3 * how this might work..
5 * a) login - if it's a new IP not seen that day
6 * --> touch /tmp/run_pman_admin_iptables
8 * cron every minute... ?? << could do some kind of IPC?!?
10 * if file exists -> run this code.
12 * This code finds all the IPs used in the last 24 hours.
13 * and opens the firewall for them.
19 require_once 'Pman.php';
21 class Pman_Admin_Iptables extends Pman {
23 static $cli_desc = "Read ip addresses that have been used to log in, and add them to the iptables list..";
29 if (!$this->bootLoader->cli) {
35 // find IPs that have been used to log in.
36 // dump them to the iptables file.
37 // if it's different - apply it...
38 //DB_DataObject::debugLevel(1);
39 // need to get a list of users who have Admin.Iptables rights..
40 /*$gr = DB_DataObject::factory('group_rights');
41 $grps = $gr->groupsWithRights('Admin.Iptables', 'S');
43 $gr = DB_DataObject::factory('groups');
44 $gr->get('name', 'Administrators');
47 $gm = DB_DataObject::factory('group_members');
48 $gm->whereAddIn('group_id', $grps, 'int');
50 $gm->selectAdd('distinct(user_id) as user_id');
51 $peps = $gm->fetchAll('user_id');
57 $p = DB_DataObject::Factory('Person');
59 $p->whereAdd("join_company_id_id.comptype = 'OWNER'");
61 $p->selectAdd("{$p->tableName()}.id as id");
63 $peps = $p->fetchAll('id');
66 $e = DB_DataObject::factory('Events');
69 $e->selectAdd('distinct(ipaddr) as ipaddr');
70 $e->person_table = DB_DataObject::factory('person')->tableName();
71 $e->whereAddIn('person_id', $peps, 'int');
72 switch( $e->getDatabaseConnection()->phptype) {
74 $e->whereAdd("event_when > NOW() - INTERVAL 1 DAY");
77 $e->whereAdd("event_when > NOW() - INTERVAL '1 DAY'");
80 $ips = $e->fetchAll('ipaddr');
82 //inet addr:202.67.151.28 Bcast:202.67.151.255 Mask:255.255.255.0
86 $if = `/sbin/ifconfig`;
88 foreach(explode("\n", $if) as $l) {
90 if (!preg_match('/inet addr/', $l)) {
94 preg_match('/\s*inet addr:([0-9.]+)\s+/', $l, $match);
99 $fn = tempnam(ini_get('session.save-path'), 'firewallconf');
100 file_put_contents($fn, $this->output());
101 echo file_get_contents($fn);
102 //`/sbin/iptables-restore < $fn`;
111 // the postgres chain that the rules below flush and refill should have been created already
112 // in the base firewall code. NOTE(review): each $ip is read straight from the events table, so validate it as an IP literal before it is interpolated into the command; the ACCEPT line also has a stray "}" after $iptables.
115 //-A INPUT -p udp -m udp --dport 5432 -j postgres
116 //-A INPUT -p tcp -m tcp --dport 5432 -j postgres
117 require_once 'System.php';
119 $iptables = System::which('iptables');
120 $this->exec("$iptables -F postgres");
122 foreach($this->ips as $ip) {
123 $this->exec("$iptables} -A postgres -s {$ip}/32 -j ACCEPT");
125 $this->exec($iptables. ' -A postgres -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4');
126 $this->exec("$iptables -A postgres -j DROP");
130 function exec($cmd) {