3 * how this might work..
5 * a) login - if it's a new IP not seen that day
6 * --> touch /tmp/run_pman_admin_iptables
8 * cron every minute... ?? << could do some kind of IPC?!?
10 * if file exists -> run this code.
12 * This code finds all the IPs used in the last 24 hours.
13 * and opens the firewall for them.
25 require_once 'Pman.php';
27 class Pman_Admin_Iptables extends Pman {
29 static $cli_desc = "Read ip addresses that have been used to log in, and add them to the iptables list..";
35 if (!$this->bootLoader->cli) {
40 function monitorFile()
// Returns the per-database trigger path that get() tests with file_exists():
// '/tmp/run_pman_admin_iptables-' followed by the Events DataObject's database name.
// NOTE(review): /tmp is shared and writable by every local account, and the visible
// caller only checks that the file exists, so any local user able to create the
// file can force a rebuild of the firewall chain (and unless the file is removed
// after a run, which is not visible here, a stale file makes it run on every cron
// tick). A directory writable only by the service account would be safer.
42 $ev = DB_DataObject::Factory('Events');
43 $db = $ev->database();
45 return '/tmp/run_pman_admin_iptables-'.$db;
48 function get($opt = '')
// CLI entry point: collects the client addresses recorded in recent login events
// for the selected users, plus this host's own interface addresses, and then calls
// updateTables() to rebuild the 'postgres' iptables chain.
// $opt is not used in the visible lines; several lines of this method are not shown.
53 $mf = $this->monitorFile();
// Only the existence of the trigger file is tested (see monitorFile() for the
// path); the branch taken when it is absent is outside the visible lines.
55 $fe = file_exists($mf);
65 // Find IPs that have been used to log in,
66 // dump them to the iptables file,
67 // and if the result differs, apply it.
68 //DB_DataObject::debugLevel(1);
69 // need to get a list of users who have Admin.Iptables rights..
// Superseded approach (block-commented out): members of every group holding
// Admin.Iptables rights, plus the Administrators group.
70 /*$gr = DB_DataObject::factory('group_rights');
71 $grps = $gr->groupsWithRights('Admin.Iptables', 'S');
73 $gr = DB_DataObject::factory('groups');
74 $gr->get('name', 'Administrators');
77 $gm = DB_DataObject::factory('group_members');
78 $gm->whereAddIn('group_id', $grps, 'int');
80 $gm->selectAdd('distinct(user_id) as user_id');
81 $peps = $gm->fetchAll('user_id');
// Current approach: every Person whose joined company record has comptype 'OWNER';
// only their ids are fetched.
87 $p = DB_DataObject::Factory('Person');
89 $p->whereAdd("join_company_id_id.comptype = 'OWNER'");
91 $p->selectAdd("{$p->tableName()}.id as id");
93 $peps = $p->fetchAll('id');
// Distinct client addresses from Events rows of those persons in the last day.
96 $e = DB_DataObject::factory('Events');
99 $e->selectAdd('distinct(ipaddr) as ipaddr');
100 $e->person_table = DB_DataObject::factory('person')->tableName();
101 $e->whereAddIn('person_id', $peps, 'int');
// Database-specific interval syntax (the case labels are not shown; presumably
// mysql vs pgsql). Both variants restrict to events newer than 24 hours.
102 switch( $e->getDatabaseConnection()->phptype) {
104 $e->whereAdd("event_when > NOW() - INTERVAL 1 DAY");
107 $e->whereAdd("event_when > NOW() - INTERVAL '1 DAY'");
// NOTE(review): these ipaddr values appear to be what updateTables() later
// interpolates into iptables command lines without escaping. Unless the Events
// table is known to store only validated addresses, filter them here, e.g. keep
// only values passing filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)
// (the rules are written as /32, so IPv4 is assumed anyway).
110 $ips = $e->fetchAll('ipaddr');
112 //inet addr:202.67.151.28 Bcast:202.67.151.255 Mask:255.255.255.0
// Collect this host's own interface addresses by parsing ifconfig output. The
// pattern expects the legacy net-tools layout shown above ('inet addr:'); newer
// ifconfig prints 'inet 10.0.0.1' and would match nothing - confirm on the target host.
116 $if = `/sbin/ifconfig`;
118 foreach(explode("\n", $if) as $l) {
120 if (!preg_match('/inet addr/', $l)) {
124 preg_match('/\s*inet addr:([0-9.]+)\s+/', $l, $match);
// BUG(review): the ini directive is 'session.save_path' (underscore). With the
// hyphenated name ini_get() returns false, so the cache path degenerates to
// '/pman_admin_iptables.cache' in the filesystem root.
129 $cache = ini_get('session.save-path') . '/pman_admin_iptables.cache';
131 $this->updateTables();
137 function updateTables()
// Rebuilds the 'postgres' iptables chain from $this->ips (address => expiry string):
// reads the current chain with --line-numbers, then replaces or inserts one ACCEPT
// rule per address tagged with its expiry as a JSON comment, deletes the rules
// queued in $remove, and finally appends the rate-limited LOG and DROP rules.
// $cur, $remove and $lastrulenum are assigned in lines not shown here.
140 require_once 'System.php';
// System::which() is expected to yield the binary path; the missing-binary case is
// reported via jerr() further down (its surrounding if is not visible).
142 $iptables = System::which('iptables');
143 // this should have been set up already..
144 // in the base firewall code.
147 // -A INPUT -p udp -m udp --dport 5432 -j postgres
148 // -A INPUT -p tcp -m tcp --dport 5432 -j postgres
151 // /sbin/iptables -L postgres -v -n --line-numbers
// Parse the listing: the first whitespace-split row serves as the column header
// and later rows are keyed by it.
153 $res = $this->exec("{$iptables} -L postgres -v -n --line-numbers");
155 foreach(explode("\n", $res) as $i => $line) {
157 $head = preg_split('/\s+/', $line);
163 $ar = preg_split('/\s+/', $line);
164 if (count($ar) < 3) {
// Everything from column 10 on is the free-form options/comment text.
167 $ar[10] = array_slice($ar, 10);
169 foreach($head as $k=>$v) {
183 $this->jerr("iptables could not be found.");
// NOTE(review): -N on a chain that -F has just flushed fails with "Chain already
// exists"; this is harmless only if exec() ignores the exit status (not visible here).
185 $this->exec("{$iptables} -F postgres"); // flush old
186 $this->exec("{$iptables} -N postgres"); // create new..
188 foreach($this->ips as $ip=>$expires) {
189 $old = isset($cur[$ip]) ? $cur[$ip] : false;
// NOTE(review): $old is false for an address not yet in the chain; unless the
// line between here and the comparison guards on it, $old['expires'] below reads
// an array offset on false.
191 if (strtotime($expires) <= strtotime($old['expires'])) {
192 // expires time is the same..
193 //?? make sure it's not flagged for removal..
// SECURITY(review): $ip originates from the database and is interpolated into the
// command line unescaped, here and in the -I branch below; only the JSON comment
// goes through escapeshellarg(). Reject anything that is not a plain IPv4 literal
// before use, e.g. filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4), since the
// rule is written as /32. Also, --comment requires the match module to be named:
// '-m comment --comment ...'; without '-m comment' iptables rejects the option.
200 $this->exec("{$iptables} -R postgres {$old['num']} -s {$ip}/32 -j ACCEPT --comment ".
201 escapeshellarg(json_encode(array('expires'=>$expires)))) ;
203 if (isset($remove[$ip])) {
209 $this->exec("{$iptables} -I postgres {$lastrulenum} -s {$ip}/32 -j ACCEPT --comment ".
210 escapeshellarg(json_encode(array('expires'=>$expires))));
215 // remove rules that need deleting..
// BUG(review): lowercase -d is --destination; deleting a rule by number is -D.
// As written the call fails, so expired addresses are never removed and the chain
// keeps accepting them. Should read "{$iptables} -D postgres {$r['num']}". When
// several rules are deleted, numbers shift after each deletion, so iterate $remove
// in descending rule-number order (or delete by rule spec instead of number).
216 foreach($remove as $ip => $r) {
217 $this->exec("{$iptables} -d postgres {$r['num']} ");
// Tail rules: log (rate-limited to 2/min) and drop everything not accepted above.
222 $this->exec($iptables. ' -A postgres -m limit --limit 2/min -j LOG '.
223 '--log-prefix "IPTables-Dropped: " --log-level 4');
224 $this->exec("$iptables -A postgres -j DROP");
230 function createBase()
233 $iptables = System::which('iptables');
235 $this->jerr("iptables could not be found.");
240 $this->exec("{$iptables} -F postgres"); // flush old
241 $this->exec("{$iptables} -N postgres"); // create new..
243 $this->exec($iptables. ' -A postgres -m limit --limit 2/min -j LOG '.
244 '--log-prefix "IPTables-Dropped: " --log-level 4');
245 $this->exec("$iptables -A postgres -j DROP");