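/**
 * Rebuild the Postfix (TCP/25) iptables rule set from the "iptables" table.
 *
 * Order of operations: flush the current rules, read the global switches from
 * the sockets settings store, emit the custom (perso), nginx and spamhaus rule
 * sets, then - only when $GLOBALS["EnablePostfixAutoBlock"] is 1 - build one
 * LOG and one DROP rule per banned source address and run them through
 * shell_exec(). A numbered listing of the resulting INPUT chain is finally
 * written to /etc/artica-postfix/IPTABLES_INPUT in the background.
 *
 * Dry run: when $GLOBALS["VERBOSE"] is set the generated commands are only
 * counted and echoed, never executed.
 *
 * Every address read from the database is validated as an IP address
 * (optionally with a /prefix) before it is interpolated into a shell command;
 * rows that do not parse are skipped and reported through events().
 *
 * @param bool $NoPersoRules true to skip the perso(true) pre-step
 *                           (FW_PERSO_RULES() runs regardless)
 * @return void
 */
function Compile_rules($NoPersoRules = false)
{
    progress(5, "Cleaning rules");
    if ($GLOBALS["VERBOSE"]) {
        echo __FUNCTION__ . " line:" . __LINE__ . "\n";
    }
    iptables_delete_all();
    $sock = new sockets();
    if ($GLOBALS["VERBOSE"]) {
        echo __FUNCTION__ . " line:" . __LINE__ . "\n";
    }
    // Settings come back as strings (empty when unset); anything non-numeric
    // falls back to the default assigned below.
    $PostFixLimitToNets = $sock->GET_INFO("PostFixLimitToNets");
    if (!is_numeric($PostFixLimitToNets)) {
        $PostFixLimitToNets = 0;
    }
    $EnablePostfixAutoBlockWhiteListed = $sock->GET_INFO("EnablePostfixAutoBlockWhiteListed");
    if (!is_numeric($EnablePostfixAutoBlockWhiteListed)) {
        $EnablePostfixAutoBlockWhiteListed = 0;
    }
    $GlobalIptablesEnabled = $sock->GET_INFO("GlobalIptablesEnabled");
    if (!is_numeric($GlobalIptablesEnabled)) {
        $GlobalIptablesEnabled = 1;
    }
    // The rules were already flushed above, so a disabled firewall leaves the
    // INPUT chain empty on purpose.
    if ($GlobalIptablesEnabled != 1) {
        if ($GLOBALS["VERBOSE"]) {
            echo "GlobalIptablesEnabled <> 1, aborting...\n";
        }
        return;
    }
    if (!$NoPersoRules) {
        perso(true);
    }
    FW_PERSO_RULES();
    if ($GLOBALS["VERBOSE"]) {
        echo __FUNCTION__ . " line:" . __LINE__ . "\n";
    }
    if ($EnablePostfixAutoBlockWhiteListed == 1) {
        Compile_rules_whitelist();
    }
    if ($GLOBALS["VERBOSE"]) {
        echo "FW_NGINX_RULES\n\n";
    }
    FW_NGINX_RULES(true);
    FW_SPAMHAUS_RULES(true);
    // "Limit to networks" mode replaces the per-address ban list entirely.
    if ($PostFixLimitToNets == 1) {
        Compile_rules_postfix_limitToNets();
        return;
    }
    $unix = new unix();
    $iptables = $unix->find_program("iptables");
    if ($GLOBALS["VERBOSE"]) {
        echo __FUNCTION__ . " line:" . __LINE__ . "\n";
    }
    // Without the binary every generated command would be a bare "-A INPUT ..."
    // that fails in the shell, while the "banned" e-mail would still go out.
    // NOTE(review): assumes find_program() returns "" when nothing is found - confirm.
    if (trim((string) $iptables) === "") {
        events("iptables binary not found, cannot compile Postfix rules");
        progress(100, "Building rules done...");
        return;
    }
    $iptablesClass = new iptables_chains();
    if ($GLOBALS["VERBOSE"]) {
        echo __FUNCTION__ . " line:" . __LINE__ . "\n";
    }
    // 1 = also emit a LOG rule in front of every DROP rule.
    $InstantIptablesEventAll = $sock->GET_INFO("InstantIptablesEventAll");
    if (!is_numeric($InstantIptablesEventAll)) {
        $InstantIptablesEventAll = 1;
    }
    if ($GLOBALS["VERBOSE"]) {
        echo "InstantIptablesEventAll={$InstantIptablesEventAll}\n";
    }
    if ($GLOBALS["EnablePostfixAutoBlock"] != 1) {
        progress(100, "Building rules done...");
        return;
    }
    // Accept only what parses as an IP address, optionally followed by a CIDR
    // prefix. The value is interpolated into a shell command below and the
    // table is filled elsewhere, so its contents are treated as untrusted.
    $isValidSource = function ($candidate) {
        $parts = explode("/", trim((string) $candidate), 2);
        if (filter_var($parts[0], FILTER_VALIDATE_IP) === false) {
            return false;
        }
        if (count($parts) === 1) {
            return true;
        }
        $maxPrefix = (strpos($parts[0], ":") !== false) ? 128 : 32;
        return ctype_digit($parts[1]) && (int) $parts[1] <= $maxPrefix;
    };
    // Initialised up front: count() on an undefined variable is a warning
    // (PHP 7) or a TypeError (PHP 8) when no row qualifies.
    $commands = array();
    events("Query iptables rules from mysql");
    progress(10, "Query rules");
    progress(25, "Building logging rules");
    // Static query: no external data is interpolated into the SQL.
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' and log=1 AND allow=0 AND local_port=25";
    if ($GLOBALS["VERBOSE"]) {
        echo $sql . "\n";
    }
    $q = new mysql();
    $results = $q->QUERY_SQL($sql, "artica_backup");
    $GLOBALS["IPTABLES_WHITELISTED"] = $iptablesClass->LoadWhiteLists();
    // "@" presumably hides the warning when QUERY_SQL() failed and $results is
    // not a result set; the loop then runs zero times.
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if ($iptablesClass->isWhiteListed($ip)) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} is whitelisted\n";
            }
            continue;
        }
        if (!$isValidSource($ip)) {
            events("SKIP invalid address \"{$ip}\" in iptables table (log rule)");
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} is not a valid address, skipped\n";
            }
            continue;
        }
        events("LOG {$ligne["serverip"]} REJECT INBOUND PORT 25");
        progress(35, "Building logging rules for {$ip}");
        $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j LOG --log-prefix \"SMTP DROP: \" -m comment --comment \"ArticaInstantPostfix\"";
    }
    progress(40, "Building rules...");
    // $c counts the addresses that actually get a DROP rule; it feeds the e-mail.
    $c = 0;
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' AND allow=0 AND local_port=25";
    if ($GLOBALS["VERBOSE"]) {
        echo $sql . "\n";
    }
    $results = $q->QUERY_SQL($sql, "artica_backup");
    progress(55, "Building rules...");
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if ($iptablesClass->isWhiteListed($ip)) {
            continue;
        }
        if (!$isValidSource($ip)) {
            events("SKIP invalid address \"{$ip}\" in iptables table (drop rule)");
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} is not a valid address, skipped\n";
            }
            continue;
        }
        $c++;
        events("ADD REJECT {$ligne["serverip"]} INBOUND PORT 25");
        progress(60, "Building rules for {$ip}...");
        if ($InstantIptablesEventAll == 1) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} -> LOG\n";
            }
            $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j LOG --log-prefix \"SMTP DROP: \" -m comment --comment \"ArticaInstantPostfix\"";
        }
        $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
    }
    // Dry run: report the amount of work and stop before touching the firewall.
    if ($GLOBALS["VERBOSE"]) {
        echo count($commands) . " should be performed\n";
        return;
    }
    // foreach replaces the each() loop, which is deprecated in 7.2 and gone in 8.
    foreach ($commands as $line) {
        shell_exec($line);
    }
    $unix->send_email_events("{$c} banned addresses compiled in the SMTP Firewall", "{$c} items has been banned from 25,587,465 ports", "postfix");
    progress(90, "Building rules done...");
    progress(100, "Building rules done...");
    // Cache a numbered listing of the INPUT chain (presumably read elsewhere);
    // detached with nohup so this call does not wait on iptables -L.
    $nohup = $unix->find_program("nohup");
    $cachefile = "/etc/artica-postfix/IPTABLES_INPUT";
    shell_exec("{$nohup} {$iptables} -L --line-numbers -n >{$cachefile} 2>&1 &");
}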
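/**
 * Rebuild the Postfix (TCP/25) iptables rule set from the "iptables" table.
 *
 * Order of operations: flush the current rules, read the switches from the
 * sockets settings store, hand over to Compile_rules_whitelist() when the
 * whitelist mode is on, otherwise - only when $GLOBALS["EnablePostfixAutoBlock"]
 * is 1 - build one LOG and one DROP rule per banned source address and run
 * them through shell_exec().
 *
 * Dry run: when $GLOBALS["VERBOSE"] is set the generated commands are only
 * counted and echoed, never executed.
 *
 * Every address read from the database is validated as an IP address
 * (optionally with a /prefix) before it is interpolated into a shell command;
 * rows that do not parse are skipped and reported through events().
 *
 * @return void
 */
function Compile_rules()
{
    progress(5, "Cleaning rules");
    iptables_delete_all();
    $sock = new sockets();
    // Settings come back as strings (empty when unset); non-numeric means "off".
    $EnablePostfixAutoBlockWhiteListed = $sock->GET_INFO("EnablePostfixAutoBlockWhiteListed");
    if (!is_numeric($EnablePostfixAutoBlockWhiteListed)) {
        $EnablePostfixAutoBlockWhiteListed = 0;
    }
    // Whitelist mode replaces the per-address ban list entirely.
    if ($EnablePostfixAutoBlockWhiteListed == 1) {
        Compile_rules_whitelist();
        return;
    }
    $unix = new unix();
    $iptables = $unix->find_program("iptables");
    // Without the binary every generated command would be a bare "-A INPUT ..."
    // that fails in the shell, while the "banned" e-mail would still go out.
    // NOTE(review): assumes find_program() returns "" when nothing is found - confirm.
    if (trim((string) $iptables) === "") {
        events("iptables binary not found, cannot compile Postfix rules");
        progress(100, "Building rules done...");
        return;
    }
    $iptablesClass = new iptables_chains();
    // 1 = also emit a LOG rule in front of every DROP rule.
    $InstantIptablesEventAll = $sock->GET_INFO("InstantIptablesEventAll");
    if (!is_numeric($InstantIptablesEventAll)) {
        $InstantIptablesEventAll = 1;
    }
    if ($GLOBALS["VERBOSE"]) {
        echo "InstantIptablesEventAll={$InstantIptablesEventAll}\n";
    }
    if ($GLOBALS["EnablePostfixAutoBlock"] != 1) {
        progress(100, "Building rules done...");
        return;
    }
    // Accept only what parses as an IP address, optionally followed by a CIDR
    // prefix. The value is interpolated into a shell command below and the
    // table is filled elsewhere, so its contents are treated as untrusted.
    $isValidSource = function ($candidate) {
        $parts = explode("/", trim((string) $candidate), 2);
        if (filter_var($parts[0], FILTER_VALIDATE_IP) === false) {
            return false;
        }
        if (count($parts) === 1) {
            return true;
        }
        $maxPrefix = (strpos($parts[0], ":") !== false) ? 128 : 32;
        return ctype_digit($parts[1]) && (int) $parts[1] <= $maxPrefix;
    };
    // Initialised up front: count() on an undefined variable is a warning
    // (PHP 7) or a TypeError (PHP 8) when no row qualifies.
    $commands = array();
    events("Query iptables rules from mysql");
    progress(10, "Query rules");
    progress(25, "Building logging rules");
    // Static query: no external data is interpolated into the SQL.
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' and log=1 AND local_port=25";
    $q = new mysql();
    $results = $q->QUERY_SQL($sql, "artica_backup");
    $GLOBALS["IPTABLES_WHITELISTED"] = $iptablesClass->LoadWhiteLists();
    // "@" presumably hides the warning when QUERY_SQL() failed and $results is
    // not a result set; the loop then runs zero times.
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if ($iptablesClass->isWhiteListed($ip)) {
            continue;
        }
        if (!$isValidSource($ip)) {
            events("SKIP invalid address \"{$ip}\" in iptables table (log rule)");
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} is not a valid address, skipped\n";
            }
            continue;
        }
        events("LOG {$ligne["serverip"]} REJECT INBOUND PORT 25");
        progress(35, "Building logging rules for {$ip}");
        $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j LOG --log-prefix \"SMTP DROP: \" -m comment --comment \"ArticaInstantPostfix\"";
    }
    progress(40, "Building rules...");
    // $c counts the addresses that actually get a DROP rule; it feeds the e-mail.
    $c = 0;
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' AND local_port=25";
    $results = $q->QUERY_SQL($sql, "artica_backup");
    progress(55, "Building rules...");
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if ($iptablesClass->isWhiteListed($ip)) {
            continue;
        }
        if (!$isValidSource($ip)) {
            events("SKIP invalid address \"{$ip}\" in iptables table (drop rule)");
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} is not a valid address, skipped\n";
            }
            continue;
        }
        $c++;
        events("ADD REJECT {$ligne["serverip"]} INBOUND PORT 25");
        progress(60, "Building rules for {$ip}...");
        if ($InstantIptablesEventAll == 1) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} -> LOG\n";
            }
            $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j LOG --log-prefix \"SMTP DROP: \" -m comment --comment \"ArticaInstantPostfix\"";
        }
        $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
    }
    // Dry run: report the amount of work and stop before touching the firewall.
    if ($GLOBALS["VERBOSE"]) {
        echo count($commands) . " should be performed\n";
        return;
    }
    // foreach replaces the each() loop, which is deprecated in 7.2 and gone in 8.
    foreach ($commands as $line) {
        shell_exec($line);
    }
    $unix->send_email_events("{$c} banned addresses compiled in the SMTP Firewall", "{$c} items has been banned from 25,587,465 ports", "postfix");
    progress(90, "Building rules done...");
    progress(100, "Building rules done...");
}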