|
version 1.35, 2009/04/22 14:58:59
|
version 1.36, 2009/06/07 23:20:38
|
|
Line 50
|
Line 50
|
| use strict; |
use strict; |
| use lib '/home/httpd/lib/perl/'; |
use lib '/home/httpd/lib/perl/'; |
| use LONCAPA::Configuration; |
use LONCAPA::Configuration; |
| |
use Apache::lonnet; |
| |
|
| my $command=$ARGV[0]; $command=~s/[^a-z]//g; |
my $command=$ARGV[0]; $command=~s/[^a-z]//g; |
| |
|
|
Line 67 $ENV{'BASH_ENV'}="";
|
Line 68 $ENV{'BASH_ENV'}="";
|
| } |
} |
| } |
} |
| my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
| if (!-e $suse_config) { |
if (-e $suse_config) { |
| |
$fw_chain = 'input_ext'; |
| |
} else { |
| if (!-e '/etc/sysconfig/iptables') { |
if (!-e '/etc/sysconfig/iptables') { |
| print("Unable to find iptables file containing static definitions\n"); |
print("Unable to find iptables file containing static definitions\n"); |
| } |
} |
|
Line 81 sub firewall_open_port {
|
Line 84 sub firewall_open_port {
|
| return 'inactive firewall' if (! &firewall_is_active); |
return 'inactive firewall' if (! &firewall_is_active); |
| return 'port number unknown' if !$lond_port; |
return 'port number unknown' if !$lond_port; |
| my @opened; |
my @opened; |
| my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) { |
| if (-e $suse_config) { |
return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n"; |
| if (open(my $fh,"<$suse_config")) { |
} |
| while(<$fh>) { |
# iptables is running with expected chain |
| chomp(); |
# |
| if (/^FW_SERVICES_EXT_TCP="([^"]+)"\s*$/) { |
# For lond port, restrict the servers allowed to attempt to communicate |
| my $portstr = $1; |
# to include only source IPs in the LON-CAPA cluster. |
| my @suseports = split(/\s+/,$portstr); |
foreach my $port ($lond_port) { |
| foreach my $port ($lond_port) { |
print "Opening firewall access on port $port.\n"; |
| if (grep/^\Q$port\E$/,@suseports) { |
my $result; |
| push(@opened,$port); |
if ($port eq $lond_port) { |
| } |
my (@port_error,@command_error,@lond_port_open); |
| |
my %iphost = &Apache::lonnet::get_iphost(); |
| |
if (keys(%iphost) > 0) { |
| |
&firewall_close_anywhere($port); |
| |
foreach my $ip (keys(%iphost)) { |
| |
my $firewall_command = |
| |
"$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT"; |
| |
system($firewall_command); |
| |
my $return_status = $?>>8; |
| |
if ($return_status == 1) { |
| |
push (@port_error,$ip); |
| |
} elsif ($return_status == 2) { |
| |
push(@command_error,$ip); |
| |
} elsif ($return_status == 0) { |
| |
push(@lond_port_open,$ip); |
| } |
} |
| } |
} |
| } |
} |
| } |
if (@lond_port_open) { |
| } else { |
push(@opened,$port); |
| if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) { |
print "Port $port opened for ".scalar(@lond_port_open)." IP addresses\n"; |
| return 'chain error'; |
} |
| } |
if (@port_error) { |
| # iptables is running with our chain |
print "Error opening port $port for following IP addresses: ".join(', ',@port_error)."\n"; |
| # |
} |
| # We could restrict the servers allowed to attempt to communicate |
if (@command_error) { |
| # here, but the logistics of updating the /home/httpd/lonTabs/host.tab |
print "Bad command error opening port for following IP addresses: ". |
| # file are likely to be a problem |
join(', ',@command_error)."\n". |
| foreach my $port ($lond_port) { |
'Command was: "'."$iptables -I $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
| print "Opening firewall access on port $port.\n"; |
} |
| my $result; |
} else { |
| my $firewall_command = |
my $firewall_command = |
| "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
"$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
| system($firewall_command); |
system($firewall_command); |
| my $return_status = $?>>8; |
my $return_status = $?>>8; |
|
Line 135 sub firewall_open_port {
|
Line 152 sub firewall_open_port {
|
| |
|
| sub firewall_is_port_open { |
sub firewall_is_port_open { |
| my ($port) = @_; |
my ($port) = @_; |
| # returns 1 if the firewall port is open, 0 if not. |
# for lond port returns number of source IPs for which firewall port is open |
| |
# for other ports returns 1 if the firewall port is open, 0 if not. |
| # |
# |
| # check if firewall is active or installed |
# check if firewall is active or installed |
| return if (! &firewall_is_active); |
return if (! &firewall_is_active); |
| if (`$iptables -L -n 2>/dev/null | grep "tcp dpt:$port"`) { |
if ($port eq $lond_port) { |
| return 1; |
my %iphost = &Apache::lonnet::get_iphost(); |
| |
foreach my $ip (keys(%iphost)) { |
| |
my $count = `$iptables -L -n 2>/dev/null | grep "tcp dpt:$port" | wc -l`; |
| |
return $count; |
| |
} |
| } else { |
} else { |
| return 0; |
if (`$iptables -L -n 2>/dev/null | grep "tcp dpt:$port"`) { |
| |
return 1; |
| |
} else { |
| |
return 0; |
| |
} |
| } |
} |
| } |
} |
| |
|
|
Line 157 sub firewall_is_active {
|
Line 183 sub firewall_is_active {
|
| sub firewall_close_port { |
sub firewall_close_port { |
| return 'inactive firewall' if (! &firewall_is_active); |
return 'inactive firewall' if (! &firewall_is_active); |
| return 'port number unknown' if !$lond_port; |
return 'port number unknown' if !$lond_port; |
| my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) { |
| return if (-e $suse_config); |
return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n"; |
| |
} |
| foreach my $port ($lond_port) { |
foreach my $port ($lond_port) { |
| print "Closing firewall access on port $port\n"; |
print "Closing firewall access on port $port\n"; |
| my $firewall_command = |
if ($port eq $lond_port) { |
| "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
my (@port_error,@command_error,@lond_port_close); |
| system($firewall_command); |
my %iphost = &Apache::lonnet::get_iphost(); |
| my $return_status = $?>>8; |
my %toclose; |
| if ($return_status == 1) { |
if (keys(%iphost) > 0) { |
| # Error |
open(PIPE, "$iptables -n -L $fw_chain |"); |
| print "Error closing port.\n"; |
while (<PIPE>) { |
| } elsif ($return_status == 2) { |
chomp(); |
| # Bad command |
next unless (/dpt:\Q$port\E\s*$/); |
| print "Bad command error closing port. Command was\n". |
if (/^ACCEPT\s+tcp\s+\-{2}\s+([\S]+)\s+/) { |
| " ".$firewall_command."\n"; |
$toclose{$1} = $port; |
| |
} |
| |
} |
| |
close(PIPE); |
| |
} |
| |
foreach my $ip (keys(%iphost)) { |
| |
next unless (exists($toclose{$ip})); |
| |
my $firewall_command = |
| |
"$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT"; |
| |
system($firewall_command); |
| |
my $return_status = $?>>8; |
| |
if ($return_status == 1) { |
| |
push (@port_error,$ip); |
| |
} elsif ($return_status == 2) { |
| |
push(@command_error,$ip); |
| |
} elsif ($return_status == 0) { |
| |
push(@lond_port_close,$ip); |
| |
} |
| |
} |
| |
if (@lond_port_close) { |
| |
print "Port $port closed for ".scalar(@lond_port_close)." IP addresses\n"; |
| |
} |
| |
if (@port_error) { |
| |
print "Error closing port $port for following IP addresses: ".join(', ',@port_error)."\n"; |
| |
} |
| |
if (@command_error) { |
| |
print "Bad command error opening port for following IP addresses: ". |
| |
join(', ',@command_error)."\n". |
| |
'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
| |
} |
| |
&firewall_close_anywhere($port); |
| } else { |
} else { |
| print "Port closed.\n"; |
my $firewall_command = |
| |
"$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
| |
system($firewall_command); |
| |
my $return_status = $?>>8; |
| |
if ($return_status == 1) { |
| |
# Error |
| |
print "Error closing port.\n"; |
| |
} elsif ($return_status == 2) { |
| |
# Bad command |
| |
print "Bad command error closing port. Command was\n". |
| |
" ".$firewall_command."\n"; |
| |
} else { |
| |
print "Port closed.\n"; |
| |
} |
| } |
} |
| } |
} |
| return; |
return; |
|
Line 190 sub get_lond_port {
|
Line 260 sub get_lond_port {
|
| return $lond_port; |
return $lond_port; |
| } |
} |
| |
|
| |
sub firewall_close_anywhere { |
| |
my ($port) = @_; |
| |
open(PIPE, "$iptables --line-numbers -n -L $fw_chain |"); |
| |
while (<PIPE>) { |
| |
next unless (/dpt:\Q$port\E/); |
| |
chomp(); |
| |
if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) { |
| |
my $firewall_command = "$iptables -D $fw_chain $1"; |
| |
system($firewall_command); |
| |
my $return_status = $?>>8; |
| |
if ($return_status == 1) { |
| |
print 'Error closing port '.$port.' for source "anywhere"'."\n"; |
| |
} elsif ($return_status == 2) { |
| |
print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n". |
| |
' '.$firewall_command."\n"; |
| |
} else { |
| |
print 'Port '.$port.' closed for source "anywhere"'."\n"; |
| |
} |
| |
} |
| |
} |
| |
close(PIPE); |
| |
} |
| |
|
| } # End firewall variable scope |
} # End firewall variable scope |
| |
|
| sub stop_daemon { |
sub stop_daemon { |
![[BACK]](/icons/back.gif){kind=icon}
Return to loncontrol CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / init.d