evoauth/admin/lib/Evoauth/Iptables.pm

package Evoauth::Iptables;

use strict;
use warnings;
use Config::Tiny;
use Evoauth::Functions;
use DBI;

my $Config = Config::Tiny->read( '/etc/evoauth/evoauth.conf' );

# Paramètres de configuration
my $activation = $Config->{control}->{enable};
my $timetorem = $Config->{control}->{timetorem};

# Paramètres Base de données
my $db = $Config->{bdd}->{db};
my $username = $Config->{bdd}->{username};
my $userpass = $Config->{bdd}->{userpass};

# Règles firewall
open(RULES, "/etc/evoauth/evoauth.rules") ||
	&ecriture("L'ouverture du fichier de règles a échoué.");
our @rules = <RULES>;
close(RULES);

sub Alter() {
	my $action = shift;
	my $login = shift;
	my $ip = shift;

	# mode ajout
	if ($action == 1) {
		system("/sbin/iptables -I EVOAUTH -s $ip -j ACCEPT 2>/dev/null");
		&Evoauth::Functions::Log("Ajout de $ip aux connectés.") &&
			&Evoauth::Functions::Mail("Connexion", $ip);
	}

	# mode vérification
	elsif ($action == 2) {
		&check_iptables;
		&check_timestamp;
	}

	# mode suppression
	else {

		my $dbh = DBI->connect( $db, $username, $userpass ) ||
			&Evoauth::Functions::Log("La connexion a échoué : $DBI::errstr");

		my $sql = qq{ UPDATE users set statut = 0 where ip = '$ip' };
		my $sth = $dbh->prepare($sql);

		system("/sbin/iptables -D EVOAUTH -s $ip -j ACCEPT 2>/dev/null");

		$sth->execute();
		$sth->finish();

		&Evoauth::Functions::Log("$ip [supprimée]");
		&Evoauth::Functions::Mail("Deconnexion", $ip);
	}
}


sub check_iptables() {
	my ($ip, @ips);

	&Evoauth::Functions::Log("Suppression des règles obsolètes dans iptables.");

	# obtention de la liste des ips
	system("/sbin/iptables -L EVOAUTH -n | grep ACCEPT | awk '{ print \$4 }' > /tmp/ips.txt");

	# on ouvre le fichier des ips
	open(IPS, "/tmp/ips.txt") || &ecriture("L'ouverture des IPs a échoué.");
	@ips = <IPS>;
	close(IPS);

	foreach $ip (@ips) {
		chomp $ip;

		my $dbh = DBI->connect( $db, $username, $userpass ) ||
			&Evoauth::Functions::Log("La connexion a échoué : $DBI::errstr");

		my $sql = "SELECT statut FROM users where ip = '".$ip."'";
		my $sth = $dbh->prepare( $sql );
		$sth->execute();
        
		my $statut;
		$sth->bind_columns(undef, \$statut);
		$sth->fetch();

		# si entrée iptables présente mais statut non connecté, on supprime
		if (defined($statut)) {
			if ($statut != 1) {
				&Evoauth::Functions::Log("$ip [supprimée]\n") &&
					&Evoauth::Functions::Mail("Suppression", $ip);
				&Alter(3, $ip);
			}
		}

		else {
			&Evoauth::Functions::Log("$ip [supprimée]\n") &&
				&Evoauth::Functions::Mail("Suppression", $ip);
			&Alter(3, $ip);
		}
	}
}

sub check_timestamp() {
	&Evoauth::Functions::Log("Suppression des règles obsolètes dans iptables.");

	# on travaille sur tous les utilisateurs présents
	my $dbh = DBI->connect( $db, $username, $userpass ) ||
		&Evoauth::Functions::Log("La connexion a échoué : $DBI::errstr");

	my $sql = "SELECT * FROM users";
	my $sth = $dbh->prepare($sql);
	$sth->execute();

	my($id, $login, $pass, $groupe, $utype, $credit, $ip, $statut, 
	$actif, $firstcon, $lastupdate, $kick);

	$sth->bind_columns(undef, \$id, \$login, \$pass, \$groupe,
	\$utype, \$credit, \$ip, \$statut, \$actif, \$firstcon,
	\$lastupdate, \$kick);

	&Evoauth::Functions::Log("Vérification de la base.");

	my ($newtime, $oldtime, $cpt);

	while ($sth->fetch() && $sth != 0) {
		if ($statut == 1) {
			$newtime = time();
			$oldtime = $lastupdate;

			# si le dernier update est trop ancien, on supprime
			my $timestamp = $newtime - $oldtime;
			if ($timestamp > $timetorem) {
				# dernière connexion est < 1 min -> suppresion
				&Alter(3, $ip);
				&Evoauth::Functions::Log("$ip [supprimée]") &&
					&Evoauth::Functions::Mail("Suppression", $ip);
			}

			# sinon conservation
			else {
				&Evoauth::Functions::Log("$ip [conservée]");
			}
		}
	}

	$sth->finish();
}

sub Control() {
	my $action = shift;

	# initialisation d'Evoauth
	if ($action == 1) {
		foreach (@rules) {
			next if /^#/;
			chomp;

			# on supprimer les commentaires
			$_ =~ s/#.*//;

			# on split la liste des paramètres
			my @tmp1 = split (/\t+|\s+/);

			system("/sbin/iptables -t nat -A PREROUTING -p $tmp1[2] -i ppp0 --dport $tmp1[1] -j DNAT --to $tmp1[0]:$tmp1[1] 2>/dev/null");
		}

		&Evoauth::Functions::Log("1 - Règles de PREROUTING charges");

		system("/sbin/iptables -N EVOAUTH 2>/dev/null");
		system("/sbin/iptables -A EVOAUTH -j DROP 2>/dev/null");

		&Evoauth::Functions::Log("2 - Tables crées");

		# chargement des règles
		foreach (@rules) {
			next if /^#/;
			chomp;

			# on supprimer les commentaires
			$_ =~ s/#.*//;

			# on split la liste des paramètres
			my @tmp2 = split (/\t+|\s+/);

			system("/sbin/iptables -A FORWARD -p $tmp2[2] -i ppp0 -o eth0 --dport $tmp2[1] -j EVOAUTH 2>/dev/null");
		}

		&Evoauth::Functions::Log("3 - Règles chargées");

		&Evoauth::Functions::Log("Evoauth vient de démarrer.");
	}

	# arret
	elsif ($action == 2) {
		system("/sbin/iptables -F EVOAUTH 2>/dev/null");
		&Evoauth::Functions::Log("1 - Flush de la table EVOAUTH");

		foreach (@rules) {
			next if /^#/;
			chomp;

			# on supprimer les commentaires
			$_ =~ s/#.*//;

			# on split la liste des paramètres
			my @tmp3 = split (/\t+|\s+/);

			system("/sbin/iptables -D FORWARD -p $tmp3[2] -i ppp0 -o eth0 --dport $tmp3[1] -j EVOAUTH 2>/dev/null");
			system("/sbin/iptables -t nat -D PREROUTING -p $tmp3[2] -i ppp0 --dport $tmp3[1] -j DNAT --to $tmp3[0]:$tmp3[1] 2>/dev/null");
		}

		&Evoauth::Functions::Log("2 - Annulation FORWARD + PREROUTING");

		system("/sbin/iptables -X EVOAUTH 2>/dev/null");
		&Evoauth::Functions::Log("3 - Suppression de la table EVOAUTH");

		&Evoauth::Functions::Log("Evoauth vient de s'arreter.");
	}

	# restart
	else {
		&Control(2);
		&Control(1);
		&Evoauth::Functions::Log("Evoauth vient de redémarrer.");
	}
}

1;
__END__

=head1 NAME

Evoauth::Iptables - Firewall

=head1 SYNOPSIS

use Evoauth::Iptables;

=head1 DESCRIPTION

Fonctions d'administration d'Evoauth.

=head2 EXPORT

...

=head1 SEE ALSO

...

=head1 AUTHOR

Evolix, E<lt>info@evolix.fr<gt>

=head1 COPYRIGHT AND LICENSE

Copyright (C) 2005 Evolix

Licence GPL.

=cut
Initial revision 2005-09-12 21:51:19 +02:00			`package Evoauth::Iptables;`

			`use strict;`
			`use warnings;`
			`use Config::Tiny;`
			`use Evoauth::Functions;`
corrections sur la connexion a la BDD. 2005-09-14 15:24:54 +02:00			`use DBI;`
Initial revision 2005-09-12 21:51:19 +02:00
			`my $Config = Config::Tiny->read( '/etc/evoauth/evoauth.conf' );`

			`# Paramètres de configuration`
			`my $activation = $Config->{control}->{enable};`
			`my $timetorem = $Config->{control}->{timetorem};`

gestion multi-regles 2005-09-20 09:05:46 +02:00			`# Paramètres Base de données`
Initial revision 2005-09-12 21:51:19 +02:00			`my $db = $Config->{bdd}->{db};`
			`my $username = $Config->{bdd}->{username};`
			`my $userpass = $Config->{bdd}->{userpass};`

gestion multi-regles 2005-09-20 09:05:46 +02:00			`# Règles firewall`
			`open(RULES, "/etc/evoauth/evoauth.rules") \|\|`
			`&ecriture("L'ouverture du fichier de règles a échoué.");`
			`our @rules = <RULES>;`
			`close(RULES);`
Initial revision 2005-09-12 21:51:19 +02:00
			`sub Alter() {`
			`my $action = shift;`
changement de nom du binaire. 2005-09-24 11:49:16 +02:00			`my $login = shift;`
Initial revision 2005-09-12 21:51:19 +02:00			`my $ip = shift;`

acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`# mode ajout`
Initial revision 2005-09-12 21:51:19 +02:00			`if ($action == 1) {`
bug log. 2005-09-15 11:47:10 +02:00			`system("/sbin/iptables -I EVOAUTH -s $ip -j ACCEPT 2>/dev/null");`
			`&Evoauth::Functions::Log("Ajout de $ip aux connectés.") &&`
Initial revision 2005-09-12 21:51:19 +02:00			`&Evoauth::Functions::Mail("Connexion", $ip);`
			`}`

acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`# mode vérification`
Initial revision 2005-09-12 21:51:19 +02:00			`elsif ($action == 2) {`
			`&check_iptables;`
			`&check_timestamp;`
			`}`

acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`# mode suppression`
Initial revision 2005-09-12 21:51:19 +02:00			`else {`
acces a la base. 2005-09-15 07:44:29 +02:00
			`my $dbh = DBI->connect( $db, $username, $userpass ) \|\|`
			`&Evoauth::Functions::Log("La connexion a échoué : $DBI::errstr");`

Initial revision 2005-09-12 21:51:19 +02:00			`my $sql = qq{ UPDATE users set statut = 0 where ip = '$ip' };`
			`my $sth = $dbh->prepare($sql);`

redirection des erreurs. 2005-09-15 10:34:48 +02:00			`system("/sbin/iptables -D EVOAUTH -s $ip -j ACCEPT 2>/dev/null");`
acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00
acces a la base. 2005-09-15 07:44:29 +02:00			`$sth->execute();`
			`$sth->finish();`
licence. 2005-09-15 10:43:05 +02:00
bug log. 2005-09-15 11:47:10 +02:00			`&Evoauth::Functions::Log("$ip [supprimée]");`
acces a la base. 2005-09-15 07:44:29 +02:00			`&Evoauth::Functions::Mail("Deconnexion", $ip);`
Initial revision 2005-09-12 21:51:19 +02:00			`}`
			`}`


			`sub check_iptables() {`
			`my ($ip, @ips);`

			`&Evoauth::Functions::Log("Suppression des règles obsolètes dans iptables.");`

			`# obtention de la liste des ips`
acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`system("/sbin/iptables -L EVOAUTH -n \| grep ACCEPT \| awk '{ print \$4 }' > /tmp/ips.txt");`
Initial revision 2005-09-12 21:51:19 +02:00
			`# on ouvre le fichier des ips`
			`open(IPS, "/tmp/ips.txt") \|\| &ecriture("L'ouverture des IPs a échoué.");`
			`@ips = <IPS>;`
			`close(IPS);`

typos. 2005-09-13 16:02:17 +02:00			`foreach $ip (@ips) {`
Initial revision 2005-09-12 21:51:19 +02:00			`chomp $ip;`

acces a la base. 2005-09-15 07:44:29 +02:00			`my $dbh = DBI->connect( $db, $username, $userpass ) \|\|`
			`&Evoauth::Functions::Log("La connexion a échoué : $DBI::errstr");`

Initial revision 2005-09-12 21:51:19 +02:00			`my $sql = "SELECT statut FROM users where ip = '".$ip."'";`
			`my $sth = $dbh->prepare( $sql );`
			`$sth->execute();`

			`my $statut;`
			`$sth->bind_columns(undef, \$statut);`
			`$sth->fetch();`
licence. 2005-09-15 10:43:05 +02:00
acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`# si entrée iptables présente mais statut non connecté, on supprime`
statut! 2005-09-15 13:46:08 +02:00			`if (defined($statut)) {`
			`if ($statut != 1) {`
			`&Evoauth::Functions::Log("$ip [supprimée]\n") &&`
			`&Evoauth::Functions::Mail("Suppression", $ip);`
			`&Alter(3, $ip);`
			`}`
			`}`
statut doit etre definis. 2005-09-15 13:39:53 +02:00
statut! 2005-09-15 13:46:08 +02:00			`else {`
bug log. 2005-09-15 11:47:10 +02:00			`&Evoauth::Functions::Log("$ip [supprimée]\n") &&`
			`&Evoauth::Functions::Mail("Suppression", $ip);`
delet() n'existe plus. 2005-09-13 16:45:43 +02:00			`&Alter(3, $ip);`
Initial revision 2005-09-12 21:51:19 +02:00			`}`
			`}`
			`}`

			`sub check_timestamp() {`
			`&Evoauth::Functions::Log("Suppression des règles obsolètes dans iptables.");`

			`# on travaille sur tous les utilisateurs présents`
acces a la base. 2005-09-15 07:44:29 +02:00			`my $dbh = DBI->connect( $db, $username, $userpass ) \|\|`
			`&Evoauth::Functions::Log("La connexion a échoué : $DBI::errstr");`

Initial revision 2005-09-12 21:51:19 +02:00			`my $sql = "SELECT * FROM users";`
			`my $sth = $dbh->prepare($sql);`
			`$sth->execute();`

			`my($id, $login, $pass, $groupe, $utype, $credit, $ip, $statut,`
			`$actif, $firstcon, $lastupdate, $kick);`

			`$sth->bind_columns(undef, \$id, \$login, \$pass, \$groupe,`
			`\$utype, \$credit, \$ip, \$statut, \$actif, \$firstcon,`
			`\$lastupdate, \$kick);`

			`&Evoauth::Functions::Log("Vérification de la base.");`

acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`my ($newtime, $oldtime, $cpt);`
typos. 2005-09-13 16:02:17 +02:00
			`while ($sth->fetch() && $sth != 0) {`
			`if ($statut == 1) {`
Initial revision 2005-09-12 21:51:19 +02:00			`$newtime = time();`
			`$oldtime = $lastupdate;`

acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`# si le dernier update est trop ancien, on supprime`
Initial revision 2005-09-12 21:51:19 +02:00			`my $timestamp = $newtime - $oldtime;`
timetorem... 2005-09-15 12:02:16 +02:00			`if ($timestamp > $timetorem) {`
Initial revision 2005-09-12 21:51:19 +02:00			`# dernière connexion est < 1 min -> suppresion`
log! 2005-09-15 11:55:54 +02:00			`&Alter(3, $ip);`
			`&Evoauth::Functions::Log("$ip [supprimée]") &&`
Initial revision 2005-09-12 21:51:19 +02:00			`&Evoauth::Functions::Mail("Suppression", $ip);`
			`}`

acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`# sinon conservation`
typos. 2005-09-13 16:02:17 +02:00			`else {`
Initial revision 2005-09-12 21:51:19 +02:00			`&Evoauth::Functions::Log("$ip [conservée]");`
			`}`
			`}`
			`}`

			`$sth->finish();`
			`}`

			`sub Control() {`
			`my $action = shift;`

acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`# initialisation d'Evoauth`
Initial revision 2005-09-12 21:51:19 +02:00			`if ($action == 1) {`
bogues de regexp. 2005-09-20 09:36:56 +02:00			`foreach (@rules) {`
			`next if /^#/;`
			`chomp;`
gestion multi-regles 2005-09-20 09:05:46 +02:00
			`# on supprimer les commentaires`
bogues de regexp. 2005-09-20 09:36:56 +02:00			`$_ =~ s/#.*//;`
gestion multi-regles 2005-09-20 09:05:46 +02:00
			`# on split la liste des paramètres`
tabs ou espaces. 2005-09-20 09:42:52 +02:00			`my @tmp1 = split (/\t+\|\s+/);`
gestion multi-regles 2005-09-20 09:05:46 +02:00
redirection des erreurs. 2005-09-15 10:34:48 +02:00			`system("/sbin/iptables -t nat -A PREROUTING -p $tmp1[2] -i ppp0 --dport $tmp1[1] -j DNAT --to $tmp1[0]:$tmp1[1] 2>/dev/null");`
Initial revision 2005-09-12 21:51:19 +02:00			`}`

acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`&Evoauth::Functions::Log("1 - Règles de PREROUTING charges");`
Initial revision 2005-09-12 21:51:19 +02:00
redirection des erreurs. 2005-09-15 10:34:48 +02:00			`system("/sbin/iptables -N EVOAUTH 2>/dev/null");`
			`system("/sbin/iptables -A EVOAUTH -j DROP 2>/dev/null");`
Initial revision 2005-09-12 21:51:19 +02:00
			`&Evoauth::Functions::Log("2 - Tables crées");`

gestion multi-regles 2005-09-20 09:05:46 +02:00			`# chargement des règles`
bogues de regexp. 2005-09-20 09:36:56 +02:00			`foreach (@rules) {`
			`next if /^#/;`
			`chomp;`
gestion multi-regles 2005-09-20 09:05:46 +02:00
			`# on supprimer les commentaires`
bogues de regexp. 2005-09-20 09:36:56 +02:00			`$_ =~ s/#.*//;`
gestion multi-regles 2005-09-20 09:05:46 +02:00
			`# on split la liste des paramètres`
tabs ou espaces. 2005-09-20 09:42:52 +02:00			`my @tmp2 = split (/\t+\|\s+/);`
gestion multi-regles 2005-09-20 09:05:46 +02:00
redirection des erreurs. 2005-09-15 10:34:48 +02:00			`system("/sbin/iptables -A FORWARD -p $tmp2[2] -i ppp0 -o eth0 --dport $tmp2[1] -j EVOAUTH 2>/dev/null");`
Initial revision 2005-09-12 21:51:19 +02:00			`}`

			`&Evoauth::Functions::Log("3 - Règles chargées");`

			`&Evoauth::Functions::Log("Evoauth vient de démarrer.");`
			`}`

			`# arret`
			`elsif ($action == 2) {`
bug log. 2005-09-15 11:47:10 +02:00			`system("/sbin/iptables -F EVOAUTH 2>/dev/null");`
			`&Evoauth::Functions::Log("1 - Flush de la table EVOAUTH");`
Initial revision 2005-09-12 21:51:19 +02:00
bogues de regexp. 2005-09-20 09:36:56 +02:00			`foreach (@rules) {`
			`next if /^#/;`
			`chomp;`
gestion multi-regles 2005-09-20 09:05:46 +02:00
			`# on supprimer les commentaires`
bogues de regexp. 2005-09-20 09:36:56 +02:00			`$_ =~ s/#.*//;`
gestion multi-regles 2005-09-20 09:05:46 +02:00
			`# on split la liste des paramètres`
tabs ou espaces. 2005-09-20 09:42:52 +02:00			`my @tmp3 = split (/\t+\|\s+/);`
gestion multi-regles 2005-09-20 09:05:46 +02:00
redirection des erreurs. 2005-09-15 10:34:48 +02:00			`system("/sbin/iptables -D FORWARD -p $tmp3[2] -i ppp0 -o eth0 --dport $tmp3[1] -j EVOAUTH 2>/dev/null");`
			`system("/sbin/iptables -t nat -D PREROUTING -p $tmp3[2] -i ppp0 --dport $tmp3[1] -j DNAT --to $tmp3[0]:$tmp3[1] 2>/dev/null");`
Initial revision 2005-09-12 21:51:19 +02:00			`}`

			`&Evoauth::Functions::Log("2 - Annulation FORWARD + PREROUTING");`

bug log. 2005-09-15 11:47:10 +02:00			`system("/sbin/iptables -X EVOAUTH 2>/dev/null");`
			`&Evoauth::Functions::Log("3 - Suppression de la table EVOAUTH");`
Initial revision 2005-09-12 21:51:19 +02:00
			`&Evoauth::Functions::Log("Evoauth vient de s'arreter.");`
			`}`

			`# restart`
			`else {`
correction fonction restart. 2005-09-15 10:48:40 +02:00			`&Control(2);`
			`&Control(1);`
acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`&Evoauth::Functions::Log("Evoauth vient de redémarrer.");`
Initial revision 2005-09-12 21:51:19 +02:00			`}`
			`}`

			`1;`
			`__END__`

			`=head1 NAME`

			`Evoauth::Iptables - Firewall`

			`=head1 SYNOPSIS`

acces a la base, ouverture popup et commentaires ajoutes. 2005-09-15 10:22:21 +02:00			`use Evoauth::Iptables;`
Initial revision 2005-09-12 21:51:19 +02:00
			`=head1 DESCRIPTION`

			`Fonctions d'administration d'Evoauth.`

			`=head2 EXPORT`

			`...`

			`=head1 SEE ALSO`

			`...`

			`=head1 AUTHOR`

licence. 2005-09-15 10:43:05 +02:00			`Evolix, E<lt>info@evolix.fr<gt>`
Initial revision 2005-09-12 21:51:19 +02:00
			`=head1 COPYRIGHT AND LICENSE`

licence. 2005-09-15 10:43:05 +02:00			`Copyright (C) 2005 Evolix`
Initial revision 2005-09-12 21:51:19 +02:00
licence. 2005-09-15 10:43:05 +02:00			`Licence GPL.`
Initial revision 2005-09-12 21:51:19 +02:00
			`=cut`