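<?php
// Generates the gateway's NAT-table iptables rules from the users/hosts tables
// and persists the result with iptables-save.
//
// Runtime contract (none of this is defined here):
//   - ../../../Common/Global.php provides $Database, $InetInterface and ToVpnIp().
//   - The custom nat chains Block, PreroutingDNAT, Local and Proxy are assumed
//     to already exist; this script only flushes and refills them.
//   - The process needs enough privilege to run /sbin/iptables and to write
//     /etc/sysconfig/iptables.
// Any invocation through a web server is refused: REMOTE_ADDR is only set
// for HTTP requests, so this effectively restricts the script to CLI/cron use.
if (isset($_SERVER['REMOTE_ADDR'])) die();
include_once('../../../Common/Global.php');

/**
 * Runs /sbin/iptables with every argument shell-escaped and logs failures.
 *
 * Addresses, host names and interface names fed into the rules come from the
 * database (data that is editable through the web application) or from the
 * global configuration. Each token is passed through escapeshellarg() so a
 * value such as "1.2.3.4; rm -rf /" stays a (rejected) iptables argument
 * instead of becoming a second shell command.
 *
 * A non-zero exit code is reported via error_log() but does not abort the
 * run: one bad row must not prevent the remaining rules from being loaded.
 *
 * @param list<string> $Args iptables arguments, one array element per token
 */
function IptablesExec(array $Args): void
{
  $Command = '/sbin/iptables';
  foreach ($Args as $Arg) $Command .= ' '.escapeshellarg((string)$Arg);
  exec($Command, $Output, $ExitCode);
  if ($ExitCode !== 0) error_log('IPTables.php: exit code '.$ExitCode.' from: '.$Command);
}

// Start from empty chains so rules from the previous run do not linger.
IptablesExec(['-t', 'nat', '-F', 'Block']);
IptablesExec(['-t', 'nat', '-F', 'POSTROUTING']);
IptablesExec(['-t', 'nat', '-F', 'PreroutingDNAT']);

// Per-host rules. For every user, take the hosts that have a MAC, are not
// blocked (block < 2) and whose internal IP differs from their public one.
// (The earlier commented-out variants -- per-IP Block rules, a TBC port
// DNAT and the SMTP NAT -- were dead code and have been dropped; see the
// repository history if they are needed again.)
$DbResult = $Database->select('users', '*');
while ($User = $DbResult->fetch_array())
{
  // The user id is interpolated into SQL; force it to an integer so a
  // non-numeric value in the users table cannot alter the query.
  $UserId = (int)$User['id'];
  $DbResult2 = $Database->select('hosts', '*', '(block < 2) AND (MAC != "") AND (user='.$UserId.') AND (IP != external_ip) ORDER BY id DESC');
  while ($Row = $DbResult2->fetch_array())
  {
    // Users without Internet access (inet = 0) currently get no rules at all;
    // the MAC-based Proxy/Local redirect for them is disabled.
    if ($User['inet'] == 0) continue;

    if ($Row['vpn'] == 0)
    {
      // Directly connected host: 1:1 NAT between its public and internal
      // address on the Internet interface. The gateway itself is skipped --
      // its public address is handled by the catch-all SNAT rule at the end.
      $CZFreeLocalIP = $Row['IP'];
      if ((strtolower($Row['name']) != 'gate') and ($Row['external_ip'] != ''))
      {
        echo($Row['name'].'='.$Row['external_ip']."\n");
        IptablesExec(['-t', 'nat', '-A', 'PreroutingDNAT', '-i', $InetInterface, '-d', $Row['external_ip'], '-j', 'DNAT', '--to-destination', $Row['IP']]);
        // NOTE(review): DNAT is a terminating target in the nat table, so this
        // ACCEPT with the identical match looks redundant; kept as in the
        // original ruleset until confirmed.
        IptablesExec(['-t', 'nat', '-A', 'PreroutingDNAT', '-i', $InetInterface, '-d', $Row['external_ip'], '-j', 'ACCEPT']);
        IptablesExec(['-t', 'nat', '-A', 'POSTROUTING', '-s', $Row['IP'], '-o', $InetInterface, '-j', 'SNAT', '--to-source', $Row['external_ip']]);
      }
    }
    else
    {
      // VPN host: its public address is used as-is (no DNAT), and traffic from
      // its VPN address is sent to the Proxy chain.
      $CZFreeLocalIP = $Row['external_ip'];
      if ($Row['external_ip'] != '') IptablesExec(['-t', 'nat', '-A', 'PreroutingDNAT', '-d', $Row['external_ip'], '-j', 'ACCEPT']);
      IptablesExec(['-t', 'nat', '-A', 'Block', '-s', ToVpnIp($Row), '-j', 'Proxy']);
    }

    if ($Row['czfree_ip'] != '')
    {
      // CZFree address reachable over tun0: 1:1 NAT to the address chosen
      // above (internal IP for direct hosts, public IP for VPN hosts).
      IptablesExec(['-t', 'nat', '-A', 'PreroutingDNAT', '-i', 'tun0', '-d', $Row['czfree_ip'], '-j', 'DNAT', '--to-destination', $CZFreeLocalIP]);
      IptablesExec(['-t', 'nat', '-A', 'PreroutingDNAT', '-i', 'tun0', '-d', $Row['czfree_ip'], '-j', 'ACCEPT']);
      IptablesExec(['-t', 'nat', '-A', 'POSTROUTING', '-s', $CZFreeLocalIP, '-o', 'tun0', '-j', 'SNAT', '--to-source', $Row['czfree_ip']]);
    }
  }
}

// Local network NAT: everything else on 192.168.0.0/16 leaves through the
// gateway's public address. Appended last so the per-host SNAT rules above
// take precedence. Without a usable "gate" row the rule is skipped and
// reported rather than issued with an empty --to-source.
$DbResult = $Database->select('hosts', '*', 'name="gate"');
$Gate = $DbResult->fetch_array();
if ($Gate and ($Gate['external_ip'] != ''))
{
  IptablesExec(['-t', 'nat', '-A', 'POSTROUTING', '-s', '192.168.0.0/255.255.0.0', '-o', $InetInterface, '-j', 'SNAT', '--to-source', $Gate['external_ip']]);
}
else
{
  error_log('IPTables.php: host "gate" not found or has no external_ip; default LAN SNAT rule not added');
}

// Persist the live ruleset so it is restored on boot.
exec('/sbin/iptables-save>/etc/sysconfig/iptables', $Output, $ExitCode);
if ($ExitCode !== 0) error_log('IPTables.php: iptables-save failed with exit code '.$ExitCode);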