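/**
 * Build and apply the manually defined INPUT firewall rules.
 *
 * Every enabled row of the `iptables` table with flux='INPUT' and
 * service='MANUAL' becomes a rule appended to the INPUT chain and tagged
 * with the comment "ArticaPersoRules". Sources reported as whitelisted by
 * iptables_chains::isWhiteListed() are skipped. When $GLOBALS["VERBOSE"] is
 * set the commands are only printed; otherwise they are run through
 * shell_exec() and Compile_rules() is called afterwards.
 *
 * Port selection per row:
 *   local_port == -1 -> multiport match on `multiples_ports` (row skipped when empty)
 *   local_port == 0  -> no port match at all
 *   otherwise        -> --destination-port local_port
 *
 * Fixes over the previous version: $log leaked from one row into the
 * following rows, the verbose branch printed $ligne instead of the command,
 * the generated rule carried no terminating target, and each() (removed in
 * PHP 8) is replaced by foreach.
 */
function perso()
{
    $unix = new unix();
    $pidfile = "/etc/artica-postfix/pids/" . basename(__FILE__) . "." . __FUNCTION__ . ".pid";
    $pid = @file_get_contents($pidfile);
    if ($unix->process_exists($pid)) {
        echo "Already running pid {$pid}\n";
        return;
    }
    // This function only ever read the pid file; record our own pid so the
    // guard above can really detect a concurrent run.
    @file_put_contents($pidfile, (string) getmypid());

    $iptables = $unix->find_program("iptables");
    if (trim((string) $iptables) === '') {
        // Without the binary every generated command would be an incomplete
        // shell string executed as root.
        events("iptables binary not found, manual INPUT rules not applied");
        return;
    }

    $iptablesClass = new iptables_chains();
    $GLOBALS["IPTABLES_WHITELISTED"] = $iptablesClass->LoadWhiteLists();

    $q = new mysql();
    $results = $q->QUERY_SQL(
        "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' AND service='MANUAL'",
        "artica_backup"
    );

    $commands = [];
    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if ($iptablesClass->isWhiteListed($ip)) {
            continue;
        }

        $localPort = (int) $ligne["local_port"];
        $multiplePorts = trim((string) $ligne["multiples_ports"]);
        if ($localPort === -1) {
            // Multi-port row without any port listed: nothing to match.
            if ($multiplePorts === '') {
                continue;
            }
            $port = " -m multiport --dports " . escapeshellarg($multiplePorts);
        } elseif ($localPort === 0) {
            $port = "";
        } else {
            $port = " --destination-port {$localPort}";
        }

        events("LOG {$ligne["serverip"]} REJECT INBOUND PORT {$port}");
        progress(35, "Building logging rules for {$ip}");

        // serverip and the port list come straight from the database and end
        // up in a root shell, so they are quoted rather than trusted.
        $base = "{$iptables} -A INPUT -s " . escapeshellarg($ip) . " -p tcp{$port}";
        $tag = " -m comment --comment \"ArticaPersoRules\"";
        if ($ligne["log"] == 1) {
            $commands[] = "{$base} -j LOG --log-prefix \"FW_IN DROP: \"{$tag}";
        }
        // The events() line above announces a REJECT, but the old rule had no
        // -j target at all (only the LOG one when log=1) and so never blocked
        // anything. DROP matches the "FW_IN DROP" log prefix.
        $commands[] = "{$base} -j DROP{$tag}";
    }

    if ($commands !== []) {
        if (!empty($GLOBALS["VERBOSE"])) {
            echo count($commands) . " should be performed\n";
            foreach ($commands as $line) {
                echo $line . "\n";
            }
            return;
        }
        foreach ($commands as $line) {
            shell_exec($line);
        }
    }
    Compile_rules();
}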
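/**
 * Build and apply the manually defined INPUT firewall rules: allow rows first,
 * then deny rows.
 *
 * @param bool $NoOtherRules When true, skip the pid-file guard and do not call
 *                           Compile_rules() afterwards (the caller handles both).
 *
 * Flow:
 *   1. optional pid-file guard
 *   2. iptables_perso_delete_all() removes the previously generated rules
 *   3. if GlobalIptablesEnabled (sockets GET_INFO, default 1 when not numeric)
 *      is not 1, stop here (the rules stay removed)
 *   4. rows with allow=1 become ACCEPT rules, rows with allow=0 become DROP
 *      rules; whitelisted sources are never dropped; rows with log=1 get a
 *      LOG rule in front of the target rule
 *   5. verbose mode prints the commands and returns; otherwise they are run
 *      through shell_exec() and, unless $NoOtherRules, Compile_rules(true) follows
 *
 * Fixes over the previous version: the two near-identical loops share one
 * helper, each() (removed in PHP 8) is replaced by foreach, an unused $log
 * leftover is gone, and database values are shell-quoted before execution.
 */
function perso($NoOtherRules = false)
{
    $unix = new unix();
    if (!$NoOtherRules) {
        $pidfile = "/etc/artica-postfix/pids/" . basename(__FILE__) . "." . __FUNCTION__ . ".pid";
        $pid = @file_get_contents($pidfile);
        if ($unix->process_exists($pid)) {
            echo "Already running pid {$pid}\n";
            return;
        }
        // This function only ever read the pid file; record our own pid so the
        // guard above can really detect a concurrent run.
        @file_put_contents($pidfile, (string) getmypid());
    }

    $iptables = $unix->find_program("iptables");
    if (trim((string) $iptables) === '') {
        // Without the binary every generated command would be an incomplete
        // shell string executed as root.
        events("iptables binary not found, manual INPUT rules not applied");
        return;
    }

    $iptablesClass = new iptables_chains();
    iptables_perso_delete_all();

    $sock = new sockets();
    $GlobalIptablesEnabled = $sock->GET_INFO("GlobalIptablesEnabled");
    if (!is_numeric($GlobalIptablesEnabled)) {
        $GlobalIptablesEnabled = 1;
    }
    if ($GlobalIptablesEnabled != 1) {
        return;
    }

    $q = new mysql();
    $commands = [];

    // ----------------- ALLOW -----------------
    $results = $q->QUERY_SQL(
        "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' AND allow=1 AND service='MANUAL'",
        "artica_backup"
    );
    $commands = perso_append_rules($commands, $results, $iptables, "ACCEPT", "FW_IN OK: ", null);

    // ----------------- DENY -----------------
    $results = $q->QUERY_SQL(
        "SELECT * FROM iptables WHERE disable=0 AND flux='INPUT' AND allow=0 AND service='MANUAL'",
        "artica_backup"
    );
    // Whitelisted sources are only relevant for the deny rules.
    $GLOBALS["IPTABLES_WHITELISTED"] = $iptablesClass->LoadWhiteLists();
    $commands = perso_append_rules($commands, $results, $iptables, "DROP", "FW_IN DROP: ", $iptablesClass);

    if ($commands !== []) {
        if (!empty($GLOBALS["VERBOSE"])) {
            echo count($commands) . " should be performed:\n";
            foreach ($commands as $line) {
                echo $line . "\n";
            }
            return;
        }
        foreach ($commands as $line) {
            shell_exec($line);
        }
    }
    if (!$NoOtherRules) {
        Compile_rules(true);
    }
}

/**
 * Append the iptables commands for one result set of the `iptables` table.
 *
 * @param list<string>         $commands  commands built so far
 * @param mixed                $results   result handle accepted by mysql_fetch_array()
 * @param string               $iptables  path of the iptables binary
 * @param string               $target    terminating target, "ACCEPT" or "DROP"
 * @param string               $logPrefix --log-prefix used for rows with log=1
 * @param iptables_chains|null $chains    when given, rows whose serverip is
 *                                        whitelisted are skipped
 * @return list<string> $commands with the new rules appended
 */
function perso_append_rules(array $commands, $results, $iptables, $target, $logPrefix, $chains = null)
{
    // Wording of the events() line kept as in the original loops.
    $eventAction = ($target === "ACCEPT") ? "ACCEPT" : "REJECT";

    while ($ligne = @mysql_fetch_array($results, MYSQL_ASSOC)) {
        $ip = $ligne["serverip"];
        if ($chains !== null && $chains->isWhiteListed($ip)) {
            continue;
        }

        $localPort = (int) $ligne["local_port"];
        $multiplePorts = trim((string) $ligne["multiples_ports"]);
        if ($localPort === -1) {
            // Multi-port row without any port listed: nothing to match.
            if ($multiplePorts === '') {
                continue;
            }
            $port = " -m multiport --dports " . escapeshellarg($multiplePorts);
        } elseif ($localPort === 0) {
            $port = "";
        } else {
            $port = " --destination-port {$localPort}";
        }

        events("LOG {$ligne["serverip"]} {$eventAction} INBOUND PORT {$port}");
        progress(35, "Building logging rules for {$ip}");

        // "Range:<from>-<to>" rows use an iprange match, anything else a plain
        // -s source. Both values come from the database and are handed to a
        // root shell, so they are quoted rather than trusted.
        if (preg_match("#Range:(.+)#", $ip, $re)) {
            $source = " -m iprange --src-range " . escapeshellarg($re[1]);
        } else {
            $source = " -s " . escapeshellarg($ip);
        }

        $base = "{$iptables} -A INPUT{$source} -p tcp{$port}";
        $tag = " -m comment --comment \"ArticaPersoRules\"";
        if ($ligne["log"] == 1) {
            $commands[] = "{$base} -j LOG --log-prefix \"{$logPrefix}\"{$tag}";
        }
        $commands[] = "{$base} -j {$target}{$tag}";
    }

    return $commands;
}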
$GLOBALS["VERBOSE"] = true; $GLOBALS["debug"] = true; } if (posix_getuid() != 0) { die("Cannot be used in web server mode\n\n"); } include_once dirname(__FILE__) . '/ressources/class.users.menus.inc'; include_once dirname(__FILE__) . '/ressources/class.mysql.inc'; include_once dirname(__FILE__) . '/ressources/class.user.inc'; include_once dirname(__FILE__) . '/ressources/class.ini.inc'; include_once dirname(__FILE__) . '/ressources/class.iptables-chains.inc'; include_once dirname(__FILE__) . '/ressources/class.baseunix.inc'; include_once dirname(__FILE__) . '/framework/class.unix.inc'; $GLOBALS["EnablePostfixAutoBlock"] = trim(@file_get_contents("/etc/artica-postfix/settings/Daemons/EnablePostfixAutoBlock")); if ($argv[1] == '--compile') { Compile_rules(); die; } if ($argv[1] == '--parse-queue') { parsequeue(); die; } if ($argv[1] == '--no-check') { $_GET["nocheck"] = true; } if (!Build_pid_func(__FILE__, "MAIN")) { writelogs(basename(__FILE__) . ":Already executed.. aborting the process", basename(__FILE__), __FILE__, __LINE__); die; } parsequeue(); if ($EnablePostfixAutoBlock != 1) {