version 1.7, 2010/12/30 18:40:29
|
version 1.13, 2013/09/22 15:50:35
|
Line 35 package LONCAPA::Firewall;
|
Line 35 package LONCAPA::Firewall;
|
use strict; |
use strict; |
use lib '/home/httpd/perl/lib'; |
use lib '/home/httpd/perl/lib'; |
use LONCAPA::Configuration; |
use LONCAPA::Configuration; |
|
use LONCAPA; |
|
|
sub firewall_open_port { |
sub firewall_open_port { |
my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_; |
my ($iptables,$fw_chains,$lond_port,$iphost,$ports) = @_; |
Line 83 sub firewall_open_port {
|
Line 84 sub firewall_open_port {
|
if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) { |
if (($1<=255) && ($2<=255) && ($3<=255) && ($4<=255)) { |
$ip = "$1.$2.$3.$4"; |
$ip = "$1.$2.$3.$4"; |
} else { |
} else { |
|
print "IP address: $key does not have expected format\n"; |
next; |
next; |
} |
} |
} else { |
} else { |
|
print "IP address: $key does not have expected format\n"; |
next; |
next; |
} |
} |
if ($curropen{$ip}) { |
if ($curropen{$ip}) { |
Line 109 sub firewall_open_port {
|
Line 112 sub firewall_open_port {
|
} |
} |
} |
} |
} |
} |
|
} else { |
|
print "no key found in $iphost hash ref\n"; |
} |
} |
|
} else { |
|
print "$iphost is not a reference to a hash\n"; |
} |
} |
if (@lond_port_curropen) { |
if (@lond_port_curropen) { |
unless (grep(/^\Q$port\E$/,@opened)) { |
unless (grep(/^\Q$port\E$/,@opened)) { |
Line 244 sub firewall_close_port {
|
Line 251 sub firewall_close_port {
|
print "Skipped non-numeric port: $portnum\n"; |
print "Skipped non-numeric port: $portnum\n"; |
next; |
next; |
} |
} |
print "Closing firewall access on port $port\n"; |
print "Closing firewall access on port $port.\n"; |
if (($port ne '') && ($port eq $lond_port)) { |
if (($port ne '') && ($port eq $lond_port)) { |
|
my $output; |
foreach my $fw_chain (@okchains) { |
foreach my $fw_chain (@okchains) { |
my (@port_error,@command_error,@lond_port_close); |
my (@port_error,@command_error,@lond_port_close); |
my %to_close; |
my %to_close; |
Line 284 sub firewall_close_port {
|
Line 292 sub firewall_close_port {
|
} |
} |
} |
} |
if (@lond_port_close) { |
if (@lond_port_close) { |
print "Port closed for ".scalar(@lond_port_close)." IP addresses\n"; |
$output .= "Port closed for ".scalar(@lond_port_close)." IP addresses\n"; |
} |
} |
if (@port_error) { |
if (@port_error) { |
print "Error closing port for following IP addresses: ".join(', ',@port_error)."\n"; |
$output .= "Error closing port for following IP addresses: ".join(', ',@port_error)."\n"; |
} |
} |
if (@command_error) { |
if (@command_error) { |
print "Bad command error opening port for following IP addresses: ". |
$output .= "Bad command error opening port for following IP addresses: ". |
join(', ',@command_error)."\n". |
join(', ',@command_error)."\n". |
'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
} |
} |
} |
} |
|
if ($output) { |
|
print $output; |
|
} else { |
|
print "No IP addresses required discontinuation of access.\n"; |
|
} |
} else { |
} else { |
foreach my $fw_chain (@okchains) { |
foreach my $fw_chain (@okchains) { |
my (@port_error,@command_error,@lond_port_close); |
my (@port_error,@command_error,@lond_port_close); |
Line 369 sub get_lond_port {
|
Line 382 sub get_lond_port {
|
|
|
sub get_fw_chains { |
sub get_fw_chains { |
my ($iptables) = @_; |
my ($iptables) = @_; |
|
my $distro = &LONCAPA::distro(); |
my @fw_chains; |
my @fw_chains; |
my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
|
my $ubuntu_config = "/etc/ufw/ufw.conf"; |
if (-e $suse_config) { |
if (-e $suse_config) { |
push(@fw_chains,'input_ext'); |
push(@fw_chains,'input_ext'); |
} else { |
} else { |
if (!-e '/etc/sysconfig/iptables') { |
my @posschains; |
if (!-e '/var/lib/iptables') { |
if (-e $ubuntu_config) { |
print("Unable to find iptables file containing static definitions\n"); |
@posschains = ('ufw-user-input','INPUT'); |
|
} else { |
|
if ($distro =~ /^(debian|ubuntu|suse|sles)/) { |
|
@posschains = ('INPUT'); |
|
} else { |
|
@posschains = ('RH-Firewall-1-INPUT','INPUT'); |
|
} |
|
if (!-e '/etc/sysconfig/iptables') { |
|
if (!-e '/var/lib/iptables') { |
|
unless ($distro =~ /^(debian|ubuntu)/) { |
|
print("Unable to find iptables file containing static definitions\n"); |
|
} |
|
} |
|
if ($distro =~ /^(fedora|rhes|centos|scientific)/) { |
|
push(@fw_chains,'RH-Firewall-1-INPUT'); |
|
} |
} |
} |
push(@fw_chains,'RH-Firewall-1-INPUT'); |
|
} |
} |
if ($iptables eq '') { |
if ($iptables eq '') { |
$iptables = &get_pathto_iptables(); |
$iptables = &get_pathto_iptables(); |
} |
} |
my %counts; |
my %counts; |
my @posschains = ('RH-Firewall-1-INPUT','INPUT'); |
|
if (open(PIPE,"$iptables -L -n |")) { |
if (open(PIPE,"$iptables -L -n |")) { |
while(<PIPE>) { |
while(<PIPE>) { |
foreach my $chain (@posschains) { |
foreach my $chain (@posschains) { |
Line 397 sub get_fw_chains {
|
Line 425 sub get_fw_chains {
|
} |
} |
foreach my $fw_chain (@posschains) { |
foreach my $fw_chain (@posschains) { |
if ($counts{$fw_chain}) { |
if ($counts{$fw_chain}) { |
push(@fw_chains,$fw_chain); |
unless(grep(/^\Q$fw_chain\E$/,@fw_chains)) { |
|
push(@fw_chains,$fw_chain); |
|
} |
} |
} |
} |
} |
} |
} |
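Review bot: `if (open(PIPE,"$iptables -L -n |"))` on the new side of the get_fw_chains hunk still runs iptables through a shell via a two-argument pipe open, so the `$iptables` path is shell-parsed and, if `get_pathto_iptables()` returns an empty string, the command degenerates to ` -L -n`; the list form avoids the shell and fails cleanly instead: `if (open(my $pipe, '-|', $iptables, '-L', '-n')) {` with `while (<$pipe>) {` and a `close($pipe) or warn "iptables -L exited with $?"` after the loop. The bareword handle `PIPE` is also package-global, so a lexical handle is the better choice inside a module. Separately, `my @posschains;` appears to be declared inside the `else` branch of `if (-e $suse_config)` while `foreach my $chain (@posschains)` sits after that block; unless a file-scope declaration exists outside the hunk, `use strict` would reject that, which is worth confirming. get_fw_chains both starts and returns outside this hunk.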