Added iptables counter update script

2025-07-01 16:53:37 +02:00 · 2015-05-31 23:28:15 +03:00 · 2015-05-31 23:28:15 +03:00 · bb6186c33b
commit bb6186c33b
parent 80e4fe0529
6 changed files with 47 additions and 23 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,7 @@
+29.05.2015
+
+* Removed old 'iptables_counter_update_command' and added 'iptables_counter_enabled'
+
 26.05.2015

 * Updated deploy script, now staging comes from staging branch
--- a/app/controllers/epp_controller.rb
+++ b/app/controllers/epp_controller.rb
@ -285,6 +285,7 @@ class EppController < ApplicationController
  # rubocop: enable Metrics/CyclomaticComplexity

  def iptables_counter_update
-    `ENV['iptables_counter_update_command']` if ENV['iptables_counter_update_command'].present?
+    return if ENV['iptables_counter_enabled'].blank? && ENV['iptables_counter_enabled'] != 'true'
+    Iptable.counter_update(current_user.registrar_code, request.remote_ip)
  end
 end
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@ -11,13 +11,16 @@ class ApiUser < User
    }
  end

-  # TODO: should have max request limit per day
+  # TODO: should have max request limit per day?
  belongs_to :registrar
  has_many :certificates

  validates :username, :password, :registrar, :roles, presence: true
  validates :username, uniqueness: true

+  # TODO: probably cache, because it's requested on every EPP
+  delegate :code, to: :registrar, prefix: true
+
  attr_accessor :registrar_typeahead

  ROLES = %w(super epp billing) # should not match to admin roles
--- a/config/application-example.yml
+++ b/config/application-example.yml
@ -30,8 +30,8 @@ webclient_cert_common_name: 'webclient'
 # and returns 2306 "Parameter value policy error"
 contact_org_enabled: 'false'

-# Firewall countrer update command
-# iptables_counter_update_command: ''
+# Enable iptables counter updater 
+# iptables_counter_enabled: 'true'

 # DEPP server configuration (both for Registrar/Registrant servers)
 show_ds_data_fields: 'false'
--- a/doc/debian_build_doc.md
+++ b/doc/debian_build_doc.md
@ -42,8 +42,7 @@ Please install following lib, otherwise your bundler install might not be succes

 ### Firewall rate limit config

-First increase the maximum possible value for the hitcount parameter
-from its default value of 20 by setting the option 
+First increase the maximum possible value form 20 to 100 of the hitcount parameter.
 ip_pkt_list_tot of the xt_recent kernel module. 
 This can be done by creating an ip_pkt_list_tot.conf file in /etc/modeprobe.d/ which contains:

@ -53,7 +52,6 @@ options xt_recent ip_pkt_list_tot=100

 Once the file is created, reload the xt_recent kernel module via modprobe -r xt_recent && modprobe xt_recent or reboot the system.

-
 #### Registrar, REPP, Restful-whois

 ````
@ -70,22 +68,6 @@ $IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set
 $IPT -A INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
 ````

-#### EPP
-
-````
-#!/bin/bash
-# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
-IPT=/sbin/iptables
-# Max connection in seconds
-SECONDS=60
-# Max connections per IP
-BLOCKCOUNT=100
-# default action can be DROP or REJECT or something else.
-DACTION="REJECT"
-$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --set
-$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
-````
-
 #### Whois

 ````
@ -102,3 +84,22 @@ $IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --set
 $IPT -A INPUT -p tcp --dport 43 -i eth0 -m state --state NEW -m recent --rcheck --seconds ${SECONDS} --hitcount ${BLOCKCOUNT} -j ${DACTION}
 ````

+#### EPP
+
+We need to update iptables hitcounter from application.
+
+````
+#!/bin/bash
+# Inspired and credits to Vivek Gite: http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
+IPT=/sbin/iptables
+# Registrar handler
+REGISTRAR_CODE="test"
+# Max connection in seconds
+SECONDS=60
+# Max connections per IP
+BLOCKCOUNT=100
+# default action can be DROP or REJECT or something else.
+DACTION="REJECT"
+$IPT -A INPUT -p tcp --dport 700 -i eth0 -m state --state NEW -m recent --set
+$IPT -A INPUT -p tcp --dport 700 -m recent --name $REGISTRAR_CODE --rdest --rcheck --hitcount ${BLOCKCOUNT} --seconds ${SECONDS} -j ${DACTION}
+````
--- a/lib/iptable.rb
+++ b/lib/iptable.rb
@ -0,0 +1,15 @@
+module Iptable
+  def counter_update(registrar_code, ip)
+    counter_proc = "/proc/net/xt_recent/#{registrar_code}"
+
+    begin
+      File.open(counter_proc, 'a') do |f|
+        f.puts "+#{ip}"
+      end
+    rescue Errno::ENOENT => e
+      logger.error "ERROR: cannot open #{counter_proc}: #{e}"
+    rescue IOError => e
+      logger.error "ERROR: cannot write #{ip} to #{counter_proc}: #{e}"
+    end
+  end
+end