Commit e1bbd3a

author
latham
committed
start iptables plugin, just documenting now
1 parent 1815290 commit e1bbd3a

File tree

1 file changed

+78
-0
lines changed
@@ -0,0 +1,78 @@
1+
<?php
2+
3+
class iptables_plugin
4+
{
5+
var $plugin_name = 'iptables_plugin';
6+
var $class_name = 'iptables_plugin';
7+
8+
function onInstall()
9+
{
10+
global $conf;
11+
if($conf['iptables']['installed'] = true) return true;
12+
else return false;
13+
}
14+
15+
function onLoad()
16+
{
17+
global $app;
18+
$app->plugins->registerEvent('iptables_insert',$this->plugin_name,'insert');
19+
$app->plugins->registerEvent('iptables_update',$this->plugin_name,'update');
20+
$app->plugins->registerEvent('iptables_delete',$this->plugin_name,'delete');
21+
}
22+
23+
function insert($event_name,$data)
24+
{
25+
global $app, $conf;
26+
$this->update($event_name,$data);
27+
}
28+
29+
function update($event_name,$data)
30+
{
31+
global $app, $conf;
32+
/*
33+
ok, here is where we do some fun stuff. First off we need to see the currently
34+
running iptables (sans the fail2ban) and compare with the database. This is
35+
the method that is good for multi servers and keeping the firewall read only so
36+
a comromised box will not corrupt the master server.
37+
38+
If the running iptables and the new iptables don't match, lets send a note to
39+
the monitoring data to say that there is a difference. Maybe we can have the
40+
iptables gui inteface check the data field for changes and post a warning and
41+
or the changes as disabled rules. If an admin adds a rule on the comand line
42+
we should make it easy to add to the database, but hard to overwrite the data.
43+
44+
1.
45+
So first is a reading of the current rules by filter:table with our friend awk
46+
47+
2.
48+
Compare with database
49+
50+
3.
51+
Send notices or updates
52+
53+
4.
54+
Apply rules from database
55+
56+
5.
57+
Preform some type of sainity check like the apache restart script
58+
59+
6.
60+
Profit
61+
62+
# automate this with a loop, but here it is for santity sake.
63+
exec('iptables -S INPUT');
64+
exec('iptables -S OUTPUT');
65+
exec('iptables -S FORWARD');
66+
67+
$data['new'] should have lots of fun stuff
68+
exec('iptables -I XYZ');
69+
*/
70+
}
71+
72+
function delete($event_name,$data)
73+
{
74+
global $app, $conf;
75+
exec('iptables -D xyz');
76+
}
77+
}
78+
?>
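Review bot: the condition in onInstall() is an assignment, not a comparison: `if($conf['iptables']['installed'] = true) return true;` writes true into the config entry and therefore always returns true, so the else branch is unreachable and the plugin reports itself installed regardless of configuration; use `if($conf['iptables']['installed'] == true) return true;` (or `=== true`). Separately, delete() shells out with a hardcoded placeholder, `exec('iptables -D xyz');`, and the planning comment sketches doing the same with `exec('iptables -I XYZ');` built from `$data['new']`; when those are filled in, every rule fragment taken from the database should pass through escapeshellarg() before it reaches exec(), and exec()'s output and return-status arguments should be checked so a failed rule load is reported through the monitoring path the comment describes rather than ignored. Minor: the PHP4-style `var` property declarations and the typos in the comment (comromised, inteface, comand, Preform, sainity, santity) could be cleaned up before this leaves the documentation stage.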
