zydronium/internetee-registry
1
0
Fork 0
mirror of https://github.com/internetee/registry.git synced 2025-07-01 16:53:37 +02:00
Code Issues Projects Releases Packages Wiki Activity

Added iptables counter update script

Browse source
This commit is contained in:
Priit Tark 2015-05-31 23:28:15 +03:00
parent 80e4fe0529
commit bb6186c33b
6 changed files with 47 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

4
CHANGELOG.md
View file

@ -1,3 +1,7 @@
29.05.2015
* Removed old 'iptables_counter_update_command' and added 'iptables_counter_enabled'
26.05.2015 26.05.2015
* Updated deploy script, now staging comes from staging branch * Updated deploy script, now staging comes from staging branch

3
app/controllers/epp_controller.rb
View file

@ -285,6 +285,7 @@ class EppController < ApplicationController
# rubocop: enable Metrics/CyclomaticComplexity # rubocop: enable Metrics/CyclomaticComplexity
def iptables_counter_update def iptables_counter_update
`ENV['iptables_counter_update_command']` if ENV['iptables_counter_update_command'].present? return if ENV['iptables_counter_enabled'].blank? && ENV['iptables_counter_enabled'] != 'true'
Iptable.counter_update(current_user.registrar_code, request.remote_ip)
end end
end end

5
app/models/api_user.rb
View file

@ -11,13 +11,16 @@ class ApiUser < User
} }
end end
# TODO: should have max request limit per day # TODO: should have max request limit per day?
belongs_to :registrar belongs_to :registrar
has_many :certificates has_many :certificates
validates :username, :password, :registrar, :roles, presence: true validates :username, :password, :registrar, :roles, presence: true
validates :username, uniqueness: true validates :username, uniqueness: true
# TODO: probably cache, because it's requested on every EPP
delegate :code, to: :registrar, prefix: true
attr_accessor :registrar_typeahead attr_accessor :registrar_typeahead
ROLES = %w(super epp billing) # should not match to admin roles ROLES = %w(super epp billing) # should not match to admin roles

4
config/application-example.yml
View file

@ -30,8 +30,8 @@ webclient_cert_common_name: 'webclient'
# and returns 2306 "Parameter value policy error" # and returns 2306 "Parameter value policy error"
contact_org_enabled: 'false' contact_org_enabled: 'false'
# Firewall countrer update command # Enable iptables counter updater
# iptables_counter_update_command: '' # iptables_counter_enabled: 'true'
# DEPP server configuration (both for Registrar/Registrant servers) # DEPP server configuration (both for Registrar/Registrant servers)
show_ds_data_fields: 'false' show_ds_data_fields: 'false'

39
doc/debian_build_doc.md
View file

@ -42,8 +42,7 @@ Please install following lib, otherwise your bundler install might not be succes
### Firewall rate limit config ### Firewall rate limit config
First increase the maximum possible value for the hitcount parameter First increase the maximum possible value form 20 to 100 of the hitcount parameter.
from its default value of 20 by setting the option
ip_pkt_list_tot of the xt_recent kernel module. ip_pkt_list_tot of the xt_recent kernel module.
This can be done by creating an ip_pkt_list_tot.conf file in /etc/modeprobe.d/ which contains: This can be done by creating an ip_pkt_list_tot.conf file in /etc/modeprobe.d/ which contains:
@ -53,7 +52,6 @@ options xt_recent ip_pkt_list_tot=100
Once the file is created, reload the xt_recent kernel module via modprobe -r xt_recent && modprobe xt_recent or reboot the system. Once the file is created, reload the xt_recent kernel module via modprobe -r xt_recent && modprobe xt_recent or reboot the system.
#### Registrar, REPP, Restful-whois #### Registrar, REPP, Restful-whois
```` ````
@ -70,22 +68,6 @@ $IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} $IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
```` ````
#### EPP
````
#!/bin/bash
# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
IPT=/sbin/iptables
# Max connection in seconds
SECONDS=60
# Max connections per IP
BLOCKCOUNT=100
# default action can be DROP or REJECT or something else.
DACTION="REJECT"
$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
````
#### Whois #### Whois
```` ````
@ -102,3 +84,22 @@ $IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION} $IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
```` ````
#### EPP
We need to update iptables hitcounter from application.
````
#!/bin/bash
# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
IPT=/sbin/iptables
# Registrar handler
REGISTRAR_CODE="test"
# Max connection in seconds
SECONDS=60
# Max connections per IP
BLOCKCOUNT=100
# default action can be DROP or REJECT or something else.
DACTION="REJECT"
$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 700 -m recent --name $REGISTRAR_CODE --rdest --rcheck --hitcount ${BLOCKCOUNT} --seconds ${SECONDS} -j ${DACTION}
````

15
lib/iptable.rb Normal file
View file

@ -0,0 +1,15 @@
module Iptable
def counter_update(registrar_code, ip)
counter_proc = "/proc/net/xt_recent/#{registrar_code}"
begin
File.open(counter_proc, 'a') do |f|
f.puts "+#{ip}"
end
rescue Errno::ENOENT => e
logger.error "ERROR: cannot open #{counter_proc}: #{e}"
rescue IOError => e
logger.error "ERROR: cannot write #{ip} to #{counter_proc}: #{e}"
end
end
end