From e1bbd3aad5cf5ab7ffd9e876269c815e21be062b Mon Sep 17 00:00:00 2001
From: latham <latham@ispconfig3>
Date: Thu, 30 Jun 2011 16:42:06 +0000
Subject: [PATCH] start iptables plugin, just documenting now

---
 .../plugins-available/iptables_plugin.inc.php | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 server/plugins-available/iptables_plugin.inc.php

diff --git a/server/plugins-available/iptables_plugin.inc.php b/server/plugins-available/iptables_plugin.inc.php
new file mode 100644
index 0000000000..2aba144668
--- /dev/null
+++ b/server/plugins-available/iptables_plugin.inc.php
@@ -0,0 +1,78 @@
+<?php
+
+class iptables_plugin
+{
+ var $plugin_name = 'iptables_plugin';
+ var $class_name  = 'iptables_plugin';
+
+ function onInstall()
+ {
+  global $conf;
+  if($conf['iptables']['installed'] = true) return true;
+  else return false;
+ }
+
+ function onLoad()
+ {
+  global $app;
+  $app->plugins->registerEvent('iptables_insert',$this->plugin_name,'insert');
+  $app->plugins->registerEvent('iptables_update',$this->plugin_name,'update');
+  $app->plugins->registerEvent('iptables_delete',$this->plugin_name,'delete');
+ }
+
+ function insert($event_name,$data)
+ {
+  global $app, $conf;
+  $this->update($event_name,$data);
+ }
+
+ function update($event_name,$data)
+ {
+  global $app, $conf;
+/*
+ok, here is where we do some fun stuff.  First off we need to see the currently
+running iptables (sans the fail2ban) and compare with the database.  This is
+the method that is good for multi servers and keeping the firewall read only so
+a comromised box will not corrupt the master server.
+
+If the running iptables and the new iptables don't match, lets send a note to 
+the monitoring data to say that there is a difference.  Maybe we can have the
+iptables gui inteface check the data field for changes and post a warning and
+or the changes as disabled rules.  If an admin adds a rule on the comand line
+we should make it easy to add to the database, but hard to overwrite the data.
+
+1.
+So first is a reading of the current rules by filter:table with our friend awk
+
+2.
+Compare with database
+
+3.
+Send notices or updates
+
+4.
+Apply rules from database
+
+5.
+Preform some type of sainity check like the apache restart script
+
+6.
+Profit
+
+# automate this with a loop, but here it is for santity sake.
+exec('iptables -S INPUT');
+exec('iptables -S OUTPUT');
+exec('iptables -S FORWARD');
+
+$data['new'] should have lots of fun stuff
+exec('iptables -I XYZ');
+*/
+ }
+	
+ function delete($event_name,$data)
+ {
+  global $app, $conf;
+  exec('iptables -D xyz');
+ }
+}
+?>
\ No newline at end of file
-- 
GitLab