############################################################################### # Name: addRules() # Parameters: hash: # protocol - Network protocol (ipv6 or ipv4) # ports - List of Net::Port objects. # addresses - List of addresses of this type. # domains - List of iptables domains # Return: 0 failure, 1 success # Description: # For a given set of ports add accept rules for all the specified addresses # across all the specified net protocols and domains. ############################################################################### sub addRules { my %args = @_; my $protocol = $args{protocol}; my $ports = $args{ports}; my $addresses = $args{addresses}; my $domain = $args{domain}; my $appendCmd = "iptablesAdm append"; $appendCmd .= " --type=rule"; $appendCmd .= " --table=filter"; $appendCmd .= " --chain=INPUT"; $appendCmd .= " --protocol=${protocol}"; $appendCmd .= " --domain=${domain}"; $appendCmd .= " --persist=yes"; Dbug->debug("Base Insert CMD: ${appendCmd}"); # # Loop over the ports and create a rule for each of the addresses with each port: foreach my $port (@$ports) { my $portNum = $port->port(); my $transport = $port->transportStr(); Dbug->log("Inserting rules for ${portNum} addresses @{$addresses}"); # # Build up the match string portion of the iptables command: my $matchString = "-m state"; $matchString .= " --state NEW"; $matchString .= " -m ${transport}"; $matchString .= " --protocol ${transport}"; $matchString .= " --dport ${portNum}"; $matchString .= " -s " . join(',', @$addresses); $matchString .= " -j ACCEPT"; # # Build the full command: my $cmd = "${appendCmd} --match=\"${matchString}\""; # # Run the command: Dbug->log("\tCMD: ${cmd}\n"); system($cmd) && do { Dbug->error("Rule insert failed!"); Dbug->error("CMD: ${cmd}"); return 0; }; } # # As a side effect of getting the rules we will display what they are right # now, and we would like to see what things look like after adding this # rule: printRules('protocol' => $protocol, 'domain' => $domain); return 1; }