| New file |
| | |
|---|
| | | <?php |
|---|
| | | |
|---|
| | | class iptables_plugin |
|---|
| | | { |
|---|
| | | var $plugin_name = 'iptables_plugin'; |
|---|
| | | var $class_name = 'iptables_plugin'; |
|---|
| | | |
|---|
| | | function onInstall() |
|---|
| | | { |
|---|
| | | global $conf; |
|---|
| | | if($conf['iptables']['installed'] = true) return true; |
|---|
| | | else return false; |
|---|
| | | } |
|---|
| | | |
|---|
| | | function onLoad() |
|---|
| | | { |
|---|
| | | global $app; |
|---|
| | | $app->plugins->registerEvent('iptables_insert',$this->plugin_name,'insert'); |
|---|
| | | $app->plugins->registerEvent('iptables_update',$this->plugin_name,'update'); |
|---|
| | | $app->plugins->registerEvent('iptables_delete',$this->plugin_name,'delete'); |
|---|
| | | } |
|---|
| | | |
|---|
| | | function insert($event_name,$data) |
|---|
| | | { |
|---|
| | | global $app, $conf; |
|---|
| | | $this->update($event_name,$data); |
|---|
| | | } |
|---|
| | | |
|---|
| | | function update($event_name,$data) |
|---|
| | | { |
|---|
| | | global $app, $conf; |
|---|
| | | /* |
|---|
| | | ok, here is where we do some fun stuff. First off we need to see the currently |
|---|
| | | running iptables (sans the fail2ban) and compare with the database. This is |
|---|
| | | the method that is good for multi servers and keeping the firewall read only so |
|---|
| | | a comromised box will not corrupt the master server. |
|---|
| | | |
|---|
| | | If the running iptables and the new iptables don't match, lets send a note to |
|---|
| | | the monitoring data to say that there is a difference. Maybe we can have the |
|---|
| | | iptables gui inteface check the data field for changes and post a warning and |
|---|
| | | or the changes as disabled rules. If an admin adds a rule on the comand line |
|---|
| | | we should make it easy to add to the database, but hard to overwrite the data. |
|---|
| | | |
|---|
| | | 1. |
|---|
| | | So first is a reading of the current rules by filter:table with our friend awk |
|---|
| | | |
|---|
| | | 2. |
|---|
| | | Compare with database |
|---|
| | | |
|---|
| | | 3. |
|---|
| | | Send notices or updates |
|---|
| | | |
|---|
| | | 4. |
|---|
| | | Apply rules from database |
|---|
| | | |
|---|
| | | 5. |
|---|
| | | Preform some type of sainity check like the apache restart script |
|---|
| | | |
|---|
| | | 6. |
|---|
| | | Profit |
|---|
| | | |
|---|
| | | # automate this with a loop, but here it is for santity sake. |
|---|
| | | exec('iptables -S INPUT'); |
|---|
| | | exec('iptables -S OUTPUT'); |
|---|
| | | exec('iptables -S FORWARD'); |
|---|
| | | |
|---|
| | | $data['new'] should have lots of fun stuff |
|---|
| | | exec('iptables -I XYZ'); |
|---|
| | | */ |
|---|
| | | } |
|---|
| | | |
|---|
| | | function delete($event_name,$data) |
|---|
| | | { |
|---|
| | | global $app, $conf; |
|---|
| | | exec('iptables -D xyz'); |
|---|
| | | } |
|---|
| | | } |
|---|
| | | ?> |
|---|
