Controlling Linux iptables (Firewall)
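#!/bin/bash
# find_log.bash
#
# Purpose: zenity-driven menu that loads one of four iptables rule sets
#          (Senario0..Senario3), searches /var/log/messages for the packets
#          those rule sets log, and shows, saves or flushes the current rules.
#
# USAGE: ./find_log   (run from /root; iptables and writes under
#                      /etc/sysconfig need root privileges)
#
# Author: *** Hagi Lerman ***
# Date: *** NOV 10th 2016 ***
set +x

# Only run from root's home directory. $PWD is quoted: unquoted, a directory
# name containing spaces makes `[` fail with a syntax error, the condition
# evaluates false and the guard is skipped.
# NOTE(review): this checks the working directory, not the effective user;
# it is not a privilege check.
if [ "$PWD" != "/root" ]; then
  zenity --error --text "You must be located in /root" >&2
  exit 1
fi

#######################################
# Show the /var/log/messages lines that match the given filters.
# Arguments: $1 date ("Nov 10"), $2 start time, $3 end time (H:M:S),
#            $4 port number, $5 log prefix, $6 protocol (may be empty)
# Outputs:   matching lines in a zenity text window
#######################################
_show_matching_log() {
  local date1=$1 starttime=$2 endtime=$3
  local portnumber=$4 logprefix=$5 protocol=$6

  # The time window is a string comparison on syslog field 3 (HH:MM:SS).
  # The protocol is matched against the PROTO= field the LOG target writes;
  # an empty protocol leaves the result unfiltered.
  grep -- "$date1.*$logprefix.*$portnumber" /var/log/messages \
    | awk -v var1="$starttime" -v var2="$endtime" '$3 >= var1 && $3 <= var2' \
    | {
        if [[ -n $protocol ]]; then
          grep -iF -- "PROTO=$protocol "
        else
          cat
        fi
      } \
    | zenity --text-info --width 850
}

#######################################
# Ask for every filter in separate entry dialogs, then show the log lines.
# Cancelling any dialog abandons the search instead of running it with an
# empty filter, which would match every line.
#######################################
LOGGING() {
  local date1 starttime endtime portnumber logprefix protocol

  date1=$(zenity --entry --text "Enter a Date. usage: month-day ex: NOV 10") || return 0
  starttime=$(zenity --entry --text "Enter start time. usage: hour:min:sec") || return 0
  endtime=$(zenity --entry --text "Enter end time. usage: hour:min:sec") || return 0
  portnumber=$(zenity --entry --text "Enter Port number.") || return 0
  logprefix=$(zenity --entry --text "Enter Chain+Action ex: INPUT-ACCEPTED.") || return 0
  protocol=$(zenity --entry --text "Enter Protocol. ex: tcp, udp, icmp") || return 0

  _show_matching_log "$date1" "$starttime" "$endtime" \
    "$portnumber" "$logprefix" "$protocol"
}

#######################################
# Same search as LOGGING, but date and time window come from one form.
#######################################
LOGGING2() {
  local TIME date1 starttime endtime portnumber logprefix protocol

  # "|" as separator keeps empty or short fields apart; slicing the reply at
  # fixed offsets only works when every field has exactly the expected width.
  TIME=$(zenity --forms --title="Enter Time and Date" --text="Enter Time and Date" \
    --add-calendar="Date" --add-entry="Start Log Time (Hour:Min:Sec):" \
    --add-entry="End Log time (Hour:Min:Sec):" \
    --forms-date-format="%b %d" --separator="|") || return 0
  IFS='|' read -r date1 starttime endtime <<<"$TIME"
  # NOTE(review): %d zero-pads the day ("Nov 05"); traditional syslog
  # timestamps pad with a space ("Nov  5"), so days 1-9 may not match.
  # Confirm against the local log format.

  portnumber=$(zenity --entry --text "Enter Port number.") || return 0
  logprefix=$(zenity --entry --text "Enter Chain+Action ex: INPUT-ACCEPTED.") || return 0
  protocol=$(zenity --entry --text "Enter Protocol. ex: tcp, udp, icmp") || return 0

  _show_matching_log "$date1" "$starttime" "$endtime" \
    "$portnumber" "$logprefix" "$protocol"
}

#######################################
# Common start of every scenario: default-deny policies, an empty filter
# table, and the six logging chains (accept-* log then ACCEPT, drop-* log
# then DROP).
#######################################
_reset_logging_chains() {
  local chain

  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

  # Start from an empty filter table so that choosing a scenario replaces the
  # previous one. Without this, rules pile up across menu selections and
  # `iptables -N` fails on the second run because the chains already exist.
  # This also removes filter rules added by other tools.
  iptables -F

  for chain in accept-input accept-forward accept-output \
    drop-input drop-forward drop-output; do
    iptables -n -L "$chain" >/dev/null 2>&1 || iptables -N "$chain"
  done

  # ACCEPT logging
  iptables -A accept-input -j LOG --log-prefix "INPUT-ACCEPTED "
  iptables -A accept-input -j ACCEPT
  iptables -A accept-forward -j LOG --log-prefix "FORWARD-ACCEPTED "
  iptables -A accept-forward -j ACCEPT
  iptables -A accept-output -j LOG --log-prefix "OUTPUT-ACCEPTED "
  iptables -A accept-output -j ACCEPT

  # DROP logging. drop-output ends in DROP in every scenario: a chain that
  # logs "OUTPUT-DROPPED" and then ACCEPTs leaves false evidence in the log.
  iptables -A drop-input -j LOG --log-prefix "INPUT-DROPPED "
  iptables -A drop-input -j DROP
  iptables -A drop-forward -j LOG --log-prefix "FORWARD-DROPPED "
  iptables -A drop-forward -j DROP
  iptables -A drop-output -j LOG --log-prefix "OUTPUT-DROPPED "
  iptables -A drop-output -j DROP
}

# Forward TCP traffic to and from port $1.
# NOTE(review): the --sport rule is stateless; it accepts any forwarded packet
# that merely carries this source port, whatever its destination. Matching
# replies with -m state --state ESTABLISHED,RELATED (as the SSH rules do)
# would be tighter.
_forward_tcp_port() {
  iptables -A FORWARD -p tcp -m tcp --dport "$1" -j accept-forward
  iptables -A FORWARD -p tcp -m tcp --sport "$1" -j accept-forward
}

# Forward UDP traffic to and from port $1 (same stateless caveat as TCP).
_forward_udp_port() {
  iptables -A FORWARD -p udp -m udp --dport "$1" -j accept-forward
  iptables -A FORWARD -p udp -m udp --sport "$1" -j accept-forward
}

# Forward DHCP (UDP 67-68 on both ends).
_forward_dhcp() {
  iptables -A FORWARD -p udp --dport 67:68 --sport 67:68 -j accept-forward
}

# Accept TCP to a service on this host listening on port $1, and its replies.
_local_tcp_service() {
  iptables -A INPUT -p tcp -m tcp --dport "$1" -j accept-input
  iptables -A OUTPUT -p tcp -m tcp --sport "$1" -j accept-output
}

# SSH on port 3131: send inbound packets to chain $1 and replies to chain $2.
_ssh_rules() {
  iptables -A INPUT -p tcp -s 0/0 --dport 3131 \
    -m state --state NEW,ESTABLISHED,RELATED -j "$1"
  iptables -A OUTPUT -p tcp -d 0/0 --sport 3131 \
    -m state --state ESTABLISHED,RELATED -j "$2"
}

# Catch-all jumps for INPUT ($1), OUTPUT ($2) and FORWARD ($3). Rules are
# evaluated in order, so this must be the LAST call of a scenario: appended
# first, the catch-all ends processing before any service rule is reached.
_append_default_jumps() {
  iptables -A INPUT -j "$1"
  iptables -A OUTPUT -j "$2"
  iptables -A FORWARD -j "$3"
}

#######################################
# Scenario 0: default deny; every service below is allowed and logged.
#######################################
Senario0() {
  _reset_logging_chains

  # DHCP; check by running "ipconfig /renew" in cmd.
  _forward_dhcp
  # SSH on port 3131.
  _ssh_rules accept-input accept-output
  # Apache on port 8181; check by http://router.gryu1.com:8181
  _local_tcp_service 8181
  # SFTP server on port 2121; check by running FileZilla/WinSCP.
  _forward_tcp_port 2121
  # FTP server on port 21; check by running FileZilla/WinSCP.
  _forward_tcp_port 21
  # MySQL server on port 3306; check by running MySQL Workbench.
  _forward_tcp_port 3306
  # IIS on port 9191; check by http://winserv.gryu1.com:9191/
  _forward_tcp_port 9191
  # Email server on port 25 (author's note: NOT WORKING! 143 587);
  # check by opening Mozilla Thunderbird.
  _forward_tcp_port 25
  # DNS on port 53; check by running nslookup in cmd.
  _forward_udp_port 53

  # Log and drop everything not listed above. FORWARD goes to drop-forward so
  # the log prefix names the chain the packet actually traversed.
  _append_default_jumps drop-input drop-output drop-forward
}

#######################################
# Scenario 1: default deny; IIS, DNS, DHCP, SSH, FTP and MySQL allowed.
#######################################
Senario1() {
  _reset_logging_chains

  # IIS on port 9191; check by http://winserv.gryu1.com:9191/
  _forward_tcp_port 9191
  # DNS on port 53; check by running nslookup in cmd.
  _forward_udp_port 53
  # DHCP; check by running "ipconfig /renew" in cmd.
  _forward_dhcp
  # SSH on port 3131; check by running putty router.gryu1.com
  _ssh_rules accept-input accept-output
  # FTP server on port 21; check by running FileZilla/WinSCP.
  _forward_tcp_port 21
  # MySQL server on port 3306; check by running MySQL Workbench.
  _forward_tcp_port 3306

  # Log and drop the rest.
  _append_default_jumps drop-input drop-output drop-forward
}

#######################################
# Scenario 2: the inverse of the others. SSH on port 3131 is logged and
# dropped; every other packet is logged and accepted, so despite the DROP
# policies this rule set is effectively default-allow.
#######################################
Senario2() {
  _reset_logging_chains

  # Apache on port 8181; check by http://router.gryu1.com:8181
  _local_tcp_service 8181
  # SFTP server on port 2121; check by running FileZilla/WinSCP.
  _forward_tcp_port 2121
  # FTP server on port 21; check by running FileZilla/WinSCP.
  _forward_tcp_port 21
  # MySQL server on port 3306; check by running MySQL Workbench.
  _forward_tcp_port 3306
  # IIS on port 9191; check by http://winserv.gryu1.com:9191/
  _forward_tcp_port 9191
  # Email server on port 25 (author's note: NOT WORKING! 143 587);
  # check by opening Mozilla Thunderbird.
  _forward_tcp_port 25
  # DNS on port 53; check by running nslookup in cmd.
  _forward_udp_port 53

  # SSH on port 3131 is the one service this scenario blocks.
  _ssh_rules drop-input drop-output

  # All other traffic is accepted (and logged).
  _append_default_jumps accept-input accept-output accept-forward
}

#######################################
# Scenario 3: default deny; only DNS, DHCP, SFTP and FTP are forwarded.
# There is no SSH rule here, so loading it from a remote session drops that
# session's packets.
#######################################
Senario3() {
  _reset_logging_chains

  # DNS on port 53; check by running nslookup in cmd.
  _forward_udp_port 53
  # DHCP; check by running "ipconfig /renew" in cmd.
  _forward_dhcp
  # SFTP server on port 2121; check by running FileZilla/WinSCP.
  _forward_tcp_port 2121
  # FTP server on port 21; check by running FileZilla/WinSCP.
  _forward_tcp_port 21

  # Log and drop the rest.
  _append_default_jumps drop-input drop-output drop-forward
}

#######################################
# Save the current rules to /etc/sysconfig/<name>.
# The name is typed by the operator and used as root, so it is restricted to
# a plain file name: no "/" (no path traversal), no leading "." or "-".
#######################################
Iptablessave() {
  local filename target
  local -r name_re='^[A-Za-z0-9_][A-Za-z0-9._-]*$'

  filename=$(zenity --entry --text "Enter a file name . note: your file will be saved in /etc/sysconfig/your_file_name ") || return 0
  if [[ ! $filename =~ $name_re ]]; then
    zenity --error --text "Invalid file name" >&2
    return 1
  fi

  target="/etc/sysconfig/$filename"
  # /etc/sysconfig holds other system configuration; never replace a file
  # there without asking.
  if [[ -e $target ]]; then
    zenity --question --text "File already exists. Overwrite it?" || return 0
  fi

  # Newly created files are readable by root only.
  (
    umask 077
    iptables-save >"$target"
  )
}

#######################################
# Flush all rules in the filter table after confirmation.
# The chain policies are left untouched: after a scenario has set them to
# DROP, a flush removes every allow rule and all traffic is dropped.
#######################################
Flush() {
  if zenity --question --text "You are about to FLUSH IPTABLS, Are you sure?"; then
    iptables -F
  fi
}

# Show the current filter-table rules (numeric output, no DNS lookups).
showiptables() {
  iptables -L -n | zenity --text-info --width 850
}

#######################################
# Collect and validate a crontab schedule.
# The previous last line, `crontab -e > @$when ...`, redirected the editor's
# output into a file named after the operator's input and passed the fields
# to crontab as arguments; it never built a crontab entry.
# NOTE(review): the script never asks which command to schedule, so no job is
# installed here. Decide what should run before wiring this to `crontab`.
#######################################
Crontab() {
  local when minute hour dayofmonth month dayofweek schedule field
  local -r field_re='^[0-9*,/-]+$'

  when=$(zenity --entry --text "Enter when you want to run. usage: * any value/, value listed sepetator/- range of values/ /step values/ @yearly/@annually/@monthly/@weekly?@daily/@hourly/@reboot") || return 0
  minute=$(zenity --entry --text "Enter minutes usage:range 1-60 or * for any value") || return 0
  hour=$(zenity --entry --text "Enter hours usage:range 0-23 or * for any value") || return 0
  dayofmonth=$(zenity --entry --text "Enter day of month usage:range 1-31 or * for any value") || return 0
  month=$(zenity --entry --text "Enter month number usage:range 1-12 or * for any value") || return 0
  dayofweek=$(zenity --entry --text "Enter days usage:range 1-7 or * for any value") || return 0

  # A nickname (@daily, ...) replaces the five time fields; otherwise each
  # field may hold only digits and the cron operators * , / -
  when=${when#@}
  case "$when" in
    yearly | annually | monthly | weekly | daily | hourly | reboot)
      schedule="@$when"
      ;;
    *)
      for field in "$minute" "$hour" "$dayofmonth" "$month" "$dayofweek"; do
        if [[ ! $field =~ $field_re ]]; then
          zenity --error --text "Invalid crontab field" >&2
          return 1
        fi
      done
      schedule="$minute $hour $dayofmonth $month $dayofweek"
      ;;
  esac

  zenity --info --text "Schedule: $schedule (no job installed: no command to run was given)"
}

# Main menu. Leave the loop when the dialog is cancelled or zenity cannot
# run; otherwise a missing display would spin here forever.
while true; do
  Senario=$(zenity --list --radiolist --text "<b>Please</b> make a selection:" \
    --title "Welcome to to my scrip created by Hagi Lerman" --hide-header \
    --column "Buy" --column "Item" \
    FALSE "Senario0" FALSE "Senario1" FALSE "Senario2" FALSE "Senario3" \
    FALSE "LOGGING" FALSE "LOGGING2" FALSE "SHOW IPTABLES" \
    FALSE "SAVE IP TABLES" FALSE "FLUSH IPTABLES" FALSE "Add To Crontab" \
    FALSE "Quit") || break

  case "$Senario" in
    "Senario0") Senario0 ;;
    "Senario1") Senario1 ;;
    "Senario2") Senario2 ;;
    "Senario3") Senario3 ;;
    "LOGGING") LOGGING ;;
    "LOGGING2") LOGGING2 ;;
    "SHOW IPTABLES") showiptables ;;
    "SAVE IP TABLES") Iptablessave ;;
    "FLUSH IPTABLES") Flush ;;
    "Add To Crontab") Crontab ;;
    "Quit") break ;;
  esac
done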