Annotation of loncom/configuration/Firewall.pm, revision 1.3
1.1 raeburn 1: # The LearningOnline Network with CAPA
2: # Firewall configuration to allow internal LON-CAPA communication between servers
3: #
1.3 ! raeburn 4: # $Id: Firewall.pm,v 1.2 2009/06/11 13:01:56 raeburn Exp $
1.1 raeburn 5: #
6: # The LearningOnline Network with CAPA
7: #
8: # Copyright Michigan State University Board of Trustees
9: #
10: # This file is part of the LearningOnline Network with CAPA (LON-CAPA).
11: #
12: # LON-CAPA is free software; you can redistribute it and/or modify
13: # it under the terms of the GNU General Public License as published by
14: # the Free Software Foundation; either version 2 of the License, or
15: # (at your option) any later version.
16: #
17: # LON-CAPA is distributed in the hope that it will be useful,
18: # but WITHOUT ANY WARRANTY; without even the implied warranty of
19: # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20: # GNU General Public License for more details.
21: #
22: # You should have received a copy of the GNU General Public License
23: # along with LON-CAPA; if not, write to the Free Software
24: # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
25: #
26: # /home/httpd/html/adm/gpl.txt
27: #
28: # http://www.lon-capa.org/
29: #
30: # Startup script for the LON-CAPA network processes
31: #
32:
33: package LONCAPA::Firewall;
34:
35: use strict;
36: use lib '/home/httpd/perl/lib';
37: use LONCAPA::Configuration;
38:
39: # Firewall code is based on the code in FC2 /etc/init.d/ntpd
40:
41: sub firewall_open_port {
42: my ($iptables,$fw_chain,$lond_port,$iphost,$ports) = @_;
43: return 'inactive firewall' if (!&firewall_is_active());
44: return 'port number unknown' if !$lond_port;
45: my @opened;
46: if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) {
47: return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n";
48: }
49: #
50: # iptables is running with expected chain
51: #
52: if ($fw_chain =~ /^([\w\-]+)$/) {
53: $fw_chain = $1;
54: } else {
55: return 'Chain name has unexpected format'."\n";
56: }
57: if (ref($ports) ne 'ARRAY') {
58: return 'List of ports to open needed.';
59: }
60: foreach my $portnum (@{$ports}) {
61: my $port = '';
62: if ($portnum =~ /^(\d+)$/) {
63: $port = $1;
64: } else {
65: print "Skipped non-numeric port: $portnum\n";
66: next;
67: }
68: print "Opening firewall access on port $port.\n";
69: my $result;
70: if ($port eq $lond_port) {
71: # For lond port, restrict the servers allowed to attempt to communicate
72: # to include only source IPs in the LON-CAPA cluster.
73: my (@port_error,@command_error,@lond_port_open);
74: if (ref($iphost) eq 'HASH') {
75: if (keys(%{$iphost}) > 0) {
76: &firewall_close_anywhere($iptables,$fw_chain,$port);
77: foreach my $key (keys(%{$iphost})) {
78: my $ip = '';
1.2 raeburn 79: if ($key =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/) {
80: if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) {
1.1 raeburn 81: $ip = "$1.$2.$3.$4";
82: } else {
83: next;
84: }
85: } else {
86: next;
87: }
88: my $firewall_command =
89: "$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
90: system($firewall_command);
91: my $return_status = $?>>8;
92: if ($return_status == 1) {
93: push (@port_error,$ip);
94: } elsif ($return_status == 2) {
95: push(@command_error,$ip);
96: } elsif ($return_status == 0) {
97: push(@lond_port_open,$ip);
98: }
99: }
100: }
101: }
102: if (@lond_port_open) {
103: push(@opened,$port);
104: print "Port $port opened for ".scalar(@lond_port_open)." IP addresses\n";
105: }
106: if (@port_error) {
107: print "Error opening port $port for following IP addresses: ".join(', ',@port_error)."\n";
108: }
109: if (@command_error) {
110: print "Bad command error opening port for following IP addresses: ".
111: join(', ',@command_error)."\n".
112: 'Command was: "'."$iptables -I $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
113: }
114: } else {
115: my $firewall_command =
116: "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
117: system($firewall_command);
118: my $return_status = $?>>8;
119: if ($return_status == 1) {
120: # Error
121: print "Error opening port.\n";
122: } elsif ($return_status == 2) {
123: # Bad command
124: print "Bad command error opening port. Command was\n".
125: " ".$firewall_command."\n";
126: } elsif ($return_status == 0) {
127: push(@opened,$port);
128: }
129: }
130: }
131: foreach my $port (@{$ports}) {
132: if (!grep(/^\Q$port\E$/,@opened)) {
133: return 'Required port not open: '.$port."\n";
134: }
135: }
136: return 'ok';
137: }
138:
139: sub firewall_is_port_open {
140: my ($iptables,$fw_chain,$port,$lond_port,$iphost) = @_;
141: # for lond port returns number of source IPs for which firewall port is open
142: # for other ports returns 1 if the firewall port is open, 0 if not.
143: #
144: # check if firewall is active or installed
145: return if (! &firewall_is_active());
146: if ($port eq $lond_port) {
147: my $count ++;
148: if (ref($iphost) eq 'HASH') {
149: if (keys(%{$iphost}) > 0) {
150: foreach my $ip (keys(%{$iphost})) {
151: open(PIPE,"$iptables -L $fw_chain -n 2>/dev/null");
152: while(<PIPE>) {
153: $count++ if (/^ACCEPT\s+tcp\s+\-{2}\s+\Q$ip\E\s+/);
154: }
155: close(PIPE);
156: }
157: }
158: }
159: return $count;
160: } else {
161: if (`$iptables -L -n 2>/dev/null | grep "tcp dpt:$port"`) {
162: return 1;
163: } else {
164: return 0;
165: }
166: }
167: }
168:
169: sub firewall_is_active {
170: if (-e '/proc/net/ip_tables_names') {
171: return 1;
172: } else {
173: return 0;
174: }
175: }
176:
177: sub firewall_close_port {
178: my ($iptables,$fw_chain,$lond_port,$ports) = @_;
179: return 'inactive firewall' if (!&firewall_is_active());
180: return 'port number unknown' if !$lond_port;
181: if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) {
182: return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n";
183: }
184: if (ref($ports) ne 'ARRAY') {
185: return 'List of ports to close needed.';
186: }
187: if ($fw_chain =~ /^([\w\-]+)$/) {
188: $fw_chain = $1;
189: } else {
190: return 'Chain name has unexpected format'."\n";
191: }
192: foreach my $portnum (@{$ports}) {
193: my $port = '';
194: if ($portnum =~ /^(\d+)$/) {
195: $port = $1;
196: } else {
197: print "Skipped non-numeric port: $portnum\n";
198: next;
199: }
200: print "Closing firewall access on port $port\n";
201: if (($port ne '') && ($port eq $lond_port)) {
202: my (@port_error,@command_error,@lond_port_close);
203: my %to_close;
204: open(PIPE, "$iptables -n -L $fw_chain |");
205: while (<PIPE>) {
206: chomp();
207: next unless (/dpt:\Q$port\E\s*$/);
208: if (/^ACCEPT\s+tcp\s+\-{2}\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+/) {
209: $to_close{$1} = $port;
210: }
211: }
212: close(PIPE);
213: if (keys(%to_close) > 0) {
214: foreach my $ip (keys(%to_close)) {
215: my $firewall_command =
216: "$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT";
217: system($firewall_command);
218: my $return_status = $?>>8;
219: if ($return_status == 1) {
220: push (@port_error,$ip);
221: } elsif ($return_status == 2) {
222: push(@command_error,$ip);
223: } elsif ($return_status == 0) {
224: push(@lond_port_close,$ip);
225: }
226: }
227: }
228: if (@lond_port_close) {
229: print "Port $port closed for ".scalar(@lond_port_close)." IP addresses\n";
230: }
231: if (@port_error) {
232: print "Error closing port $port for following IP addresses: ".join(', ',@port_error)."\n";
233: }
234: if (@command_error) {
235: print "Bad command error opening port for following IP addresses: ".
236: join(', ',@command_error)."\n".
237: 'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n";
238: }
239: } else {
240: my $firewall_command =
241: "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
242: system($firewall_command);
243: my $return_status = $?>>8;
244: if ($return_status == 1) {
245: # Error
246: print "Error closing port.\n";
247: } elsif ($return_status == 2) {
248: # Bad command
249: print "Bad command error closing port. Command was\n".
250: " ".$firewall_command."\n";
251: } else {
252: print "Port closed.\n";
253: }
254: }
255: }
256: return;
257: }
258:
259: sub firewall_close_anywhere {
260: my ($iptables,$fw_chain,$port) = @_;
261: open(PIPE, "$iptables --line-numbers -n -L $fw_chain |");
262: while (<PIPE>) {
263: next unless (/dpt:\Q$port\E/);
264: chomp();
265: if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
266: my $firewall_command = "$iptables -D $fw_chain $1";
267: system($firewall_command);
268: my $return_status = $?>>8;
269: if ($return_status == 1) {
270: print 'Error closing port '.$port.' for source "anywhere"'."\n";
271: } elsif ($return_status == 2) {
272: print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n".
273: ' '.$firewall_command."\n";
274: } else {
275: print 'Port '.$port.' closed for source "anywhere"'."\n";
276: }
277: }
278: }
279: close(PIPE);
280: }
281:
282: sub get_lond_port {
283: my $perlvarref=&LONCAPA::Configuration::read_conf();
284: my $lond_port;
285: if (ref($perlvarref) eq 'HASH') {
286: if (defined($perlvarref->{'londPort'})) {
287: $lond_port = $perlvarref->{'londPort'};
288: }
289: }
290: if (!$lond_port) {
291: print("Unable to determine lond port number from LON-CAPA configuration.\n");
292: }
293: return $lond_port;
294: }
295:
296: sub get_fw_chain {
297: my $fw_chain = 'RH-Firewall-1-INPUT';
298: my $suse_config = "/etc/sysconfig/SuSEfirewall2";
299: if (-e $suse_config) {
300: $fw_chain = 'input_ext';
301: } else {
302: if (!-e '/etc/sysconfig/iptables') {
303: print("Unable to find iptables file containing static definitions\n");
304: }
1.3 ! raeburn 305: my $count = `$iptables -L -n 2>/dev/null |grep $fw_chain |wc -l`;
! 306: chomp($count);
! 307: if (!$count) {
! 308: $fw_chain ='INPUT';
! 309: }
1.1 raeburn 310: }
311: return $fw_chain;
312: }
313:
314: sub get_pathto_iptables {
315: my $iptables;
316: if (-e '/sbin/iptables') {
317: $iptables = '/sbin/iptables';
318: } elsif (-e '/usr/sbin/iptables') {
319: $iptables = '/usr/sbin/iptables';
320: } else {
321: print("Unable to find iptables command\n");
322: }
323: return $iptables;
324: }
325:
326: 1;
327: __END__
328:
329: =pod
330:
331: =head1 NAME
332:
333: B<LONCAPA::Firewall> - dynamic opening/closing of firewall ports
334:
335: =head1 SYNOPSIS
336:
337: use lib '/home/httpd/lib/perl/';
338: use LONCAPA::Firewall;
339:
340: LONCAPA::Firewall::firewall_open_port();
341: LONCAPA::Firewall::firewall_close_port();
342: LONCAPA::Firewall::firewall_is_port_open();
343: LONCAPA::Firewall::firewall_is_active();
344: LONCAPA::Firewall::firewall_close_anywhere();
345:
346: =head1 DESCRIPTION
347:
348: The scripts: /etc/init.d/loncontrol, used to stop or start LON-CAPA services,
349: as well as the setuid script /home/httpd/perl/lciptables, called by loncron
350: for housekeeping tasks, make use of the methods provided by this module to
351: open and close firewall ports (currently the default port: 5663), used
352: for socket-based communication between LON-CAPA servers in the cluster
353: of networked servers to which the server belongs.
354:
355: The following methods are available:
356:
357: =over 4
358:
359: =item LONCAPA::Firewall::firewall_open_port( $iptables,$fw_chain,$lond_port,$iphost,$port );
360:
361: =back
362:
363: =over 4
364:
365: =item LONCAPA::Firewall::firewall_close_port( $iptables,$fw_chain,$lond_port,$ports );
366:
367: =back
368:
369: =over 4
370:
371: =item LONCAPA::Firewall::firewall_is_port_open( $iptables,$fw_chain,$port,$lond_port,$iphost );
372:
373: =back
374:
375: =over 4
376:
377: =item LONCAPA::Firewall::firewall_is_active();
378:
379: =back
380:
381: =over 4
382:
383: =item LONCAPA::Firewall::firewall_close_anywhere( $iptables,$fw_chain,$port );
384:
385: =back
386:
387: =over 4
388:
389: =item LONCAPA::Firewall::get_lond_port();
390:
391: =back
392:
393: =over 4
394:
395: =item LONCAPA::Firewall::get_fw_chain();
396:
397: =back
398:
399: =over 4
400:
401: =item LONCAPA::Firewall::get_pathto_iptables();
402:
403:
404: =head1 AUTHORS
405:
406: This library is free software; you can redistribute it and/or
407: modify it under the same terms as LON-CAPA itself.
408:
409: =cut
410:
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to Firewall.pm CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / configuration