Annotation of loncom/configuration/Firewall.pm, revision 1.1
1.1 ! raeburn 1: # The LearningOnline Network with CAPA
! 2: # Firewall configuration to allow internal LON-CAPA communication between servers
! 3: #
! 4: # $Id: Firewall.pm,v 1.1 2009/06/11 00:50:38 raeburn Exp $
! 5: #
! 6: # The LearningOnline Network with CAPA
! 7: #
! 8: # Copyright Michigan State University Board of Trustees
! 9: #
! 10: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
! 11: #
! 12: # LON-CAPA is free software; you can redistribute it and/or modify
! 13: # it under the terms of the GNU General Public License as published by
! 14: # the Free Software Foundation; either version 2 of the License, or
! 15: # (at your option) any later version.
! 16: #
! 17: # LON-CAPA is distributed in the hope that it will be useful,
! 18: # but WITHOUT ANY WARRANTY; without even the implied warranty of
! 19: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
! 20: # GNU General Public License for more details.
! 21: #
! 22: # You should have received a copy of the GNU General Public License
! 23: # along with LON-CAPA; if not, write to the Free Software
! 24: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
! 25: #
! 26: # /home/httpd/html/adm/gpl.txt
! 27: #
! 28: # http://www.lon-capa.org/
! 29: #
! 30: # Startup script for the LON-CAPA network processes
! 31: #
! 32:
! 33: package LONCAPA::Firewall;
! 34:
! 35: use strict;
! 36: use lib '/home/httpd/perl/lib';
! 37: use LONCAPA::Configuration;
! 38:
! 39: # Firewall code is based on the code in FC2 /etc/init.d/ntpd
! 40:
! 41: sub firewall_open_port {
! 42: my ($iptables,$fw_chain,$lond_port,$iphost,$ports) = @_;
! 43: return 'inactive firewall' if (!&firewall_is_active());
! 44: return 'port number unknown' if !$lond_port;
! 45: my @opened;
! 46: if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) {
! 47: return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n";
! 48: }
! 49: #
! 50: # iptables is running with expected chain
! 51: #
! 52: if ($fw_chain =~ /^([\w\-]+)$/) {
! 53: $fw_chain = $1;
! 54: } else {
! 55: return 'Chain name has unexpected format'."\n";
! 56: }
! 57: if (ref($ports) ne 'ARRAY') {
! 58: return 'List of ports to open needed.';
! 59: }
! 60: foreach my $portnum (@{$ports}) {
! 61: my $port = '';
! 62: if ($portnum =~ /^(\d+)$/) {
! 63: $port = $1;
! 64: } else {
! 65: print "Skipped non-numeric port: $portnum\n";
! 66: next;
! 67: }
! 68: print "Opening firewall access on port $port.\n";
! 69: my $result;
! 70: if ($port eq $lond_port) {
! 71: # For lond port, restrict the servers allowed to attempt to communicate
! 72: # to include only source IPs in the LON-CAPA cluster.
! 73: my (@port_error,@command_error,@lond_port_open);
! 74: if (ref($iphost) eq 'HASH') {
! 75: if (keys(%{$iphost}) > 0) {
! 76: &firewall_close_anywhere($iptables,$fw_chain,$port);
! 77: foreach my $key (keys(%{$iphost})) {
! 78: my $ip = '';
! 79: if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) { if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
! 80: $ip = "$1.$2.$3.$4";
! 81: } else {
! 82: next;
! 83: }
! 84: } else {
! 85: next;
! 86: }
! 87: my $firewall_command =
! 88: "$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
! 89: system($firewall_command);
! 90: my $return_status = $?>>8;
! 91: if ($return_status == 1) {
! 92: push (@port_error,$ip);
! 93: } elsif ($return_status == 2) {
! 94: push(@command_error,$ip);
! 95: } elsif ($return_status == 0) {
! 96: push(@lond_port_open,$ip);
! 97: }
! 98: }
! 99: }
! 100: }
! 101: if (@lond_port_open) {
! 102: push(@opened,$port);
! 103: print "Port $port opened for ".scalar(@lond_port_open)." IP addresses\n";
! 104: }
! 105: if (@port_error) {
! 106: print "Error opening port $port for following IP addresses: ".join(', ',@port_error)."\n";
! 107: }
! 108: if (@command_error) {
! 109: print "Bad command error opening port for following IP addresses: ".
! 110: join(', ',@command_error)."\n".
! 111: 'Command was: "'."$iptables -I $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
! 112: }
! 113: } else {
! 114: my $firewall_command =
! 115: "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
! 116: system($firewall_command);
! 117: my $return_status = $?>>8;
! 118: if ($return_status == 1) {
! 119: # Error
! 120: print "Error opening port.\n";
! 121: } elsif ($return_status == 2) {
! 122: # Bad command
! 123: print "Bad command error opening port. Command was\n".
! 124: " ".$firewall_command."\n";
! 125: } elsif ($return_status == 0) {
! 126: push(@opened,$port);
! 127: }
! 128: }
! 129: }
! 130: foreach my $port (@{$ports}) {
! 131: if (!grep(/^\Q$port\E$/,@opened)) {
! 132: return 'Required port not open: '.$port."\n";
! 133: }
! 134: }
! 135: return 'ok';
! 136: }
! 137:
! 138: sub firewall_is_port_open {
! 139: my ($iptables,$fw_chain,$port,$lond_port,$iphost) = @_;
! 140: # for lond port returns number of source IPs for which firewall port is open
! 141: # for other ports returns 1 if the firewall port is open, 0 if not.
! 142: #
! 143: # check if firewall is active or installed
! 144: return if (! &firewall_is_active());
! 145: if ($port eq $lond_port) {
! 146: my $count ++;
! 147: if (ref($iphost) eq 'HASH') {
! 148: if (keys(%{$iphost}) > 0) {
! 149: foreach my $ip (keys(%{$iphost})) {
! 150: open(PIPE,"$iptables -L $fw_chain -n 2>/dev/null");
! 151: while(<PIPE>) {
! 152: $count++ if (/^ACCEPT\s+tcp\s+\-{2}\s+\Q$ip\E\s+/);
! 153: }
! 154: close(PIPE);
! 155: }
! 156: }
! 157: }
! 158: return $count;
! 159: } else {
! 160: if (`$iptables -L -n 2>/dev/null | grep "tcp dpt:$port"`) {
! 161: return 1;
! 162: } else {
! 163: return 0;
! 164: }
! 165: }
! 166: }
! 167:
! 168: sub firewall_is_active {
! 169: if (-e '/proc/net/ip_tables_names') {
! 170: return 1;
! 171: } else {
! 172: return 0;
! 173: }
! 174: }
! 175:
! 176: sub firewall_close_port {
! 177: my ($iptables,$fw_chain,$lond_port,$ports) = @_;
! 178: return 'inactive firewall' if (!&firewall_is_active());
! 179: return 'port number unknown' if !$lond_port;
! 180: if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) {
! 181: return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n";
! 182: }
! 183: if (ref($ports) ne 'ARRAY') {
! 184: return 'List of ports to close needed.';
! 185: }
! 186: if ($fw_chain =~ /^([\w\-]+)$/) {
! 187: $fw_chain = $1;
! 188: } else {
! 189: return 'Chain name has unexpected format'."\n";
! 190: }
! 191: foreach my $portnum (@{$ports}) {
! 192: my $port = '';
! 193: if ($portnum =~ /^(\d+)$/) {
! 194: $port = $1;
! 195: } else {
! 196: print "Skipped non-numeric port: $portnum\n";
! 197: next;
! 198: }
! 199: print "Closing firewall access on port $port\n";
! 200: if (($port ne '') && ($port eq $lond_port)) {
! 201: my (@port_error,@command_error,@lond_port_close);
! 202: my %to_close;
! 203: open(PIPE, "$iptables -n -L $fw_chain |");
! 204: while (<PIPE>) {
! 205: chomp();
! 206: next unless (/dpt:\Q$port\E\s*$/);
! 207: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
! 208: $to_close{$1} = $port;
! 209: }
! 210: }
! 211: close(PIPE);
! 212: if (keys(%to_close) > 0) {
! 213: foreach my $ip (keys(%to_close)) {
! 214: my $firewall_command =
! 215: "$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
! 216: system($firewall_command);
! 217: my $return_status = $?>>8;
! 218: if ($return_status == 1) {
! 219: push (@port_error,$ip);
! 220: } elsif ($return_status == 2) {
! 221: push(@command_error,$ip);
! 222: } elsif ($return_status == 0) {
! 223: push(@lond_port_close,$ip);
! 224: }
! 225: }
! 226: }
! 227: if (@lond_port_close) {
! 228: print "Port $port closed for ".scalar(@lond_port_close)." IP addresses\n";
! 229: }
! 230: if (@port_error) {
! 231: print "Error closing port $port for following IP addresses: ".join(', ',@port_error)."\n";
! 232: }
! 233: if (@command_error) {
! 234: print "Bad command error opening port for following IP addresses: ".
! 235: join(', ',@command_error)."\n".
! 236: 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
! 237: }
! 238: } else {
! 239: my $firewall_command =
! 240: "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
! 241: system($firewall_command);
! 242: my $return_status = $?>>8;
! 243: if ($return_status == 1) {
! 244: # Error
! 245: print "Error closing port.\n";
! 246: } elsif ($return_status == 2) {
! 247: # Bad command
! 248: print "Bad command error closing port. Command was\n".
! 249: " ".$firewall_command."\n";
! 250: } else {
! 251: print "Port closed.\n";
! 252: }
! 253: }
! 254: }
! 255: return;
! 256: }
! 257:
! 258: sub firewall_close_anywhere {
! 259: my ($iptables,$fw_chain,$port) = @_;
! 260: open(PIPE, "$iptables --line-numbers -n -L $fw_chain |");
! 261: while (<PIPE>) {
! 262: next unless (/dpt:\Q$port\E/);
! 263: chomp();
! 264: if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
! 265: my $firewall_command = "$iptables -D $fw_chain $1";
! 266: system($firewall_command);
! 267: my $return_status = $?>>8;
! 268: if ($return_status == 1) {
! 269: print 'Error closing port '.$port.' for source "anywhere"'."\n";
! 270: } elsif ($return_status == 2) {
! 271: print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".
! 272: ' '.$firewall_command."\n";
! 273: } else {
! 274: print 'Port '.$port.' closed for source "anywhere"'."\n";
! 275: }
! 276: }
! 277: }
! 278: close(PIPE);
! 279: }
! 280:
! 281: sub get_lond_port {
! 282: my $perlvarref=&LONCAPA::Configuration::read_conf();
! 283: my $lond_port;
! 284: if (ref($perlvarref) eq 'HASH') {
! 285: if (defined($perlvarref->{'londPort'})) {
! 286: $lond_port = $perlvarref->{'londPort'};
! 287: }
! 288: }
! 289: if (!$lond_port) {
! 290: print("Unable to determine lond port number from LON-CAPA configuration.\n");
! 291: }
! 292: return $lond_port;
! 293: }
! 294:
! 295: sub get_fw_chain {
! 296: my $fw_chain = 'RH-Firewall-1-INPUT';
! 297: my $suse_config = "/etc/sysconfig/SuSEfirewall2";
! 298: if (-e $suse_config) {
! 299: $fw_chain = 'input_ext';
! 300: } else {
! 301: if (!-e '/etc/sysconfig/iptables') {
! 302: print("Unable to find iptables file containing static definitions\n");
! 303: }
! 304: }
! 305: return $fw_chain;
! 306: }
! 307:
! 308: sub get_pathto_iptables {
! 309: my $iptables;
! 310: if (-e '/sbin/iptables') {
! 311: $iptables = '/sbin/iptables';
! 312: } elsif (-e '/usr/sbin/iptables') {
! 313: $iptables = '/usr/sbin/iptables';
! 314: } else {
! 315: print("Unable to find iptables command\n");
! 316: }
! 317: return $iptables;
! 318: }
! 319:
! 320: 1;
! 321: __END__
! 322:
! 323: =pod
! 324:
! 325: =head1 NAME
! 326:
! 327: B<LONCAPA::Firewall> - dynamic opening/closing of firewall ports
! 328:
! 329: =head1 SYNOPSIS
! 330:
! 331: use lib '/home/httpd/lib/perl/';
! 332: use LONCAPA::Firewall;
! 333:
! 334: LONCAPA::Firewall::firewall_open_port();
! 335: LONCAPA::Firewall::firewall_close_port();
! 336: LONCAPA::Firewall::firewall_is_port_open();
! 337: LONCAPA::Firewall::firewall_is_active();
! 338: LONCAPA::Firewall::firewall_close_anywhere();
! 339:
! 340: =head1 DESCRIPTION
! 341:
! 342: The scripts: /etc/init.d/loncontrol, used to stop or start LON-CAPA services,
! 343: as well as the setuid script /home/httpd/perl/lciptables, called by loncron
! 344: for housekeeping tasks, make use of the methods provided by this module to
! 345: open and close firewall ports (currently the default port: 5663), used
! 346: for socket-based communication between LON-CAPA servers in the cluster
! 347: of networked servers to which the server belongs.
! 348:
! 349: The following methods are available:
! 350:
! 351: =over 4
! 352:
! 353: =item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chain,$lond_port,$iphost,$port );
! 354:
! 355: =back
! 356:
! 357: =over 4
! 358:
! 359: =item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chain,$lond_port,$ports );
! 360:
! 361: =back
! 362:
! 363: =over 4
! 364:
! 365: =item LONCAPA::Firewall::firewall_is_port_open( $iptables,$fw_chain,$port,$lond_port,$iphost );
! 366:
! 367: =back
! 368:
! 369: =over 4
! 370:
! 371: =item LONCAPA::Firewall::firewall_is_active();
! 372:
! 373: =back
! 374:
! 375: =over 4
! 376:
! 377: =item LONCAPA::Firewall::firewall_close_anywhere( $iptables,$fw_chain,$port );
! 378:
! 379: =back
! 380:
! 381: =over 4
! 382:
! 383: =item LONCAPA::Firewall::get_lond_port();
! 384:
! 385: =back
! 386:
! 387: =over 4
! 388:
! 389: =item LONCAPA::Firewall::get_fw_chain();
! 390:
! 391: =back
! 392:
! 393: =over 4
! 394:
! 395: =item LONCAPA::Firewall::get_pathto_iptables();
! 396:
! 397:
! 398: =head1 AUTHORS
! 399:
! 400: This library is free software; you can redistribute it and/or
! 401: modify it under the same terms as LON-CAPA itself.
! 402:
! 403: =cut
! 404:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to Firewall.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / configuration