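/**
 * Rebuilds the instant Postfix (port 25) iptables rules from the `iptables` table.
 *
 * Flushes every rule through iptables_delete_all(); when EnablePostfixAutoBlock
 * is on, appends one LOG rule per row flagged log=1 and one DROP rule per
 * enabled INPUT row. The `serverip` column is interpolated unquoted into a
 * shell command, so each value is validated with FILTER_VALIDATE_IP first and
 * rows that fail are skipped and reported through events().
 *
 * Side effects: runs /sbin/iptables via system(); reports via progress()/events().
 *
 * @return void
 */
function Compile_rules()
{
    progress(5, "Cleaning rules");
    iptables_delete_all();
    if ($GLOBALS["EnablePostfixAutoBlock"] != 1) {
        progress(100, "Building rules done...");
        return;
    }
    events("Query iptables rules from mysql");
    progress(10, "Query rules");
    progress(25, "Building logging rules");
    $q = new mysql();

    // Pass 1: LOG rules for the addresses flagged log=1.
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' and log=1";
    $results = $q->QUERY_SQL($sql, "artica_backup");
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            // Never let a non-address reach the shell unquoted.
            events("SKIP {$ip} is not a valid IP address");
            continue;
        }
        events("LOG {$ligne["serverip"]} REJECT INBOUND PORT 25");
        progress(35, "Building logging rules for {$ip}");
        $cmd = "/sbin/iptables -A INPUT -s {$ip} -p tcp --destination-port 25 -j LOG --log-prefix \"SMTP DROP: \" -m comment --comment \"ArticaInstantPostfix\"";
        system($cmd);
    }

    // Pass 2: DROP rules for every enabled INPUT row.
    progress(40, "Building rules...");
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT'";
    $results = $q->QUERY_SQL($sql, "artica_backup");
    progress(55, "Building rules...");
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            events("SKIP {$ip} is not a valid IP address");
            continue;
        }
        events("ADD REJECT {$ligne["serverip"]} INBOUND PORT 25");
        progress(60, "Building rules for {$ip}...");
        $cmd = "/sbin/iptables -A INPUT -s {$ip} -p tcp --destination-port 25 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
        system($cmd);
    }
    progress(90, "Building rules done...");
    progress(100, "Building rules done...");
}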
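/**
 * Builds the TCP/IP rotator NAT rules from the `ip_rotator_smtp` table.
 *
 * Each row redirects NEW SMTP (port 25) connections aimed at `ipsource` to
 * `ipdest`, spread with the iptables `statistic` match: every N-th packet when
 * `mode`=nth, or by probability when `mode`=random (`mode_value` in both cases).
 *
 * Fixes relative to the previous version: the exec() output buffer no longer
 * overwrites the MySQL result resource (which silently ended the loop after
 * the first row); the statistic clause is computed per row instead of leaking
 * the previous row's value; rows whose mode is unknown, whose `mode_value` is
 * not numeric, or whose addresses are not valid IPs are skipped instead of
 * being interpolated into the command line; a failed query returns early.
 *
 * @return void
 */
function build()
{
    iptables_delete_all();
    $unix = new unix();
    $itables = $unix->find_program("iptables");
    $q = new mysql();
    $sql = "SELECT * FROM ip_rotator_smtp ORDER BY ID";
    $results = $q->QUERY_SQL($sql, "artica_backup");
    if (!$q->ok) {
        echo "{$q->mysql_error}\n";
        return;
    }
    $count = mysql_num_rows($results);
    echo "Starting......: TCP/IP Rotator {$count} items\n";
    if ($count == 0) {
        return;
    }
    $comment = " -m comment --comment \"ArticaIpRotator\"";
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ipsrc = $ligne["ipsource"];
        $ipdest = $ligne["ipdest"];
        $mode = $ligne["mode"];
        $mode_value = $ligne["mode_value"];
        // All three values end up unquoted on a shell command line.
        if (filter_var($ipsrc, FILTER_VALIDATE_IP) === false || filter_var($ipdest, FILTER_VALIDATE_IP) === false) {
            echo "Starting......: TCP/IP Rotator: skipping invalid address pair {$ipsrc} -> {$ipdest}\n";
            continue;
        }
        if (!is_numeric($mode_value)) {
            echo "Starting......: TCP/IP Rotator: skipping {$ipsrc}, mode value is not numeric\n";
            continue;
        }
        if ($mode == "nth") {
            $mode_text = " -m statistic --mode nth --every {$mode_value} ";
        } elseif ($mode == "random") {
            $mode_text = " -m statistic --mode random --probability {$mode_value} ";
        } else {
            echo "Starting......: TCP/IP Rotator: skipping {$ipsrc}, unknown mode {$mode}\n";
            continue;
        }
        $cmdline = "{$itables} -t nat -A PREROUTING -p tcp -d {$ipsrc} --dport 25 -m state --state NEW {$mode_text} --packet 0 -j DNAT --to-destination {$ipdest} {$comment}";
        if ($GLOBALS["VERBOSE"]) {
            echo $cmdline . "\n";
        }
        // Separate buffer: reusing $results here clobbered the MySQL resource.
        $output = array();
        exec($cmdline, $output);
        foreach ($output as $line) {
            echo "Starting......: TCP/IP Rotator: {$line}\n";
        }
    }
}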
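/**
 * Rebuilds the full instant firewall rule set: personal, nginx and Spamhaus
 * chains plus the Postfix auto-block rules read from the `iptables` table.
 *
 * Sequence (unchanged): flush all rules; read GlobalIptablesEnabled,
 * PostFixLimitToNets, EnablePostfixAutoBlockWhiteListed and
 * InstantIptablesEventAll from sockets::GET_INFO(), substituting the defaults
 * used below for non-numeric values; stop when iptables is globally disabled;
 * call perso(true) unless $NoPersoRules; apply FW_PERSO_RULES(), the whitelist
 * chain, FW_NGINX_RULES() and FW_SPAMHAUS_RULES(); delegate to
 * Compile_rules_postfix_limitToNets() when PostFixLimitToNets=1; otherwise, when
 * EnablePostfixAutoBlock=1, queue a LOG rule per log=1 row and a DROP rule (preceded
 * by a LOG rule when InstantIptablesEventAll=1) per banned port-25 address,
 * skipping whitelisted ones, run the queue and e-mail a summary.
 *
 * `serverip` is interpolated unquoted into shell commands, so each value is
 * validated with FILTER_VALIDATE_IP and rejected rows are skipped. $commands is
 * initialised so an empty result set no longer calls count() on null. With
 * $GLOBALS["VERBOSE"] set the queue is counted but not executed.
 *
 * @param bool $NoPersoRules when true, perso(true) is not called before FW_PERSO_RULES()
 * @return void
 */
function Compile_rules($NoPersoRules = false)
{
    progress(5, "Cleaning rules");
    if ($GLOBALS["VERBOSE"]) {
        echo __FUNCTION__ . " line:" . __LINE__ . "\n";
    }
    iptables_delete_all();
    $sock = new sockets();
    if ($GLOBALS["VERBOSE"]) {
        echo __FUNCTION__ . " line:" . __LINE__ . "\n";
    }
    $PostFixLimitToNets = $sock->GET_INFO("PostFixLimitToNets");
    if (!is_numeric($PostFixLimitToNets)) {
        $PostFixLimitToNets = 0;
    }
    $EnablePostfixAutoBlockWhiteListed = $sock->GET_INFO("EnablePostfixAutoBlockWhiteListed");
    if (!is_numeric($EnablePostfixAutoBlockWhiteListed)) {
        $EnablePostfixAutoBlockWhiteListed = 0;
    }
    $GlobalIptablesEnabled = $sock->GET_INFO("GlobalIptablesEnabled");
    if (!is_numeric($GlobalIptablesEnabled)) {
        $GlobalIptablesEnabled = 1;
    }
    if ($GlobalIptablesEnabled != 1) {
        if ($GLOBALS["VERBOSE"]) {
            echo "GlobalIptablesEnabled <> 1, aborting...\n";
        }
        return;
    }
    if (!$NoPersoRules) {
        perso(true);
    }
    FW_PERSO_RULES();
    if ($GLOBALS["VERBOSE"]) {
        echo __FUNCTION__ . " line:" . __LINE__ . "\n";
    }
    if ($EnablePostfixAutoBlockWhiteListed == 1) {
        Compile_rules_whitelist();
    }
    if ($GLOBALS["VERBOSE"]) {
        echo "FW_NGINX_RULES\n\n";
    }
    FW_NGINX_RULES(true);
    FW_SPAMHAUS_RULES(true);
    if ($PostFixLimitToNets == 1) {
        Compile_rules_postfix_limitToNets();
        return;
    }
    $unix = new unix();
    $iptables = $unix->find_program("iptables");
    if ($GLOBALS["VERBOSE"]) {
        echo __FUNCTION__ . " line:" . __LINE__ . "\n";
    }
    $iptablesClass = new iptables_chains();
    if ($GLOBALS["VERBOSE"]) {
        echo __FUNCTION__ . " line:" . __LINE__ . "\n";
    }
    $InstantIptablesEventAll = $sock->GET_INFO("InstantIptablesEventAll");
    if (!is_numeric($InstantIptablesEventAll)) {
        $InstantIptablesEventAll = 1;
    }
    if ($GLOBALS["VERBOSE"]) {
        echo "InstantIptablesEventAll={$InstantIptablesEventAll}\n";
    }
    if ($GLOBALS["EnablePostfixAutoBlock"] != 1) {
        progress(100, "Building rules done...");
        return;
    }
    events("Query iptables rules from mysql");
    progress(10, "Query rules");
    progress(25, "Building logging rules");
    $commands = array();
    $q = new mysql();
    $GLOBALS["IPTABLES_WHITELISTED"] = $iptablesClass->LoadWhiteLists();

    // Pass 1: LOG rules for rows explicitly flagged log=1.
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' and log=1 AND allow=0 AND local_port=25";
    if ($GLOBALS["VERBOSE"]) {
        echo $sql . "\n";
    }
    $results = $q->QUERY_SQL($sql, "artica_backup");
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} is not a valid IP address, skipped\n";
            }
            continue;
        }
        if ($iptablesClass->isWhiteListed($ip)) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} is whitelisted\n";
            }
            continue;
        }
        events("LOG {$ligne["serverip"]} REJECT INBOUND PORT 25");
        progress(35, "Building logging rules for {$ip}");
        $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j LOG --log-prefix \"SMTP DROP: \" -m comment --comment \"ArticaInstantPostfix\"";
    }

    // Pass 2: DROP rules (optionally preceded by a LOG rule) for every banned address.
    progress(40, "Building rules...");
    $c = 0;
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' AND allow=0 AND local_port=25";
    if ($GLOBALS["VERBOSE"]) {
        echo $sql . "\n";
    }
    $results = $q->QUERY_SQL($sql, "artica_backup");
    progress(55, "Building rules...");
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} is not a valid IP address, skipped\n";
            }
            continue;
        }
        if ($iptablesClass->isWhiteListed($ip)) {
            continue;
        }
        $c++;
        events("ADD REJECT {$ligne["serverip"]} INBOUND PORT 25");
        progress(60, "Building rules for {$ip}...");
        if ($InstantIptablesEventAll == 1) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} -> LOG\n";
            }
            $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j LOG --log-prefix \"SMTP DROP: \" -m comment --comment \"ArticaInstantPostfix\"";
        }
        $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
    }
    if ($GLOBALS["VERBOSE"]) {
        // Dry run: report the queue size and leave the firewall untouched.
        echo count($commands) . " should be performed\n";
        return;
    }
    foreach ($commands as $line) {
        shell_exec($line);
    }
    $unix->send_email_events("{$c} banned addresses compiled in the SMTP Firewall", "{$c} items has been banned from 25,587,465 ports", "postfix");
    progress(90, "Building rules done...");
    progress(100, "Building rules done...");
    // Snapshot the live INPUT chain in the background (presumably read elsewhere)
    // so the listing does not delay this run.
    $nohup = $unix->find_program("nohup");
    $cachefile = "/etc/artica-postfix/IPTABLES_INPUT";
    shell_exec("{$nohup} {$iptables} -L --line-numbers -n >{$cachefile} 2>&1 &");
}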
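/**
 * Rebuilds the instant SSH auto-block rules from the `iptables` table.
 *
 * Reads the sshd listening port from class.openssh.inc (falls back to 22 when
 * it is not numeric), flushes every rule, then appends one DROP rule per
 * non-whitelisted `serverip` on that port and e-mails a summary when at least
 * one rule was installed.
 *
 * Every address is checked with FILTER_VALIDATE_IP before it is interpolated
 * into the iptables command line, and $commands is initialised so an empty
 * result set no longer calls count() on an undefined variable.
 *
 * NOTE(review): the query selects local_port=22 while the rule uses the
 * configured sshd port; if sshd listens elsewhere the two may not agree —
 * confirm against the code that fills the table.
 *
 * @return void
 */
function compile_sshd_rules()
{
    include_once(dirname(__FILE__) . "/ressources/class.openssh.inc");
    $q = new mysql();
    $iptablesClass = new iptables_chains();
    $unix = new unix();
    $openssh = new openssh();
    $SSHDPort = $openssh->main_array["Port"];
    if (!is_numeric($SSHDPort)) {
        $SSHDPort = 22;
    }
    $SSHDPort = (int) $SSHDPort;
    $iptables = $unix->find_program("iptables");
    $GLOBALS["IPTABLES_WHITELISTED"] = $iptablesClass->LoadWhiteLists();
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' AND local_port=22";
    $results = $q->QUERY_SQL($sql, "artica_backup");
    iptables_delete_all();

    if ($GLOBALS["VERBOSE"]) {
        echo "OpenSSH port is $SSHDPort\n";
    }

    $commands = array();
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            // Never let a non-address reach the shell unquoted.
            if ($GLOBALS["VERBOSE"]) {
                echo "$ip is not a valid IP address, skipped\n";
            }
            continue;
        }
        if ($iptablesClass->isWhiteListed($ip)) {
            continue;
        }
        events("ADD REJECT {$ligne["serverip"]} INBOUND PORT 22");
        ssh_events("ADD REJECT {$ligne["serverip"]} INBOUND PORT 22", __FUNCTION__, __FILE__, __LINE__);
        $commands[] = "$iptables -A INPUT -s $ip -p tcp --destination-port $SSHDPort -j DROP -m comment --comment \"ArticaInstantSSH\"";
    }

    if ($GLOBALS["VERBOSE"]) {
        echo count($commands) . " should be performed\n";
    }

    if (count($commands) > 0) {
        foreach ($commands as $line) {
            writelogs($line, __FUNCTION__, __FILE__, __LINE__);
            if ($GLOBALS["VERBOSE"]) {
                echo $line . "\n";
            }
            shell_exec($line);
        }
        $unix->send_email_events("SSHD Hack " . count($commands) . " rules(s) added", null, "system");
    }
}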
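/**
 * Generates /bin/artica-firewall.sh, the shell script that installs the
 * per-interface firewall rules, from the `nics` and `nics_bridge` tables.
 *
 * When FireHolEnable=1 the script is deleted and all rules flushed instead
 * (presumably FireHOL manages the firewall then). Otherwise, for every
 * interface with isFW=1 (non-bridged NICs first, then bridges br<ID>), the
 * script accepts loopback traffic, optionally the locally detected networks
 * (isFWAcceptNet=1 for NICs, always for bridges), the rules produced by
 * BuilFWdRules() / BuilFWdRules_FORWARD() / BuilFWdRules_MARK(), and finally a
 * LOG rule (when isFWLogBlocked=1) followed by the catch-all REJECT and
 * ProtectArtica() rules.
 *
 * Changes relative to the previous version: $hash, $SCRIPT and $SCRIPT_FINAL
 * are initialised so an empty network list or interface set no longer calls
 * reset()/each() on null; the meaningless is_array() test on an array key is
 * gone; the unused $ALL_RULES counter is removed; a failed script write is
 * reported instead of being silenced and then announced as done.
 *
 * @return void
 */
function build()
{
    $unix = new unix();
    $q = new mysql();
    $sock = new sockets();
    $FireHolEnable = intval($sock->GET_INFO("FireHolEnable"));
    if ($FireHolEnable == 1) {
        @unlink("/bin/artica-firewall.sh");
        iptables_delete_all();
        return;
    }
    iptables_delete_all();

    // Schema upgrade for installations that predate the two flags.
    if (!$q->FIELD_EXISTS("nics", "isFWAcceptNet", "artica_backup")) {
        $sql = "ALTER TABLE `nics` ADD `isFWAcceptNet` smallint( 1 ) NOT NULL DEFAULT '0'";
        $q->QUERY_SQL($sql, 'artica_backup');
        if (!$q->ok) {
            echo "[" . __LINE__ . "]: {$q->mysql_error}\n";
        }
    }
    if (!$q->FIELD_EXISTS("nics", "isFWAcceptArtica", "artica_backup")) {
        $sql = "ALTER TABLE `nics` ADD `isFWAcceptArtica` smallint( 1 ) NOT NULL DEFAULT '0'";
        $q->QUERY_SQL($sql, 'artica_backup');
        if (!$q->ok) {
            echo "[" . __LINE__ . "]: {$q->mysql_error}\n";
        }
    }

    $SCRIPT = array();          // script body, in order
    $SCRIPT_FINAL = array();    // catch-all rules appended after everything else
    $FINAL_LOG_DROP = array();  // keyed by command so duplicate LOG rules collapse
    $hash = array();            // locally detected networks, keyed by themselves

    $sql = "SELECT `Interface`,`Bridged`,`BridgedTo`,`isFWAcceptNet`,`isFWAcceptArtica`,`isFWLogBlocked` FROM `nics` WHERE `isFW`=1 AND `Bridged`=0";
    if ($GLOBALS["VERBOSE"]) {
        echo "[" . __LINE__ . "] {$sql}\n";
    }
    $echo = $unix->find_program("echo");
    $php = $unix->LOCATE_PHP5_BIN();
    $SCRIPT[] = "#! /bin/sh";
    $SCRIPT[] = "{$php} /usr/share/artica-postfix/exec.syslog-engine.php --buildconf";
    $SCRIPT[] = "if [ ! -f /var/log/iptables.log ]; then";
    $SCRIPT[] = "\t{$echo} \"/var/log/iptables.log doesn't exists...\"";
    $SCRIPT[] = "\t" . $unix->LOCATE_SYSLOG_INITD() . " restart";
    $SCRIPT[] = "fi";
    $SCRIPT[] = "{$echo} \"Removing Firewall rules...\"";
    $SCRIPT[] = $php . " " . __FILE__ . " --remove || true";
    $SCRIPT[] = "# -------------- Q . O . S --------------";
    $SCRIPT[] = build_qos();
    $results = $q->QUERY_SQL($sql, "artica_backup");
    $CountDeInterface = mysql_num_rows($results);
    $SCRIPT[] = "{$echo} \"Firewall enabled on {$CountDeInterface} Interface(s)\"";
    $iptables = $unix->find_program("iptables");
    $MARKLOG = "-m comment --comment \"ArticaFireWall\"";
    $net = new networkscanner();
    foreach ($net->networklist as $maks) {
        if (trim($maks) === '') {
            continue;
        }
        $SCRIPT[] = "# Accept potential Network {$maks}";
        $hash[$maks] = $maks;
    }

    if ($CountDeInterface > 0) {
        while ($ligne = mysql_fetch_array($results, MYSQL_ASSOC)) {
            $isFWAcceptNet = intval($ligne["isFWAcceptNet"]);
            // NOTE(review): "--j" appears to rely on getopt long-option
            // abbreviation of --jump; "-j" is the documented form — verify.
            $J_LOGPRX = "--j LOG --log-level debug --log-prefix \"AID=0/INPUT/REJECT \"";
            $InInterface = " -i {$ligne["Interface"]} ";
            // The REJECT goes into the final section; the LOG rule is emitted before it.
            $SCRIPT_FINAL[] = "{$iptables} -A INPUT {$InInterface} {$MARKLOG} -j REJECT || true";
            if ($ligne["isFWLogBlocked"] == 1) {
                $FINAL_LOG_DROP["{$iptables} -A INPUT {$InInterface} {$MARKLOG} {$J_LOGPRX} || true"] = true;
            }
            $SCRIPT[] = "{$iptables} -I INPUT {$InInterface} -s 127.0.0.1 {$MARKLOG} -j ACCEPT || true";
            $SCRIPT[] = "{$iptables} -I INPUT {$InInterface} -d 127.0.0.1 {$MARKLOG} -j ACCEPT || true";
            $SCRIPT[] = "# {$InInterface} Accept local network ? = {$isFWAcceptNet}";
            if ($isFWAcceptNet == 1) {
                foreach ($hash as $maks) {
                    $SCRIPT[] = "{$iptables} -I INPUT {$InInterface} -d {$maks} {$MARKLOG} -j ACCEPT || true";
                    $SCRIPT[] = "{$iptables} -I INPUT {$InInterface} -s {$maks} {$MARKLOG} -j ACCEPT || true";
                }
            }
            $SCRIPT[] = BuilFWdRules($ligne["Interface"], "INPUT", $ligne["isFWLogBlocked"]);
            $SCRIPT[] = BuilFWdRules($ligne["Interface"], "OUTPUT", $ligne["isFWLogBlocked"]);
            $SCRIPT[] = BuilFWdRules_FORWARD($ligne["Interface"], $ligne["isFWLogBlocked"]);
        }
    }

    $sql = "SELECT * FROM `nics_bridge` WHERE `isFW`=1";
    if ($GLOBALS["VERBOSE"]) {
        echo "[" . __LINE__ . "] {$sql}\n";
    }
    $results = $q->QUERY_SQL($sql, "artica_backup");
    if (!$q->ok) {
        $SCRIPT[] = "#" . str_replace("\n", " ", $q->mysql_error);
    }
    $CountDeInterface = mysql_num_rows($results);
    $SCRIPT[] = "{$echo} \"Firewall enabled on {$CountDeInterface} Bridge(s)\"";
    if ($CountDeInterface > 0) {
        while ($ligne = mysql_fetch_array($results, MYSQL_ASSOC)) {
            $J_LOGPRX = "--j LOG --log-level debug --log-prefix \"AID={$ligne["ID"]}/INPUT/REJECT \"";
            $SCRIPT[] = "{$echo} \"Apply rules on bridge br{$ligne["ID"]} log block={$ligne["isFWLogBlocked"]}\"";
            $interface = "br{$ligne["ID"]}";
            $InInterface = " -i {$interface} ";
            $SCRIPT[] = "{$iptables} -I INPUT {$InInterface} -s 127.0.0.1 {$MARKLOG} -j ACCEPT || true";
            foreach ($hash as $maks) {
                $SCRIPT[] = "{$iptables} -I INPUT {$InInterface} -d {$maks} {$MARKLOG} -j ACCEPT || true";
                $SCRIPT[] = "{$iptables} -I INPUT {$InInterface} -s {$maks} {$MARKLOG} -j ACCEPT || true";
            }
            $SCRIPT[] = BuilFWdRules($interface, "INPUT", $ligne["isFWLogBlocked"]);
            $SCRIPT[] = BuilFWdRules($interface, "OUTPUT", $ligne["isFWLogBlocked"]);
            $SCRIPT[] = BuilFWdRules_FORWARD($interface, $ligne["isFWLogBlocked"]);
            $SCRIPT[] = BuilFWdRules_MARK($interface);
            if ($ligne["isFWLogBlocked"] == 1) {
                $FINAL_LOG_DROP["{$iptables} -A INPUT {$InInterface} {$MARKLOG} {$J_LOGPRX} || true"] = true;
            }
            $SCRIPT_FINAL[] = "{$iptables} -A INPUT {$InInterface} {$MARKLOG} -j REJECT || true";
        }
    }

    $SCRIPT_FINAL[] = ProtectArtica();
    $SCRIPT[] = "#Final step, block necessaries connections";
    foreach (array_keys($FINAL_LOG_DROP) as $itemSRC) {
        $SCRIPT[] = $itemSRC;
    }
    $SCRIPT[] = implode("\n", $SCRIPT_FINAL);
    $SCRIPT[] = "exit 0\n";
    if (@file_put_contents("/bin/artica-firewall.sh", implode("\n", $SCRIPT)) === false) {
        echo "[" . __LINE__ . "]: unable to write /bin/artica-firewall.sh\n";
        return;
    }
    @chmod("/bin/artica-firewall.sh", 0755);
    echo "[" . __LINE__ . "]: /bin/artica-firewall.sh done...\n";
}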
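/**
 * Rebuilds the instant Postfix (port 25) iptables rules from the `iptables` table.
 *
 * Flushes all rules, then either delegates entirely to Compile_rules_whitelist()
 * when EnablePostfixAutoBlockWhiteListed=1, or — when EnablePostfixAutoBlock=1 —
 * queues a LOG rule per log=1 row and a DROP rule (preceded by a LOG rule when
 * InstantIptablesEventAll=1) per port-25 row, skipping whitelisted addresses,
 * runs the queue and e-mails a summary. Non-numeric settings from
 * sockets::GET_INFO() fall back to the defaults used below.
 *
 * `serverip` is interpolated unquoted into shell commands, so each value is
 * validated with FILTER_VALIDATE_IP and rejected rows are skipped. $commands is
 * initialised so an empty result set no longer calls count() on null, and the
 * redundant second sockets instance is gone. With $GLOBALS["VERBOSE"] set the
 * queue is counted but not executed.
 *
 * @return void
 */
function Compile_rules()
{
    progress(5, "Cleaning rules");
    iptables_delete_all();
    $sock = new sockets();
    $EnablePostfixAutoBlockWhiteListed = $sock->GET_INFO("EnablePostfixAutoBlockWhiteListed");
    if (!is_numeric($EnablePostfixAutoBlockWhiteListed)) {
        $EnablePostfixAutoBlockWhiteListed = 0;
    }
    if ($EnablePostfixAutoBlockWhiteListed == 1) {
        Compile_rules_whitelist();
        return;
    }
    $unix = new unix();
    $iptables = $unix->find_program("iptables");
    $iptablesClass = new iptables_chains();
    $InstantIptablesEventAll = $sock->GET_INFO("InstantIptablesEventAll");
    if (!is_numeric($InstantIptablesEventAll)) {
        $InstantIptablesEventAll = 1;
    }
    if ($GLOBALS["VERBOSE"]) {
        echo "InstantIptablesEventAll={$InstantIptablesEventAll}\n";
    }
    if ($GLOBALS["EnablePostfixAutoBlock"] != 1) {
        progress(100, "Building rules done...");
        return;
    }
    events("Query iptables rules from mysql");
    progress(10, "Query rules");
    progress(25, "Building logging rules");
    $commands = array();
    $q = new mysql();
    $GLOBALS["IPTABLES_WHITELISTED"] = $iptablesClass->LoadWhiteLists();

    // Pass 1: LOG rules for rows explicitly flagged log=1.
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' and log=1 AND local_port=25";
    $results = $q->QUERY_SQL($sql, "artica_backup");
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} is not a valid IP address, skipped\n";
            }
            continue;
        }
        if ($iptablesClass->isWhiteListed($ip)) {
            continue;
        }
        events("LOG {$ligne["serverip"]} REJECT INBOUND PORT 25");
        progress(35, "Building logging rules for {$ip}");
        $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j LOG --log-prefix \"SMTP DROP: \" -m comment --comment \"ArticaInstantPostfix\"";
    }

    // Pass 2: DROP rules (optionally preceded by a LOG rule) for every banned address.
    progress(40, "Building rules...");
    $c = 0;
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' AND local_port=25";
    $results = $q->QUERY_SQL($sql, "artica_backup");
    progress(55, "Building rules...");
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} is not a valid IP address, skipped\n";
            }
            continue;
        }
        if ($iptablesClass->isWhiteListed($ip)) {
            continue;
        }
        $c++;
        events("ADD REJECT {$ligne["serverip"]} INBOUND PORT 25");
        progress(60, "Building rules for {$ip}...");
        if ($InstantIptablesEventAll == 1) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} -> LOG\n";
            }
            $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j LOG --log-prefix \"SMTP DROP: \" -m comment --comment \"ArticaInstantPostfix\"";
        }
        $commands[] = "{$iptables} -A INPUT -s {$ip} -p tcp --destination-port 25 -j DROP -m comment --comment \"ArticaInstantPostfix\"";
    }
    if ($GLOBALS["VERBOSE"]) {
        // Dry run: report the queue size and leave the firewall untouched.
        echo count($commands) . " should be performed\n";
        return;
    }
    foreach ($commands as $line) {
        shell_exec($line);
    }
    $unix->send_email_events("{$c} banned addresses compiled in the SMTP Firewall", "{$c} items has been banned from 25,587,465 ports", "postfix");
    progress(90, "Building rules done...");
    progress(100, "Building rules done...");
}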
}
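// Command-line switches handled before any transparent-proxy work. $argv[1]
// is absent when the script runs without arguments, so look it up defensively
// instead of raising an undefined-offset notice.
$argv1 = isset($argv[1]) ? $argv[1] : "";
if ($argv1 == "--iptables-delete") {
    iptables_delete_all();
    exit;
}
if ($argv1 == "--progress") {
    restart_progress();
    exit;
}
// No rules on web-statistics appliances or when Squid is not installed:
// flush whatever is in place and stop.
$users = new usersMenus();
if ($users->WEBSTATS_APPLIANCE) {
    iptables_delete_all();
    die;
}
if (!$users->SQUID_INSTALLED) {
    iptables_delete_all();
    die;
}
// $unix is presumably created earlier in this file (outside this excerpt).
$sysctl = $unix->find_program("sysctl");
$pids = $unix->PIDOF_PATTERN_ALL("exec.squid.transparent.php");
if ($GLOBALS["OUTPUT"]) {
    echo "Starting......: " . date("H:i:s") . " instances:" . count($pids) . "\n";
}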
if (count($pids) > 2) {
    if ($GLOBALS["OUTPUT"]) {
        echo "Starting......: " . date("H:i:s") . " Too many instances " . count($pids) . " starting squid, kill them!\n";
    }
    $mypid = getmypid();
    while (list($pid, $ligne) = each($pids)) {
        if ($pid == $mypid) {
            continue;
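/**
 * Applies the kernel and iptables settings for HAProxy transparent listeners
 * defined in the `haproxy` table (enabled=1 AND transparent=1).
 *
 * After flushing the existing rules it enables IPv4 forwarding, disables ICMP
 * redirects and sets the FORWARD policy to ACCEPT. The per-listener NAT and
 * mangle rules below the early `return` are intentionally disabled, exactly as
 * in the previous version; they are kept, with the DB-sourced ports now cast to
 * integers, for whenever they are re-enabled.
 *
 * Fix: a failed query now always aborts. Previously it only returned when
 * $GLOBALS["AS_ROOT"] was set and otherwise fell through to mysql_num_rows()
 * on a false result (which ended up returning anyway, after a warning).
 *
 * @return void
 */
function Transparents_modes()
{
    iptables_delete_all();
    $unix = new unix();
    $iptables = $unix->find_program("iptables");
    $sysctl = $unix->find_program("sysctl");
    $sql = "SELECT * FROM haproxy WHERE enabled=1 AND transparent=1";
    $q = new mysql();
    $results = $q->QUERY_SQL($sql, 'artica_backup');
    if (!$q->ok) {
        if ($GLOBALS["AS_ROOT"]) {
            echo "Starting......: " . date("H:i:s") . " {$GLOBALS["TITLENAME"]} building configuration failed {$q->mysql_error}\n";
        }
        return;
    }
    if (mysql_num_rows($results) == 0) {
        echo "Starting......: " . date("H:i:s") . " {$GLOBALS["TITLENAME"]} building configuration no transparent configurations...\n";
        return;
    }
    shell_exec("{$sysctl} -w net.ipv4.ip_forward=1 2>&1");
    shell_exec("{$sysctl} -w net.ipv4.conf.default.send_redirects=0 2>&1");
    shell_exec("{$sysctl} -w net.ipv4.conf.all.send_redirects=0 2>&1");
    shell_exec("{$sysctl} -w net.ipv4.conf.eth0.send_redirects=0 2>&1");
    shell_exec("{$iptables} -P FORWARD ACCEPT");
    // Per-listener redirection is deliberately disabled: nothing below runs.
    return;
    while ($ligne = mysql_fetch_array($results, MYSQL_ASSOC)) {
        $listen_add = "127.0.0.1";
        // Both ports come from the database and are interpolated into shell
        // commands, so force them to integers before use.
        $next_port = (int) $ligne["listen_port"];
        $listen_ip = $ligne["listen_ip"];
        $transparent_port = (int) $ligne["transparentsrcport"];
        if ($transparent_port < 1 || $next_port < 1) {
            continue;
        }
        echo "Starting......: " . date("H:i:s") . " {$GLOBALS["TITLENAME"]} building configuration transparent request from {$listen_ip}:{$transparent_port} and redirect to {$listen_add}:{$next_port}\n";
        shell_exec2("{$iptables} -t nat -A PREROUTING -i eth0 -p tcp --dport {$transparent_port} -j ACCEPT -m comment --comment \"ArticaHAProxy\"");
        shell_exec2("{$iptables} -t nat -A PREROUTING -p tcp --dport {$transparent_port} -j REDIRECT --to-ports {$next_port} -m comment --comment \"ArticaHAProxy\"");
        shell_exec2("{$iptables} -t nat -A POSTROUTING -j MASQUERADE -m comment --comment \"ArticaHAProxy\"");
        shell_exec2("{$iptables} -t mangle -A PREROUTING -p tcp --dport {$next_port} -j DROP -m comment --comment \"ArticaHAProxy\"");
    }
}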