[LON-CAPA-cvs] cvs: loncom /init.d loncontrol

matthew lon-capa-cvs@mail.lon-capa.org
Thu, 02 Dec 2004 18:49:55 -0000


matthew		Thu Dec  2 13:49:55 2004 EDT

  Modified files:              
    /loncom/init.d	loncontrol 
  Log:
  Added firewall port opening code.
  
  
Index: loncom/init.d/loncontrol
diff -u loncom/init.d/loncontrol:1.19 loncom/init.d/loncontrol:1.20
--- loncom/init.d/loncontrol:1.19	Thu Aug 19 14:31:42 2004
+++ loncom/init.d/loncontrol	Thu Dec  2 13:49:55 2004
@@ -22,6 +22,74 @@
 $ENV{'PATH'}="/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin";
 $ENV{'BASH_ENV'}="";
 
+{ # Firewall variable scoping
+    # Firewall code is based on the code in FC2 /etc/init.d/ntpd
+    my $fw_chain = 'RH-Firewall-1-INPUT';
+    my $iptables = '/sbin/iptables';
+    my $port = 5663;
+
+sub firewall_open_port {
+    return if (! &firewall_is_active);
+    print "Opening firewall access on port $port\n";
+    if (! `$iptables -L -n 2>/dev/null | grep $fw_chain | wc -l`) { return; }
+    # iptables is running with our chain
+    #
+    # We could restrict the servers allowed to attempt to communicate
+    # here, but the logistics of updating the /home/httpd/lonTabs/host.tab
+    # file are likely to be a problem
+    my $firewall_command = 
+        "$iptables -I $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
+    system($firewall_command);
+    my $return_status = $?>>8;
+    if ($return_status == 1) {
+        # Error
+        print "Error opening port.\n";
+    } elsif ($return_status == 2) {
+        # Bad command
+        print "Bad command error opening port.  Command was\n".
+            "  ".$firewall_command."\n";
+    }
+}
+
+sub firewall_is_port_open {
+    # returns 1 if the firewall port is open, 0 if not.
+    #
+    # check if firewall is active or installed
+    return if (! &firewall_is_active);
+    if (`$iptables -L -n 2>/dev/null | grep "tcp dpt:$port"`) { 
+        return 1;
+    } else {
+        return 0;
+    }
+}
+
+sub firewall_is_active {
+    if (-e '/proc/net/ip_tables_names') {
+        return 1;
+    } else {
+        return 0;
+    }
+}
+
+sub firewall_close_port {
+    return if (! &firewall_is_active);
+    print "Closing firewall access on port $port\n";
+    my $firewall_command = 
+        "$iptables -D $fw_chain -p tcp -d 0/0 --dport $port -j ACCEPT";
+    system($firewall_command);
+    my $return_status = $?>>8;
+    if ($return_status == 1) {
+        # Error
+        print "Error closing port.\n";
+    } elsif ($return_status == 2) {
+        # Bad command
+        print "Bad command error closing port.  Command was\n".
+            "  ".$firewall_command."\n";
+    }
+}
+
+} # End firewall variable scope
+
 sub stop_daemon {
     my ($daemon,$killallname)=@_;
     my $pidfile="/home/httpd/perl/logs/$daemon.pid";
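Review bot: The chain-presence guard in firewall_open_port never returns early, because `wc -l` prints `"0\n"` when there is no match and that string is true in Perl (only `""` and `"0"` are false), so the ACCEPT rule is inserted even when the RH-Firewall-1-INPUT chain does not exist. Dropping the `wc -l` makes the backtick result empty on no match, as firewall_is_port_open already relies on: `if (! `$iptables -L -n 2>/dev/null | grep $fw_chain`) { return; }`. Separately, `-I` inserts a fresh rule on every start while `-D` in firewall_close_port removes only one, so repeated start/stop cycles leave duplicate ACCEPT rules behind; guarding with `return if &firewall_is_port_open();` before the insert avoids that. The two system() calls build a shell command string from fixed values, which is safe as written, but the list form `system($iptables, '-I', $fw_chain, '-p', 'tcp', '--dport', $port, '-j', 'ACCEPT')` would avoid the shell entirely and also lets you detect `$? == -1` (iptables missing), which `$? >> 8` currently reports as 255 and silently ignores. The enclosing script continues outside the hunk.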
@@ -55,6 +123,7 @@
     print("\n");
 }
 
+
 if (($command eq "restartold") or ($command eq "reloadold")) {
     print 'Restarting LON-CAPA'."\n";
     print 'Ending LON-CAPA client and daemon processes'."\n";
@@ -82,12 +151,15 @@
 	if ($daemon eq 'lonc') { $killallname='loncnew'; }
 	&stop_daemon($daemon,$killallname);
     }
+    &firewall_close_port();
 } elsif ($command eq "startold") {
+    &firewall_open_port();
     print 'Starting LON-CAPA'."\n";
     print 'Starting LON-CAPA client and daemon processes (please be patient)'.
 	"\n"; 
     system("su www -c '/home/httpd/perl/loncron --oldlonc --justcheckdaemons'");
 } elsif ($command eq "start") {
+    &firewall_open_port();
     print 'Starting LON-CAPA'."\n";
     print 'Starting LON-CAPA client and daemon processes (please be patient)'.
 	"\n"; 
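Review bot: In both the `startold` and `start` branches the firewall port is opened before the daemons are launched and the `su www -c ... loncron` start command's result is not checked, so a failed start leaves the port open with nothing listening behind it. Opening after the start command, or calling firewall_close_port when `system` returns non-zero, keeps the firewall state tied to whether the daemon actually came up. The `restart` handling and the enclosing `if`/`elsif` chain start outside this hunk, so I cannot tell from here whether restart also closes and reopens the port.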
@@ -100,6 +172,14 @@
 	print 'LON-CAPA is running.'."\n";
 	system("su www -c '/home/httpd/perl/loncron --justcheckconnections'");
     }
+    if (! &firewall_is_active) {
+        print 'The iptables firewall is not active'."\n";
+    }
+    if (&firewall_is_port_open()) {
+        print 'The LON-CAPA port is open in firewall.'."\n";
+    } elsif (&firewall_is_active) {
+        print 'The LON-CAPA port is NOT open in running firewall!'."\n";
+    }
 } else {
     print 'You need to specify one of restart|stop|start|status on the command line.'."\n";
 }
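Review bot: The status report prints "The LON-CAPA port is open in firewall." whenever firewall_is_port_open finds any rule mentioning `tcp dpt:5663`, because its grep does not look at the rule target or chain, so a DROP or REJECT rule for the port would also be reported as open. Matching the target as well, `grep "ACCEPT.*tcp dpt:$port"`, ties the check to an accepting rule (in `iptables -L -n` output the target column precedes the match text, but please confirm on the target distribution). It would also be worth naming the port in the message, e.g. `print "The LON-CAPA port $port is NOT open in running firewall!\n";`, since the status is the first thing an administrator reads when connections fail.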