures: server reachable.
        elif [ "$J_STATUS" -gt "1" ] && [ "$I_STATUS" -lt "2" ]; then
          MACGUARD_STATUS="on"
          break
        fi
      done
    fi

    # Generate the iptables rules from the CSV table. Run only when:
    # 1. some interface runs macguard,
    # 2. the CSV table exists, and
    # 3. the macguard server is reachable or a new table was just loaded.
    if [ "$MACGUARD_DEV_YES" != "" ] && [ -e "$MACGUARD_DIR/table-$DUMMY_IP.csv" ] && [ "$MACGUARD_STATUS" == "on" ]; then
      # Flush all rules in the chains.
      $IPTABLES -t nat -F valid_mac_pre 2>/dev/null
      $IPTABLES -F valid_mac_fwd 2>/dev/null

      # Process the CSV table. Presumably the fields are separated by
      # whitespace-padded ';' (cut -d\; is used on the same file below), so the
      # single-letter variables absorb the separators — verify against the
      # table format. "read" without -r also interprets backslashes.
      while read USER_IP B USER_MAC D USER_NAME F USER_VS H USER_ROUTER K USER_ROUTER_MAC L USER_SUBNET; do
        # Non-transparent devices (e.g. Ovislink wifi units): when the user's
        # router is this router, match the user's own MAC, otherwise the MAC of
        # the router in front of the user.
        if [ "$USER_ROUTER" == "$DUMMY_IP" ]; then
          $IPTABLES -t nat -A valid_mac_pre -s "$USER_IP" -m mac --mac-source "$USER_MAC" -j ACCEPT
          $IPTABLES -A valid_mac_fwd -s "$USER_IP" -m mac --mac-source "$USER_MAC" -j ACCEPT
        else
          $IPTABLES -t nat -A valid_mac_pre -s "$USER_IP" -m mac --mac-source "$USER_ROUTER_MAC" -j ACCEPT
          $IPTABLES -A valid_mac_fwd -s "$USER_IP" -m mac --mac-source "$USER_ROUTER_MAC" -j ACCEPT
        fi
        # Optional subnet the user may use, routed via the user's IP.
        if [ "`echo $USER_SUBNET | grep -F .`" != "" ]; then
          # Open question: how should these routes be removed when macguard or
          # the firewall is stopped?
          $IP route del "$USER_SUBNET" 2>/dev/null
          $IP route add "$USER_SUBNET" via "$USER_IP" 2>/dev/null
        fi
      done < "$MACGUARD_DIR/table-$DUMMY_IP.csv"

      # Load the local override file (/etc/firewall/macguard.conf).
      macguard_load_conf

      # Allow ssh, mail, dns and web to the internal addresses even for IPs
      # without a valid MAC.
      $IPTABLES -A valid_mac_fwd -p tcp -d $INTERNAL_IP --dport 22 -j ACCEPT
      $IPTABLES -A valid_mac_fwd -p tcp -d $INTERNAL_IP --dport 25 -j ACCEPT
      $IPTABLES -A valid_mac_fwd -p udp -d $INTERNAL_IP --dport 25 -j ACCEPT
      $IPTABLES -A valid_mac_fwd -p tcp -d $INTERNAL_IP --dport 53 -j ACCEPT
      $IPTABLES -A valid_mac_fwd -p udp -d $INTERNAL_IP --dport 53 -j ACCEPT
      $IPTABLES -A valid_mac_fwd -p tcp -d $INTERNAL_IP --dport 80:81 -j ACCEPT

      # Redirect any HTTP request to a non-internal IP to the macguard server,
      # port 81, which should serve a page explaining why the user is blocked
      # and how to get the connection working again.
      $IPTABLES -t nat -A valid_mac_pre ! -d $INTERNAL_IP -p tcp --dport 80 -j DNAT --to ${MACGUARD_SERVER}:81

      # Reject everything else (unknown MAC/IP pairs).
      $IPTABLES -A valid_mac_fwd -j REJECT
    else
      # Flush all rules in the chains (nothing is rejected: fail-open).
      $IPTABLES -t nat -F valid_mac_pre 2>/dev/null
      $IPTABLES -F valid_mac_fwd 2>/dev/null
    fi

    # DHCP server generation and start. macguard owns the DHCP server, so
    # /etc/init.d/isc-dhcp-server needs no special changes. Run only when:
    # 1. some interface has a DHCP server configured, and
    # 2. dhcpd is not running, or the CSV table exists, and
    # 3. dhcpd is not running, or a new table was received.
    if [ "$MACGUARD_DEV_DHCP" != "" ] && ( [ "`ps -e | grep dhcpd`" == "" ] || [ -e "$MACGUARD_DIR/table-$DUMMY_IP.csv" ] ) && ( [ "`ps -e | grep dhcpd`" == "" ] || [ "$MACGUARD_STATUS" == "on" ] ); then
      # Stop the DHCP server so it does not overwrite dhcpd.leases while we
      # generate it.
      [ "`ps -e | grep dhcpd`" != "" ] && /etc/init.d/isc-dhcp-server stop
      # -------------------------- dhcpd.conf generation -----------------------------
      # Load the INTERFACES variable.
      [ -e "/etc/default/isc-dhcp-server" ] && . /etc/default/isc-dhcp-server
      # Reset the "regenerate /etc/default/isc-dhcp-server" flag.
      INTERFACES_NEW=""

      # Clean the DHCP files.
      rm -f "$MACGUARD_DIR/dhcpd.conf"
      rm -f "/var/lib/dhcp/dhcpd.leases"*
      touch "/var/lib/dhcp/dhcpd.leases" # isc-dhcp-server requires this file to exist

      # Dates in dhcpd.leases format.
      # NOTE(review): the time part of the format is "%H:%d:%M" — %d is the
      # day of month, so "%H:%M:%S" is presumably intended; verify against the
      # dhcpd.leases syntax.
      DHCP_START_DATE="`date -u \"+%w %Y/%m/%d %H:%d:%M\"`"
      DHCP_END_DATE="`date -u \"+%w %Y/%m/%d %H:%d:%M\" -d \"+2 year\"`"

      # dhcpd.conf header.
      echo "# Created by firewall script for macguard" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "authoritative;" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "log-facility local7;" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "default-lease-time 43200; # 12 hours" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "max-lease-time 2678400; # 31 days" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "option domain-name \"$DOMAIN\";" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "option domain-name-servers $DNS_PRIMARY, $DNS_SECONDARY;" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "option netbios-name-servers $NETBIOS;" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "option T150 code 150 = string;" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "use-host-decl-names on;" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "allow booting;" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "allow bootp;" >> "$MACGUARD_DIR/dhcpd.conf"
      echo "" >> "$MACGUARD_DIR/dhcpd.conf"

      # Generate a subnet block for each DHCP interface.
      for DEV in $MACGUARD_DEV_DHCP; do
        # Basic protection against a misspelled or inactive interface.
        $IP addr show $DEV 1>/dev/null 2>/dev/null
        [ "$?" != "0" ] && continue

        # If the interface is missing from /etc/default/isc-dhcp-server, a new
        # file containing it must be generated.
        [ "`echo $INTERFACES | tr \" \" \"\n\" | grep -x \"$DEV\"`" != "$DEV" ] && INTERFACES_NEW="yes"

        # Collect all devices in the format used by /etc/default/isc-dhcp-server.
        if [ "$INTERFACES_INTERNAL" != "" ]; then
          INTERFACES_INTERNAL="$INTERFACES_INTERNAL $DEV"
        else
          INTERFACES_INTERNAL="$DEV"
        fi

        # Obtain the interface IPv4 address and split it into octets (same
        # pipeline and caveats as in the base-rule section above).
        DEV_IP="`ip addr show $DEV | grep -v inet6 | grep inet | grep -v : | awk '{print \$2}' | cut -d \"/\" -f1`"
        DEV_IP1="`echo $DEV_IP | cut -d. -f1`"
        DEV_IP2="`echo $DEV_IP | cut -d. -f2`"
        DEV_IP3="`echo $DEV_IP | cut -d. -f3`"
        DEV_IP4="`echo $DEV_IP | cut -d. -f4`"

        # Prefix length.
        NETMASK="`ip addr show $DEV | grep -v inet6 | grep inet | grep -v : | awk '{print \$2}' | cut -d \"/\" -f2`"

        # Build the dotted mask from the prefix length (see above).
        if let $(((32-${NETMASK}) > 0)); then
          MASK_IP4=$(((255 << (32-${NETMASK})) & 255))
        else
          MASK_IP4=255
        fi
        if let $(((24-${NETMASK}) > 0)); then
          MASK_IP3=$(((255 << (24-${NETMASK})) & 255))
        else
          MASK_IP3=255
        fi
        if let $(((16-${NETMASK}) > 0)); then
          MASK_IP2=$(((255 << (16-${NETMASK})) & 255))
        else
          MASK_IP2=255
        fi
        if let $(((8-${NETMASK}) > 0)); then
          MASK_IP1=$(((255 << (8-${NETMASK})) & 255))
        else
          MASK_IP1=255
        fi
        MASK="$MASK_IP1.$MASK_IP2.$MASK_IP3.$MASK_IP4"

        # Network address.
        NETWORK_IP1="$(($DEV_IP1 & $MASK_IP1))"
        NETWORK_IP2="$(($DEV_IP2 & $MASK_IP2))"
        NETWORK_IP3="$(($DEV_IP3 & $MASK_IP3))"
        NETWORK_IP4="$(($DEV_IP4 & $MASK_IP4))"
        NETWORK="$NETWORK_IP1.$NETWORK_IP2.$NETWORK_IP3.$NETWORK_IP4"

        # Broadcast address = network octet + host bits of that octet.
        BROADCAST_IP1="$((($DEV_IP1 & $MASK_IP1) + (255 - $MASK_IP1)))"
        BROADCAST_IP2="$((($DEV_IP2 & $MASK_IP2) + (255 - $MASK_IP2)))"
        BROADCAST_IP3="$((($DEV_IP3 & $MASK_IP3) + (255 - $MASK_IP3)))"
        BROADCAST_IP4="$((($DEV_IP4 & $MASK_IP4) + (255 - $MASK_IP4)))"
        BROADCAST="$BROADCAST_IP1.$BROADCAST_IP2.$BROADCAST_IP3.$BROADCAST_IP4"

        # Write the subnet block.
        echo "subnet $NETWORK netmask $MASK {" >> "$MACGUARD_DIR/dhcpd.conf"

        # The smallest subnet a dynamic-bootp range can be built for has mask
        # 255.255.255.252.
        if [ "$MASK_IP4" -le "252" ]; then
          # The gateway is expected to hold the first usable address of the
          # network! Find the highest last octet already assigned in the table
          # (within network..broadcast) and start the dynamic range above it.
          # NOTE(review): without a table HIGHEST_IP4 stays 0, so the range
          # then starts at the network address — verify this is intended.
          HIGHEST_IP4=0
          if [ -e "$MACGUARD_DIR/table-$DUMMY_IP.csv" ]; then
            HIGHEST_IP4=`grep $NETWORK_IP1\.$NETWORK_IP2\.$NETWORK_IP3\. "$MACGUARD_DIR/table-$DUMMY_IP.csv" | cut -d\; -f1 | cut -d\. -f4| sort -g | awk -v BIP4=$BROADCAST_IP4 '$1<BIP4' | awk -v NIP4=$NETWORK_IP4 '$1>NIP4' | tail -1`

            if [ -z "$HIGHEST_IP4" ]; then
              HIGHEST_IP4=$(($NETWORK_IP4 + 2))
            else
              HIGHEST_IP4=$(($HIGHEST_IP4 + 1))
            fi
          fi

          # No room left for a dynamic range: fall back to network+2.
          if [ $HIGHEST_IP4 -ge $(($BROADCAST_IP4 - 1)) ]; then
            echo "DHCP pro $DEV nema volny dynamicky rozsah"
            HIGHEST_IP4=$(($NETWORK_IP4 + 2))
          fi

          echo " range dynamic-bootp $NETWORK_IP1.$NETWORK_IP2.$NETWORK_IP3.$HIGHEST_IP4 $BROADCAST_IP1.$BROADCAST_IP2.$BROADCAST_IP3.$(($BROADCAST_IP4 - 1));" >> "$MACGUARD_DIR/dhcpd.conf"
        fi

        # The interface address is the default gateway.
        echo " option routers $DEV_IP;" >> "$MACGUARD_DIR/dhcpd.conf"

        # Example of PXE network boot via pxelinux, only for the "nadrazi"
        # (railway station) node and its Ethernet range.
        if [ "$DEV_IP" == "10.93.49.193" ]; then
          echo " server-name \"10.93.49.250\";" >> "$MACGUARD_DIR/dhcpd.conf"
          echo " next-server 10.93.49.250;" >> "$MACGUARD_DIR/dhcpd.conf"
          echo " filename \"/tftpboot/pxelinux/pxelinux.0\";" >> "$MACGUARD_DIR/dhcpd.conf"
        fi

        echo "" >> "$MACGUARD_DIR/dhcpd.conf"

        # If the CSV file exists, read it for the host entries.
        if [ -e "$MACGUARD_DIR/table-$DUMMY_IP.csv" ]; then
          # The file is re-read once per interface, which is not very efficient.
          while read USER_IP A USER_MAC B USER_NAME C; do
            # Split USER_IP into octets: IFS is temporarily extended with ';'
            # and '.', then reset to the default " \t\n".
            IFS=$';. \t\n'
            USER_IP_POM=( $USER_IP )
            IFS=$' \t\n'
            USER_IP1=${USER_IP_POM[0]}
            USER_IP2=${USER_IP_POM[1]}
            USER_IP3=${USER_IP_POM[2]}
            USER_IP4=${USER_IP_POM[3]}
            # Emit the host only when each octet either equals the interface's
            # or lies strictly between network and broadcast, and the address
            # is not the interface's own. NOTE(review): the octets are
            # unquoted, so an empty or malformed line yields a test error
            # rather than a skip.
            if ( [ $USER_IP1 == $DEV_IP1 ] || ( [ $USER_IP1 -gt $NETWORK_IP1 ] && [ $USER_IP1 -lt $BROADCAST_IP1 ] ) ) && \
               ( [ $USER_IP2 == $DEV_IP2 ] || ( [ $USER_IP2 -gt $NETWORK_IP2 ] && [ $USER_IP2 -lt $BROADCAST_IP2 ] ) ) && \
               ( [ $USER_IP3 == $DEV_IP3 ] || ( [ $USER_IP3 -gt $NETWORK_IP3 ] && [ $USER_IP3 -lt $BROADCAST_IP3 ] ) ) && \
               ( [ $USER_IP4 == $DEV_IP4 ] || ( [ $USER_IP4 -gt $NETWORK_IP4 ] && [ $USER_IP4 -lt $BROADCAST_IP4 ] ) ) && \
               ( [ "$DEV_IP" != "$USER_IP" ] ); then
              # Since isc-dhcp-server 3.1.1 host declarations are global, so
              # they need not sit inside the interface's subnet. Duplicate MAC
              # addresses also need handling; today netadmin takes care of that
              # and should not let users register the same MAC twice, but this
              # may change in the future!
              echo " host $USER_NAME { hardware ethernet $USER_MAC; fixed-address $USER_IP; }" >> "$MACGUARD_DIR/dhcpd.conf"
              # isc-dhcp-server 3.1.1+ also has a big flaw: fixed addresses of
              # declared hosts that fall inside a range are still offered to
              # others. Three possible fixes:
              # 1. consolidate and sort the IPs so they do not overlap the range
              # 2. use the older isc-dhcp-server 3.0.4, which behaves correctly
              # 3. also generate dhcpd.leases with very long lease times
              # (option 3 is what the lines below do)
              echo "lease $USER_IP {" >> "/var/lib/dhcp/dhcpd.leases"
              echo " starts $DHCP_START_DATE;" >> "/var/lib/dhcp/dhcpd.leases"
              echo " ends $DHCP_END_DATE;" >> "/var/lib/dhcp/dhcpd.leases"
              echo " tstp $DHCP_END_DATE;" >> "/var/lib/dhcp/dhcpd.leases"
              echo " binding state active;" >> "/var/lib/dhcp/dhcpd.leases"
              echo " hardware ethernet $USER_MAC;" >> "/var/lib/dhcp/dhcpd.leases"
              echo "}" >> "/var/lib/dhcp/dhcpd.leases"
            fi
          done < "$MACGUARD_DIR/table-$DUMMY_IP.csv"
        fi
        echo "}" >> "$MACGUARD_DIR/dhcpd.conf"
        echo "" >> "$MACGUARD_DIR/dhcpd.conf"
      done
      # ----------------------- end of dhcpd.conf generation ---------------------------

      # INTERFACES in /etc/default/isc-dhcp-server changed: regenerate it,
      # keeping the original as .no_macguard.
      if [ "$INTERFACES_NEW" == "yes" ]; then
        ro_test "/etc/default/isc-dhcp-server"
        if [ ! -e "/etc/default/isc-dhcp-server.no_macguard" ] && [ -e "/etc/default/isc-dhcp-server" ]; then
          mv "/etc/default/isc-dhcp-server" "/etc/default/isc-dhcp-server.no_macguard"
        fi
        echo "# Created by firewall script for macguard" > /etc/default/isc-dhcp-server
        echo "INTERFACES=\"$INTERFACES_INTERNAL\"" >> /etc/default/isc-dhcp-server
      fi

      # The dhcpd.conf symlink does not point at the file macguard writes.
      if [ "`readlink /etc/dhcp/dhcpd.conf`" != "$MACGUARD_DIR/dhcpd.conf" ]; then
        ro_test "/etc/dhcp/dhcpd.conf.old"
        if [ -e "/etc/dhcp/dhcpd.conf" ]; then
          mv "/etc/dhcp/dhcpd.conf" "/etc/dhcp/dhcpd.conf.old"
        fi
        ln -s "$MACGUARD_DIR/dhcpd.conf" "/etc/dhcp/dhcpd.conf"
      fi

      # isc-dhcp-server is not started at boot: add the rc symlinks.
      if [ "`find /etc/rc* -name \"*isc-dhcp-server\"`" == "" ]; then
        ro_test "/etc/rc.test"
        # In the newer Debian version isc-dhcp-server is no longer in rc0.d and rc6.d!
        ln -s "../init.d/isc-dhcp-server" "/etc/rc1.d/K40isc-dhcp-server"
        ln -s "../init.d/isc-dhcp-server" "/etc/rc2.d/S40isc-dhcp-server"
        ln -s "../init.d/isc-dhcp-server" "/etc/rc3.d/S40isc-dhcp-server"
        ln -s "../init.d/isc-dhcp-server" "/etc/rc4.d/S40isc-dhcp-server"
        ln -s "../init.d/isc-dhcp-server" "/etc/rc5.d/S40isc-dhcp-server"
      fi

      # No DHCP configuration for running without macguard exists yet: keep a
      # copy of the generated one.
      if [ ! -e "/etc/dhcp/dhcpd.conf.no_macguard" ] && [ -e "$MACGUARD_DIR/dhcpd.conf" ]; then
        ro_test "/etc/dhcp/dhcpd.conf.no_macguard"
        cp "$MACGUARD_DIR/dhcpd.conf" "/etc/dhcp/dhcpd.conf.no_macguard"
      fi

      # Start the DHCP server again. It should not be started from rc.S when
      # it will be started later from rc.2 anyway, but runlevel detection is
      # complicated.
      /etc/init.d/isc-dhcp-server start
    fi

    # If the cron job for automatic macguard updates does not exist, create it.
    if [ ! -e "/etc/cron.d/macguard" ]; then
      ro_test "/etc/cron.d/macguard"
      echo "# Created by firewall script for macguard" > /etc/cron.d/macguard
      echo "*/10 * * * * root /etc/init.d/firewall macguard_update" >> /etc/cron.d/macguard
    fi
  fi

  # If the disk was unlocked for writing, lock it again.
  ro_exit
}