3 * how this might work..
5 * a) login - if it's a new IP not seen that day
6 * --> touch /tmp/run_pman_admin_iptables
8 * cron every minute... ?? << could do some kind of IPC?!?
10 * if file exists -> run this code.
12 * This code finds all the IPs used in the last 24 hours.
13 * and opens the firewall for them.
25 require_once 'Pman.php';
27 class Pman_Admin_Iptables extends Pman {
29 static $cli_desc = "Read ip addresses that have been used to log in, and add them to the iptables list..";
35 if (!$this->bootLoader->cli) {
/**
 * Path of the trigger file whose presence (checked in get()) means the
 * firewall sync should run; per the header comment the login path creates it.
 *
 * The name is suffixed with the Events database name so that several
 * deployments sharing one host get separate trigger files.
 *
 * @return string absolute path under /tmp
 */
40 function monitorFile()
42 $ev = DB_DataObject::Factory('Events');
43 $db = $ev->database();
// NOTE(review): /tmp is writable by every local user, so the trigger file only
// decides *when* the sync runs; the set of IPs opened still comes from the
// database query in get(). Confirm nothing treats the file's existence as
// trusted input.
45 return '/tmp/run_pman_admin_iptables-'.$db;
/**
 * CLI entry point.
 *
 * When the trigger file from monitorFile() exists, collect the distinct IP
 * addresses from Events of the last day for Person rows whose company has
 * comptype 'OWNER', parse this host's own interface addresses out of ifconfig
 * (how those are merged into the list is on lines not shown here), and hand
 * the result to updateTables().
 *
 * @param string $opt not used on the lines shown
 */
48 function get($opt = '')
53 $mf = $this->monitorFile();
55 $fe = file_exists($mf);
65 // find IP's that have been used to log in.
66 // dump them to the iptables file.
67 // if it's different - apply it...
68 //DB_DataObject::debugLevel(1);
69 // need to get a list of users who have Admin.Iptables rights..
// Earlier approach (commented out): derive the user set from group rights.
70 /*$gr = DB_DataObject::factory('group_rights');
71 $grps = $gr->groupsWithRights('Admin.Iptables', 'S');
73 $gr = DB_DataObject::factory('groups');
74 $gr->get('name', 'Administrators');
77 $gm = DB_DataObject::factory('group_members');
78 $gm->whereAddIn('group_id', $grps, 'int');
80 $gm->selectAdd('distinct(user_id) as user_id');
81 $peps = $gm->fetchAll('user_id');
// Current approach: every Person whose company is an OWNER company.
87 $p = DB_DataObject::Factory('Person');
89 $p->whereAdd("join_company_id_id.comptype = 'OWNER'");
91 $p->selectAdd("{$p->tableName()}.id as id");
93 $peps = $p->fetchAll('id');
// Distinct source addresses those people logged in from in the last day.
96 $e = DB_DataObject::factory('Events');
99 $e->selectAdd('distinct(ipaddr) as ipaddr');
100 $e->person_table = DB_DataObject::factory('person')->tableName();
101 $e->whereAddIn('person_id', $peps, 'int');
// MySQL and PostgreSQL spell the one-day interval differently.
102 switch( $e->getDatabaseConnection()->phptype) {
104 $e->whereAdd("event_when > NOW() - INTERVAL 1 DAY");
107 $e->whereAdd("event_when > NOW() - INTERVAL '1 DAY'");
110 $ips = $e->fetchAll('ipaddr');
// NOTE(review): the regex below matches only the legacy net-tools output
// format ("inet addr:"); newer ifconfig builds print "inet X.X.X.X" and
// would produce no matches here — confirm on the target hosts.
112 //inet addr:202.67.151.28 Bcast:202.67.151.255 Mask:255.255.255.0
113 $ifconfig = System::which('ifconfig');
116 $this->jerr("ifconfig could not be found.");
121 foreach(explode("\n", $if) as $l) {
123 if (!preg_match('/inet addr/', $l)) {
127 preg_match('/\s*inet addr:([0-9.]+)\s+/', $l, $match);
// NOTE(review): the ini directive is session.save_path (underscore). With the
// hyphen ini_get() returns false, so this path becomes
// "/pman_admin_iptables.cache" at the filesystem root. Its use is on lines
// not shown here.
132 $cache = ini_get('session.save-path') . '/pman_admin_iptables.cache';
134 $this->updateTables();
/**
 * Reconcile the 'postgres' iptables chain with $this->ips (ip => expiry).
 *
 * Reads the chain with `iptables -L postgres -v -n --line-numbers`, splits each
 * row into the columns named by the header line (the 11th column collects the
 * trailing comment text), decodes the JSON comment to find each rule's expiry,
 * then replaces or inserts an ACCEPT rule for every IP in $this->ips and deletes
 * the expired ones. Finally the rate-limited LOG rule and the DROP rule are
 * appended again. The chain itself is expected to exist already (createBase()).
 *
 * Side effects: runs iptables through $this->exec(); jerr() when iptables is
 * not on the PATH.
 */
140 function updateTables()
143 require_once 'System.php';
145 $iptables = System::which('iptables');
148 $this->jerr("iptables could not be found.");
150 // this should have been set up already..
151 // in the base firewall code.
154 // -A INPUT -p udp -m udp --dport 5432 -j postgres
155 // -A INPUT -p tcp -m tcp --dport 5432 -j postgres
158 // /sbin/iptables -L postgres -v -n --line-numbers
160 $res = $this->exec("{$iptables} -L postgres -v -n --line-numbers");
165 foreach(explode("\n", $res) as $i => $line) {
// The header row names the columns; anything past the 10th column is
// treated as one free-form "comments" column.
167 $head = preg_split('/\s+/', $line);
168 $head[10] = 'comments';
174 $ar = preg_split('/\s+/', $line);
175 if (count($ar) < 3) {
178 $ar[10] = implode(' ',array_slice($ar, 10));
180 foreach($head as $k=>$v) {
// NOTE(review): with `-L postgres` the target column holds the rule's jump
// target (ACCEPT/LOG/DROP), so confirm this filter selects the intended rows.
185 if ($row['target'] != 'INPUT') {
188 // got input rules now..
// NOTE(review): the header names the comment column 'comments' (above) but
// this reads 'comment'. If $row is keyed by the header values, this branch
// never runs, no expiry is decoded and $remove stays empty — so expired
// ACCEPT rules would never be deleted. Confirm against the lines not shown.
189 if (!empty($row['comment'])) {
190 foreach((array)json_decode($row['comment']) as $k=>$v) {
194 if (!empty($row['expires'])) {
195 if (strtotime($row['expires']) < time()) {
196 $remove[ $row['source'] ] = $row;
199 $old[ $row['source'] ] = $row;
// NOTE(review): $cur is presumably the per-source map built as $old above
// (assigned on a line not shown); $old is reused here as the single current
// rule. If no rule exists it is false and the next line would index a bool —
// presumably guarded on the omitted line 209; confirm.
207 foreach($this->ips as $ip=>$expires) {
208 $old = isset($cur[$ip]) ? $cur[$ip] : false;
210 if (strtotime($expires) <= strtotime($old['expires'])) {
211 // expires time is the same..
212 //?? make sure it's not flagged for removal..
// NOTE(review): $ip (presumably the Events.ipaddr values collected in get())
// and the rule numbers are interpolated unquoted into a root shell command;
// only the JSON comment goes through escapeshellarg(). Validate $ip with
// filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) and cast rule numbers
// to int before building the command — an IPv6 or malformed value would
// otherwise yield a broken rule. Also, --comment belongs to the comment match
// module and normally needs `-m comment` before it; confirm with the iptables
// version in use.
219 $this->exec("{$iptables} -R postgres {$old['num']} -s {$ip}/32 -j ACCEPT --comment ".
220 escapeshellarg(json_encode(array('expires'=>$expires)))) ;
222 if (isset($remove[$ip])) {
228 $this->exec("{$iptables} -I postgres {$lastrulenum} -s {$ip}/32 -j ACCEPT --comment ".
229 escapeshellarg(json_encode(array('expires'=>$expires))));
234 // remove rules that need deleting..
// NOTE(review): iptables deletes a rule with -D; lowercase -d is --destination,
// so this command does not remove anything and expired ACCEPT rules persist.
// Intended: "{$iptables} -D postgres {$r['num']}".
235 foreach($remove as $ip => $r) {
236 $this->exec("{$iptables} -d postgres {$r['num']} ");
// NOTE(review): these two rules are appended on every run; unless an earlier
// line not shown removes the previous pair, the chain accumulates duplicate
// LOG/DROP rules (and new ACCEPT rules inserted at $lastrulenum must stay
// ahead of the first DROP).
241 $this->exec($iptables. ' -A postgres -m limit --limit 2/min -j LOG '.
242 '--log-prefix "IPTables-Dropped: " --log-level 4');
243 $this->exec("$iptables -A postgres -j DROP");
249 function createBase()
252 $iptables = System::which('iptables');
254 $this->jerr("iptables could not be found.");
259 $this->exec("{$iptables} -F postgres"); // flush old
260 $this->exec("{$iptables} -N postgres"); // create new..
262 $this->exec($iptables. ' -A postgres -m limit --limit 2/min -j LOG '.
263 '--log-prefix "IPTables-Dropped: " --log-level 4');
264 $this->exec("$iptables -A postgres -j DROP");