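package Evoauth::Iptables;

use strict;
use warnings;

use Config::Tiny;
use DBI;
use Evoauth::Functions;

# Evoauth::Iptables - maintains the EVOAUTH iptables chain that gates
# authenticated clients and keeps it consistent with the "users" table.
#
# Every external command is run in list form (no shell), so addresses and
# rule fields coming from the database, from iptables output or from callers
# are passed to iptables verbatim and can never be read as shell syntax.
# Every SQL statement uses placeholders for the same reason.

my $CONFIG_FILE = '/etc/evoauth/evoauth.conf';
my $IPTABLES    = '/sbin/iptables';
my $CHAIN       = 'EVOAUTH';
my $WAN_IF      = 'ppp0';    # interface the clients arrive on
my $LAN_IF      = 'eth0';    # interface the forwarded traffic leaves by

my $Config = Config::Tiny->read($CONFIG_FILE)
    or die "Cannot read $CONFIG_FILE: " . Config::Tiny->errstr . "\n";

# [control] timetorem: seconds a connected user may go without a timestamp
# refresh before check_timestamp() removes them.
my $timetorem = $Config->{control}->{timetorem};

# [bdd] section: DBI data source name and credentials.
my $db       = $Config->{bdd}->{db};
my $username = $Config->{bdd}->{username};
my $userpass = $Config->{bdd}->{userpass};

# [rules] section: rule1 .. rule4, each a tab-separated triple
# "destination_ip<TAB>port<TAB>protocol".  Kept as a package variable (our)
# so that other Evoauth modules may read %Evoauth::Iptables::conf.
our %conf;
for my $n (1 .. 4) {
    $conf{"rule$n"} = $Config->{rules}->{"rule$n"};
}

# Dotted-quad IPv4 address with an optional /prefix, anchored at both ends.
# Anything that does not match is refused before it reaches iptables or SQL.
my $IPV4_RE = qr{
    \A
    (?: 25[0-5] | 2[0-4]\d | 1?\d?\d )
    (?: \. (?: 25[0-5] | 2[0-4]\d | 1?\d?\d ) ){3}
    (?: / (?: 3[0-2] | [12]?\d ) )?
    \z
}x;

# _valid_ip($ip): true when $ip is a well-formed IPv4 address or prefix.
sub _valid_ip {
    my ($ip) = @_;
    return defined $ip && $ip =~ $IPV4_RE;
}

# _iptables(@args): run /sbin/iptables with @args in list form (no shell).
# stderr is discarded for the duration of the call, as the original
# "2>/dev/null" redirection did.  Returns true when iptables exited 0.
sub _iptables {
    my @args = @_;
    open my $saved_err, '>&', \*STDERR or return 0;
    open STDERR, '>', '/dev/null' or return 0;
    my $rc = system($IPTABLES, @args);
    open STDERR, '>&', $saved_err;    # best-effort restore
    close $saved_err;
    return $rc == 0;
}

# _connect_db(): open a DBI connection with the [bdd] settings.  Logs and
# returns undef on failure instead of dying, so a database outage does not
# take the firewall control path down with it.
sub _connect_db {
    my $dbh = DBI->connect($db, $username, $userpass);
    unless ($dbh) {
        Evoauth::Functions::Log("La connexion a échoué : $DBI::errstr");
        return;
    }
    return $dbh;
}

# _rules(): the configured rules as [dest, port, proto] triples, in key
# order.  Missing or malformed entries are logged and left out so that a bad
# config line cannot turn into a half-built iptables rule.
sub _rules {
    my @rules;
    for my $key (sort keys %conf) {
        my $value  = $conf{$key};
        my @fields = defined $value ? split(/\t/, $value) : ();
        if (@fields < 3) {
            Evoauth::Functions::Log("Règle $key ignorée (format invalide).");
            next;
        }
        push @rules, [ @fields[0 .. 2] ];
    }
    return @rules;
}

# Alter($action, $ip): change the status of one client address.
#   $action == 1   add $ip to the accepted set and notify;
#   $action == 2   run the consistency checks (check_iptables, check_timestamp);
#   anything else  remove $ip (iptables rule + users.statut = 0) and notify.
# Returns true when the requested change completed, false otherwise.
sub Alter {
    my ($action, $ip) = @_;

    # consistency mode needs no address
    if ($action == 2) {
        check_iptables();
        check_timestamp();
        return 1;
    }

    unless (_valid_ip($ip)) {
        Evoauth::Functions::Log("Adresse IP invalide refusée : "
                . (defined $ip ? $ip : ''));
        return 0;
    }

    # add mode: only report the connection once the rule is really in place
    if ($action == 1) {
        _iptables('-I', $CHAIN, '-s', $ip, '-j', 'ACCEPT') or return 0;
        Evoauth::Functions::Log("Ajout de $ip aux connectés.");
        Evoauth::Functions::Mail("Connexion", $ip);
        return 1;
    }

    # remove mode: drop the rule, then mark the user as disconnected
    my $dbh = _connect_db() or return 0;
    _iptables('-D', $CHAIN, '-s', $ip, '-j', 'ACCEPT');
    my $rows = $dbh->do('UPDATE users set statut = 0 where ip = ?', undef, $ip);
    $dbh->disconnect();
    Evoauth::Functions::Log("$ip [supprimee]");
    Evoauth::Functions::Mail("Deconnexion", $ip);
    return defined $rows ? 1 : 0;
}

# _accepted_ips(): source addresses of the ACCEPT rules in the EVOAUTH chain,
# taken from the 4th column of "iptables -L EVOAUTH -n" read through a pipe
# (no shell pipeline, no predictable file in /tmp).  Entries that do not
# parse as IPv4 are logged and skipped.
sub _accepted_ips {
    my @ips;
    open my $fh, '-|', $IPTABLES, '-L', $CHAIN, '-n'
        or do {
            Evoauth::Functions::Log("L'ouverture des IPs a échoué.");
            return;
        };
    while (my $line = <$fh>) {
        next unless $line =~ /ACCEPT/;
        my $src = (split ' ', $line)[3];
        if (_valid_ip($src)) {
            push @ips, $src;
        }
        else {
            Evoauth::Functions::Log("Adresse ignorée dans la chaîne $CHAIN : "
                    . (defined $src ? $src : ''));
        }
    }
    close $fh;
    return @ips;
}

# check_iptables(): remove every ACCEPT rule of the EVOAUTH chain whose
# address has no users row with statut == 1 (rule present, user no longer
# connected).  One database connection serves the whole pass.
sub check_iptables {
    Evoauth::Functions::Log("Suppression des règles obsolètes dans iptables.");

    my @ips = _accepted_ips();
    return unless @ips;

    my $dbh = _connect_db() or return;
    for my $ip (@ips) {
        my ($statut) = $dbh->selectrow_array(
            'SELECT statut FROM users where ip = ?', undef, $ip);
        # no row, or a row that is not "connected": the rule is stale
        next if defined $statut && $statut == 1;
        Evoauth::Functions::Log("$ip [supprimée]\n");
        Evoauth::Functions::Mail("Suppression", $ip);
        Alter(3, $ip);
    }
    $dbh->disconnect();
    return;
}

# check_timestamp(): remove every connected user (statut == 1) whose
# lastupdate is older than [control] timetorem seconds.  Columns are bound
# positionally against "SELECT * FROM users", so the table is assumed to be
# laid out as id, login, pass, groupe, utype, credit, ip, statut, actif,
# firstcon, lastupdate, kick -- TODO confirm against the schema.
sub check_timestamp {
    Evoauth::Functions::Log("Suppression des règles obsolètes dans iptables.");

    unless (defined $timetorem) {
        # without a threshold every connected user would be removed
        Evoauth::Functions::Log(
            "Paramètre control.timetorem absent : vérification ignorée.");
        return;
    }

    my $dbh = _connect_db() or return;
    my $sth = $dbh->prepare('SELECT * FROM users');
    unless ($sth && $sth->execute()) {
        Evoauth::Functions::Log("Lecture de la table users impossible : "
                . (defined $dbh->errstr ? $dbh->errstr : ''));
        $dbh->disconnect();
        return;
    }

    my ($id, $login, $pass, $groupe, $utype, $credit, $ip, $statut,
        $actif, $firstcon, $lastupdate, $kick);
    $sth->bind_columns(undef, \$id, \$login, \$pass, \$groupe, \$utype,
        \$credit, \$ip, \$statut, \$actif, \$firstcon, \$lastupdate, \$kick);

    Evoauth::Functions::Log("Vérification de la base.");
    my $now = time();
    while ($sth->fetch()) {
        next unless defined $statut && $statut == 1;
        my $age = $now - (defined $lastupdate ? $lastupdate : 0);
        if ($age > $timetorem) {
            # last refresh too old: remove; report only when Alter succeeded
            if (Alter(3, $ip)) {
                Evoauth::Functions::Log("$ip [supprimée]");
                Evoauth::Functions::Mail("Suppression", $ip);
            }
        }
        else {
            Evoauth::Functions::Log("$ip [conservée]");
        }
    }
    $sth->finish();
    $dbh->disconnect();
    return;
}

# Control($action): start (1), stop (2) or restart (anything else) the
# Evoauth firewall setup: one PREROUTING DNAT rule and one FORWARD hook per
# configured rule, and the EVOAUTH chain terminated by DROP.
sub Control {
    my ($action) = @_;
    my @rules = _rules();

    # start
    if ($action == 1) {
        for my $rule (@rules) {
            my ($dest, $port, $proto) = @$rule;
            _iptables('-t', 'nat', '-A', 'PREROUTING', '-p', $proto,
                '-i', $WAN_IF, '--dport', $port,
                '-j', 'DNAT', '--to', "$dest:$port");
        }
        Evoauth::Functions::Log("1 - Règles de PREROUTING charges");

        _iptables('-N', $CHAIN);
        _iptables('-A', $CHAIN, '-j', 'DROP');
        Evoauth::Functions::Log("2 - Tables crées");

        for my $rule (@rules) {
            my ($dest, $port, $proto) = @$rule;
            _iptables('-A', 'FORWARD', '-p', $proto, '-i', $WAN_IF,
                '-o', $LAN_IF, '--dport', $port, '-j', $CHAIN);
        }
        Evoauth::Functions::Log("3 - Règles chargées");
        Evoauth::Functions::Log("Evoauth vient de démarrer.");
        return 1;
    }

    # stop
    if ($action == 2) {
        _iptables('-F', $CHAIN)
            and Evoauth::Functions::Log("1 - Flush de la table EVOAUTH");
        for my $rule (@rules) {
            my ($dest, $port, $proto) = @$rule;
            _iptables('-D', 'FORWARD', '-p', $proto, '-i', $WAN_IF,
                '-o', $LAN_IF, '--dport', $port, '-j', $CHAIN);
            _iptables('-t', 'nat', '-D', 'PREROUTING', '-p', $proto,
                '-i', $WAN_IF, '--dport', $port,
                '-j', 'DNAT', '--to', "$dest:$port");
        }
        Evoauth::Functions::Log("2 - Annulation FORWARD + PREROUTING");
        _iptables('-X', $CHAIN)
            and Evoauth::Functions::Log("3 - Suppression de la table EVOAUTH");
        Evoauth::Functions::Log("Evoauth vient de s'arreter.");
        return 1;
    }

    # restart: stop then start through this same entry point
    Control(2);
    Control(1);
    Evoauth::Functions::Log("Evoauth vient de redémarrer.");
    return 1;
}

1;

__END__

=head1 NAME

Evoauth::Iptables - Firewall

=head1 SYNOPSIS

  use Evoauth::Iptables;

  Evoauth::Iptables::Control(1);       # load the rules
  Evoauth::Iptables::Alter(1, $ip);    # accept a client address
  Evoauth::Iptables::Alter(2);         # consistency checks
  Evoauth::Iptables::Alter(3, $ip);    # remove a client address
  Evoauth::Iptables::Control(2);       # unload the rules

=head1 DESCRIPTION

Administration functions for Evoauth.

The module reads F</etc/evoauth/evoauth.conf> at load time: the C<[bdd]>
section (C<db>, C<username>, C<userpass>) gives the DBI connection, the
C<[control]> section gives C<timetorem>, and the C<[rules]> section gives
C<rule1> to C<rule4>, each a tab-separated C<destination>, C<port>,
C<protocol> triple.  The rules are kept in C<%Evoauth::Iptables::conf>.

=head2 Alter($action, $ip)

C<1> adds C<$ip> to the EVOAUTH chain, C<2> runs C<check_iptables> and
C<check_timestamp>, any other value removes C<$ip> and sets
C<users.statut = 0>.  Addresses that are not well-formed IPv4 are refused.

=head2 check_iptables

Removes EVOAUTH ACCEPT rules whose address is no longer connected.

=head2 check_timestamp

Removes connected users whose last update is older than C<timetorem> seconds.

=head2 Control($action)

C<1> loads the PREROUTING, EVOAUTH and FORWARD rules, C<2> removes them, any
other value does both in turn.

=head2 EXPORT

Nothing is exported; call the functions with their package name.

=head1 SEE ALSO

L<Evoauth::Functions>

=head1 AUTHOR

Alexandre Anriot, E<lt>aanriot@evolix.frE<gt>

=head1 COPYRIGHT AND LICENSE

Copyright (C) 2005 by Alexandre Anriot

This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.8.6 or,
at your option, any later version of Perl 5 you may have available.

=cut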