version 1.35, 2009/04/22 14:58:59
|
version 1.36, 2009/06/07 23:20:38
|
Line 50
|
Line 50
|
use strict; |
use strict; |
use lib '/home/httpd/lib/perl/'; |
use lib '/home/httpd/lib/perl/'; |
use LONCAPA::Configuration; |
use LONCAPA::Configuration; |
|
use Apache::lonnet; |
|
|
my $command=$ARGV[0]; $command=~s/[^a-z]//g; |
my $command=$ARGV[0]; $command=~s/[^a-z]//g; |
|
|
Line 67 $ENV{'BASH_ENV'}="";
|
Line 68 $ENV{'BASH_ENV'}="";
|
} |
} |
} |
} |
my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
if (!-e $suse_config) { |
if (-e $suse_config) { |
|
$fw_chain = 'input_ext'; |
|
} else { |
if (!-e '/etc/sysconfig/iptables') { |
if (!-e '/etc/sysconfig/iptables') { |
print("Unable to find iptables file containing static definitions\n"); |
print("Unable to find iptables file containing static definitions\n"); |
} |
} |
Line 81 sub firewall_open_port {
|
Line 84 sub firewall_open_port {
|
return 'inactive firewall' if (! &firewall_is_active); |
return 'inactive firewall' if (! &firewall_is_active); |
return 'port number unknown' if !$lond_port; |
return 'port number unknown' if !$lond_port; |
my @opened; |
my @opened; |
my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) { |
if (-e $suse_config) { |
return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n"; |
if (open(my $fh,"<$suse_config")) { |
} |
while(<$fh>) { |
# iptables is running with expected chain |
chomp(); |
# |
if (/^FW_SERVICES_EXT_TCP="([^"]+)"\s*$/) { |
# For lond port, restrict the servers allowed to attempt to communicate |
my $portstr = $1; |
# to include only source IPs in the LON-CAPA cluster. |
my @suseports = split(/\s+/,$portstr); |
foreach my $port ($lond_port) { |
foreach my $port ($lond_port) { |
print "Opening firewall access on port $port.\n"; |
if (grep/^\Q$port\E$/,@suseports) { |
my $result; |
push(@opened,$port); |
if ($port eq $lond_port) { |
} |
my (@port_error,@command_error,@lond_port_open); |
|
my %iphost = &Apache::lonnet::get_iphost(); |
|
if (keys(%iphost) > 0) { |
|
&firewall_close_anywhere($port); |
|
foreach my $ip (keys(%iphost)) { |
|
my $firewall_command = |
|
"$iptables -I $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT"; |
|
system($firewall_command); |
|
my $return_status = $?>>8; |
|
if ($return_status == 1) { |
|
push (@port_error,$ip); |
|
} elsif ($return_status == 2) { |
|
push(@command_error,$ip); |
|
} elsif ($return_status == 0) { |
|
push(@lond_port_open,$ip); |
} |
} |
} |
} |
} |
} |
} |
if (@lond_port_open) { |
} else { |
push(@opened,$port); |
if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) { |
print "Port $port opened for ".scalar(@lond_port_open)." IP addresses\n"; |
return 'chain error'; |
} |
} |
if (@port_error) { |
# iptables is running with our chain |
print "Error opening port $port for following IP addresses: ".join(', ',@port_error)."\n"; |
# |
} |
# We could restrict the servers allowed to attempt to communicate |
if (@command_error) { |
# here, but the logistics of updating the /home/httpd/lonTabs/host.tab |
print "Bad command error opening port for following IP addresses: ". |
# file are likely to be a problem |
join(', ',@command_error)."\n". |
foreach my $port ($lond_port) { |
'Command was: "'."$iptables -I $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
print "Opening firewall access on port $port.\n"; |
} |
my $result; |
} else { |
my $firewall_command = |
my $firewall_command = |
"$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
"$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
system($firewall_command); |
system($firewall_command); |
my $return_status = $?>>8; |
my $return_status = $?>>8; |
Line 135 sub firewall_open_port {
|
Line 152 sub firewall_open_port {
|
|
|
sub firewall_is_port_open { |
sub firewall_is_port_open { |
my ($port) = @_; |
my ($port) = @_; |
# returns 1 if the firewall port is open, 0 if not. |
# for lond port returns number of source IPs for which firewall port is open |
|
# for other ports returns 1 if the firewall port is open, 0 if not. |
# |
# |
# check if firewall is active or installed |
# check if firewall is active or installed |
return if (! &firewall_is_active); |
return if (! &firewall_is_active); |
if (`$iptables -L -n 2>/dev/null | grep "tcp dpt:$port"`) { |
if ($port eq $lond_port) { |
return 1; |
my %iphost = &Apache::lonnet::get_iphost(); |
|
foreach my $ip (keys(%iphost)) { |
|
my $count = `$iptables -L -n 2>/dev/null | grep "tcp dpt:$port" | wc -l`; |
|
return $count; |
|
} |
} else { |
} else { |
return 0; |
if (`$iptables -L -n 2>/dev/null | grep "tcp dpt:$port"`) { |
|
return 1; |
|
} else { |
|
return 0; |
|
} |
} |
} |
} |
} |
|
|
Line 157 sub firewall_is_active {
|
Line 183 sub firewall_is_active {
|
sub firewall_close_port { |
sub firewall_close_port { |
return 'inactive firewall' if (! &firewall_is_active); |
return 'inactive firewall' if (! &firewall_is_active); |
return 'port number unknown' if !$lond_port; |
return 'port number unknown' if !$lond_port; |
my $suse_config = "/etc/sysconfig/SuSEfirewall2"; |
if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) { |
return if (-e $suse_config); |
return 'Expected chain "'.$fw_chain.'" missing from iptables'."\n"; |
|
} |
foreach my $port ($lond_port) { |
foreach my $port ($lond_port) { |
print "Closing firewall access on port $port\n"; |
print "Closing firewall access on port $port\n"; |
my $firewall_command = |
if ($port eq $lond_port) { |
"$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
my (@port_error,@command_error,@lond_port_close); |
system($firewall_command); |
my %iphost = &Apache::lonnet::get_iphost(); |
my $return_status = $?>>8; |
my %toclose; |
if ($return_status == 1) { |
if (keys(%iphost) > 0) { |
# Error |
open(PIPE, "$iptables -n -L $fw_chain |"); |
print "Error closing port.\n"; |
while (<PIPE>) { |
} elsif ($return_status == 2) { |
chomp(); |
# Bad command |
next unless (/dpt:\Q$port\E\s*$/); |
print "Bad command error closing port. Command was\n". |
if (/^ACCEPT\s+tcp\s+\-{2}\s+([\S]+)\s+/) { |
" ".$firewall_command."\n"; |
$toclose{$1} = $port; |
|
} |
|
} |
|
close(PIPE); |
|
} |
|
foreach my $ip (keys(%iphost)) { |
|
next unless (exists($toclose{$ip})); |
|
my $firewall_command = |
|
"$iptables -D $fw_chain -p tcp -s $ip -d 0/0 --dport $port -j ACCEPT"; |
|
system($firewall_command); |
|
my $return_status = $?>>8; |
|
if ($return_status == 1) { |
|
push (@port_error,$ip); |
|
} elsif ($return_status == 2) { |
|
push(@command_error,$ip); |
|
} elsif ($return_status == 0) { |
|
push(@lond_port_close,$ip); |
|
} |
|
} |
|
if (@lond_port_close) { |
|
print "Port $port closed for ".scalar(@lond_port_close)." IP addresses\n"; |
|
} |
|
if (@port_error) { |
|
print "Error closing port $port for following IP addresses: ".join(', ',@port_error)."\n"; |
|
} |
|
if (@command_error) { |
|
print "Bad command error opening port for following IP addresses: ". |
|
join(', ',@command_error)."\n". |
|
'Command was: "'."$iptables -D $fw_chain -p tcp -s ".'$ip'." -d 0/0 --dport $port -j ACCEPT".'", where $ip is IP address'."\n"; |
|
} |
|
&firewall_close_anywhere($port); |
} else { |
} else { |
print "Port closed.\n"; |
my $firewall_command = |
|
"$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT"; |
|
system($firewall_command); |
|
my $return_status = $?>>8; |
|
if ($return_status == 1) { |
|
# Error |
|
print "Error closing port.\n"; |
|
} elsif ($return_status == 2) { |
|
# Bad command |
|
print "Bad command error closing port. Command was\n". |
|
" ".$firewall_command."\n"; |
|
} else { |
|
print "Port closed.\n"; |
|
} |
} |
} |
} |
} |
return; |
return; |
Line 190 sub get_lond_port {
|
Line 260 sub get_lond_port {
|
return $lond_port; |
return $lond_port; |
} |
} |
|
|
|
sub firewall_close_anywhere { |
|
my ($port) = @_; |
|
open(PIPE, "$iptables --line-numbers -n -L $fw_chain |"); |
|
while (<PIPE>) { |
|
next unless (/dpt:\Q$port\E/); |
|
chomp(); |
|
if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) { |
|
my $firewall_command = "$iptables -D $fw_chain $1"; |
|
system($firewall_command); |
|
my $return_status = $?>>8; |
|
if ($return_status == 1) { |
|
print 'Error closing port '.$port.' for source "anywhere"'."\n"; |
|
} elsif ($return_status == 2) { |
|
print 'Bad command error closing port '.$port.' for source "anywhere". Command was'."\n". |
|
' '.$firewall_command."\n"; |
|
} else { |
|
print 'Port '.$port.' closed for source "anywhere"'."\n"; |
|
} |
|
} |
|
} |
|
close(PIPE); |
|
} |
|
|
} # End firewall variable scope |
} # End firewall variable scope |
|
|
sub stop_daemon { |
sub stop_daemon { |
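Review bot: `firewall_close_anywhere` deletes rules by the line numbers taken from one `--line-numbers` listing while it is still looping over that same listing, so as soon as the first matching rule is removed every later number in the snapshot is off by one and `-D $fw_chain $1` can delete an unrelated rule in the chain, including one that is not an ACCEPT. The port filter just before it is also unanchored — `next unless (/dpt:\Q$port\E/)` lets a port such as 5000 match `dpt:50001` — whereas the new `firewall_close_port` correctly uses `/dpt:\Q$port\E\s*$/`. Suggest collecting the matching rule numbers first, anchoring the port the same way, and deleting from the highest number down; while there, the list form `system($iptables,'-D',$fw_chain,$rulenum)` avoids ever handing the command to a shell. The same prefix problem exists in the `grep "tcp dpt:$port" | wc -l` count in `firewall_is_port_open`, which the sketch below does not touch.
```perl
sub firewall_close_anywhere {
    my ($port) = @_;
    # Collect rule numbers first: deleting while iterating renumbers the
    # remaining rules, so later numbers from this listing would be stale.
    my @rulenums;
    open(PIPE, "$iptables --line-numbers -n -L $fw_chain |");
    while (<PIPE>) {
        chomp();
        # anchored so dpt:5000 does not also match dpt:50001
        next unless (/dpt:\Q$port\E\s*$/);
        if (/^(\d+)\s+ACCEPT\s+tcp\s+\-{2}\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0/) {
            push(@rulenums,$1);
        }
    }
    close(PIPE);
    # Highest rule number first, so the numbers still to be deleted stay valid.
    foreach my $rulenum (sort { $b <=> $a } @rulenums) {
        my $firewall_command = "$iptables -D $fw_chain $rulenum";
        system($iptables,'-D',$fw_chain,$rulenum);
        my $return_status = $?>>8;
        # … unchanged: status reporting for $return_status 1 / 2 / 0 …
    }
}
```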