Пример #1
    die;
}
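// CLI dispatch: each switch runs one maintenance task and exits.
// $argv[1] is absent when the script is started without arguments, so read it
// once with a default instead of indexing it on every comparison, and compare
// strictly so that only the exact switch text matches.
$cliAction = isset($argv[1]) ? $argv[1] : '';
if ($cliAction === '--transfert-white') {
    ParseResolvMX();
    die;
}
if ($cliAction === '--upgrade-white') {
    UpgradeWhiteList();
    die;
}
if ($cliAction === '--ipdeny') {
    ipdeny();
    die;
}
if ($cliAction === '--perso') {
    perso();
    die;
}
if ($GLOBALS["VERBOSE"]) {
    // $argv is always set on the CLI SAPI, so no error suppression is needed.
    echo "Parsing " . implode(" ", $argv) . "\n";
}
// Single-instance guard: a second concurrent run is logged and aborted.
if (!Build_pid_func(__FILE__, "MAIN")) {
    writelogs(basename(__FILE__) . ":Already executed.. aborting the process", basename(__FILE__), __FILE__, __LINE__);
    die;
}
parsequeue();
// Master switch off: flush every rule so nothing stale stays active, then stop.
if ((int) $GLOBALS["EnablePostfixAutoBlock"] !== 1) {
    iptables_delete_all();
    events("This feature is currently disabled ({$GLOBALS["EnablePostfixAutoBlock"]})");
    die;
}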
Пример #2
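/**
 * Rebuild the SMTP (port 25) auto-block iptables rule set from scratch.
 *
 * Flushes the current rules, re-applies the personal, whitelist, nginx and
 * spamhaus rule sets, then turns every enabled, non-allowed INPUT entry of the
 * `iptables` table (artica_backup database) for local port 25 into LOG and DROP
 * rules and executes them through shell_exec(). In verbose mode the commands
 * are only counted, not executed. Progress is reported via progress()/events().
 *
 * @param bool $NoPersoRules When true, perso() is not re-run before FW_PERSO_RULES().
 * @return void
 */
function Compile_rules($NoPersoRules = false)
{
    progress(5, "Cleaning rules");
    if ($GLOBALS["VERBOSE"]) {
        echo __FUNCTION__ . " line:" . __LINE__ . "\n";
    }
    iptables_delete_all();

    // Settings come back as strings (possibly empty); anything non-numeric
    // falls back to the documented default for that setting.
    $sock = new sockets();
    $PostFixLimitToNets = $sock->GET_INFO("PostFixLimitToNets");
    if (!is_numeric($PostFixLimitToNets)) {
        $PostFixLimitToNets = 0;
    }
    $EnablePostfixAutoBlockWhiteListed = $sock->GET_INFO("EnablePostfixAutoBlockWhiteListed");
    if (!is_numeric($EnablePostfixAutoBlockWhiteListed)) {
        $EnablePostfixAutoBlockWhiteListed = 0;
    }
    $GlobalIptablesEnabled = $sock->GET_INFO("GlobalIptablesEnabled");
    if (!is_numeric($GlobalIptablesEnabled)) {
        $GlobalIptablesEnabled = 1;
    }
    // The global firewall switch wins over everything else. Note the rules
    // were already flushed above; that ordering is kept from the original.
    if ((int) $GlobalIptablesEnabled !== 1) {
        if ($GLOBALS["VERBOSE"]) {
            echo "GlobalIptablesEnabled <> 1, aborting...\n";
        }
        return;
    }

    if (!$NoPersoRules) {
        perso(true);
    }
    FW_PERSO_RULES();
    if ((int) $EnablePostfixAutoBlockWhiteListed === 1) {
        Compile_rules_whitelist();
    }
    if ($GLOBALS["VERBOSE"]) {
        echo "FW_NGINX_RULES\n\n";
    }
    FW_NGINX_RULES(true);
    FW_SPAMHAUS_RULES(true);
    if ((int) $PostFixLimitToNets === 1) {
        // Network-restricted mode replaces the per-address block list entirely.
        Compile_rules_postfix_limitToNets();
        return;
    }

    $unix = new unix();
    $iptables = $unix->find_program("iptables");
    $iptablesClass = new iptables_chains();
    $InstantIptablesEventAll = $sock->GET_INFO("InstantIptablesEventAll");
    if (!is_numeric($InstantIptablesEventAll)) {
        $InstantIptablesEventAll = 1;
    }
    if ($GLOBALS["VERBOSE"]) {
        echo "InstantIptablesEventAll={$InstantIptablesEventAll}\n";
    }
    if ($GLOBALS["EnablePostfixAutoBlock"] != 1) {
        progress(100, "Building rules done...");
        return;
    }

    // Builds one port-25 INPUT rule for $ip; $target is "LOG" (with the SMTP
    // DROP log prefix) or "DROP". The address is passed through escapeshellarg()
    // so a malformed table value can never be parsed by the shell as extra
    // iptables options.
    $buildRule = function ($ip, $target) use ($iptables) {
        $rule = "{$iptables} -A INPUT -s " . escapeshellarg($ip) . " -p tcp --destination-port 25 -j {$target}";
        if ($target === "LOG") {
            $rule .= " --log-prefix \"SMTP DROP: \"";
        }
        return $rule . " -m comment --comment \"ArticaInstantPostfix\"";
    };

    events("Query iptables rules from mysql");
    progress(10, "Query rules");
    progress(25, "Building logging rules");
    // Always an array, even when both queries return no rows (the original
    // left it undefined and relied on is_array()/count() tolerating null).
    $commands = array();
    $q = new mysql();
    $GLOBALS["IPTABLES_WHITELISTED"] = $iptablesClass->LoadWhiteLists();

    // Pass 1: LOG rules for the entries explicitly flagged log=1.
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' and log=1 AND allow=0 AND local_port=25";
    if ($GLOBALS["VERBOSE"]) {
        echo $sql . "\n";
    }
    $results = $q->QUERY_SQL($sql, "artica_backup");
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = isset($ligne["serverip"]) ? trim($ligne["serverip"]) : '';
        if ($ip === '') {
            continue; // a blank address would only produce an invalid iptables command
        }
        if ($iptablesClass->isWhiteListed($ip)) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} is whitelisted\n";
            }
            continue;
        }
        events("LOG {$ip} REJECT INBOUND PORT 25");
        progress(35, "Building logging rules for {$ip}");
        $commands[] = $buildRule($ip, "LOG");
    }

    // Pass 2: DROP rules (optionally preceded by a LOG rule) for every blocked entry.
    progress(40, "Building rules...");
    $c = 0;
    $sql = "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' AND allow=0 AND local_port=25";
    if ($GLOBALS["VERBOSE"]) {
        echo $sql . "\n";
    }
    $results = $q->QUERY_SQL($sql, "artica_backup");
    progress(55, "Building rules...");
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = isset($ligne["serverip"]) ? trim($ligne["serverip"]) : '';
        if ($ip === '' || $iptablesClass->isWhiteListed($ip)) {
            continue;
        }
        $c++;
        events("ADD REJECT {$ip} INBOUND PORT 25");
        progress(60, "Building rules for {$ip}...");
        if ((int) $InstantIptablesEventAll === 1) {
            if ($GLOBALS["VERBOSE"]) {
                echo "{$ip} -> LOG\n";
            }
            $commands[] = $buildRule($ip, "LOG");
        }
        $commands[] = $buildRule($ip, "DROP");
    }

    if ($GLOBALS["VERBOSE"]) {
        // Dry run: verbose mode only reports what would be executed.
        echo count($commands) . " should be performed\n";
        return;
    }
    foreach ($commands as $line) {
        shell_exec($line);
    }
    $unix->send_email_events("{$c} banned addresses compiled in the SMTP Firewall", "{$c} items has been banned from 25,587,465 ports", "postfix");
    progress(90, "Building rules done...");
    progress(100, "Building rules done...");

    // Refresh the cached INPUT chain listing in the background.
    $nohup = $unix->find_program("nohup");
    $cachefile = "/etc/artica-postfix/IPTABLES_INPUT";
    shell_exec("{$nohup} {$iptables} -L --line-numbers -n >{$cachefile} 2>&1 &");
}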
Пример #3
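// Bootstrap: read the auto-block master switch, then dispatch on the CLI action.
$sock = new sockets();
$GLOBALS["EnablePostfixAutoBlock"] = trim((string) $sock->GET_INFO("EnablePostfixAutoBlock"));
if ($GLOBALS["EnablePostfixAutoBlock"] === '') {
    $GLOBALS["EnablePostfixAutoBlock"] = 0;
}

// $argv[1] is absent when the script is started without arguments, so read it
// once with a default and compare strictly against the known switches.
$cliAction = isset($argv[1]) ? $argv[1] : '';
if ($cliAction === '--compile') {
    Compile_rules();
    die();
}
if ($cliAction === '--parse-queue') {
    parsequeue();
    die();
}
if ($cliAction === '--no-check') {
    $_GET["nocheck"] = true; // flag only; execution continues below
}
if ($cliAction === '--parse-sql') {
    ParseLastEvents();
    die();
}
if ($cliAction === '--delete-all-iptables') {
    DeleteAllIpTablesRules();
    die();
}
if ($cliAction === '--test-white') {
    // Diagnostic: load the whitelist and check the address given as $argv[2].
    $iptablesClass = new iptables_chains();
    $GLOBALS["IPTABLES_WHITELISTED"] = $iptablesClass->LoadWhiteLists();
    $iptablesClass->isWhiteListed(isset($argv[2]) ? $argv[2] : '');
    die();
}
if ($cliAction === '--export-drop') {
    ExportDrop();
    die();
}
if ($cliAction === '--transfert-white') {
    ParseResolvMX();
    die();
}
if ($cliAction === '--upgrade-white') {
    UpgradeWhiteList();
    die();
}
if ($cliAction === '--ipdeny') {
    ipdeny();
    die();
}
if ($cliAction === '--perso') {
    perso();
    die();
}

if ($GLOBALS["VERBOSE"]) {
    // $argv is always set on the CLI SAPI, so no error suppression is needed.
    echo "Parsing " . implode(" ", $argv) . "\n";
}

// Single-instance guard: a second concurrent run is logged and aborted.
if (!Build_pid_func(__FILE__, "MAIN")) {
    writelogs(basename(__FILE__) . ":Already executed.. aborting the process", basename(__FILE__), __FILE__, __LINE__);
    die();
}

parsequeue();
if ((int) $GLOBALS["EnablePostfixAutoBlock"] !== 1) {
    events("This feature is currently disabled ({$GLOBALS["EnablePostfixAutoBlock"]})");
    die();
}
die();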
		
//iptables -L OUTPUT --line-numbers		
//iptables -A INPUT -s 65.55.44.100 -p tcp --destination-port 25 -j DROP;

function DeleteAllIpTablesRules(){
	$unix=new unix();