<?php |
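class iptables_plugin
{
    /** Name this plugin registers its event handlers under. */
    public $plugin_name = 'iptables_plugin';
    /** Class name the plugin loader instantiates for this plugin. */
    public $class_name = 'iptables_plugin';

    /**
     * Install hook.
     *
     * Always returns false: the plugin is an unfinished stub and must not
     * be activated. An earlier draft meant to return whether
     * $conf['iptables']['installed'] is set, but it was written with a
     * single '=' in the condition (an assignment, not a comparison), so it
     * would have reported "installed" unconditionally; do not revive that
     * draft as it was written.
     *
     * @return bool
     */
    public function onInstall()
    {
        return false;
    }

    /**
     * Register this plugin for the iptables insert/update/delete events
     * dispatched by the server-side plugin manager.
     */
    public function onLoad()
    {
        global $app;

        $app->plugins->registerEvent('iptables_insert', $this->plugin_name, 'insert');
        $app->plugins->registerEvent('iptables_update', $this->plugin_name, 'update');
        $app->plugins->registerEvent('iptables_delete', $this->plugin_name, 'delete');
    }

    /**
     * Insert handler: a newly inserted rule set is processed exactly like
     * an update of an existing one.
     *
     * @param string $event_name Name of the dispatched event.
     * @param array  $data       Event payload; presumably carries the new
     *                           row under $data['new'] (see update()).
     */
    public function insert($event_name, $data)
    {
        $this->update($event_name, $data);
    }

    /**
     * Update handler. Currently a no-op; the intended design is recorded
     * below so the next implementer does not have to rediscover it.
     *
     * Intended flow:
     *  1. Read the currently running rules per chain, e.g.
     *     `iptables -S INPUT`, `iptables -S OUTPUT`, `iptables -S FORWARD`
     *     (fail2ban's own chains excluded).
     *  2. Compare them with the rule set stored in the database.
     *  3. If the running rules and the database rules differ, record the
     *     difference in the monitoring data so the GUI can show a warning
     *     and/or offer the extra rules as disabled entries. The database is
     *     the single source of truth: a rule an admin added by hand should
     *     be easy to add to the database but must not be able to overwrite
     *     it, so a compromised server cannot corrupt the master's data.
     *  4. Apply the rules from the database.
     *  5. Run a sanity check before committing (same idea as the apache
     *     restart script: verify, then keep or roll back).
     *
     * Note for step 4: the rule text in $data['new'] originates from the
     * database, i.e. outside this process. It must never be interpolated
     * into the exec() command string; build the argument list and pass
     * every element through escapeshellarg(), and check the exit status.
     *
     * @param string $event_name Name of the dispatched event.
     * @param array  $data       Event payload.
     */
    public function update($event_name, $data)
    {
        // Intentionally empty until the flow described above is implemented.
    }

    /**
     * Delete handler.
     *
     * Still a stub: the rule specification 'xyz' is a placeholder carried
     * over from the original draft and is not derived from $data, so the
     * command will fail on every call. The exit status is now checked so
     * that failure is reported instead of silently ignored.
     *
     * @param string $event_name Name of the dispatched event.
     * @param array  $data       Event payload.
     */
    public function delete($event_name, $data)
    {
        $output = array();
        $status = 0;
        // When this is implemented for real, the rule must be assembled
        // argument by argument with escapeshellarg(), never by string
        // concatenation of database values.
        exec('iptables -D xyz', $output, $status);
        if ($status !== 0) {
            // Surface the failure; a warning does not abort the event loop.
            trigger_error(
                sprintf('iptables -D failed with status %d: %s', $status, implode("\n", $output)),
                E_USER_WARNING
            );
        }
    }
}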
?> |