die; } if ($argv[1] == '--transfert-white') { ParseResolvMX(); die; } if ($argv[1] == '--upgrade-white') { UpgradeWhiteList(); die; } if ($argv[1] == '--ipdeny') { ipdeny(); die; } if ($argv[1] == '--perso') { perso(); die; } if ($GLOBALS["VERBOSE"]) { echo "Parsing " . @implode(" ", $argv) . "\n"; } if (!Build_pid_func(__FILE__, "MAIN")) { writelogs(basename(__FILE__) . ":Already executed.. aborting the process", basename(__FILE__), __FILE__, __LINE__); die; } parsequeue(); if ($GLOBALS["EnablePostfixAutoBlock"] != 1) { iptables_delete_all(); events("This feature is currently disabled ({$GLOBALS["EnablePostfixAutoBlock"]})"); die; }
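/**
 * Rebuild the SMTP (port 25) iptables rule set from the `iptables` table.
 *
 * Flushes every rule this script owns, re-applies the personal rules,
 * the whitelist (when EnablePostfixAutoBlockWhiteListed=1), the NGINX and
 * Spamhaus rule sets, then - unless PostFixLimitToNets=1, which delegates
 * to Compile_rules_postfix_limitToNets() - builds one LOG rule per logged
 * ban and one DROP rule (plus a LOG rule when InstantIptablesEventAll=1)
 * per banned source address, skipping whitelisted addresses.
 *
 * Dry run: when $GLOBALS["VERBOSE"] is set the generated commands are only
 * counted and echoed, never executed, and no e-mail/cache file is produced.
 *
 * @param bool $NoPersoRules  When true, the perso(true) pass is skipped
 *                            (FW_PERSO_RULES() still runs).
 * @return void
 */
function Compile_rules($NoPersoRules = false) {
    progress(5, "Cleaning rules");
    if ($GLOBALS["VERBOSE"]) { echo __FUNCTION__ . " line:" . __LINE__ . "\n"; }
    iptables_delete_all();

    $sock = new sockets();
    if ($GLOBALS["VERBOSE"]) { echo __FUNCTION__ . " line:" . __LINE__ . "\n"; }

    // Settings come back as strings; anything non-numeric falls back to the
    // documented default (0 = off, except GlobalIptablesEnabled which defaults on).
    $PostFixLimitToNets = $sock->GET_INFO("PostFixLimitToNets");
    if (!is_numeric($PostFixLimitToNets)) { $PostFixLimitToNets = 0; }
    $EnablePostfixAutoBlockWhiteListed = $sock->GET_INFO("EnablePostfixAutoBlockWhiteListed");
    if (!is_numeric($EnablePostfixAutoBlockWhiteListed)) { $EnablePostfixAutoBlockWhiteListed = 0; }
    $GlobalIptablesEnabled = $sock->GET_INFO("GlobalIptablesEnabled");
    if (!is_numeric($GlobalIptablesEnabled)) { $GlobalIptablesEnabled = 1; }

    if ($GlobalIptablesEnabled != 1) {
        if ($GLOBALS["VERBOSE"]) { echo "GlobalIptablesEnabled <> 1, aborting...\n"; }
        return;
    }

    if (!$NoPersoRules) { perso(true); }
    FW_PERSO_RULES();
    if ($GLOBALS["VERBOSE"]) { echo __FUNCTION__ . " line:" . __LINE__ . "\n"; }

    if ($EnablePostfixAutoBlockWhiteListed == 1) { Compile_rules_whitelist(); }

    if ($GLOBALS["VERBOSE"]) { echo "FW_NGINX_RULES\n\n"; }
    FW_NGINX_RULES(true);
    FW_SPAMHAUS_RULES(true);

    if ($PostFixLimitToNets == 1) {
        Compile_rules_postfix_limitToNets();
        return;
    }

    $unix = new unix();
    $iptables = $unix->find_program("iptables");
    if ($GLOBALS["VERBOSE"]) { echo __FUNCTION__ . " line:" . __LINE__ . "\n"; }
    $iptablesClass = new iptables_chains();
    if ($GLOBALS["VERBOSE"]) { echo __FUNCTION__ . " line:" . __LINE__ . "\n"; }

    $InstantIptablesEventAll = $sock->GET_INFO("InstantIptablesEventAll");
    if (!is_numeric($InstantIptablesEventAll)) { $InstantIptablesEventAll = 1; }
    if ($GLOBALS["VERBOSE"]) { echo "InstantIptablesEventAll={$InstantIptablesEventAll}\n"; }

    if ($GLOBALS["EnablePostfixAutoBlock"] != 1) {
        progress(100, "Building rules done...");
        return;
    }

    events("Query iptables rules from mysql");
    progress(10, "Query rules");
    progress(25, "Building logging rules");

    // Always an array, so count()/foreach below are safe when no row matches.
    $commands = array();

    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' and log=1 AND allow=0 AND local_port=25";
    if ($GLOBALS["VERBOSE"]) { echo $sql . "\n"; }
    $q = new mysql();
    $results = $q->QUERY_SQL($sql, "artica_backup");
    $GLOBALS["IPTABLES_WHITELISTED"] = $iptablesClass->LoadWhiteLists();

    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if ($iptablesClass->isWhiteListed($ip)) {
            if ($GLOBALS["VERBOSE"]) { echo "{$ip} is whitelisted\n"; }
            continue;
        }
        events("LOG {$ligne["serverip"]} REJECT INBOUND PORT 25");
        progress(35, "Building logging rules for {$ip}");
        $commands[] = Compile_rules_smtp_rule($iptables, $ip, "LOG");
    }

    progress(40, "Building rules...");
    $c = 0;
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' AND allow=0 AND local_port=25";
    if ($GLOBALS["VERBOSE"]) { echo $sql . "\n"; }
    $results = $q->QUERY_SQL($sql, "artica_backup");
    progress(55, "Building rules...");

    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if ($iptablesClass->isWhiteListed($ip)) { continue; }
        $c++;
        events("ADD REJECT {$ligne["serverip"]} INBOUND PORT 25");
        progress(60, "Building rules for {$ip}...");
        if ($InstantIptablesEventAll == 1) {
            if ($GLOBALS["VERBOSE"]) { echo "{$ip} -> LOG\n"; }
            $commands[] = Compile_rules_smtp_rule($iptables, $ip, "LOG");
        }
        $commands[] = Compile_rules_smtp_rule($iptables, $ip, "DROP");
    }

    // Verbose mode is a dry run: report what would be applied and stop here.
    if ($GLOBALS["VERBOSE"]) {
        echo count($commands) . " should be performed\n";
        return;
    }

    foreach ($commands as $line) {
        shell_exec($line);
    }

    $unix->send_email_events("{$c} banned addresses compiled in the SMTP Firewall", "{$c} items has been banned from 25,587,465 ports", "postfix");
    progress(90, "Building rules done...");
    progress(100, "Building rules done...");

    // Refresh the INPUT chain snapshot in the background for the UI.
    $nohup = $unix->find_program("nohup");
    $cachefile = "/etc/artica-postfix/IPTABLES_INPUT";
    shell_exec("{$nohup} {$iptables} -L --line-numbers -n >{$cachefile} 2>&1 &");
}

/**
 * Build one port-25 INPUT rule command for Compile_rules().
 *
 * The source address is read from the database, so it is shell-quoted
 * before being interpolated into the command line; for a plain IP this
 * yields the same argument iptables received before.
 *
 * @param string $iptables  Path to the iptables binary.
 * @param string $ip        Source address (the `serverip` column).
 * @param string $target    "LOG" for the logging rule, anything else -> DROP.
 * @return string           The shell command to run.
 */
function Compile_rules_smtp_rule($iptables, $ip, $target) {
    $safeIp = escapeshellarg($ip);
    if ($target == "LOG") {
        return "{$iptables} -A INPUT -s {$safeIp} -p tcp --destination-port 25 -j LOG --log-prefix \"SMTP DROP: \" -m comment --comment \"ArticaInstantPostfix\"";
    }
    return "{$iptables} -A INPUT -s {$safeIp} -p tcp --destination-port 25 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
}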
$sock=new sockets(); $GLOBALS["EnablePostfixAutoBlock"]=trim($sock->GET_INFO("EnablePostfixAutoBlock")); if($GLOBALS["EnablePostfixAutoBlock"]==null){$GLOBALS["EnablePostfixAutoBlock"]=0;} if($argv[1]=='--compile'){Compile_rules();die();} if($argv[1]=='--parse-queue'){parsequeue();die();} if($argv[1]=='--no-check'){$_GET["nocheck"]=true;} if($argv[1]=='--parse-sql'){ParseLastEvents();die();} if($argv[1]=='--delete-all-iptables'){DeleteAllIpTablesRules();die();} if($argv[1]=='--test-white'){$iptablesClass=new iptables_chains();$GLOBALS["IPTABLES_WHITELISTED"]=$iptablesClass->LoadWhiteLists();$iptablesClass->isWhiteListed($argv[2]);die();} if($argv[1]=='--export-drop'){ExportDrop();die();} if($argv[1]=='--transfert-white'){ParseResolvMX();die();} if($argv[1]=='--upgrade-white'){UpgradeWhiteList();die();} if($argv[1]=='--ipdeny'){ipdeny();die();} if($argv[1]=='--perso'){perso();die();} if($GLOBALS["VERBOSE"]){echo "Parsing ".@implode(" ", $argv)."\n";} if(!Build_pid_func(__FILE__,"MAIN")){writelogs(basename(__FILE__).":Already executed.. aborting the process",basename(__FILE__),__FILE__,__LINE__);die();} parsequeue(); if($GLOBALS["EnablePostfixAutoBlock"]<>1){events("This feature is currently disabled ({$GLOBALS["EnablePostfixAutoBlock"]})");die();} die(); //iptables -L OUTPUT --line-numbers //iptables -A INPUT -s 65.55.44.100 -p tcp --destination-port 25 -j DROP; function DeleteAllIpTablesRules(){ $unix=new unix();