239 lines
5.3 KiB
Perl
239 lines
5.3 KiB
Perl
package Evoauth::Iptables;
|
|
|
|
use strict;
|
|
use warnings;
|
|
use Config::Tiny;
|
|
use Evoauth::Functions;
|
|
|
|
my $Config = Config::Tiny->read( '/etc/evoauth/evoauth.conf' );
|
|
|
|
# Paramètres de configuration
|
|
my $activation = $Config->{control}->{enable};
|
|
my $timetorem = $Config->{control}->{timetorem};
|
|
|
|
# Connexion à la base de données
|
|
my $db = $Config->{bdd}->{db};
|
|
my $username = $Config->{bdd}->{username};
|
|
my $userpass = $Config->{bdd}->{userpass};
|
|
|
|
my $dbh = DBI->connect( $db, $username, $userpass )
|
|
&& &Evoauth::Functions::Log("La connexion a réussie.") ||
|
|
&Evoauth::Functions::Log("La connexion a échoué : $DBI::errstr");
|
|
|
|
# Règles
|
|
our %conf;
|
|
my $cpt = 1;
|
|
|
|
while ($cpt <= 4) {
|
|
$conf{"rule".$cpt} = $Config->{rules}->{"rule".$cpt};
|
|
$cpt++;
|
|
}
|
|
|
|
sub Alter() {
|
|
my $action = shift;
|
|
my $ip = shift;
|
|
|
|
# ajout
|
|
if ($action == 1) {
|
|
system("/sbin/iptables -I EVOAUTH -s $ip -j ACCEPT > /dev/null") &&
|
|
&Evoauth::Functions::Log("Ajout de $ip aux connectés.") &&
|
|
&Evoauth::Functions::Mail("Connexion", $ip);
|
|
}
|
|
|
|
# verification
|
|
elsif ($action == 2) {
|
|
&check_iptables;
|
|
&check_timestamp;
|
|
}
|
|
|
|
# suppression
|
|
else {
|
|
my $sql = qq{ UPDATE users set statut = 0 where ip = '$ip' };
|
|
my $sth = $dbh->prepare($sql);
|
|
|
|
system("/sbin/iptables -D EVOAUTH -s $ip -j ACCEPT") &&
|
|
$sth->execute() &&
|
|
$sth->finish() &&
|
|
&Evoauth::Functions::Log("$ip [supprimee]") &&
|
|
&Evoauth::Functions::Mail("Deconnexion", $ip);
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
|
|
sub check_iptables() {
|
|
my ($ip, @ips);
|
|
|
|
&Evoauth::Functions::Log("Suppression des règles obsolètes dans iptables.");
|
|
|
|
# obtention de la liste des ips
|
|
system("/sbin/iptables -L EVOAUTH -n |grep ACCEPT |awk '{ print \$4 }' > /tmp/ips.txt");
|
|
|
|
# on ouvre le fichier des ips
|
|
open(IPS, "/tmp/ips.txt") || &ecriture("L'ouverture des IPs a échoué.");
|
|
@ips = <IPS>;
|
|
close(IPS);
|
|
|
|
foreach $ip (@ips) {
|
|
chomp $ip;
|
|
|
|
my $sql = "SELECT statut FROM users where ip = '".$ip."'";
|
|
my $sth = $dbh->prepare( $sql );
|
|
$sth->execute();
|
|
|
|
my $statut;
|
|
$sth->bind_columns(undef, \$statut);
|
|
|
|
$sth->fetch();
|
|
|
|
if ($statut != 1) {
|
|
&Evoauth::Functions::Log("$ip [supprimée]\n");
|
|
&Evoauth::Functions::Mail("Suppression", $ip);
|
|
&Alter(3, $ip);
|
|
}
|
|
}
|
|
}
|
|
|
|
sub check_timestamp() {
|
|
&Evoauth::Functions::Log("Suppression des règles obsolètes dans iptables.");
|
|
|
|
# on travaille sur tous les utilisateurs présents
|
|
my $sql = "SELECT * FROM users";
|
|
my $sth = $dbh->prepare($sql);
|
|
$sth->execute();
|
|
|
|
my($id, $login, $pass, $groupe, $utype, $credit, $ip, $statut,
|
|
$actif, $firstcon, $lastupdate, $kick);
|
|
|
|
$sth->bind_columns(undef, \$id, \$login, \$pass, \$groupe,
|
|
\$utype, \$credit, \$ip, \$statut, \$actif, \$firstcon,
|
|
\$lastupdate, \$kick);
|
|
|
|
my ($newtime, $oldtime);
|
|
|
|
&Evoauth::Functions::Log("Vérification de la base.");
|
|
|
|
# compteur
|
|
my $cpt;
|
|
|
|
while ($sth->fetch() && $sth != 0) {
|
|
if ($statut == 1) {
|
|
$newtime = time();
|
|
$oldtime = $lastupdate;
|
|
|
|
my $timestamp = $newtime - $oldtime;
|
|
if ($timestamp > $conf{timetorem}) {
|
|
# dernière connexion est < 1 min -> suppresion
|
|
&Alter(3, $ip) && &Evoauth::Functions::Log("$ip [supprimée]") &&
|
|
&Evoauth::Functions::Mail("Suppression", $ip);
|
|
}
|
|
|
|
else {
|
|
# sinon conservation
|
|
&Evoauth::Functions::Log("$ip [conservée]");
|
|
}
|
|
}
|
|
}
|
|
|
|
$sth->finish();
|
|
return 0;
|
|
}
|
|
|
|
sub Control() {
|
|
my $action = shift;
|
|
my ( @tmp1, @tmp2, $key, $value );
|
|
|
|
# start
|
|
if ($action == 1) {
|
|
while ( ($key, $value) = each(%conf) ) {
|
|
@tmp1 = split (/\t/, $value);
|
|
system("/sbin/iptables -t nat -A PREROUTING -p $tmp1[2] -i ppp0 --dport $tmp1[1] -j DNAT --to $tmp1[0]:$tmp1[1]");
|
|
}
|
|
|
|
&Evoauth::Functions::Log("1 - Regles de PREROUTING charges");
|
|
|
|
system("/sbin/iptables -N EVOAUTH") &&
|
|
system("/sbin/iptables -A EVOAUTH -j DROP");
|
|
|
|
&Evoauth::Functions::Log("2 - Tables crées");
|
|
|
|
while ( ($key, $value) = each(%conf) ) {
|
|
@tmp2 = split (/\t/, $value);
|
|
system("/sbin/iptables -A FORWARD -p $tmp2[2] -i ppp0 -o eth0 --dport $tmp2[1] -j EVOAUTH");
|
|
}
|
|
|
|
&Evoauth::Functions::Log("3 - Règles chargées");
|
|
|
|
&Evoauth::Functions::Log("Evoauth vient de démarrer.");
|
|
}
|
|
|
|
# arret
|
|
elsif ($action == 2) {
|
|
system("/sbin/iptables -F EVOAUTH") &&
|
|
&Evoauth::Functions::Log("1 - Flush de la table EVOAUTH");
|
|
|
|
my @tmp3;
|
|
|
|
while ( ($key, $value) = each(%conf) ) {
|
|
@tmp3 = split $value;
|
|
system("/sbin/iptables -D FORWARD -p $tmp3[2] -i ppp0 -o eth0 --dport $tmp3[1] -j EVOAUTH");
|
|
system("/sbin/iptables -t nat -D PREROUTING -p $tmp3[2] -i ppp0 --dport $tmp3[1] -j DNAT --to $tmp3[0]:$tmp3[1]");
|
|
}
|
|
|
|
&Evoauth::Functions::Log("2 - Annulation FORWARD + PREROUTING");
|
|
|
|
system("/sbin/iptables -X EVOAUTH") &&
|
|
&Evoauth::Functions::Log("3 - Suppression de la table EVOAUTH");
|
|
|
|
&Evoauth::Functions::Log("Evoauth vient de s'arreter.");
|
|
}
|
|
|
|
# restart
|
|
else {
|
|
&stop() &&
|
|
&start() &&
|
|
&Evoauth::Functions::Log("Evoauth vient de redémarrer.");
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
1;
|
|
__END__
|
|
|
|
=head1 NAME
|
|
|
|
Evoauth::Iptables - Firewall
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
use Evoauth::Iptables;
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
Fonctions d'administration d'Evoauth.
|
|
|
|
=head2 EXPORT
|
|
|
|
...
|
|
|
|
=head1 SEE ALSO
|
|
|
|
...
|
|
|
|
=head1 AUTHOR
|
|
|
|
Alexandre Anriot, E<lt>aanriot@evolix.fr<gt>
|
|
|
|
=head1 COPYRIGHT AND LICENSE
|
|
|
|
Copyright (C) 2005 by Alexandre Anriot
|
|
|
|
This library is free software; you can redistribute it and/or modify
|
|
it under the same terms as Perl itself, either Perl version 5.8.6 or,
|
|
at your option, any later version of Perl 5 you may have available.
|
|
|
|
|
|
=cut
|