From da3fe71d69e35c208b8bb05fc6e47344b0e1c017 Mon Sep 17 00:00:00 2001 From: cmaffio Date: Tue, 21 Jun 2016 16:23:20 +0200 Subject: [PATCH] Aggiunta gestione regole in ingresso --- core/function.php | 4 +- firewall/firewall_azzera.php | 9 + firewall/firewall_gest.php | 26 ++ firewall/firewall_library.php | 136 +++++++++-- firewall/firewall_regole_versointerno.php | 148 ++++++++++++ firewall/firewall_regoleinterno.php | 192 +++++++++++++++ firewall/firewall_vpn.php | 6 +- firewall/index.php | 277 +++++++++++++++++----- firewall/tmp/fw.new | 18 +- 9 files changed, 733 insertions(+), 83 deletions(-) create mode 100755 firewall/firewall_azzera.php create mode 100755 firewall/firewall_regole_versointerno.php create mode 100755 firewall/firewall_regoleinterno.php diff --git a/core/function.php b/core/function.php index f857d31..1559afb 100755 --- a/core/function.php +++ b/core/function.php @@ -657,8 +657,8 @@ class html { print "\t\n"; } - public function riga () { - print "\tsize\">conf['base_url']."/img/spazio.gif\">\n"; + public function riga ($size=15) { + print "\tsize\">\n"; } public function close () { diff --git a/firewall/firewall_azzera.php b/firewall/firewall_azzera.php new file mode 100755 index 0000000..5fee987 --- /dev/null +++ b/firewall/firewall_azzera.php @@ -0,0 +1,9 @@ + diff --git a/firewall/firewall_gest.php b/firewall/firewall_gest.php index c08eb4e..3249bf2 100755 --- a/firewall/firewall_gest.php +++ b/firewall/firewall_gest.php 
@@ -73,6 +73,32 @@ if (isset($_GET['id'])) { $testo = "Confermate la disattivazione della regola?"; break; + case "vpn_rm": + $query = "DELETE FROM firewall_vpn WHERE id = $id"; + $testo = "Confermate la rimozione della regola da quelle disponibili?"; + break; + case "vpn_up": + $query = "UPDATE firewall_vpn SET attivo = 1 WHERE id = $id"; + $testo = "Confermate l'attivazione della regola?"; + break; + case "vpn_down": + $query = "UPDATE firewall_vpn SET attivo = 0 WHERE id = $id"; + $testo = "Confermate la disattivazione della regola?"; + break; + + case "regolaint_rm": + $query = "DELETE FROM firewall_versointerno WHERE id = $id"; + $testo = "Confermate la rimozione della regola da quelle disponibili?"; + break; + case "regolaint_up": + $query = "UPDATE firewall_versointerno SET attivo = 1 WHERE id = $id"; + $testo = "Confermate l'attivazione della regola?"; + break; + case "regolaint_down": + $query = "UPDATE firewall_versointerno SET attivo = 0 WHERE id = $id"; + $testo = "Confermate la disattivazione della regola?"; + break; + default: $testo = "Regola non implementata"; diff --git a/firewall/firewall_library.php b/firewall/firewall_library.php index 4ac344c..d97bfd9 100644 --- a/firewall/firewall_library.php +++ b/firewall/firewall_library.php 
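Review bot: The six new cases interpolate `$id` directly into the DELETE/UPDATE statements (`WHERE id = $id`), so they are only safe if `$id` was already reduced to an integer before the switch; that normalization, if present, lies outside this hunk (the `if (isset($_GET['id']))` block begins before it). If it is not there, cast once where the value is read, `$id = (int) $_GET['id'];`, or cast in each new case, `WHERE id = " . (int) $id`. The same applies to all three `vpn_*` and all three `regolaint_*` cases.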
@@ -1,9 +1,6 @@ 0 + GROUP BY + firewall_versointerno_regole.id_firewall_versointerno + "; + + $nomi = array (); + $file = array (); + $esegui = array (); + + $res = mysql_query( $query, $DB_ID ); + while ($dato = mysql_fetch_array ( $res )) { + $id = $dato['id']; + $proto = $dato['proto']; + $stato = $dato['stato']; + $int_port = $dato['int_port']; + $ext_port = $dato['fw_port']; + $int_ip = $dato['int_ip']; + $ext_ip = $dato['ext_ip']; + $portaIN = $FW_conf['portaIN']; + + array_push($nomi, "REGOLA-I$id"); + + if ($stato == 2) $perm = "PERMANENTE"; else $perm = ""; + + $regola = "### START REGOLA-I$id $perm ###\n"; + $regola .= "iptables -I PREROUTING -t nat -p $proto -i $portaIN --dport $ext_port -j DNAT --to $int_ip:$int_port\n"; + $regola .= "iptables -N REGOLA-I$id\n"; + $regola .= "iptables -I REGOLA-I$id -p $proto -i $portaIN -s $ext_ip -d $int_ip --dport $int_port -j ACCEPT\n"; + $regola .= "iptables -I REGOLA-I$id -p $proto -o $portaIN -d $ext_ip -s $int_ip --sport $int_port -j ACCEPT\n"; + $regola .= "iptables -I FORWARD -j REGOLA-I$id\n"; + $regola .= "### STOP REGOLA-I$id $perm ###\n"; + + array_push($file, $regola); + + $regola .= "sudo iptables -I PREROUTING -t nat -p $proto -i $portaIN --dport $ext_port -j DNAT --to $int_ip:$int_port; "; + $regola .= "sudo iptables -N REGOLA-I$id; "; + $regola .= "sudo iptables -I REGOLA-I$id -p $proto -i $portaIN -s $ext_ip -d $int_ip --dport $int_port -j ACCEPT; "; + $regola .= "sudo iptables -I REGOLA-I$id -p $proto -o $portaIN -d $ext_ip -s $int_ip --sport $int_port -j ACCEPT; "; + $regola .= "sudo iptables -I FORWARD -j REGOLA-I$id; "; + + $esegui['REGOLA-I'.$id] = $regola; + } + + $ritorna[0] = $nomi; + $ritorna[1] = $file; + $ritorna[2] = $esegui; + return $ritorna; +} + +function genera_ext () { + global $UTENTE, $DB_ID, $CONF, $FW_conf; $query = " SELECT firewall_versoesterno_regole.id, 
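Review bot: In the new inbound-rule generator `$regola` is not reset after `array_push($file, $regola);`, so `$esegui['REGOLA-I'.$id]` carries the `### START`/`### STOP` marker lines and the non-`sudo` iptables lines intended only for the file, followed by the `sudo` commands; when that string is handed to a shell, the unprivileged `iptables` lines run (and fail) before the `sudo` ones. Add `$regola = '';` right after the `array_push` call, unless `genera_ext` deliberately relies on the same accumulation (its loop body is outside this hunk). The values spliced into the commands (`$proto`, `$int_ip`, `$ext_ip`, `$int_port`, `$ext_port`, `$portaIN`) come from the database and config rather than the request, but they still become shell arguments verbatim, so a validation pass before the string is built (e.g. `filter_var($int_ip, FILTER_VALIDATE_IP)` and `ctype_digit` on the ports) would keep a malformed row from producing a broken or unintended rule. The function's opening lines are not legible in this hunk.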
@@ -70,10 +156,8 @@ function genera_ext () { firewall_versoesterno.ext_port, proxy_pool.ip AS int_ip, firewall_macchine_ext.ip AS ext_ip - FROM firewall_versoesterno_regole - JOIN firewall_versoesterno ON @@ -90,8 +174,6 @@ function genera_ext () { firewall_macchine_ext ON firewall_versoesterno.id_firewall_macchine_ext = firewall_macchine_ext.id - - WHERE firewall_versoesterno_regole.attivo = 1 AND @@ -162,18 +244,14 @@ function genera_ext () { $regola .= "sudo iptables -I FORWARD -j REGOLA-U$id"; $esegui['REGOLA-U'.$id] = $regola; - } - $ritorna[0] = $nomi; $ritorna[1] = $file; $ritorna[2] = $esegui; - return $ritorna; } function elimina ($cerca) { - exec ("sudo iptables -nL FORWARD --line-numbers | grep $cerca", $ritorno); foreach (array_reverse($ritorno) as $riga) { $pezzi = explode (" " , $riga); @@ -183,4 +261,28 @@ function elimina ($cerca) { } } +function azzera () { + global $UTENTE, $DB_ID, $CONF, $FW_conf; + + $query = " UPDATE + firewall_versoesterno_regole + SET + stato = 0, + modifica = NOW() + WHERE + stato = 1 + "; + $res = mysql_query( $query, $DB_ID ); + + $query = " UPDATE + firewall_versointerno_regole + SET + stato = 0, + modifica = NOW() + WHERE + stato = 1 + "; + $res = mysql_query( $query, $DB_ID ); +} + ?> diff --git a/firewall/firewall_regole_versointerno.php b/firewall/firewall_regole_versointerno.php new file mode 100755 index 0000000..2396ea4 --- /dev/null +++ b/firewall/firewall_regole_versointerno.php @@ -0,0 +1,148 @@ + +
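Review bot: `azzera()` discards the result of both `mysql_query` calls, so if the second UPDATE fails the outbound rules are reset while the inbound ones are not and the caller gets no signal; at minimum check each return, `if ($res === false) { trigger_error(mysql_error($DB_ID)); return false; }`, and run the two statements in one transaction if the storage engine supports it. The globals `$UTENTE`, `$CONF` and `$FW_conf` are imported but never used in this function and can be dropped. A short header comment would make the intent explicit, e.g. `// Reset every active (stato = 1) outbound and inbound rule; permanent rules (stato = 2) are left untouched.`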
+ + + + + + + + + + + + + + + + + + +
+ + + + + Utente attivo + + Utente non attivo + + + + + Utenza + + Regola + + Perm + + + + + + + + +riga(); +} +$tabella->close(); +view_footer(); +?> diff --git a/firewall/firewall_regoleinterno.php b/firewall/firewall_regoleinterno.php new file mode 100755 index 0000000..90a8fde --- /dev/null +++ b/firewall/firewall_regoleinterno.php @@ -0,0 +1,192 @@ + +
+ + + + Nome regola + + VPN + Porta FW + + Macchina interna + Porta + + Proto + + + + + + + + + + + + + + + + + + +
+riga(); +$query = " SELECT + firewall_versointerno.id, + firewall_versointerno.nome, + firewall_versointerno.proto, + firewall_vpn.utenza, + firewall_vpn.ip AS vpn_ip, + proxy_pool.ip AS int_ip, + proxy_pool.nome AS int_nome, + firewall_versointerno.int_port, + firewall_versointerno.fw_port, + DATE_FORMAT(firewall_versointerno.data, '%d.%m.%Y %H:%i:%s') AS data, + firewall_versointerno.attivo + FROM + firewall_versointerno + JOIN + firewall_macchine + ON + firewall_versointerno.id_firewall_macchine = firewall_macchine.id + JOIN + proxy_pool + ON + firewall_macchine.id_proxy_pool = proxy_pool.id + JOIN + firewall_vpn + ON + firewall_versointerno.id_firewall_vpn = firewall_vpn.id + ORDER BY + firewall_versointerno.nome + "; + +$res = mysql_query( $query, $DB_ID ); +while ($dato = mysql_fetch_array ( $res )) { +?> + + + + Regola attiva + + Regola non attiva + + + + + + + + + + + + + + + + + + + + + + +riga(); +} +$tabella->close(); +view_footer(); +?> diff --git a/firewall/firewall_vpn.php b/firewall/firewall_vpn.php index 14fef75..356cf45 100755 --- a/firewall/firewall_vpn.php +++ b/firewall/firewall_vpn.php @@ -78,12 +78,12 @@ while ($dato = mysql_fetch_array ( $res )) { - Regola attiva + VPN attiva - Regola non attiva + VPN non attiva - + diff --git a/firewall/index.php b/firewall/index.php index 21f1e29..9812c34 100755 --- a/firewall/index.php +++ b/firewall/index.php 
@@ -5,83 +5,234 @@ $UTENTE = login(); $DIRITTI = diritti('Utente'); view_top(); -if (isset($_POST['utente'])) { +if (isset($_POST['regola'])) { + $utente = $_POST['utente']; - $modificato = 0; - $old = $new = array(); foreach ($_POST as $id => $valore) { if (preg_match ("/^new-(\d+)/", $id, $ris)) $new[$ris[1]] = $valore; if (preg_match ("/^old-(\d+)/", $id, $ris)) $old[$ris[1]] = $valore; } - foreach ($new as $id => $valore) { - if ($new[$id] == $old[$id]) continue; - - $modificato = 1; - if ($valore >1) - $stato = 1; - else - $stato = $valore; - - $query = " SELECT - firewall_versoesterno_regole.id_firewall_versoesterno - FROM + if ($_POST['regola'] == "intext") { + foreach ($new as $id => $valore) { + if ($new[$id] == $old[$id]) continue; + + $modificato = 1; + if ($valore >1) + $stato = 1; + else + $stato = $valore; + + $query = " SELECT + firewall_versoesterno_regole.id_firewall_versoesterno + FROM firewall_versoesterno_regole - WHERE - firewall_versoesterno_regole.id = $id - "; - - $res = mysql_query( $query, $DB_ID ); - $dato = mysql_fetch_array ( $res ); - - $query = " UPDATE - firewall_versoesterno_regole - SET - stato = $valore, - modifica = NOW() - WHERE - id_firewall_versoesterno = ".$dato['id_firewall_versoesterno']; - $res = mysql_query( $query, $DB_ID ); - - $query = " INSERT INTO - firewall_logs - SET - id_utenti = ".$UTENTE['id'].", - tabella = 'versoesterno', - id_regole = $id, - stato = $valore, - data = NOW() - "; - $res = mysql_query( $query, $DB_ID ); - - } + WHERE + firewall_versoesterno_regole.id = $id + "; + + $res = mysql_query( $query, $DB_ID ); + $dato = mysql_fetch_array ( $res ); + + $query = " UPDATE + firewall_versoesterno_regole + SET + stato = $valore, + modifica = NOW() + WHERE + id_firewall_versoesterno = ".$dato['id_firewall_versoesterno']; + $res = mysql_query( $query, $DB_ID ); + + $query = " INSERT INTO + firewall_logs + SET + id_utenti = ".$UTENTE['id'].", + tabella = 'versoesterno', + id_regole = $id, + stato = $valore, + 
data = NOW() + "; + $res = mysql_query( $query, $DB_ID ); + } + } else if ($_POST['regola'] == "extint") { + foreach ($new as $id => $valore) { + if ($new[$id] == $old[$id]) continue; + $modificato = 1; + if ($valore >1) + $stato = 1; + else + $stato = $valore; + + $query = " SELECT + firewall_versointerno_regole.id_firewall_versointerno + FROM + firewall_versointerno_regole + WHERE + firewall_versointerno_regole.id = $id + "; + + $res = mysql_query( $query, $DB_ID ); + $dato = mysql_fetch_array ( $res ); + + $query = " UPDATE + firewall_versointerno_regole + SET + stato = $valore, + modifica = NOW() + WHERE + id_firewall_versointerno = ".$dato['id_firewall_versointerno']; + $res = mysql_query( $query, $DB_ID ); + + $query = " INSERT INTO + firewall_logs + SET + id_utenti = ".$UTENTE['id'].", + tabella = 'versointerno', + id_regole = $id, + stato = $valore, + data = NOW() + "; + $res = mysql_query( $query, $DB_ID ); + } + } if ($modificato) genera(); - } -$tabella = new html (0,"90%",array(15,2,20,2,5,0)); +$tabella = new html (0,"90%",array(15,2,30,2,5,0)); ?>
- + - + + Regole Esterno -> Interno + riga (); +$tabella->riga (10); +$query = " SELECT + firewall_versointerno_regole.id, + firewall_versointerno_regole.permanente, + firewall_versointerno_regole.stato, + firewall_versointerno.nome, + firewall_versointerno.int_port, + firewall_versointerno.fw_port, + firewall_versointerno.proto, + proxy_pool.nome AS int_nome, + proxy_pool.ip AS int_ip, + firewall_vpn.utenza, + firewall_vpn.ip AS vpn_ip + FROM + firewall_versointerno_regole + JOIN + firewall_versointerno + ON + firewall_versointerno_regole.id_firewall_versointerno = firewall_versointerno.id + JOIN + firewall_macchine + ON + firewall_versointerno.id_firewall_macchine = firewall_macchine.id + JOIN + proxy_pool + ON + firewall_macchine.id_proxy_pool = proxy_pool.id + JOIN + firewall_vpn + ON + firewall_versointerno.id_firewall_vpn = firewall_vpn.id + JOIN + utenti + ON + firewall_versointerno_regole.id_utenti = utenti.id + AND + utenti.id = ".$UTENTE['id']." + WHERE + firewall_versointerno_regole.attivo = 1 + ORDER BY + firewall_versointerno.nome + "; +$res = mysql_query( $query, $DB_ID ); +while ($dato = mysql_fetch_array ( $res )) { ?> + + + + + + + Regola + + Perm + + + + "; + if ($dato['int_nome'] != "") { + print $dato['int_nome']; + } else { + print $dato['int_ip']; + } + print ":".$dato['fw_port']." (".$dato['proto'].")";; +?> + + +riga (5); +} ?> +
+ +riga (30) ?> +
+ + + + + + Regole Interno -> Esterno + + +riga (10); $query = " SELECT firewall_versoesterno_regole.id, firewall_versoesterno_regole.stato, firewall_versoesterno.nome, - firewall_versoesterno_regole.permanente + firewall_versoesterno.int_port, + firewall_versoesterno.ext_port, + firewall_versoesterno.proto, + firewall_versoesterno_regole.permanente, + proxy_pool.nome AS int_nome, + proxy_pool.ip AS int_ip, + firewall_macchine_ext.nome AS ext_nome, + firewall_macchine_ext.ip AS ext_ip FROM firewall_versoesterno_regole + JOIN + firewall_versoesterno + ON + firewall_versoesterno_regole.id_firewall_versoesterno = firewall_versoesterno.id + JOIN + firewall_macchine + ON + firewall_versoesterno.id_firewall_macchine = firewall_macchine.id + JOIN + proxy_pool + ON + firewall_macchine.id_proxy_pool = proxy_pool.id JOIN utenti ON @@ -89,9 +240,9 @@ $query = " SELECT AND utenti.id = ".$UTENTE['id']." JOIN - firewall_versoesterno + firewall_macchine_ext ON - firewall_versoesterno_regole.id_firewall_versoesterno = firewall_versoesterno.id + firewall_versoesterno.id_firewall_macchine_ext = firewall_macchine_ext.id WHERE firewall_versoesterno_regole.attivo = 1 ORDER BY @@ -119,12 +270,32 @@ while ($dato = mysql_fetch_array ( $res )) { - + "; + if ($dato['ext_nome'] != "") { + print $dato['ext_nome']; + } else { + print $dato['ext_ip']; + } + print ":".$dato['ext_port']." (".$dato['proto'].")";; + + +?> riga (); +$tabella->riga (5); } ?> + + + +
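Review bot: The initializations `$modificato = 0;` and `$old = $new = array();` are removed at the top of the `if (isset($_POST['regola']))` block, yet both branches still iterate `$new` and index `$old`, and the block still ends with `if ($modificato) genera();`, so a submission without `new-N`/`old-N` fields raises undefined-variable warnings on `$new`, `$old` and `$modificato`; restore the two lines right after `$utente = $_POST['utente'];`. That same `$_POST['utente']` read is now unconditional although the guard changed to `regola`, and `$utente` is not used anywhere in the hunk, so either drop the line or read it as `$_POST['utente'] ?? null`. In both the `intext` and `extint` branches `$valore` goes straight from the POST body into `SET stato = $valore` and into the `firewall_logs` insert, while the clamped `$stato` computed from it is never used; use `stato = " . (int) $stato . "` (or cast `$valore` once) so only an integer reaches the query. The page continues past this hunk.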
close (); diff --git a/firewall/tmp/fw.new b/firewall/tmp/fw.new index 29d1c58..61baeb1 100644 --- a/firewall/tmp/fw.new +++ b/firewall/tmp/fw.new @@ -1,19 +1,20 @@ fw_custom_after_chain_creation() { - # REGOLE DINAMICHE + # REGOLE DINAMICHE ### START REGOLA-U1 PERMANENTE ### iptables -N REGOLA-U1 iptables -I REGOLA-U1 -p tcp -o -s 192.168.1.1 --sport 25 -d 151.1.219.70 --dport 443 -j ACCEPT iptables -I REGOLA-U1 -p tcp -i -d 192.168.1.1 --dport 25 -s 151.1.219.70 --sport 443 -j ACCEPT iptables -I FORWARD -j REGOLA-U1 ### STOP REGOLA-U1 PERMANENTE ### -### START REGOLA-U3 ### -iptables -N REGOLA-U3 -iptables -I REGOLA-U3 -p udp -o -s 192.168.1.3 --sport 45 -d 151.1.219.70 --dport 6754 -j ACCEPT -iptables -I REGOLA-U3 -p udp -i -d 192.168.1.3 --dport 45 -s 151.1.219.70 --sport 6754 -j ACCEPT -iptables -I FORWARD -j REGOLA-U3 -### STOP REGOLA-U3 ### - # FINE REGOLE DINAMICHE +### START REGOLA-I1 PERMANENTE ### +iptables -I PREROUTING -t nat -p tcp -i --dport 3056 -j DNAT --to 192.168.1.2:3306 +iptables -N REGOLA-I1 +iptables -I REGOLA-I1 -p tcp -i -s 10.10.40.9 -d 192.168.1.2 --dport 3306 -j ACCEPT +iptables -I REGOLA-I1 -p tcp -o -d 10.10.40.9 -s 192.168.1.2 --sport 3306 -j ACCEPT +iptables -I FORWARD -j REGOLA-I1 +### STOP REGOLA-I1 PERMANENTE ### + # FINE REGOLE DINAMICHE @@ -39,3 +40,4 @@ fw_custom_after_finished() { true } +
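Review bot: The new print of the remote endpoint ends with a doubled semicolon, `print ":".$dato['ext_port']." (".$dato['proto'].")";;` — harmless but a stray token; the same appears on the `fw_port` print in the first index.php hunk. Both prints emit `ext_nome`/`ext_ip` (and `int_nome`/`int_ip`) plus `proto` from the database straight into the HTML table, so a machine or rule name containing markup would be rendered as-is; wrap each value, e.g. `print htmlspecialchars($dato['ext_nome'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The enclosing `while` loop and table are closed by the context lines that end the hunk.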