|
version 1.6, 2010/03/25 01:47:45
|
version 1.12, 2013/02/08 14:55:12
|
|
Line 35 package LONCAPA::Firewall;
|
Line 35 package LONCAPA::Firewall;
|
| use strict; |
use strict; |
| use lib '/home/httpd/perl/lib'; |
use lib '/home/httpd/perl/lib'; |
| use LONCAPA::Configuration; |
use LONCAPA::Configuration; |
| |
use LONCAPA; |
| |
|
| sub firewall_open_port { |
sub firewall_open_port { |
| my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_; |
my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_; |
|
Line 183 sub firewall_is_port_open {
|
Line 184 sub firewall_is_port_open {
|
| # check if firewall is active or installed |
# check if firewall is active or installed |
| return if (! &firewall_is_active()); |
return if (! &firewall_is_active()); |
| my $count = 0; |
my $count = 0; |
| if (open(PIPE,"$iptables -L $fw_chain -n 2>/dev/null |")) { |
if (open(PIPE,"$iptables -L $fw_chain -n |")) { |
| while(<PIPE>) { |
while(<PIPE>) { |
| if ($port eq $lond_port) { |
if ($port eq $lond_port) { |
| if (ref($iphost) eq 'HASH') { |
if (ref($iphost) eq 'HASH') { |
| if (/^ACCEPT\s+tcp\s+\-{2}\s+([\S]+)\s+/) { |
if (/^ACCEPT\s+tcp\s+\-{2}\s+(\S+)\s+\S+\s+tcp\s+dpt\:\Q$port\E/) { |
| my $ip = $1; |
my $ip = $1; |
| if ($iphost->{$ip}) { |
if ($iphost->{$ip}) { |
| $count ++; |
$count ++; |
|
Line 218 sub firewall_is_active {
|
Line 219 sub firewall_is_active {
|
| } |
} |
| |
|
| sub firewall_close_port { |
sub firewall_close_port { |
| my ($iptables,$fw_chains,$lond_port,$ports) = @_; |
my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_; |
| return 'inactive firewall' if (!&firewall_is_active()); |
return 'inactive firewall' if (!&firewall_is_active()); |
| return 'port number unknown' if !$lond_port; |
return 'port number unknown' if !$lond_port; |
| return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); |
return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY'); |
|
Line 244 sub firewall_close_port {
|
Line 245 sub firewall_close_port {
|
| print "Skipped non-numeric port: $portnum\n"; |
print "Skipped non-numeric port: $portnum\n"; |
| next; |
next; |
| } |
} |
| print "Closing firewall access on port $port\n"; |
print "Closing firewall access on port $port.\n"; |
| if (($port ne '') && ($port eq $lond_port)) { |
if (($port ne '') && ($port eq $lond_port)) { |
| |
my $output; |
| foreach my $fw_chain (@okchains) { |
foreach my $fw_chain (@okchains) { |
| my (@port_error,@command_error,@lond_port_close); |
my (@port_error,@command_error,@lond_port_close); |
| my %to_close; |
my %to_close; |
|
Line 254 sub firewall_close_port {
|
Line 256 sub firewall_close_port {
|
| chomp(); |
chomp(); |
| next unless (/dpt:\Q$port\E\s*$/); |
next unless (/dpt:\Q$port\E\s*$/); |
| if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) { |
if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) { |
| $to_close{$1} = $port; |
my $ip = $1; |
| |
my $keepopen = 0; |
| |
if (ref($iphost) eq 'HASH') { |
| |
if (exists($iphost->{$ip})) { |
| |
$keepopen = 1; |
| |
} |
| |
} |
| |
unless ($keepopen) { |
| |
$to_close{$ip} = $port; |
| |
} |
| } |
} |
| } |
} |
| close(PIPE); |
close(PIPE); |
|
Line 275 sub firewall_close_port {
|
Line 286 sub firewall_close_port {
|
| } |
} |
| } |
} |
| if (@lond_port_close) { |
if (@lond_port_close) { |
| print "Port closed for ".scalar(@lond_port_close)." IP addresses\n"; |
$output .= "Port closed for ".scalar(@lond_port_close)." IP addresses\n"; |
| } |
} |
| if (@port_error) { |
if (@port_error) { |
| print "Error closing port for following IP addresses: ".join(', ',@port_error)."\n"; |
$output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n"; |
| } |
} |
| if (@command_error) { |
if (@command_error) { |
| print "Bad command error opening port for following IP addresses: ". |
$output .= "Bad command error opening port for following IP addresses: ". |
| join(', ',@command_error)."\n". |
join(', ',@command_error)."\n". |
| 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
| } |
} |
| } |
} |
| |
if ($output) { |
| |
print $output; |
| |
} else { |
| |
print "No IP addresses required discontinuation of access.\n"; |
| |
} |
| } else { |
} else { |
| foreach my $fw_chain (@okchains) { |
foreach my $fw_chain (@okchains) { |
| my (@port_error,@command_error,@lond_port_close); |
my (@port_error,@command_error,@lond_port_close); |
|
Line 360 sub get_lond_port {
|
Line 376 sub get_lond_port {
|
| |
|
| sub get_fw_chains { |
sub get_fw_chains { |
| my ($iptables) = @_; |
my ($iptables) = @_; |
| |
my $distro = &LONCAPA::distro(); |
| my @fw_chains; |
my @fw_chains; |
| my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
| |
my $ubuntu_config = "/etc/ufw/ufw.conf"; |
| if (-e $suse_config) { |
if (-e $suse_config) { |
| push(@fw_chains,'input_ext'); |
push(@fw_chains,'input_ext'); |
| } else { |
} else { |
| if (!-e '/etc/sysconfig/iptables') { |
my @posschains; |
| if (!-e '/var/lib/iptables') { |
if (-e $ubuntu_config) { |
| print("Unable to find iptables file containing static definitions\n"); |
@posschains = ('ufw-user-input','INPUT'); |
| |
} else { |
| |
if ($distro =~ /^(debian|ubuntu|suse|sles)/) { |
| |
@posschains = ('INPUT'); |
| |
} else { |
| |
@posschains = ('RH-Firewall-1-INPUT','INPUT'); |
| |
} |
| |
if (!-e '/etc/sysconfig/iptables') { |
| |
if (!-e '/var/lib/iptables') { |
| |
unless ($distro =~ /^(debian|ubuntu)/) { |
| |
print("Unable to find iptables file containing static definitions\n"); |
| |
} |
| |
} |
| |
if ($distro =~ /^(fedora|rhes|centos|scientific)/) { |
| |
push(@fw_chains,'RH-Firewall-1-INPUT'); |
| |
} |
| } |
} |
| push(@fw_chains,'RH-Firewall-1-INPUT'); |
|
| } |
} |
| if ($iptables eq '') { |
if ($iptables eq '') { |
| $iptables = &get_pathto_iptables(); |
$iptables = &get_pathto_iptables(); |
| } |
} |
| my %counts; |
my %counts; |
| my @posschains = ('RH-Firewall-1-INPUT','INPUT'); |
|
| if (open(PIPE,"$iptables -L -n |")) { |
if (open(PIPE,"$iptables -L -n |")) { |
| while(<PIPE>) { |
while(<PIPE>) { |
| foreach my $chain (@posschains) { |
foreach my $chain (@posschains) { |
|
Line 388 sub get_fw_chains {
|
Line 419 sub get_fw_chains {
|
| } |
} |
| foreach my $fw_chain (@posschains) { |
foreach my $fw_chain (@posschains) { |
| if ($counts{$fw_chain}) { |
if ($counts{$fw_chain}) { |
| push(@fw_chains,$fw_chain); |
unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) { |
| |
push(@fw_chains,$fw_chain); |
| |
} |
| } |
} |
| } |
} |
| } |
} |
|
Line 446 The following methods are available:
|
Line 479 The following methods are available:
|
| |
|
| =over 4 |
=over 4 |
| |
|
| =item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$ports ); |
=item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chains,$lond_port,$iphost,$ports ); |
| |
|
| =back |
=back |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to Firewall.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / configuration