Solved

php and iptables - safely?

Posted on 2014-11-20
242 Views
Last Modified: 2014-12-10
This is some php code I was given as a solution in another question.

<?php
$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'my_db');

/* check connection (the original tested an undefined $link here) */
if ($mysqli->connect_errno) {
    die('Connect Error (' . $mysqli->connect_errno . ') '
        . $mysqli->connect_error);
}

$filename = 'thelist.txt';
$fp = fopen($filename, "w");
if ($fp === false) {
    die("Cannot open $filename for writing");
}

/* Select queries return a resultset */
if ($result = $mysqli->query("SELECT * FROM MyTable WHERE runtest = '1'")) {
    while ($row = $result->fetch_array(MYSQLI_ASSOC)) {
        echo $row['ip'] . "\r\n";
        fwrite($fp, $row['ip'] . ",");
    }
    /* free result set */
    $result->free();
}

$mysqli->close();
fclose($fp);
?>



When I run it,
# php get_test.php
1.2.3.4
2.3.4.5

The file list it generates is slightly different as it is comma delimited.
# more thelist.txt
1.2.3.4,2.3.4.5,

Now, the purpose behind the query to begin with was to extract IPs of clients which are allowed to connect to a certain port on a Linux server. I was going to use another script to next update the iptables for port (example) 500.
All IPs in the list should be allowed and any which are no longer there should be removed from iptables.

The 'safely' part. I would like to make this a function of an existing php file but that one is on a web server.
This php script doesn't have to run on a web site, it can run on the server itself, via a cron job for example so giving php access to iptables might not be such a big deal. In other words, it would not be a public php file.

Anyhow, looking for the code solution to this please since I am not a programmer.

Thanks very much.
0
Question by:projects
73 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40455386
If you would run "iptables --list -n --line-numbers", I'll need the line numbers to insert a new rule in the script.
0
 

Author Comment

by:projects
ID: 40456298
Line numbers?
Do you mean the file with the IPs needs to generate line numbers for every IP inserted?
Right now, it only adds an IP on a new line, the next on a new line, etc.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40456316
What I do is get the line numbers -- particularly of the icmp reject and use that number to insert the new rule.  So, if your input icmp reject is line 24:

iptables -I INPUT 24 -s <some ip> -p tcp -m tcp --dport 22 -j ACCEPT

The script would take up to three variables:  IP, protocol and port.

Knowing what line number to use to insert the rules should be hard coded into the script.
0
 

Author Comment

by:projects
ID: 40456343
Ah, I see. One problem with that is that I am blocking IPs now and then also as you can see if you still have my previous question. This means that when I add or remove blocked IPs, that will change the line number.

This is why I was wondering if I could have a 'section name' for example, and a script would read from that line to whatever end line was chosen, adding/removing IPs in between.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40457308
if you add another chain, then you forward to that chain and you have the same (what line number?) issue.

i suggest putting all permit entries that are static (will not change) first and we can use the subsequent line number for insertion.

in standalone, i don't see where iptables has an "include <filename>" feature.

another option would be to create a beginning section of iptables in a template file (iptables.start.template) and the reject stuff in a template (iptables.end.template) and create script that builds an updated iptables using the start template, your permit file and the end template, sets the selinux permissions, puts it into place and restarts iptables.
0
 

Author Comment

by:projects
ID: 40459819
You lost me :)

The DROP items do keep changing and they are above. I thought DROPs always have to be at the top? If they don't really have to be, then the rest is pretty static. If I change anything above, then I could update our script, right?

-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
# the above always changes... below never changes
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 0000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014

Not sure about your 'filename' question but if you mean in the script, that's just an output file being created which contains the IPs of the allowed clients to service port 500.

Your idea of using templates also works but might be more complicated than if we could just move things around in the iptables file to get our line number.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40459823
absolutely.  if you're doing drops regardless, then you'll put them first.

either way, you'll split your iptables into two templates and insert your drops between the two.
0
 

Author Comment

by:projects
ID: 40459828
So you're confirming that drops have to be at the top, right? It's how I've always understood firewalls at least. You drop what you don't want at the top, allowing toward the bottom.

So you figure the best way is using templates? Ok, let's do this.
Should this be a bash script or php? I can run either one as root only of course.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40459865
yes and no.

if i want all traffic to and from an IP blocked, I'll drop it first.

if i want to be able to initiate traffic to an IP and get the return traffic, i'll put the drop after the "established" line.

i would do a bash script.  you'll have three files (iptables.start.template, droplist, iptables.end.template) and a cron job.

(not tested so do a dry run first)

#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
export PATH

# bash assignment: no leading "$" and no spaces around "="
workdir="/path/to/some/workdirectory"

cp $workdir/iptables.start.template $workdir/iptables.new

# one address per line; blank lines are skipped so they cannot become "-s  -j DROP".
# the finished file is read by iptables-restore, so rules are written
# without a leading "iptables" (that is iptables-save format, not a shell command)
while read line
 do
  [ -z "$line" ] && continue
  echo "-A INPUT -s $line -j DROP" >> $workdir/iptables.new
 done < $workdir/droplist

cat $workdir/iptables.end.template >> $workdir/iptables.new
chcon -u unconfined_u -t system_conf_t  $workdir/iptables.new
chmod 600 $workdir/iptables.new

service iptables stop
mv /etc/sysconfig/iptables /etc/sysconfig/iptables.previous
mv $workdir/iptables.new /etc/sysconfig/iptables
service iptables start
0
 

Author Comment

by:projects
ID: 40459917
So how do you want me to break down the current iptables as a starting point to test this?
The file which contains the IPs to be allowed or removed for port 500 is called allowed_ips
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40459924
yes.  make a backup first of your original working iptables (you might call it iptables.production).

everything above the drops goes into 'start' and everything after the drops goes into 'end'.

just put the IPs, one per line, in the drop file.

if these IPs are permitted to take an action, I would put them after the 'established' line.

your additions or removals go into the "drop" file.  but if this file is used to allow traffic, i would call it something else.
0
 

Author Comment

by:projects
ID: 40459936
I put a copy of iptables in my working directory and will check the final output there once it's all done.
Once it's working as it should and the iptables looks right, then I'll change the paths to the real iptables and see how things go.

So, I get what we are doing but just a little confusing right now :).
Made a copy of original iptables to iptables.start.template and iptables.end.template.

The only IPs in the allowed_ips are those allowed, there is no list of removed or disallowed, I can only generate a new list of allowed IPs.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40459952
you can actually have both if you want, called 'dropfile' and 'acceptfile'.  you will have this once for each:

# rules are written in iptables-save format (no leading "iptables"),
# since the file is loaded by iptables-restore; blank lines are skipped
while read line
 do
  [ -z "$line" ] && continue
  echo "-A INPUT -s $line -j DROP" >> $workdir/iptables.new
 done < $workdir/droplist

while read line
 do
  [ -z "$line" ] && continue
  # you can allow all IP, a single tcp or udp port or a range of tcp or udp ports
  echo "-A INPUT -s $line -p udp -m udp --dport 500 -j ACCEPT" >> $workdir/iptables.new
 done < $workdir/acceptlist
0
 

Author Comment

by:projects
ID: 40460742
Sorry, not quite sure what I am supposed to do here.
I have the following files in a work dir.

-rw-r--r-- 1 root root   27 Nov 22 13:40 allowed_ips (the allowed IPs file)
-rw------- 1 root root 1941 Nov 22 13:22 iptables.end.template (copy of iptables.org)
-rw------- 1 root root 1941 Nov 22 13:22 iptables.org (original iptables)
-rw------- 1 root root 1941 Nov 22 13:22 iptables.start.template (copy of iptables.org)
-rwxr-xr-x 1 root root  676 Nov 22 13:22 mod_iptables.sh (the script you posted)

# more mod_iptables.sh
#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
export PATH

# bash assignment: no leading "$" and no spaces around "="
workdir="/new/progs"

cp $workdir/iptables.start.template $workdir/iptables.new

# rules go in without a leading "iptables" (the file is read by iptables-restore);
# blank lines are skipped
while read line
 do
  [ -z "$line" ] && continue
  echo "-A INPUT -s $line -j DROP" >> $workdir/iptables.new
 done < $workdir/droplist

cat $workdir/iptables.end.template >> $workdir/iptables.new
chcon -u unconfined_u -t system_conf_t  $workdir/iptables.new
chmod 600 $workdir/iptables.new

#service iptables stop
#mv /etc/sysconfig/iptables /etc/sysconfig/iptables.previous
#mv $workdir/iptables.new /etc/sysconfig/iptables
#service iptables start

mv $workdir/iptables $workdir/iptables.previous
mv $workdir/iptables.new $workdir/iptables


# more iptables.org
# DO NOT CHANGE WITHOUT ASKING CUSTOMER!!

# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*nat
:PREROUTING ACCEPT [334216:25598960]
:POSTROUTING ACCEPT [319279:20338388]
:OUTPUT ACCEPT [319279:20338388]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*mangle
:PREROUTING ACCEPT [27015165:19172637819]
:INPUT ACCEPT [27014858:19172613225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21624194:7365342073]
:POSTROUTING ACCEPT [21624194:7365342073]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1174:209854]
#
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 74.62.91.27/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 1000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40460869
Does iptables.new look like you want it to?

And a question: are you adding IPs to block or to allow or both?
0
 

Author Comment

by:projects
ID: 40460933
The ip list is being generated now and then automatically. It is only updated in that any clients no longer allowed are simply no longer in the list. This means probably just re-creating that section instead of trying to remove IPs as well.

I've not run anything yet so don't know what iptables.new looks like. I needed more information as explained above :)
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40462212
the script creates an iptables file based upon the list of drops to insert at the beginning.

when complete, it moves it into place and starts the service.

the part to move it into place and stop/start the service is commented out so you should be good to do a dry run and see what the iptables file will look like.
0
 

Author Comment

by:projects
ID: 40466772
It's sort of working :)
The script created a new iptables file but it doubled up some stuff.

# DO NOT CHANGE WITHOUT ASKING CUSTOMER!!

# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*nat
:PREROUTING ACCEPT [334216:25598960]
:POSTROUTING ACCEPT [319279:20338388]
:OUTPUT ACCEPT [319279:20338388]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*mangle
:PREROUTING ACCEPT [27015165:19172637819]
:INPUT ACCEPT [27014858:19172613225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21624194:7365342073]
:POSTROUTING ACCEPT [21624194:7365342073]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1174:209854]
#
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 74.62.91.27/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 1000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
iptables -A INPUT -s x.x.x.x -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -s x.x.x.x -p udp -m udp --dport 500 -j ACCEPT
# DO NOT CHANGE WITHOUT ASKING CUSTOMER!!

# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*nat
:PREROUTING ACCEPT [334216:25598960]
:POSTROUTING ACCEPT [319279:20338388]
:OUTPUT ACCEPT [319279:20338388]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*mangle
:PREROUTING ACCEPT [27015165:19172637819]
:INPUT ACCEPT [27014858:19172613225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21624194:7365342073]
:POSTROUTING ACCEPT [21624194:7365342073]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1174:209854]
#
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 74.62.91.27/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 1000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014



This is what the test script looks like at the moment

#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
export PATH

cp iptables.start.template iptables.new

# rules go in without a leading "iptables" (the file is read by iptables-restore);
# blank lines in allowed_ips are skipped
while read line
do
[ -z "$line" ] && continue
echo "-A INPUT -s $line -p udp -m udp --dport 500 -j ACCEPT" >> iptables.new
done < allowed_ips

cat iptables.end.template >> iptables.new
chcon -u unconfined_u -t system_conf_t  iptables.new
chmod 600 iptables.new

#service iptables stop
#mv /etc/sysconfig/iptables /etc/sysconfig/iptables.previous
#mv iptables.new /etc/sysconfig/iptables
#service iptables start

mv iptables iptables.previous
mv iptables.new iptables


0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40467006
can you post the 'start' and 'end' template files?
0
 

Author Comment

by:projects
ID: 40470761
Allowed IPs (filename: allowed_ips)
5.6.7.8
6.7.8.9



iptables.org
# DO NOT CHANGE WITHOUT ASKING CUSTOMER!!

# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*nat
:PREROUTING ACCEPT [334216:25598960]
:POSTROUTING ACCEPT [319279:20338388]
:OUTPUT ACCEPT [319279:20338388]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*mangle
:PREROUTING ACCEPT [27015165:19172637819]
:INPUT ACCEPT [27014858:19172613225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21624194:7365342073]
:POSTROUTING ACCEPT [21624194:7365342073]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1174:209854]
#
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 74.62.91.27/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 1000 -j ACCEPT
-A INPUT -s 2.3.4.5/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014



iptables.start.template
# DO NOT CHANGE WITHOUT ASKING CUSTOMER!!

# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*nat
:PREROUTING ACCEPT [334216:25598960]
:POSTROUTING ACCEPT [319279:20338388]
:OUTPUT ACCEPT [319279:20338388]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*mangle
:PREROUTING ACCEPT [27015165:19172637819]
:INPUT ACCEPT [27014858:19172613225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21624194:7365342073]
:POSTROUTING ACCEPT [21624194:7365342073]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1174:209854]
#
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 74.62.91.27/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 1000 -j ACCEPT
-A INPUT -s 2.3.4.5/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014



iptables.end.template
# DO NOT CHANGE WITHOUT ASKING CUSTOMER!!

# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*nat
:PREROUTING ACCEPT [334216:25598960]
:POSTROUTING ACCEPT [319279:20338388]
:OUTPUT ACCEPT [319279:20338388]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*mangle
:PREROUTING ACCEPT [27015165:19172637819]
:INPUT ACCEPT [27014858:19172613225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21624194:7365342073]
:POSTROUTING ACCEPT [21624194:7365342073]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1174:209854]
#
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 74.62.91.27/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 1000 -j ACCEPT
-A INPUT -s 2.3.4.5/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014



bash code
#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
export PATH

cp iptables.start.template iptables.new

# rules go in without a leading "iptables" (the file is read by iptables-restore);
# blank lines in allowed_ips are skipped
while read line
do
[ -z "$line" ] && continue
echo "-A INPUT -s $line -p udp -m udp --dport 500 -j ACCEPT" >> iptables.new
done < allowed_ips

cat iptables.end.template >> iptables.new
chcon -u unconfined_u -t system_conf_t  iptables.new
chmod 600 iptables.new

#service iptables stop
#mv /etc/sysconfig/iptables /etc/sysconfig/iptables.previous
#mv iptables.new /etc/sysconfig/iptables
#service iptables start

mv iptables iptables.previous
mv iptables.new iptables



resulting iptables
# DO NOT CHANGE WITHOUT ASKING CUSTOMER!!

# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*nat
:PREROUTING ACCEPT [334216:25598960]
:POSTROUTING ACCEPT [319279:20338388]
:OUTPUT ACCEPT [319279:20338388]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*mangle
:PREROUTING ACCEPT [27015165:19172637819]
:INPUT ACCEPT [27014858:19172613225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21624194:7365342073]
:POSTROUTING ACCEPT [21624194:7365342073]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1174:209854]
#
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 74.62.91.27/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 1000 -j ACCEPT
-A INPUT -s 2.3.4.5/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
iptables -A INPUT -s 5.6.7.8 -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -s 6.7.8.9 -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -s  -p udp -m udp --dport 500 -j ACCEPT
# DO NOT CHANGE WITHOUT ASKING CUSTOMER!!

# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*nat
:PREROUTING ACCEPT [334216:25598960]
:POSTROUTING ACCEPT [319279:20338388]
:OUTPUT ACCEPT [319279:20338388]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*mangle
:PREROUTING ACCEPT [27015165:19172637819]
:INPUT ACCEPT [27014858:19172613225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21624194:7365342073]
:POSTROUTING ACCEPT [21624194:7365342073]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1174:209854]
#
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 74.62.91.27/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 1000 -j ACCEPT
-A INPUT -s 2.3.4.5/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014


0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40470770
This is what the start template should look like:

# DO NOT CHANGE WITHOUT ASKING CUSTOMER!!

# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*nat
:PREROUTING ACCEPT [334216:25598960]
:POSTROUTING ACCEPT [319279:20338388]
:OUTPUT ACCEPT [319279:20338388]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*mangle
:PREROUTING ACCEPT [27015165:19172637819]
:INPUT ACCEPT [27014858:19172613225]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21624194:7365342073]
:POSTROUTING ACCEPT [21624194:7365342073]
COMMIT
# Completed on Wed Jan 15 20:57:58 2014
# Generated by iptables-save v1.4.7 on Wed Jan 15 20:57:58 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1174:209854]
#


This is what the end template should look like:

#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 1.2.3.4/32 -p tcp -m state --state NEW -m tcp --dport 1000 -j ACCEPT
-A INPUT -s 2.3.4.5/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s 3.4.5.6/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A INPUT -s 23.21.230.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 15 20:57:58 2014

If you make changes to either the start or end (within the regular iptables file) and/or do an iptables-save, you may need to generate a new end template.
0
 

Author Comment

by:projects
ID: 40470850
Oops, of course :).

This would be missing the DROP section however.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40470852
Yes, the script adds the drop section using that file.
0
 

Author Comment

by:projects
ID: 40470863
Thought I missed that too and also thought you meant any IPs I wanted to drop from the previous port 5000 allowed list.

I think I commented that or took it out of the script in fact? Can you confirm the section of iptables I'll need to copy to create the drop section.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40470973
Well, in theory, the idea behind the script is that with keeping an updated file of IPs to drop, you can automate the rebuilding of iptables as frequently as needed.

I'll offer a rewrite to include both drops and accepts by port and post once it's tested.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40471023
this script has some typos fixed and the input file (dropfile) has been changed to ip-addrs.

it allows everything to be in one file in the format of ip, protocol, port, status in a comma delimited file:

14.0.0.0/8
23.234.224.0/24
139.175.55.158
172.16.8.0/21,tcp,25,ACCEPT
192.168.1.204,udp,514,DROP
192.168.1.0/24,udp,53,ACCEPT
10.99.88.3

it puts all of the explicit drops and allows together:

#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
export PATH

workdir=/path/to/some/directory

cp -f $workdir/iptables.start.template $workdir/iptables.new

# each line of ip-addrs is "ip[,proto,port,STATUS]"; a bare ip is an unconditional DROP.
# the finished file becomes /etc/sysconfig/iptables and is read by iptables-restore,
# so rules are written without a leading "iptables". blank lines are skipped.
while IFS=, read -r IP PROTO PORT STATUS
 do
    [ -z "$IP" ] && continue

    if [ -z "$PROTO" ]; then
       echo "-A INPUT -s $IP -j DROP" >> $workdir/iptables.new
    else
       echo "-A INPUT -s $IP -p $PROTO -m state --state NEW -m $PROTO --dport $PORT -j $STATUS" >> $workdir/iptables.new
    fi
 done < $workdir/ip-addrs

cat $workdir/iptables.end.template >> $workdir/iptables.new

chcon -u unconfined_u -t system_conf_t  $workdir/iptables.new
chmod 600 $workdir/iptables.new

service iptables stop
mv /etc/sysconfig/iptables /etc/sysconfig/iptables.previous
mv $workdir/iptables.new /etc/sysconfig/iptables
service iptables start
0
 

Author Comment

by:projects
ID: 40474256
The more I look at this solution, the more it looks too complex to implement. Too many things could go wrong, too many files needing constant updating.

Maybe if the script had more intelligence, perhaps copying the live iptables to its work directory, splitting up the files on its own, running the query and looking up the new IPs, re-creating the port 500 (or 5000, whatever we've used for example) section, then re-creating the full iptables file.

There are too many manual steps where something could go wrong so as it is now, I don't see this as a solid solution and one which could be prone to errors/mistakes.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40474340
that's understandable.  if you delete this question, i don't have a problem with it.
0
 

Author Comment

by:projects
ID: 40474747
I still need a solution and this is one way but it would need to have less steps so as to have less chance of making an error. I think this is something others could use too if they found the answer.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40475064
so, if you can identify either the steps or the mechanism, i should be able to supply an answer.  you'll need to be specific as to what you would like to see.
0
 

Author Comment

by:projects
ID: 40483919
I guess I need to fully trust the script to do what I need.
What if

-it copies the current iptables
-it breaks it down as needed
-it uses the new allowed_ips file to generate the new port 500 section
-it creates the iptable and for now, puts it in the current directory (for testing)

I'm just concerned about the many steps I would have to do each time I run this which would be multiple times daily.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40483967
Ok.

How about when adding:

1) make a copy of iptables
2) add the IPs to the end of iptables
3) delete the icmp reject lines
4) add the icmp reject lines so they are at the end
5) save the changes

And deleting:

1) find all lines matching the IP
2) delete it
3) save the changes

No templates, easy script.  You will have to tell me how you will differentiate between additions to iptables that are drop vs additions that are allow to port 500.
0
 

Author Comment

by:projects
ID: 40483993
In terms of dropping, I'm thinking don't even bother dropping anything.
The allowed_ips file will always be current so just re-create the port 500 section each time the script runs.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40484172
So, we should be able to script every X minutes or hours:  drop all port 500 and add these from the file.
0
 

Author Comment

by:projects
ID: 40484222
Yes, I think the easiest way would be to drop all port 500 section, then re-create it from new using the allowed_ips file which contains the allowed IPs. I could even call the script which creates that list from this script as well and set it up as a cron task.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40484675
This script will find the listing in iptables and remove it.  Following it will get the list of allowed IPs to UDP port 500 and add them.  The "iptables" command will not add or remove any lines that are not syntactically correct.

#################################################

#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
export PATH

$workdir=/path/to/some/directory

grep "--dport 500" /etc/sysconfig/iptables > $workdir/iptables.remove

cat $workdir/iptables.remove | while read line
 do
  set $line
  iptables -D INPUT -s $line -p udp -m udp --dport 500 -j ACCEPT
 done

cat $workdir/allowed_ips | while read line
 do
  set $line
  iptables -A INPUT -s $line -p udp -m udp --dport 500 -j ACCEPT"
 done

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

iptables-save
service iptables save

################################################

If you have this line in iptables:

     -A INPUT -s  -p udp -m udp --dport 500 -j ACCEPT

You will want to remove it:

     iptables -D INPUT -s  -p udp -m udp --dport 500 -j ACCEPT
0
 

Author Comment

by:projects
ID: 40485651
I removed all port 500 entries in the iptables file.
I then copied the iptables file into the work directory.
I created your new script and edited a few problems out.
-grep didn't want to use ---dport so I changed it to "dport 500"
-there was an extraneous " which I removed.

I then ran the script and it seemed to create a new live iptables which I need confirmation is in the correct format?

# Generated by iptables-save v1.4.7 on Sun Dec  7 11:32:33 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [27:6514]
-A INPUT -s 5.135.162.190/32 -j DROP
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 74.62.91.27/32 -j DROP
-A INPUT -s 103.7.40.10/32 -j DROP
-A INPUT -s 103.15.64.18/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 109.200.1.213/32 -j DROP
-A INPUT -s 110.82.165.189/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 125.253.122.137/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
-A INPUT -s 173.239.5.252/32 -j DROP
-A INPUT -s 176.62.198.186/32 -j DROP
-A INPUT -s 178.18.130.140/32 -j DROP
-A INPUT -s 192.69.223.70/32 -j DROP
-A INPUT -s 192.99.39.158/32 -j DROP
-A INPUT -s 216.240.36.214/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 1000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Dec  7 11:32:33 2014
# Generated by iptables-save v1.4.7 on Sun Dec  7 11:32:33 2014
*mangle
:PREROUTING ACCEPT [1074751:210664317]
:INPUT ACCEPT [1074751:210664317]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1146235:565184584]
:POSTROUTING ACCEPT [1146235:565184584]
COMMIT
# Completed on Sun Dec  7 11:32:33 2014
# Generated by iptables-save v1.4.7 on Sun Dec  7 11:32:33 2014
*nat
:PREROUTING ACCEPT [170543:10647330]
:POSTROUTING ACCEPT [2261:140218]
:OUTPUT ACCEPT [2261:140218]
COMMIT
# Completed on Sun Dec  7 11:32:33 2014



If this is in the correct format, then the only change I need to make would be to allow the script to directly modify the live iptables file?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40485735
This looks good.  And know that if there is a syntax error for any reason, the iptables command will throw an error and not damage the file.
0
 

Author Comment

by:projects
ID: 40485773
No syntax errors now. Just a couple of little things as mentioned.
Does the output file look ok to you, safe, usable as it is?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40486703
Yes and yes.

I forgot about escaping the dashes.  You can leave them out or put them in as "\-\-dport 500".

Backup up your original iptables and when you have run the script, verify it.
0
 

Author Comment

by:projects
ID: 40487356
So, the only things I am unclear about at this point are;

-should we now add a line which nabs the live iptables file from etc/sysconfig?

-is this all running in memory instead of creating a local file? what if my list grows to hundreds or thousands of allowed ips?

And to understand the flow; once the script runs, it is keeping this in memory then updating iptables as I would enter it from the command line?

Should it not instead create a backup of the current iptables in the work dir, then create the new iptables in the work dir, then copy that to /etc/sysconfig and reload?
0
 

Author Comment

by:projects
ID: 40487365
# ./mod_iptables.sh
./mod_iptables.sh: line 6: =/new/progs/iptables: No such file or directory
cat: /allowed_ips: No such file or directory
# Generated by iptables-save v1.4.7 on Mon Dec  8 11:49:43 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ApacheAuth - [0:0]

Hmm, I must have changed something?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40487369
If you want to avoid syntax errors and problems with iptables loading, then you're best off doing what is being done in the last script.

iptables-save = dumps the *running* rules to stdout
service iptables save = writes the changes to /etc/sysconfig/iptables

If you don't want to write the changes, then we'll need to change the grep statement to grab them from memory to remove the necessary lines.

If you want to create a new iptables each time, then the first script using templates is the way to go.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40487370
cat ./mod_iptables.sh
0
 

Author Comment

by:projects
ID: 40487374
Yes, I agree and want to use the second version so long as it doesn't blow up if my allowed_ips list is 5000 long :)

Now I am trying to figure out why the script broke.

#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
export PATH

$workdir=/new/progs/iptables

grep "dport 500" /etc/sysconfig/iptables > $workdir/iptables.remove

cat $workdir/iptables.remove | while read line
do
set $line
iptables -D INPUT -s $line -p udp -m udp --dport 500 -j ACCEPT
done

cat $workdir/allowed_ips | while read line
do
set $line
iptables -A INPUT -s $line -p udp -m udp --dport 500 -j ACCEPT
done

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

iptables-save
service iptables save


0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40487437
I need to fix this.  Please give me a few minutes.
0
 

Author Comment

by:projects
ID: 40487456
Oh, I thought it was something I messed up.

BTW, thanks for sticking to this question. It is VERY appreciated!
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 40487495
#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
export PATH

$workdir=/new/progs/iptables

#remove any stale file
rm -f $workdir/iptables.remove

#set the shell so we can this as a script
echo "#!/bin/bash > $workdir/iptables.remove

#get all current lines that have a destination port of 500
grep "--dport 500" /etc/sysconfig/iptables >> $workdir/iptables.remove

#substitute the "add" for a "delete"
sed -i 's/-A INPUT/-D INPUT/g' $workdir/iptables.remove

#set the new script as executable
chmod 755 $workdir/iptables.remove

#process the deletes
$workdir/iptables.remove

#get the IPs that we want to allow to destination port 500
#to the end of the INPUT section
cat $workdir/allowed_ips | while read line
 do
  set $line
  iptables -A INPUT -s $line -p udp -m udp --dport 500 -j ACCEPT"
 done

#delete the reject which is above the new additions
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

#re-add the reject section so that it appears at the end
#of the INPUT section
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

#print to stdout the running configuration
iptables-save

#save the running configuration to /etc/sysconfig/iptables
service iptables save

#remove the completed file
rm -f $workdir/iptables.remove
0
 

Author Comment

by:projects
ID: 40487615
# ./mod_tables2.sh
./mod_tables2.sh: line 6: =/new/progs/iptables: No such file or directory
#!/bin/bash > /iptables.remove

#get all current lines that have a destination port of 500
    grep dport 500 /etc/sysconfig/iptables >> /iptables.remove

#substitute the add for a delete
    sed -i 's/-A INPUT/-D INPUT/g' /iptables.remove

#set the new script as executable
    chmod 755 /iptables.remove

#process the deletes
    /iptables.remove

#get the IPs that we want to allow to destination port 500
#to the end of the INPUT section
    cat /allowed_ips | while read line
    do
    set
    iptables -A INPUT -s  -p udp -m udp --dport 500 -j ACCEPT
./mod_tables2.sh: line 32: syntax error near unexpected token `done'
./mod_tables2.sh: line 32: `    done'
0
 

Author Comment

by:projects
ID: 40487619
Strange since the file is there
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40487628
No, too many languages.  Shell variables do not take the '$' when declaring.

Change this:

 $workdir=/new/progs/iptables

To this:

 workdir=/new/progs/iptables
0
 

Author Comment

by:projects
ID: 40487668
Ok, removed $ and tried again...

# ./mod_tables2.sh

#!/bin/bash > /new/progs/iptables/iptables.remove

#get all current lines that have a destination port of 500
    grep dport 500 /etc/sysconfig/iptables >> /new/progs/iptables/iptables.remove

#substitute the add for a delete
    sed -i 's/-A INPUT/-D INPUT/g' /new/progs/iptables/iptables.remove

#set the new script as executable
    chmod 755 /new/progs/iptables/iptables.remove

#process the deletes
    /new/progs/iptables/iptables.remove

#get the IPs that we want to allow to destination port 500
#to the end of the INPUT section
    cat /new/progs/iptables/allowed_ips | while read line
    do
    set
    iptables -A INPUT -s  -p udp -m udp --dport 500 -j ACCEPT
./mod_tables2.sh: line 32: syntax error near unexpected token `done'
./mod_tables2.sh: line 32: `    done'
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40487681
can you post the script?  

it's possible that "do" and "done" may have to be completely left justified but i'd like to see it first.
0
 

Author Comment

by:projects
ID: 40488217
Sure. I had not noticed that each time the workdir was being called, there was a $ in front of them so I removed those.

#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
export PATH

workdir=/new/progs/iptables

#remove any stale file
    rm -f workdir/iptables.remove

#set the shell so we can this as a script
    echo "#!/bin/bash > workdir/iptables.remove

#get all current lines that have a destination port of 500
    grep "dport 500" /etc/sysconfig/iptables >> workdir/iptables.remove

#substitute the "add" for a "delete"
    sed -i 's/-A INPUT/-D INPUT/g' workdir/iptables.remove

#set the new script as executable
    chmod 755 workdir/iptables.remove

#process the deletes
    workdir/iptables.remove

#get the IPs that we want to allow to destination port 500
#to the end of the INPUT section
    cat workdir/allowed_ips | while read line
    do
    set $line
    iptables -A INPUT -s $line -p udp -m udp --dport 500 -j ACCEPT"
    done

#delete the reject which is above the new additions
    iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
    iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

#re-add the reject section so that it appears at the end
#of the INPUT section
    iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

#print to stdout the running configuration
    iptables-save

#save the running configuration to /etc/sysconfig/iptables
    service iptables save

#remove the completed file
    rm -f workdir/iptables.remove



Then I ran it again;

# ./mod_tables2.sh
#!/bin/bash > workdir/iptables.remove

#get all current lines that have a destination port of 500
    grep dport 500 /etc/sysconfig/iptables >> workdir/iptables.remove

#substitute the add for a delete
    sed -i 's/-A INPUT/-D INPUT/g' workdir/iptables.remove

#set the new script as executable
    chmod 755 workdir/iptables.remove

#process the deletes
    workdir/iptables.remove

#get the IPs that we want to allow to destination port 500
#to the end of the INPUT section
    cat workdir/allowed_ips | while read line
    do
    set
    iptables -A INPUT -s  -p udp -m udp --dport 500 -j ACCEPT
./mod_tables2.sh: line 32: syntax error near unexpected token `done'
./mod_tables2.sh: line 32: `    done'
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40488911
There is only no dollar sign when defining the variable.

Using the variable requires the dollar sign.
0
 

Author Comment

by:projects
ID: 40489094
Geez, that's true. Sorry, doing too many things at once last night. I'll update that again and show you the results. No need to re-post the script, it'll be the same but each workdir will be called as $workdir after the initial variable setting.

]# ./mod_tables2.sh
#!/bin/bash > /new/progs/iptables/iptables.remove

#get all current lines that have a destination port of 500
    grep dport 500 /etc/sysconfig/iptables >> /new/progs/iptables/iptables.remove

#substitute the add for a delete
    sed -i 's/-A INPUT/-D INPUT/g' /new/progs/iptables/iptables.remove

#set the new script as executable
    chmod 755 /new/progs/iptables/iptables.remove

#process the deletes
    /new/progs/iptables/iptables.remove

#get the IPs that we want to allow to destination port 500
#to the end of the INPUT section
    cat /new/progs/iptables/allowed_ips | while read line
    do
    set
    iptables -A INPUT -s  -p udp -m udp --dport 500 -j ACCEPT
./mod_tables2.sh: line 32: syntax error near unexpected token `done'
./mod_tables2.sh: line 32: `    done'
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40489150
i think a repost of the script itself is necessary.  i tested it and came up with no errors.
0
 

Author Comment

by:projects
ID: 40489157
# cat mod_tables2.sh
#!/bin/bash

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
export PATH

workdir=/new/progs/iptables

#remove any stale file
    rm -f $workdir/iptables.remove

#set the shell so we can this as a script
    echo "#!/bin/bash > $workdir/iptables.remove

#get all current lines that have a destination port of 500
    grep "dport 500" /etc/sysconfig/iptables >> $workdir/iptables.remove

#substitute the "add" for a "delete"
    sed -i 's/-A INPUT/-D INPUT/g' $workdir/iptables.remove

#set the new script as executable
    chmod 755 $workdir/iptables.remove

#process the deletes
    $workdir/iptables.remove

#get the IPs that we want to allow to destination port 500
#to the end of the INPUT section
    cat $workdir/allowed_ips | while read line
    do
    set $line
    iptables -A INPUT -s $line -p udp -m udp --dport 500 -j ACCEPT"
    done

#delete the reject which is above the new additions
    iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
    iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited

#re-add the reject section so that it appears at the end
#of the INPUT section
    iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

#print to stdout the running configuration
    iptables-save

#save the running configuration to /etc/sysconfig/iptables
    service iptables save

#remove the completed file
    rm -f $workdir/iptables.remove


0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40489215
iptables -A INPUT -s $line -p udp -m udp --dport 500 -j ACCEPT"

please remove the quote mark (") at the end of this sentence.
0
 

Author Comment

by:projects
ID: 40489474
So instead of editing anything that seems obvious to me... I've removed that one " but...

# ./mod_tables2.sh
./mod_tables2.sh: line 17: unexpected EOF while looking for matching `"'
./mod_tables2.sh: line 51: syntax error: unexpected end of file
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40489604
these lines:

    echo "#!/bin/bash > $workdir/iptables.remove
    sed -i 's/-A INPUT/-D INPUT/g' $workdir/iptables.remove

to these:
    echo "#!/bin/bash > $workdir/iptables.remove"
    sed -i 's/-A INPUT/iptables -D INPUT/g' $workdir/iptables.remove
0
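The accepted script with the follow-up fixes from the thread applied (no "$" when assigning workdir, the closing quote on the echo, no stray quote on the iptables line), rewritten as an added example that is not the script posted in the thread. It assumes the same layout as above (/etc/sysconfig/iptables, "service iptables save", a workdir of /new/progs/iptables and an allowed_ips file there); the per-line IP validation, which is what stops a blank line from turning "set $line" into a dump of every shell variable, and the --dry-run mode are additions.

```shell
#!/bin/bash
# Added example (not the script posted in the thread): rebuilds the UDP port
# 500 allow rules in the INPUT chain from $workdir/allowed_ips, with the
# follow-up fixes from the thread applied and input validation added.
# Assumes the layout used above: /etc/sysconfig/iptables and
# "service iptables save". Run as root with --apply to change the live
# rules, or with --dry-run to only print the commands that would run.
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
export PATH

workdir=${workdir:-/new/progs/iptables}   # no "$" when assigning a variable
port=500

# Accept exactly one IPv4 address or IPv4/prefix and nothing else, so that a
# blank line, a hostname or a line carrying extra tokens never reaches the
# unquoted $line on the iptables command line.
valid_ipv4_cidr() {
    local ip=$1 prefix oldifs=$IFS octet
    case $ip in
        */*) prefix=${ip#*/}; ip=${ip%%/*}
             case $prefix in ""|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    set -f; IFS=.; set -- $ip; IFS=$oldifs; set +f   # split on dots only
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ""|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Read iptables-save output (or /etc/sysconfig/iptables) on stdin and turn
# every INPUT rule for --dport $port into the matching delete command: the
# rule specification after "-A INPUT" is exactly what "iptables -D" needs.
# The trailing space in the pattern keeps "--dport 5000" from matching.
delete_commands() {
    grep -- "^-A INPUT .*--dport $port " | sed 's/^-A INPUT/iptables -D INPUT/'
}

# Read allowed_ips on stdin and emit one ACCEPT rule per valid entry.
# Blank lines are skipped (a blank line is what made "set $line" dump every
# shell variable in the thread); malformed entries are reported and skipped.
add_commands() {
    local line n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        if valid_ipv4_cidr "$line"; then
            echo "iptables -A INPUT -s $line -p udp -m udp --dport $port -j ACCEPT"
        else
            echo "allowed_ips line $n: skipping invalid entry '$line'" >&2
        fi
    done
}

# Assemble the whole change as one script: the deletes, the adds, then the
# final REJECT rules moved back below the new ACCEPT rules, as in the thread.
# $1 = file holding iptables-save output, $2 = the allowed_ips file.
build_script() {
    local chain
    echo '#!/bin/bash'
    delete_commands < "$1"
    add_commands < "$2"
    for chain in INPUT FORWARD; do
        echo "iptables -D $chain -j REJECT --reject-with icmp-host-prohibited"
        echo "iptables -A $chain -j REJECT --reject-with icmp-host-prohibited"
    done
}

if [ "${1:-}" = "--apply" ] || [ "${1:-}" = "--dry-run" ]; then
    # snapshot the running rules first; it is both the input and the rollback copy
    iptables-save > "$workdir/iptables.before" || exit 1
    tmp=$(mktemp "$workdir/iptables.change.XXXXXX") || exit 1
    build_script "$workdir/iptables.before" "$workdir/allowed_ips" > "$tmp"
    if [ "$1" = "--apply" ]; then
        bash "$tmp" && service iptables save
    else
        cat "$tmp"
    fi
    rm -f "$tmp"
fi
```

Running it with --dry-run first shows the exact iptables commands that --apply would execute, and iptables.before in the workdir is the copy to restore with iptables-restore if anything looks wrong.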
 

Author Comment

by:projects
ID: 40490019
Strange output? iptables file looks fine however.

#!/bin/bash > /new/progs/iptables/iptables.remove
BASH=/bin/bash
BASHOPTS=cmdhist:extquote:force_fignore:hostcomplete:interactive_comments:progcomp:promptvars:sourcepath
BASH_ALIASES=()
BASH_ARGC=()
BASH_ARGV=()
BASH_CMDS=()
BASH_LINENO=([0]="0")
BASH_SOURCE=([0]="./mod_tables2.sh")
BASH_VERSINFO=([0]="4" [1]="1" [2]="2" [3]="1" [4]="release" [5]="x86_64-redhat-linux-gnu")
BASH_VERSION='4.1.2(1)-release'
CVS_RSH=ssh
DIRSTACK=()
EUID=0
GROUPS=()
G_BROKEN_FILENAMES=1
HISTCONTROL=ignoredups
HISTSIZE=1000000
HISTTIMEFORMAT='%m/%d %H:%M '
HOME=/root
HOSTNAME=x.x.x
HOSTTYPE=x86_64
IFS=$' \t\n'
LANG=en_US.UTF-8
LESSOPEN='|/usr/bin/lesspipe.sh %s'
LOGNAME=root
LS_COLORS='rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=01;05;37;41:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.tbz=01;31:*.tbz2=01;31:*.bz=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=01;36:*.au=01;36:*.flac=01;36:*.mid=01;36:*.midi=01;36:*.mka=01;36:*.mp3=01;36:*.mpc=01;36:*.ogg=01;36:*.ra=01;36:*.wav=01;36:*.axa=01;36:*.oga=01;36:*.spx=01;36:*.xspf=01;36:'
MACHTYPE=x86_64-redhat-linux-gnu
MAIL=/var/spool/mail/root
OPTERR=1
OPTIND=1
OSTYPE=linux-gnu
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
PIPESTATUS=([0]="0")
PPID=21457
PS4='+ '
PWD=/new/progs/iptables
SHELL=/bin/bash
SHELLOPTS=braceexpand:hashall:interactive-comments
SHLVL=2
SSH_CLIENT='x.x.x.x'
SSH_CONNECTION='x.x.x.x 19141 x.x.x.x '
SSH_TTY=/dev/pts/4
TERM=xterm
UID=0
USER=root
_=line
line=
workdir=/new/progs/iptables
Bad argument `udp'
Try `iptables -h' or 'iptables --help' for more information.
# Generated by iptables-save v1.4.7 on Tue Dec  9 14:59:31 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-NoScript - [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j fail2ban-NoScript
-A INPUT -s 5.135.162.190/32 -j DROP
-A INPUT -s 14.63.212.77/32 -j DROP
-A INPUT -s 14.63.170.53/32 -j DROP
-A INPUT -s 67.231.240.190/32 -j DROP
-A INPUT -s 74.62.91.27/32 -j DROP
-A INPUT -s 103.7.40.10/32 -j DROP
-A INPUT -s 103.15.64.18/32 -j DROP
-A INPUT -s 107.23.208.48/32 -j DROP
-A INPUT -s 107.23.240.102/32 -j DROP
-A INPUT -s 109.200.1.213/32 -j DROP
-A INPUT -s 110.82.165.189/32 -j DROP
-A INPUT -s 112.78.8.80/32 -j DROP
-A INPUT -s 112.78.197.217/32 -j DROP
-A INPUT -s 125.253.122.137/32 -j DROP
-A INPUT -s 146.0.73.0/24 -j DROP
-A INPUT -s 146.0.74.0/24 -j DROP
-A INPUT -s 173.239.5.252/32 -j DROP
-A INPUT -s 176.62.198.186/32 -j DROP
-A INPUT -s 178.18.130.140/32 -j DROP
-A INPUT -s 192.69.223.70/32 -j DROP
-A INPUT -s 192.99.39.158/32 -j DROP
-A INPUT -s 216.240.36.214/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 1000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 3000 -j ACCEPT
-A INPUT -s x.x.x.x/32 -p tcp -m state --state NEW -m tcp --dport 4000 -j ACCEPT
-A INPUT -s 5.6.7.8/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 6.7.8.9/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 7.8.9.10/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 8.9.10.11/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A fail2ban-NoScript -j RETURN
COMMIT
# Completed on Tue Dec  9 14:59:31 2014
# Generated by iptables-save v1.4.7 on Tue Dec  9 14:59:31 2014
*mangle
:PREROUTING ACCEPT [7570131:1170227911]
:INPUT ACCEPT [7570131:1170227911]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8024987:3617926243]
:POSTROUTING ACCEPT [8024987:3617926243]
COMMIT
# Completed on Tue Dec  9 14:59:31 2014
# Generated by iptables-save v1.4.7 on Tue Dec  9 14:59:31 2014
*nat
:PREROUTING ACCEPT [1229231:76786011]
:POSTROUTING ACCEPT [17018:1064916]
:OUTPUT ACCEPT [17018:1064916]
COMMIT
# Completed on Tue Dec  9 14:59:31 2014
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]


0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40490028
you're seeing the shell variables.  the output looks good but i'm puzzled about the "udp" error toward the top.
0
 

Author Comment

by:projects
ID: 40490043
Maybe we should not remove the iptables.remove file and see what is in it? Aren't you sending #!/bin/bash into it?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40490049
yes, that's the first echo statement.  

i am curious.
0
 

Author Comment

by:projects
ID: 40490052
Tried it, nothing weird in the file, just the new port 500 rules.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40490068
it should be good but obviously keep an eye on it.
0
 

Author Comment

by:projects
ID: 40490072
Doesn't seem like a good idea to have it spewing all that system info :)
I'd like to know why it's doing it to be sure it's safe and really, to stop it from doing it.
0
 

Author Comment

by:projects
ID: 40491175
I want to accept this as the solution but I just want to get rid of the weird shell variables showing up before I do so that anyone else could use this if needed.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40491388
do you have an extra blank line or lines in your allowed_ips file?
0
 

Author Comment

by:projects
ID: 40492826
Indeed, there certainly is.
0
 

Author Comment

by:projects
ID: 40492830
However, that was a hand made file.
The actual file being generated works perfectly.

Thanks so very much for sticking to this!
0
 

Author Closing Comment

by:projects
ID: 40492831
Works perfectly and nice to see someone stick to a question like that. Thanks!
0
