sunhux
asked on
Bourne shell script to check if iptable & ipfilter is running & if so add rules
Need a Bourne Shell script to do the following:
RHEL5/6 & SuSE
=============
Check if iptables is running & if so, add in the following rule
a) permit a rule to allow Tcp4120 from current server to 172.11.3.30 & to 172.11.3.31
b) permit a rule to allow Tcp4118 from 172.11.3.30 and .31 to the current server
Solaris 10 x86
===========
Check if ipfilter is running & if so, add in the following rule
c) permit a rule to allow Tcp4120 from current server to 172.11.3.30 & to 172.11.3.31
d) permit a rule to allow Tcp4118 from 172.11.3.30 and .31 to the current server
ASKER
Ok, Perl or Korn scripts are fine too
SOLUTION
ASKER
For Linux, can't we do something like:
# The status text differs between releases (RHEL 6 prints "Firewall is not running."
# when stopped, which a grep for "running" would also match), so test the exit status.
service iptables status > /tmp/iptable.status 2>&1
if [ $? -eq 0 ]
then
    echo "iptables is running"
else
    echo "iptables not running"
fi
SOLUTION
ASKER
Ok how do we patch /etc/sysconfig/firewall to
permit Tcp4120 from current server to a.b.c.d & e.f.g.h and
permit Tcp4118 from a.b.c.d & e.f.g.h to the current server?
Pls provide exact command syntax
ASKER
What about for Solaris x86 ipfilter? What's the syntax?
ASKER
So what's the exact command syntax to add to /etc/sysconfig/firewall to
permit tcp4120 outgoing &
permit tcp4118 incoming.
What's the syntax for Solaris x86 ipfilter?
It is anything iptables-save can make.
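An added example for the Linux half of the question (it is not a script from this thread and not any expert's posted solution): a POSIX sh script that checks whether the iptables service is up on RHEL 5/6 or SuSE and, only then, adds the four rules (TCP 4120 out to the two peers, TCP 4118 in from them), skipping rules that are already loaded. The peer addresses and ports are the ones from the question; the init-script names, the assumption that it runs as root, and the file name used in the guard at the bottom are mine.

```shell
#!/bin/sh
# Added example, not a script from this thread. Checks whether iptables is up on
# RHEL 5/6 or SuSE and, if so, adds the two rules from the question without creating
# duplicates. Peer addresses and ports come from the question; the init-script names
# (service iptables, rcSuSEfirewall2) are assumed, as is running this as root.

PEERS="172.11.3.30 172.11.3.31"
OUT_PORT=4120   # this host -> peers
IN_PORT=4118    # peers -> this host

# 0 when the distro's firewall service reports itself running. The exit status is
# used rather than the status text, which differs between releases.
iptables_running() {
    if [ -x /etc/init.d/iptables ]; then
        service iptables status >/dev/null 2>&1
    elif [ -x /sbin/rcSuSEfirewall2 ]; then
        /sbin/rcSuSEfirewall2 status >/dev/null 2>&1
    else
        return 1
    fi
}

# One rule per peer and direction, written the way iptables-save prints rules,
# so the same string can be handed to iptables and searched for in a dump.
needed_rules() {
    for p in $PEERS; do
        echo "-A OUTPUT -d $p/32 -p tcp -m tcp --dport $OUT_PORT -j ACCEPT"
        echo "-A INPUT -s $p/32 -p tcp -m tcp --dport $IN_PORT -j ACCEPT"
    done
}

# rule_present DUMP RULE: 0 if RULE already appears in the iptables-save output DUMP.
# Older iptables (RHEL 5) saves single hosts without the /32 suffix, so the suffix
# is optional in the pattern.
rule_present() {
    pat=$(printf '%s\n' "$2" | sed -e 's/\./\\./g' -e 's#/32#(/32)?#g')
    printf '%s\n' "$1" | grep -Eq -- "^${pat}\$"
}

# Add every rule from needed_rules that the running configuration lacks.
add_missing_rules() {
    dump=$(iptables-save 2>/dev/null)
    needed_rules | while read -r rule; do
        if rule_present "$dump" "$rule"; then
            echo "present: $rule"
        else
            echo "adding:  $rule"
            iptables $rule   # unquoted on purpose: the rule is a list of arguments
        fi
    done
}

main() {
    if iptables_running; then
        add_missing_rules
        # RHEL: persist the live rules to /etc/sysconfig/iptables. SuSEfirewall2
        # regenerates its rules from /etc/sysconfig/SuSEfirewall2 on restart, so on
        # SuSE the rules added here stay live only until the next restart.
        if [ -x /etc/init.d/iptables ]; then
            service iptables save
        fi
    else
        echo "iptables is not running; nothing changed" >&2
    fi
}

# Run directly as iptables-peer-rules.sh to apply; sourcing the file only defines the functions.
case "$0" in
    *iptables-peer-rules.sh) main ;;
esac
```

The rules are generated in iptables-save form on purpose: that is the exact syntax the reply above refers to, and it lets the script use one string both for the idempotency check against the dump and as the argument list for iptables. Rules are appended with -A, so if the INPUT or OUTPUT chain ends in a catch-all REJECT/DROP rule (the RHEL default does for INPUT) they must be inserted above it with -I instead.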
ASKER
I'm not referring to iptables in Solaris but ipfilter, as it's the default firewall in our Solaris 10 x86 VMs.
I'm referring to the examples in the links below but I'm still confused:
http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html
http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html
Q1:
So do I just add the following lines to the top (not the bottom, right?) of /etc/ipf/ipf.conf?
pass in log (quick) on "all_interfaces" proto tcp from 172.21.a.b to "all_interfaces" port = 4118 keep state
pass out log (quick) on "all_interfaces" proto tcp from "all_interfaces" to 172.21.a.b port = 4120 keep state
Q2:
What's the purpose of "quick" in the above rules? What's the difference if it's absent or present?
Q3:
As our Solaris x86 VMs have about four interfaces, can someone substitute "all_interfaces" in the above rules with the actual global value? I reckon there must be an actual Solaris implementation value that refers to "all interfaces"; if there's none, let me know so that I can repeat it four times for all four interfaces.
Q4:
What's the purpose of "keep state"? Is it needed in my case?
Q5:
If ipf.conf is not present in the /etc/ipf folder, does this mean ipfilter (as given by 'svcs -a | grep -i ipfilter') is offline?
Q6:
If it's offline, can I just create the absent ipf.conf file anyway, so that one day if ipfilter is onlined/used, the rules will already be there? If ipfilter is offline, no harm creating ipf.conf, right?
Did I miss out anything in my assumptions?
SOLUTION
ASKER
Ok, I'm dim; kindly answer my questions Q1 to Q6 exactly, esp. Q1 & Q2 on the exact syntax / commands to be entered.
The Oracle links are still too 'cryptic'/unfriendly to me.
ASKER CERTIFIED SOLUTION
ASKER
The Oracle URL is either not clear or missing what "keep state" means, & it does not give an example of what term to use for "all_interfaces".
Alias for all interfaces is nothing... i.e. just don't filter packets by interface...
Face the fact - you need two scripts, and there is no sane reason to use bourne shell when you have PERL on both platforms.
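An added example for the Solaris half (not a script from this thread and not the certified solution, which is not visible here), covering the asker's Q1 to Q6: a Korn shell script (the asker said Korn is fine; Solaris 10's /bin/sh is the old Bourne shell and lacks $(...)) that checks the ipfilter SMF service state with svcs and, only when it is online, inserts the two rules at the top of /etc/ipf/ipf.conf and reloads them. As the reply above says, there is no all-interfaces alias: leaving the "on <interface>" clause out makes a rule apply on every interface. The peer addresses and ports are from the question; the file and service names are the standard Solaris 10 ones, and the script assumes it runs as root.

```shell
#!/bin/ksh
# Added example, not a script from this thread. Checks whether the ipfilter SMF
# service is online and, if so, inserts the two rules from the question at the top of
# /etc/ipf/ipf.conf and reloads the rule set. Peer addresses and ports come from the
# question; file and service names are the standard Solaris 10 ones; runs as root.

PEERS="172.11.3.30 172.11.3.31"
OUT_PORT=4120      # this host -> peers
IN_PORT=4118       # peers -> this host
IPF_CONF=/etc/ipf/ipf.conf
GREP=${GREP:-grep} # on Solaris set GREP=/usr/xpg4/bin/grep, which understands -Fqx

# ipf_online STATE: 0 when STATE, as printed by "svcs -H -o state ipfilter", is "online".
ipf_online() {
    [ "$1" = "online" ]
}

# The rules. No "on <interface>" clause, so they match on every interface (there is
# no all-interfaces alias to substitute; leaving the clause out is how it is said).
# "quick" makes the first matching rule final instead of ipfilter's default
# last-match-wins, which is why the rules go at the top of the file.
# "keep state" lets the reply packets of an accepted connection through without a
# second rule for the reverse direction; "flags S" creates that state only on the
# initial SYN.
ipf_rules() {
    for p in $PEERS; do
        echo "pass in quick proto tcp from $p to any port = $IN_PORT flags S keep state"
        echo "pass out quick proto tcp from any to $p port = $OUT_PORT flags S keep state"
    done
}

# rule_in_conf CONF RULE: 0 if RULE already appears as a whole line of CONF.
rule_in_conf() {
    printf '%s\n' "$1" | $GREP -Fqx -- "$2"
}

# missing_rules CONF: print the rules that CONF does not yet contain.
missing_rules() {
    ipf_rules | while read -r rule; do
        rule_in_conf "$1" "$rule" || echo "$rule"
    done
}

main() {
    state=$(svcs -H -o state ipfilter 2>/dev/null)
    if ! ipf_online "$state"; then
        echo "ipfilter is ${state:-not installed}; nothing changed" >&2
        return 0
    fi
    # A missing ipf.conf does not by itself mean the service is offline (the svcs
    # state above answers that); it just means no rules have been written yet.
    [ -f "$IPF_CONF" ] || touch "$IPF_CONF"
    tmp=$(mktemp /tmp/ipf.conf.XXXXXX) || return 1
    # New rules first, then the existing file, so the "quick" rules are seen first.
    { missing_rules "$(cat "$IPF_CONF")"; cat "$IPF_CONF"; } > "$tmp" &&
        cp "$tmp" "$IPF_CONF"
    rm -f "$tmp"
    # -Fa flushes the active rule set, -f loads the whole file again.
    ipf -Fa -f "$IPF_CONF"
}

# Run directly as ipf-peer-rules.sh to apply; sourcing the file only defines the functions.
case "$0" in
    *ipf-peer-rules.sh) main ;;
esac
```

Because the new rules carry "quick" and are placed first, a catch-all such as "block in all" lower in the file cannot override them, whereas the same rules appended at the bottom would be skipped for any packet already matched by an earlier "block ... quick". Creating ipf.conf while the service is offline does nothing until the service is enabled, which is why the script refuses to touch the file in that state: the rules it would write are only worth anything once they are loaded and reviewed together with whatever default policy the file then gets.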