
Re: Bash scripting info needed.



Hi


> I'm not sure I understand you correctly, but how about this:
>
> ## 0 == LOG
> ## 1 == DROP
> ## 2 == LOG & DROP
> LOGTCP=2;
> if [ $LOGTCP -eq 0 ]; then
>     #Log forbidden TCP datagrams
>     iptables -A TCP --protocol tcp -m limit --limit 1/minute \
>      --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
> elif [ $LOGTCP -eq 1 ]; then
>     # Disallow NEW and INVALID incoming from the external interface
>     iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
>     # Drop all TCP
>     iptables -A TCP -j DROP
> elif [ $LOGTCP -eq 2 ]; then
>     #Log forbidden TCP datagrams
>     iptables -A TCP --protocol tcp -m limit --limit 1/minute \
>      --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
>     iptables -A TCP --protocol tcp -j DROP
> fi

If the question is the above, then IMHO it is better to use the "case" statement:

case "$LOGTCP" in
    0)  # Log forbidden TCP datagrams
        iptables -A TCP --protocol tcp -m limit --limit 1/minute \
            --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
        ;;
    1)  # Disallow NEW and INVALID incoming from the external interface
        iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
        # Drop all TCP
        iptables -A TCP -j DROP
        ;;
    2)  # Log forbidden TCP datagrams, then drop them
        iptables -A TCP --protocol tcp -m limit --limit 1/minute \
            --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
        iptables -A TCP --protocol tcp -j DROP
        ;;
esac
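The same LOG / DROP / both dispatch as a function, added here as an example (not code from either poster). It adds the one thing the case statement above lacks: a default branch. Without it, a mistyped LOGTCP value installs no terminating rule at all, and the TCP chain falls through to the default policy, which the original script sets to ACCEPT. The IPTABLES variable and the eth0 default for EXTIFACE are assumptions so the rules can be dry-run with "echo" instead of needing root.

```shell
#!/bin/sh
# Added example: dispatch on $LOGTCP with a default branch.
# IPTABLES defaults to "echo iptables" (assumed dry-run helper);
# set IPTABLES=iptables to install the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"
EXTIFACE="${EXTIFACE:-eth0}"   # assumed external interface name

log_tcp() {
    # $IPTABLES is deliberately unquoted so "echo iptables" splits into two words
    $IPTABLES -A TCP --protocol tcp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
}

drop_tcp() {
    # Disallow NEW and INVALID incoming from the external interface, then drop the rest
    $IPTABLES -A TCP -i "$EXTIFACE" -m state --state NEW,INVALID -j DROP
    $IPTABLES -A TCP -j DROP
}

# Install the tail of the TCP chain according to $1 (0 = LOG, 1 = DROP, 2 = both).
# Returns 0 on success and 2 on an unrecognised mode, so the caller can abort
# instead of leaving the chain without a terminating rule.
tcp_policy() {
    case "$1" in
        0) log_tcp ;;
        1) drop_tcp ;;
        2) log_tcp && drop_tcp ;;
        *) echo "LOGTCP must be 0, 1 or 2 (got '$1')" >&2; return 2 ;;
    esac
}
```

Run it as `LOGTCP=2 sh script.sh` after adding `tcp_policy "$LOGTCP" || exit 1` at the bottom; with the default IPTABLES it only prints the rules it would install.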
---
;---+---;
bye |
bye |hor
>
> - James
>
> -----Original Message-----
> From: Stefan Srdic [mailto:linuxbox@telusplanet.net]
> Sent: Friday, September 07, 2001 8:55 AM
> To: debian-security@lists.debian.org
> Subject: Bash scripting info needed.
>
>
> Hi,
>
>     Once again I've re-written my firewall script. Only this time I've
> attempted to make use of a few loops and if statements to make my script
> prettier. I have no formal education in programming at all!! Please be
> patient with me :-D For reference I have been using some of the well
> written init scripts that come packaged with Debian.
>
> What I am attempting to do is have a variable that determines whether
> IPtables LOGs or DROPs datagrams or does both functions. So far I'm half
> way there.
>
> This is what I've come up with using the Linux Network Administrators
> Guide and the internet as a reference:
>
> #!/bin/sh
>
> # Define our path
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
> export PATH
>
> #LOGTCP=1
>
> # Load IPTables module (s)
>
> depmod -a
> modprobe ip_tables || exit 1
>
> # Set the default policies on the filter table.
> for p in INPUT FORWARD OUTPUT; do
>     iptables -t filter -P $p ACCEPT
> done
>
> # flush all rules and erase all user defined chains on all tables
> for t in filter nat mangle; do
>     iptables -t $t -F
>     iptables -t $t -X
> done
>
> # TCP filters
> # create a new chain for TCP communications
> iptables -N TCP 2>/dev/null
>
> # divert all TCP datagrams on all interfaces into the TCP chain
> iptables -A INPUT --protocol tcp -j TCP
> iptables -A OUTPUT --protocol tcp -j TCP
>
> # Allow full access on our localhost
> iptables -A TCP -i $LOOPBACK -j ACCEPT
> iptables -A TCP -o $LOOPBACK -j ACCEPT
>
> # Allow full access between our LAN and our host
> iptables -A TCP -i $LANIFACE -s $LAN -j ACCEPT
> iptables -A TCP -o $LANIFACE -d $LAN -j ACCEPT
>
> # Allow established and related connections
> iptables -A TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> # Allow new connections on external interface
> iptables -A TCP -m state --state NEW -i ! $EXTIFACE -j ACCEPT
>
> if [ "$LOGTCP" ]; then
>     #Log forbidden TCP datagrams
>     iptables -A TCP --protocol tcp -m limit --limit 1/minute \
>      --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
> else
>     # Disallow NEW and INVALID incoming from the external interface
>     iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
>     # Drop all TCP
>     iptables -A TCP -j DROP
> fi
>
> I've found (through trial and error) that if I uncomment $LOGTCP things
> are logged as they should be. However, I'm trying to figure out a way I
> could declare whether my script logs, drops, or does both actions
> according to the value of $LOGTCP.
>
> Is this possible?
>
> I would appreciate it if any of you could offer me some advice or even
> some insight on the basics of these statements.
>
> Thanks,
>
> Stef
>
>
>
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org