3 * how this might work..
5 * a) login - if it's a new IP not seen that day
6 * --> touch /tmp/run_pman_admin_iptables
8 * cron every minute... ?? << could do some kind of IPC?!?
10 * if file exists -> run this code.
12 * This code finds all the IPs used in the last 24 hours.
13 * and opens the firewall for them.
25 require_once 'Pman.php';
27 class Pman_Admin_Iptables extends Pman {
29 static $cli_desc = "Read ip addresses that have been used to log in, and add them to the iptables list..";
35 if (!$this->bootLoader->cli) {
/**
 * Path of the trigger file whose existence tells get() to do a run.
 * The database name is appended, presumably so several installs sharing
 * one host do not trip each other's trigger - verify.
 *
 * NOTE(review): the path is predictable and lives in the shared /tmp, and
 * get() only checks file_exists() on it, so any local account able to
 * create that file can trigger a firewall rebuild - confirm that is acceptable.
 *
 * @return string
 */
40 function monitorFile()
42 $ev = DB_DataObject::Factory('Events');
// database() presumably yields the DSN's database name; it is used verbatim
// as a path component, so confirm it can only contain safe characters.
43 $db = $ev->database();
45 return '/tmp/run_pman_admin_iptables-'.$db;
/**
 * CLI entry point. Collects the IP addresses that OWNER-company users have
 * logged in from in the last day, parses the host's own interface addresses
 * from ifconfig, and syncs the result into the iptables 'postgres' chain as
 * per-IP ACCEPT rules followed by a rate-limited LOG and a DROP.
 * Runs when the trigger file from monitorFile() exists (see header comment).
 *
 * Several lines of this method are not in the listing (the trigger-file
 * branch, the switch cases, how $this->ips, $cur, $remove and $lastrulenum
 * are built); comments below that depend on them are marked as assumptions.
 *
 * @param string $opt  not used in the visible lines
 */
48 function get($opt = '')
// Trigger file: only its existence is checked here; what happens when it is
// absent is in lines not shown.
53 $mf = $this->monitorFile();
55 $fe = file_exists($mf);
65 // find IPs that have been used to log in.
66 // dump them to the iptables file.
67 // if it's different - apply it...
68 //DB_DataObject::debugLevel(1);
69 // need to get a list of users who have Admin.Iptables rights..
// Old group-rights based selection, kept commented out; superseded by the
// OWNER-company lookup further down.
70 /*$gr = DB_DataObject::factory('group_rights');
71 $grps = $gr->groupsWithRights('Admin.Iptables', 'S');
73 $gr = DB_DataObject::factory('groups');
74 $gr->get('name', 'Administrators');
77 $gm = DB_DataObject::factory('group_members');
78 $gm->whereAddIn('group_id', $grps, 'int');
80 $gm->selectAdd('distinct(user_id) as user_id');
81 $peps = $gm->fetchAll('user_id');
// Candidate users = everyone whose company is the OWNER company.
87 $p = DB_DataObject::Factory('Person');
89 $p->whereAdd("join_company_id_id.comptype = 'OWNER'");
91 $p->selectAdd("{$p->tableName()}.id as id");
93 $peps = $p->fetchAll('id');
// Distinct source addresses those users produced in the last day.
96 $e = DB_DataObject::factory('Events');
99 $e->selectAdd('distinct(ipaddr) as ipaddr');
// person_table is presumably consumed by the Events DataObject's join
// logic - verify against that class.
100 $e->person_table = DB_DataObject::factory('person')->tableName();
101 $e->whereAddIn('person_id', $peps, 'int');
// Per-driver "last 24 hours" predicate; the case labels are not in the
// listing (the two INTERVAL spellings look like mysql vs. pgsql).
102 switch( $e->getDatabaseConnection()->phptype) {
104 $e->whereAdd("event_when > NOW() - INTERVAL 1 DAY");
107 $e->whereAdd("event_when > NOW() - INTERVAL '1 DAY'");
110 $ips = $e->fetchAll('ipaddr');
// Local interface addresses, scraped from legacy net-tools output, e.g.:
112 //inet addr:202.67.151.28 Bcast:202.67.151.255 Mask:255.255.255.0
// NOTE(review): newer net-tools print "inet 10.0.0.1  netmask ..." (no
// "addr:"), which the regex below does not match - confirm on the target
// host. What the matched addresses feed into is in lines not shown.
116 $if = `/sbin/ifconfig`;
118 foreach(explode("\n", $if) as $l) {
120 if (!preg_match('/inet addr/', $l)) {
124 preg_match('/\s*inet addr:([0-9.]+)\s+/', $l, $match);
// NOTE(review): the ini key is 'session.save_path' (underscore);
// 'session.save-path' is not a PHP setting, so ini_get() returns false here,
// the cache path collapses to '/pman_admin_iptables.cache' and tempnam() on
// the next line falls back to the system temp directory. Fix both lines.
129 $cache = ini_get('session.save-path') . '/pman_admin_iptables.cache';
134 $fn = tempnam(ini_get('session.save-path'), 'firewallconf');
// The generated ruleset is written to a temp file and echoed for inspection;
// the iptables-restore apply stays commented out, so rules are applied by
// the individual exec() calls further down. The temp file is not unlinked
// in the visible lines.
135 file_put_contents($fn, $this->output());
136 echo file_get_contents($fn);
137 //`/sbin/iptables-restore < $fn`;
145 require_once 'System.php';
// which() presumably returns the binary path or false; the false check that
// leads to jerr() below is in lines not shown.
147 $iptables = System::which('iptables');
148 // this should have been set up already..
149 // in the base firewall code.
152 // -A INPUT -p udp -m udp --dport 5432 -j postgres
153 // -A INPUT -p tcp -m tcp --dport 5432 -j postgres
156 // /sbin/iptables -L postgres -v -n --line-numbers
// jerr() presumably reports the error and stops; its body is not in the listing.
165 $this->jerr("iptables could not be found.");
// NOTE(review): if these two run unconditionally, the chain is empty by the
// time the numbered -R / -D calls below use indices taken from $cur, and -N
// fails when the chain already exists. Confirm they are guarded (e.g. only
// when the chain does not exist yet) and that exec() tolerates a non-zero
// exit; exec() is cut off at the end of this listing.
167 $this->exec("{$iptables} -F postgres"); // flush old
168 $this->exec("{$iptables} -N postgres"); // create new..
// $this->ips maps ip => expiry string and $cur maps ip => ['num' => rule
// index, 'expires' => ...]; both are built in lines not shown (presumably
// from $ips above and from the --line-numbers listing).
170 foreach($this->ips as $ip=>$expires) {
171 $old = isset($cur[$ip]) ? $cur[$ip] : false;
// NOTE(review): when there is no existing rule $old is false, so
// $old['expires'] is null and strtotime(null) is false (deprecated since
// PHP 8.1); the comparison then relies on int-vs-bool coercion. Test
// $old === false explicitly before comparing expiries.
173 if (strtotime($expires) <= strtotime($old['expires'])) {
174 // expires time is the same..
175 //?? make sure it's not flagged for removal..
// Presumably the else branch of the expiry check (lines 176-181 not shown):
// an existing rule with a newer expiry is replaced in place.
// NOTE(review): (1) iptables only accepts --comment after "-m comment";
// without it the call fails with an unknown-option error. (2) $ip is
// interpolated into the shell command unescaped - it originates from the
// Events.ipaddr column and from ifconfig output, so validate it with
// filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) (the /32 mask
// assumes IPv4 anyway) and wrap it in escapeshellarg() like $expires is.
// (3) As listed, this statement closes fewer parentheses than it opens -
// the listing may be truncated; make sure the file parses. Points (1) and
// (2) apply equally to the -I call below.
182 $this->exec("{$iptables} -R postgres {$old['num']} -s {$ip}/32 -j ACCEPT --comment ".
183 escapeshellarg(json_encode(array('expires'=>$expires));
// An address that is still in use is presumably taken off the removal list
// here; the unset is in lines not shown.
185 if (isset($remove[$ip])) {
// New address: insert before the LOG/DROP tail at $lastrulenum (computed
// and maintained in lines not shown).
191 $this->exec("{$iptables} -I postgres {$lastrulenum} -s {$ip}/32 -j ACCEPT --comment ".
192 escapeshellarg(json_encode(array('expires'=>$expires))
197 // remove rules that need deleting..
// NOTE(review): lowercase -d is the destination-address option; deleting a
// rule by number is -D. Also, each numbered delete renumbers every rule
// after it, so $remove must be processed in descending 'num' order.
198 foreach($remove as $ip => $r) {
199 $this->exec("{$iptables} -d postgres {$r['num']} ");
// Tail of the chain: rate-limited LOG of whatever was not accepted, then DROP.
204 $this->exec($iptables. ' -A postgres -m limit --limit 2/min -j LOG '.
205 '--log-prefix "IPTables-Dropped: " --log-level 4');
206 $this->exec("$iptables -A postgres -j DROP");
/**
 * (Re)create the 'postgres' chain with only its LOG + DROP tail - the same
 * bootstrap sequence get() performs before adding per-IP ACCEPT rules.
 *
 * NOTE(review): this duplicates the flush / create / LOG / DROP sequence in
 * get(); consider having get() call createBase() so the two cannot drift.
 * System::which() needs System.php, which in the visible lines is only
 * require_once'd inside get() - confirm it is loaded when createBase() is
 * invoked on its own.
 */
212 function createBase()
// which() presumably returns the binary path or false; the false check that
// leads to jerr() is in lines not shown.
215 $iptables = System::which('iptables');
// jerr() presumably reports the error and stops; its body is not in the listing.
217 $this->jerr("iptables could not be found.");
// -F only empties an existing chain; -N then fails if the chain already
// exists. Harmless only if exec() tolerates a non-zero exit (exec() is cut
// off at the end of this listing).
222 $this->exec("{$iptables} -F postgres"); // flush old
223 $this->exec("{$iptables} -N postgres"); // create new..
// Tail of the chain: rate-limited LOG of whatever was not accepted, then DROP.
225 $this->exec($iptables. ' -A postgres -m limit --limit 2/min -j LOG '.
226 '--log-prefix "IPTables-Dropped: " --log-level 4');
227 $this->exec("$iptables -A postgres -j DROP");
235 function exec($cmd) {