
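<?php
include ("../inc/header.inc");
include ("../inc/functions.inc");

# This page allows you to upload a new firewall script...
# The firewall script is /etc/rc.d/rc.firewall
#
# UI strings are looked up by variable-variable: the language code in $l
# (already set at this point, presumably by header.inc -- TODO confirm it is
# restricted to a known language list before it reaches this lookup) is
# concatenated with a message number, e.g. $l="en", $trans="111" reads $en111.
$trans="111";
$a111 = "${$l.$trans}";
$trans="4";
$a4 = "${$l.$trans}";
?>
<div id="contentArea">
<h1><a href="/scop/index.php?menu=maint&amp;l=<?=rawurlencode($l)?>"><?=$a4?></a> &gt; <?=$a111?></h1>
<div class="border">			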
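<?php

// Firewall lock-down wizard.
//
// With action=update (POSTed by the form below): generate
// /etc/rc.d/rc.lockdownwizard from the posted administration IP/netmask plus
// every VIP / real-server pair found in the load-balancer configuration, copy
// it to the peer node and re-run /etc/rc.d/rc.firewall on both nodes.
// Otherwise: render the input form.
//
// $adminip and $adminsubnet are written verbatim into a shell script that is
// later executed as root, so they are validated as dotted-quad IPv4 values
// before use; nothing else from the request reaches the generated script.

// The form posts to "?action=update", so read $_GET when register_globals
// has not already populated $action.
if (!isset($action) && isset($_GET['action'])) {
	$action = $_GET['action'];
}

if (isset($action) && $action=="update") {
	#/etc/rc.d/rc.lockdownwizard
	SCOP_log("Config : Firewall lock down activated");
	$adminip = isset($_POST['adminip']) ? trim($_POST['adminip']) : "";
	$adminsubnet = isset($_POST['adminsubnet']) ? trim($_POST['adminsubnet']) : "";
	if ($adminip=="") { exit("No data posted ?"); }
	if ($adminsubnet=="") { $adminsubnet="255.255.255.255"; }
	// Both values land inside ADMINIP="..." / ADMINSUBNET="..." lines of a
	// root-executed script: a quote or ';' here would be a root command
	// injection, so only a plain IPv4 dotted quad is accepted.  The netmask
	// is dotted-decimal as well, so the same check applies to it.
	if (filter_var($adminip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
		exit("Invalid admin IP address");
	}
	if (filter_var($adminsubnet, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
		exit("Invalid admin netmask");
	}
	#Display the sugested firewall settings
	#Iterate through all the VIPs and Ports
	# open a new file
	$target="/etc/rc.d/rc.lockdownwizard";
	# NOTE(review): the web user gets write access by making a root-created
	# file world-writable, so any local user can edit a script that root
	# executes.  Writing to a private temp file and installing it with a
	# dedicated sudo rule would close that window; not changed here because
	# the sudoers policy is outside this file.
	exec ("sudo rm $target");
	exec ("sudo touch $target");
	exec ("sudo chmod 777 $target");
	$written = false;
	if ($file=fopen("$target","w")) {
		fputs($file,"#!/bin/sh\n");
		fputs($file,"#$target\n");
		fputs($file,"# Auto generated by SCOP.org appliance\n");
		fputs($file,"# Make sure the default INPUT policy is drop\n");
		fputs($file,"iptables -P INPUT   DROP\n");
		fputs($file,"# Allow unlimited traffic on the loopback interface for local administration\n");
		fputs($file,"iptables -A INPUT -i lo -j ACCEPT\n");
		fputs($file,"iptables -A OUTPUT -o lo -j ACCEPT\n");
		fputs($file,"# Define an administration ip address or subnet\n");
		fputs($file,"ADMINIP=\"$adminip\"\n");
		fputs($file,"ADMINSUBNET=\"$adminsubnet\"\n");
		fputs($file,"# Grant the administration ip address access\n");
		fputs($file,"iptables -A INPUT -p tcp -s \$ADMINIP/\$ADMINSUBNET -m multiport --destination-port 80,443,9080,9443,22,7777 -j ACCEPT\n");
		fputs($file,"# Layer 4 VIPs\n");
		// parse_config_file() fills these arrays (indexed from 1) -- presumably
		// one entry per configured layer-4 VIP; TODO confirm the index base.
		global $VIRTUAL;
		global $PROTOCOL;
		global $REAL;
		parse_config_file();
		for ( $i=1; $i<count($VIRTUAL); $i++) {
			$INVIP = Get_ip ($VIRTUAL[$i]);
			$INVIPPORT = Get_port($VIRTUAL[$i]);
			// Map the configured protocol to an iptables -p value.  Firewall-mark
			// (fwm) VIPs have no single port to open and are skipped, as before;
			// an unrecognised protocol is now skipped too instead of emitting a
			// rule with an empty or stale -p (the previous code let $prot leak
			// across iterations).
			if ($PROTOCOL[$i]=="tcp") {
				$prot="tcp";
			} elseif ($PROTOCOL[$i]=="udp" || $PROTOCOL[$i]=="ops") {
				$prot="udp";
			} else {
				continue;
			}
			fputs($file,"iptables -A INPUT -p $prot -d $INVIP --dport $INVIPPORT -j ACCEPT\n");
			// Allow return traffic from each real server behind this VIP.
			for ( $b=0; $b<count($REAL[$i]); $b++) {
				$INRIP = Get_ip ($REAL[$i][$b]);
				$INRIPPORT = Get_port($REAL[$i][$b]);
				fputs($file,"iptables -A INPUT -p $prot -s $INRIP --sport $INRIPPORT -j ACCEPT\n");				
			}
		}
		fputs($file,"# Layer 7 VIPs\n");
		global $L7VIRTUAL;
		global $L7REAL;
		L7parse_config_file();
		for ( $i=1; $i<count($L7VIRTUAL); $i++) {
			$INVIP = Get_ip ($L7VIRTUAL[$i]);
			$INVIPPORT = Get_port($L7VIRTUAL[$i]);
			// Port 7777 is already opened for the admin address above.
			if ($INVIPPORT!="7777") {
				fputs($file,"iptables -A INPUT -p tcp -d $INVIP --dport $INVIPPORT -j ACCEPT\n");
				for ( $b=0; $b<count($L7REAL[$i]); $b++) {
					$INRIP = Get_ip ($L7REAL[$i][$b]);
					$INRIPPORT = Get_port($L7REAL[$i][$b]);
					fputs($file,"iptables -A INPUT -p tcp -s $INRIP --sport $INRIPPORT -j ACCEPT\n");				
				}
			}
		}

		fputs($file,"# SSL VIPs\n");
		global $SLLVIRTUAL;
		global $SLLVIRTUAL_LABEL;
		SLLparse_config_file();
		// NOTE(review): this loop runs to <= count() while the two above stop
		// at < count(); kept as-is because the index base of the SLL arrays
		// is not visible here -- confirm against SLLparse_config_file().
		for ( $i=1; $i<=count($SLLVIRTUAL); $i++) {
			$INVIP = Get_ip ($SLLVIRTUAL[$i]);
			$INVIPPORT = Get_port($SLLVIRTUAL[$i]);
			fputs($file,"iptables -A INPUT -p tcp -d $INVIP --dport $INVIPPORT -j ACCEPT\n");
			$INRIP = Get_ip ($SLLVIRTUAL_LABEL[$i]);
			$INRIPPORT = Get_port($SLLVIRTUAL_LABEL[$i]);
			fputs($file,"iptables -A INPUT -p tcp -s $INRIP --sport $INRIPPORT -j ACCEPT\n");					
		}
		fclose($file);
		$written = true;
	} else { draw_no_access ("$target");}
	// Only push and activate a script that was actually written; previously
	// the (empty) file was synced and the firewall re-run even after fopen()
	// failed.  The "hide@address.com" user@host looks like an obfuscated
	// peer-node address -- TODO confirm.
	if ($written) {
		exec ("sudo scp $target hide@address.com:$target > /dev/null 2>&1 &");
		exec ("sudo /etc/rc.d/rc.firewall > /dev/null 2>&1 &");
		exec ("sudo ssh hide@address.com chmod +x $target  > /dev/null 2>&1 &");
		exec ("sudo ssh hide@address.com /etc/rc.d/rc.firewall  > /dev/null 2>&1 &");
		$trans="112";
		$a112 = "${$l.$trans}";
		echo "<center><p>$a112</p></center>";
		echo "<table width=\"60%\" align=\"center\"><tr><td>";
			// The generated file echoes the posted values back; escape it for
			// the <pre> context.
			$output = `sudo cat $target`;
			echo "<pre>" . htmlspecialchars($output) . "</pre>";
		echo "</td></tr></table>";
	}
} else {

// Setup the java script first.  verifyIP() is not defined in this file
// (presumably a shared script pulled in by header.inc -- TODO confirm).
			?>
			<script language="javascript" type="text/javascript">
			<!--
			function checkformfirewallwizard()
			{ // Check the new user fields are correct
				var stringtotest = document.firewallwizard.adminip.value;
				var check = verifyIP(stringtotest);
				if ( !check ) return check;

				// The form field is "adminsubnet"; the old name "adminnetmask"
				// did not exist, so the lookup threw and the check never ran.
				var stringtotest2 = document.firewallwizard.adminsubnet.value;
				check = verifyIP(stringtotest2);
				if ( !check ) return check;

				return true;
			}
			//-->
			</script>
			<?php
	// Pre-fill the admin IP with the address the browser connected from.
	$sourceip = getenv("REMOTE_ADDR");
	// $t is carried through from the request; escape it and the prefilled
	// address for the attribute context.
	$t_attr = isset($t) ? htmlspecialchars($t, ENT_QUOTES) : "";
	$sourceip_attr = htmlspecialchars($sourceip, ENT_QUOTES);
	#Display the form to change the firewall wizard settings
	?><table border="0" cellspacing="0" align="center" class="form"><td colspan="4" class="sep2"></td><?php
	echo "<FORM method=\"post\" action=\"?action=update&amp;t=$t_attr\" name=\"firewallwizard\">";
	
	echo "<tr><th>Admin IP: </th><td><INPUT type=\"text\" size=20 name=\"adminip\" value=\"$sourceip_attr\"></td>";
	echo "<th>Admin Network: </th><td><INPUT type=\"text\" size=20 name=\"adminsubnet\" value=\"255.255.255.255\"></td></tr>";
	?><td colspan="4" class="sep1"></td><?php
	echo "</table>";
	echo "<center><INPUT type=\"submit\" value=\"Submit\" name=\"go\" onclick=\"return checkformfirewallwizard()\" >";
	echo "</FORM></center>";
}
?>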
</div>
<div class="bottom"><span>-----</span></div>
</div>
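<?php
// Shared page footer; full open tag so the file does not depend on short_open_tag.
include ("../inc/footer.inc");
?>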

