Bourne shell script to check if iptables & ipfilter are running & if so add rules

Need a Bourne Shell script to do the following:

RHEL5/6  & SuSE
=============
Check if iptables is running & if so, add in the following rule
a) permit a rule to allow Tcp4120 from current server to 172.11.3.30 & to 172.11.3.31
b) permit a rule to allow Tcp4118 from 172.11.3.30 and .31 to the current server

Solaris 10 x86
===========
Check if ipfilter is running & if so, add in the following rule
c) permit a rule to allow Tcp4120 from current server to 172.11.3.30 & to 172.11.3.31
d) permit a rule to allow Tcp4118 from 172.11.3.30 and .31 to the current server
sunhuxAsked:
gheistCommented:
The best is to patch config file and completely reload iptables. That approach will make sure it persists on reboot.
Face the fact - you need two scripts, and there is no sane reason to use bourne shell when you have PERL on both platforms.
0
sunhuxAuthor Commented:
Ok, Perl or Korn scripts are fine too
0
gheistCommented:
Lets face the truth - it is not simple to do even manually, and such script does not exist.
1) you need to patch and reload ipf.conf (if it was loaded and if file on disk is in sync with in-memory config)
2) on Linux you need to detect if iptables are loaded and filtering anything, then guess if it is configured using defaults/sysconfig or ufw or firewalld, then accordingly make permanent configuration.
0
sunhuxAuthor Commented:
For Linux, Can't we do something like:

service iptables status > /tmp/iptable.status
grep -i running /tmp/iptable.status
if [ $? -eq 0 ]
  then
    echo "iptables is running"
  else
    echo "iptables not running"
fi
0
gheistCommented:
It will work for narrow case of RHEL5 and RHEL6, in case you detect one from /etc/redhat-release (or respective SL/OEL/CentOS) then you can just patch /etc/sysconfig/firewall the way system-config-* would do and indeed it will work.
0
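A Bourne shell version of the RHEL side, added here as an example that is not from the thread: it tests the iptables service by exit status rather than by grepping for "running" (the status wording differs between releases and the stopped message can itself contain "running"), inserts the two rules only when iptables-save does not already list them, and saves the ruleset for reboot. Assumed: the peers and ports from the question, RHEL-style service commands (SuSE is not covered), and that nothing is changed unless the script is run with the argument apply.

```shell
#!/bin/sh
# Added example (not from the thread), RHEL5/6 only: SuSE's SuSEfirewall2
# is not handled. Peers and ports are the ones from the question.
# Prints the rules unless invoked as:  sh addrules.sh apply
PEERS="172.11.3.30 172.11.3.31"
OUT_PORT=4120   # this host -> peers
IN_PORT=4118    # peers -> this host

# Rule in iptables-save spelling (address before -p, "-m tcp" present) so
# one string both matches iptables-save output and is accepted by iptables.
rule_spec() {   # $1 = in|out, $2 = peer address
    case $1 in
        out) echo "OUTPUT -d $2 -p tcp -m tcp --dport $OUT_PORT -j ACCEPT" ;;
        in)  echo "INPUT -s $2 -p tcp -m tcp --dport $IN_PORT -j ACCEPT" ;;
    esac
}

# 0 if the ruleset text on stdin (iptables-save format) already holds the
# rule; "/32" is stripped first so both spellings of a host address match.
ruleset_has() {
    sed 's|/32||g' | grep -qxF -- "-A $1"
}

# Use the init script's exit status, not its text: the wording differs
# between releases and the stopped message can itself contain "running".
iptables_running() {
    service iptables status >/dev/null 2>&1
}

# -I rather than -A: RHEL's default INPUT chain ends with a REJECT, so a
# rule appended after it would never be reached. Then persist for reboot.
apply_rules() {
    for peer in $PEERS; do
        for dir in out in; do
            spec=$(rule_spec $dir "$peer")
            if iptables-save | ruleset_has "$spec"; then
                echo "already present: $spec"
            else
                iptables -I $spec    # word splitting of $spec is intended
            fi
        done
    done
    service iptables save    # writes /etc/sysconfig/iptables
}

if [ "${1:-}" = "apply" ]; then
    if iptables_running; then apply_rules; else echo "iptables not running, nothing done" >&2; fi
else
    for peer in $PEERS; do rule_spec out "$peer"; rule_spec in "$peer"; done
fi
```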
sunhuxAuthor Commented:
Ok how do we patch /etc/sysconfig/firewall   to
permit Tcp4120 from current server to  a.b.c.d  & e.f.g.h   and
permit Tcp4118 from a.b.c.d & e.f.g.h to the current server?

Pls provide exact command syntax
0
sunhuxAuthor Commented:
What about for Solaris x86  ipfilter?  What's the syntax?
0
sunhuxAuthor Commented:
So what's the exact command syntax to add to /etc/sysconfig/firewall to
permit tcp4120 outgoing &
permit tcp4118 incoming.

What's the syntax for Solaris x86  ipfilter?
0
gheistCommented:
It is anything iptables-save can make.
0
sunhuxAuthor Commented:
I'm not referring to iptables in Solaris but ipfilter as it's the default firewall in our Solaris 10 x86
VMs.

I'm referring to examples in links below but I'm still confused:
  http://docs.oracle.com/cd/E23824_01/html/821-1453/ipfilter-admin-2.html
  http://docs.oracle.com/cd/E23824_01/html/821-1453/eubbd.html


Q1:
So do I just add the following lines to the top (not the bottom, right? )  of /etc/ipf/ipf.conf  ?
  pass in log (quick) on "all_interfaces" proto tcp from 172.21.a.b to "all_interfaces" port = 4118 keep state
  pass out log (quick) on "all_interfaces" proto tcp from "all_interfaces" to 172.21.a.b port = 4120 keep state

Q2:
What's the purpose of "quick" in the above rules?  What's the difference if it's absent or
present?

Q3:
As our Solaris x86 VMs have about four interfaces, can someone substitute "all_interfaces" in the
above rules with actual global value: I reckon there must be an actual Solaris implementation
value that refers to "all interfaces";  if there's none, let me know so that I can repeat it four times
for all the four interfaces

Q4:
What's the purpose of "keep state"?  is it needed in my case?

Q5:
if ipf.conf is not present in /etc/ipf  folder, does this mean ipfilter (as given by 'svcs -a |grep -i ipfilter')
is offline?

Q6:
if it's offline & I just create the absent ipf.conf file anyway so that one day if ipfilter is onlined/used,
the rules will already be there?  If ipfilter is offline, no harm creating ipf.conf, right?
Did I miss out anything in my assumptions?
0
gheistCommented:
Manual installed on the system should have answered your question long ago:
http://docs.oracle.com/cd/E23824_01/html/821-1453/euqex.html
0
sunhuxAuthor Commented:
Ok, I'm dim;  kindly answer my questions Q1 to Q6 exactly esp Q1 & Q2 on the exact
syntax / commands to be entered.

The Oracle links are still too 'cryptic'/unfriendly to me
0
gheistCommented:
You need to use human eye to follow logic of IPF.conf, you cannot add one line that does it all.
A1-A4: I insist that you read manual of ipf.conf before editing it
A5: No, you can load IPF module and rules in other way
A6: You need to allow SSH in at least, but no harm in it.
0
sunhuxAuthor Commented:
The oracle URL is either not clear or missing what does "keep state" mean
& it does not give an example of what's the term to use for "all_interfaces"
0
gheistCommented:
Alias for all interfaces is nothing.... i.e just dont filter packets by interface...
0
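The Solaris 10 ipfilter side, added here as an example that is not from the thread: it writes the two rules with no "on <interface>" clause (so they apply on every interface, the "all_interfaces" asked about above), puts them at the top of ipf.conf because they use quick, checks the service state through SMF rather than by whether ipf.conf exists, and reloads the file. Assumed: the peers and ports from the question, Solaris's svcs and ipf commands, and that nothing is changed unless the script is run with the argument apply.

```shell
#!/bin/sh
# Added example (not from the thread), Solaris 10 ipfilter side. Peers and
# ports are the ones from the question. Rules carry no "on <if>" clause, so
# they apply on every interface. Prints the rules unless run with: apply
PEERS="172.11.3.30 172.11.3.31"
OUT_PORT=4120   # this host -> peers
IN_PORT=4118    # peers -> this host
CONF=/etc/ipf/ipf.conf

# "quick": stop at this rule (ipf otherwise takes the LAST match), so these
# must sit above any general "block" rule. "keep state": reply packets pass
# without a second rule. "flags S": make the state entry only on the SYN.
ipf_rule() {   # $1 = in|out, $2 = peer address
    case $1 in
        in)  echo "pass in quick proto tcp from $2 to any port = $IN_PORT flags S keep state" ;;
        out) echo "pass out quick proto tcp from any to $2 port = $OUT_PORT flags S keep state" ;;
    esac
}

# 0 if the rule is not yet in the config file (a missing file counts too).
rule_missing() {   # $1 = rule text, $2 = config file
    [ -f "$2" ] && grep -qxF -- "$1" "$2" && return 1
    return 0
}

# A missing ipf.conf says nothing about the service: ask SMF instead.
ipfilter_online() {
    [ "$(svcs -H -o state ipfilter 2>/dev/null)" = "online" ]
}

# Put the missing rules at the top (quick rules first), then reload the
# whole file so the in-kernel ruleset matches what is on disk.
apply_rules() {
    tmp=$(mktemp) || exit 1
    for peer in $PEERS; do
        for dir in in out; do
            rule=$(ipf_rule $dir "$peer")
            rule_missing "$rule" "$CONF" && echo "$rule" >> "$tmp"
        done
    done
    [ -f "$CONF" ] && cat "$CONF" >> "$tmp"
    cp "$tmp" "$CONF" && rm -f "$tmp"
    ipf -Fa -f "$CONF"
}

if [ "${1:-}" = "apply" ]; then
    if ipfilter_online; then apply_rules; else echo "ipfilter not online, nothing done" >&2; fi
else
    for peer in $PEERS; do ipf_rule in "$peer"; ipf_rule out "$peer"; done
fi
```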