Category: Shell

Checks the Linux supported release

3.1.1.005-GEN000100.bash

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

 
#!/bin/bash
# Copyright (C) 2011 simonalsa
# http://www.simonalsa.com
# Author Simon Alonso Sanchez <simonalsa@simonalsa.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; version 2
# of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 
 
# Security Technical Implementation Guide (STIG)
# Security Readiness Review (SRR)
# Tested in GNU/Linux Debian distribution
 
# STIG|SRR definition
NUMBER="3.1.1.005"
LABEL="GEN000100"
 
# Section:
SECTION="Linux overview and site information"
 
# Process:
PROCESS="Operating system"
 
# Description:
DESCRIPTION="Checks the Linux supported release"
 
# Include global preferences
if [ -e $PWD/preferences.cfg ]; then
        source $PWD/preferences.cfg
else
        echo -e "Can not include the global preferences at $PWD/preferences.cfg \r"
        exit
fi
 
# Include local preferences
if [ -e $PWD/$NUMBER-$LABEL.prefs ]; then
        source $PWD/$NUMBER-$LABEL.prefs
else
        echo -e "Can not include the local preferences at $PWD/$NUMBER-$LABEL.prefs \r"
        exit
fi
 
# Section.Description
echo -e "STIG|SRR definition \r"
echo -e "\t Number: $NUMBER \r"
echo -e "\t Label: $LABEL \r"
echo -e "\t Section: $SECTION \r"
echo -e "\t Process: $PROCESS \r"
echo -e "\t Description: $DESCRIPTION \r"
echo -e "\r"
 
# Perform
 
if [ -x $CMD_LSB_RELEASE ]; then
 
        CMD=$($CMD_LSB_RELEASE -d -s)
        if [ $? -eq 0 ]; then
                echo -e "Linux LSB release: \r"
                echo -e "\t $CMD \r"
        else
                echo -e "Can not locate the Linux LSB release \r"
        fi
else
        echo -e "Can not locate the $CMD_LSB_RELEASE in the filesystem \r"
        exit
fi
 
 
if [ -x $CMD_UNAME ]; then
        CMD=$($CMD_UNAME)
        if [ $? -eq 0 ]; then
                KERNEL_NAME=$($CMD_UNAME --kernel-name)
                KERNEL_RELEASE=$($CMD_UNAME --kernel-release)
                KERNEL_VERSION=$($CMD_UNAME --kernel-version)
                KERNEL_MACHINE=$($CMD_UNAME --machine)
                KERNEL_PROCESSOR=$($CMD_UNAME --processor)
                KERNEL_HARDWARE=$($CMD_UNAME --hardware-platform)
                KERNEL_OS=$($CMD_UNAME --operating-system)
 
                echo -e "Kernel release: \r"
                echo -e "\t Name: $KERNEL_NAME \r"
                echo -e "\t Release: $KERNEL_RELEASE \r"
                echo -e "\t Version: $KERNEL_VERSION \r"
                echo -e "\t Machine: $KERNEL_MACHINE \r"
                echo -e "\t Processor: $KERNEL_PROCESSOR \r"
                echo -e "\t Hardware: $KERNEL_HARDWARE \r"
                echo -e "\t Operating system: $KERNEL_OS \r"
 
        else
                echo -e "Can not locate the Linux Kernel release \r"
        fi
else
        echo -e "Can not locate the $CMD_UNAME in the filesystem \r"
        exit
fi
 
echo -e "\r"

3.1.1.005-GEN000100.bash

 

1

# Nothing

 

Sample output

simonalsa@Desktop-01:~/$ bash 3.1.1.005-GEN000100.bash
STIG|SRR definition
         Number: 3.1.1.005
         Label: GEN000100
         Section: Linux overview and site information
         Process: Operating system
         Description: Checks the Linux supported release

Linux LSB release:
         Debian GNU/Linux 6.0.3 (squeeze)
Kernel release:
         Name: Linux
         Release: 2.6.32-5-amd64
         Version: #1 SMP Thu Nov 3 03:41:26 UTC 2011
         Machine: x86_64
         Processor: unknown
         Hardware: unknown
         Operating system: GNU/Linux
 

Tags: , , , , ,

categories Debian, Linux, Programación, Scripting, Scripts, Security, Shell, SRR, STIG | | datetime January 26, 2012 9:24 pm | comments Comments (0)

Bash shell script for test the availability about commands in the filesystem

The objective is the reuse about variables and why not all GNU/Linux distributions installs the commands by default in the same place

I am going to allocate  a variable per each different command. This file will be included in other shell scripts.

preferences.cfg

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

CMD_AWK="/usr/bin/awk"
CMD_CAT="/bin/cat"
CMD_CHGRP="/bin/chgrp"
CMD_CHMOD="/bin/chmod"
CMD_DD="/bin/dd"
CMD_DIFF="/usr/bin/diff"
CMD_ECHO="/bin/echo"
CMD_FIND="/usr/bin/find"
CMD_GREP="/bin/grep"
CMD_LAST="/usr/bin/last"
CMD_LASTB="/usr/bin/lastb"
CMD_LS="/bin/ls"
CMD_LSB_RELEASE="/usr/bin/lsb_release"
CMD_MKDIR="/bin/mkdir"
CMD_MKFS="/sbin/mkfs.ext2"
CMD_MKNOD="/bin/mknod"
CMD_MOUNT="/bin/mount"
CMD_MYSQL="/usr/bin/mysql"
CMD_PHP="/usr/bin/php5"
CMD_SED="/bin/sed"
CMD_SEQ="/usr/bin/seq"
CMD_SORT="/usr/bin/sort"
CMD_STAT="/usr/bin/stat"
CMD_TAIL="/usr/bin/tail"
CMD_TOUCH="/bin/touch"
CMD_TUNE2FS="/sbin/tune2fs"
CMD_UNAME="/bin/uname"
CMD_YES="/usr/bin/yes"
CMD_WC="/usr/bin/wc"

 

This shell script "preferences.bash" checks the availability about each command defined in the variables saved in the data file "preferences.cfg".

preferences.bash

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

#!/bin/bash
# Check the availability about the commands that will be used
 
# Include global preferences
source $PWD/preferences.cfg
 
CMD=$($CMD_CAT $PWD/preferences.cfg)
 
echo -e &quot;Check the availability about the commands that will be used \r&quot;
 
# Checks if path is ok
for line in $CMD;
do
        TEST=$($CMD_ECHO &quot;$line&quot; | $CMD_AWK -F= '{ print $2 }' | $CMD_SED 's/&quot;//g')
 
        echo -n &quot;&quot;
        if [ -e $TEST ]; then
                echo -n &quot;[Passed]&quot;
        else
                echo -n &quot;[Failed]&quot;
        fi
 
        echo -n &quot; ... $TEST&quot;
        echo -e &quot;\r&quot;
done;

 

Sample output

Check the availability about the commands that will be used
[Passed] … /usr/bin/awk
[Passed] … /bin/cat
[Passed] … /bin/chgrp
[Passed] … /bin/chmod
[Passed] … /bin/dd
[Passed] … /usr/bin/diff
[Passed] … /bin/echo
[Passed] … /usr/bin/find
[Passed] … /bin/grep
[Passed] … /usr/bin/last
[Passed] … /usr/bin/lastb
[Passed] … /bin/ls
[Passed] … /usr/bin/lsb_release
[Passed] … /bin/mkdir
[Passed] … /sbin/mkfs.ext2
[Passed] … /bin/mknod
[Passed] … /bin/mount
[Failed] … /usr/bin/mysql
[Failed] … /usr/bin/php5
[Passed] … /bin/sed
[Passed] … /usr/bin/seq
[Passed] … /usr/bin/sort
[Passed] … /usr/bin/stat
[Passed] … /usr/bin/tail
[Passed] … /bin/touch
[Passed] … /sbin/tune2fs
[Passed] … /bin/uname
[Passed] … /usr/bin/yes
[Passed] … /usr/bin/wc
 

Tags: , , , , ,

categories Linux, Programación, Scripting, Scripts, Security, Shell, SRR, STIG | | datetime 8:21 pm | comments Comments (0)

Xen XCP Backup/export all the virtual machines that are in halted state availables in Xen XCP’s domain

This script export all the virtual machines that are in halted state availables in Xen XCP’s domain.

The process is simple. Exports the virtual machine to the filesystem and compress the exported virtual machine into the filesystem. Repeat the process for each one virtual machine available in the Xen XCP’s domain.

Finally (as you want) shut down the host

Backup.bash

      1 #/bin/bash
      2
      3 DATESTAMP=$(date +%F)
      4
      5 UUIDS=$(xe vm-list | grep uuid | awk -F: ‘ { print $2 }’ | sed ‘s/ //g’)
      6
      7 for UUID in $UUIDS
      8 do
      9         NAME=$(xe vm-list uuid=$UUID | grep name | awk -F: ‘ { print $2 }’ | sed ‘s/ //g’)
     10         if [ $NAME != "Controldomainonhost" ]; then
     11                 xe vm-export filename=/backup/$UUID\_$NAME\_$DATESTAMP.xva uuid=$UUID
     12                 if [ $? -eq 0 ]; then
     13                         echo -e "The virtual machine $NAME has been exported"
     14                 else
     15                         echo -e "Can not export the virtual machine $NAME"
     16                 fi
     17
     18                 gzip -9 /backup/$UUID\_$NAME\_$DATESTAMP.xva
     19                 rm -f /backup/$UUID\_$NAME\_$DATESTAMP.xva
     20         fi
     21 done
     22
     23
     24 shutdown -h now
 

Result

[root@thor 20120118]# ls -lh *.gz | awk ‘{ print $9,"(",$5,")" }’
10761c7f-70a2-1263-43d4-53fdd059cf81_Log-Server-1.0_2012-01-18.xva.gz ( 417M )
16d0b2d3-51c1-e692-7f90-2473277b0f50_Web-Server-2.0_2012-01-18.xva.gz ( 1.1G )
1b8feb8e-04fe-2a4e-5716-dde1e375b2f9_LDAP-Server-2.0_2012-01-18.xva.gz ( 394M )
3e7ae452-52fb-7f3b-b105-087981a8a8b0_Application-Server-01_2012-01-18.xva.gz ( 994M )
46f069fb-0ca1-cbb0-d64c-2a5ea1d2a4bb_File-Server-2.0_2012-01-18.xva.gz ( 37G )
526e3294-b61b-7c39-debb-325d238c85f9_DNS-Server-1.0_2012-01-18.xva.gz ( 731M )
668d4e9b-cb44-24f7-7d23-2e0efc6627c3_Sql-Server-1.0_2012-01-18.xva.gz ( 7.4G )
6a7bea88-8b49-bc77-6cc9-06601aea6eaf_XCP-Server-1.1_2012-01-18.xva.gz ( 515M )
88357478-ac9e-51d1-b27d-2a9da6d75a3d_LDAP-Server-1.0_2012-01-18.xva.gz ( 380M )
910cbd07-3dde-974d-5595-3021103ad656_File-Server-1.0_2012-01-18.xva.gz ( 78G )
9e07177c-5bee-61a3-f743-6675f6a6a81e_DNS-Server-2.0_2012-01-18.xva.gz ( 435M )
f8c2291a-a387-69ca-a95e-e0383f717f83_Debian-Desktop-1.0_2012-01-18.xva.gz ( 1.1G )
 

 

Tags: , , , , , ,

categories Linux, Programación, Scripting, Scripts, Shell, Virtualization, XEN | | datetime January 19, 2012 8:54 pm | comments Comments (1)

Xen XCP Shutdown all virtual machines which are running and are using the Xen XCP’s guest tools

This simple script lets read the uuid and name about each Xen XCP’s VM and shutdown one by one if the Xen Guest Tools are installed in each VM

Take care about NFS’s mounts because if the NFS server goes offline before the NFS clients then you must stop the services manually before the shutdown process will be effective

The script must be runned as Xen XCP domain administrator privileges

 

Shutdown.bash

      1 #/bin/bash
      2
      3 DATESTAMP=$(date +%F)
      4
      5 UUIDS=$(xe vm-list | grep uuid | awk -F: ‘ { print $2 }’ | sed ‘s/ //g’)
      6
      7 for UUID in $UUIDS
      8 do
      9         NAME=$(xe vm-list uuid=$UUID | grep name | awk -F: ‘ { print $2 }’ | sed ‘s/ //g’)
     10         if [ $NAME != "Controldomainonhost" ]; then
     11                 xe vm-shutdown uuid=$UUID
     12                 if [ $? -eq 0 ]; then
     13                         echo -e "The virtual machine $NAME has been stopped"
     14                 else
     15                         echo -e "Can not stop the virtual machine $NAME"
     16                 fi
     17         fi
     18 done
     19
     20
     21 #shutdown -h now
 

Console stdout

[root@thor Script]# bash Shutdown.bash
The virtual machine Application-Server-01 has been stopped
The virtual machine LDAP-Server-1.0 has been stopped
The virtual machine LDAP-Server-2.0 has been stopped
The virtual machine File-Server-1.0 has been stopped
The virtual machine Web-Server-2.0 has been stopped
The virtual machine File-Server-2.0 has been stopped
You attempted an operation on a VM that was not in an appropriate power state at  the time; for example, you attempted to start a VM that was already running.  The parameters returned are the VM’s handle, and the expected and actual VM state at the time of the call.
vm: 10761c7f-70a2-1263-43d4-53fdd059cf81 (Log-Server-1.0)
expected: running
actual: halted
Can not stop the virtual machine Log-Server-1.0
The virtual machine Application-Server-03 has been stopped
The virtual machine Debian-Desktop-1.0 has been stopped
The virtual machine DNS-Server-1.0 has been stopped
The virtual machine Application-Server-02 has been stopped
The virtual machine DNS-Server-2.0 has been stopped
The virtual machine Sql-Server-1.0 has been stopped
The virtual machine Web-Server-1.0 has been stopped
The virtual machine Web-Server-3.0 has been stopped
 

 

Tags: , , , , ,

categories Linux, Scripts, Shell, XEN | | datetime 8:38 pm | comments Comments (0)

Filesystem, MySQL and Crontab Backup application system

I have used two proffesional scripts for backup the application filesystem and database.

Filesystem

# (c) 2001 Chris Arrowood (GNU LGPL V2.1)
# You may view the full copyright text at:
# <a href="http://www.opensource.org/licenses/lgpl-license.html">http://www.opensource.org/licenses/lgpl-license.html</a>
# <a href="http://simplebashbu.sourceforge.net/">http://simplebashbu.sourceforge.net/</a>
# DESCRIPTION:
# A simple BASH script to do nightly backups to tarballs
# on a hard drive (not to tape)  Ideal for home linux users
# to easily backup thier system, provided they have an extra
# hard drive.
#

Basic configuration:

###############################################
#              User Variables                 #
###############################################
#
# Modify these variables to suit your needs
#
# Which day of the week do we want to do full backups? 0=Sunday
  LEVEL0DAY=0
# Where to create the backups; It should already exist
  BACKUP_DIR=/backup/fs
# Filesystems to backup seperated by spaces and the entire string in double quotes; each must start with /
  FILESYSTEMS="/var/www/www.simonalsa.com"
# Should we email results? Also should we email critical errors?  0=false, 1=true
  EMAIL=1
# EMAIL address to send results to
  EMAILADDRESS=simonalsa@simonalsa.com
# Email Subject
  EMAILSUBJECT="$HOSTNAME www.simonalsa.com Filesystem Backup"
# Only keep last weeks level0 backup (0) or keep all lvl 0 backups (1).  Keeping all data may take a lot of space!
  KEEPALL=0
# Do we wnat to compress the backup file using gzip? 0=false, 1=true
  COMPRESS=1
# Should we compress the log file when we are done?  0=false, 1=true
  COMPRESSLOG=1
# If we are compressing, what level do we use?
  COMPRESSLEVEL=6
# Determines whether we see all output to screen. It will still go to log regardless of this value.   0=false, 1=true
  QUIET=1
# Would you like to get detailed information from tar and gzip? 0=false, 1=true  
  VERBOSE=1

Script: backup_www.simonalsa.com.sh

Database 

# MySQL Backup Script
# VER. 2.5.1 - <a href="http://sourceforge.net/projects/automysqlbackup/">http://sourceforge.net/projects/automysqlbackup/</a>
# Copyright (c) 2002-2003 wipe_out@lycos.co.uk
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
Script: <a href="http://www.simonalsa.com/wp-content/uploads/2011/05/backup_mysql.simonalsa.com_.zip">backup_mysql.simonalsa.com</a>

Basic configuration:

 
### START CFG ###
 # Username to access the MySQL server e.g. dbuser
 USERNAME=dbo
 
 # Password to access the MySQL server e.g. password
 PASSWORD=
 
 # Host name (or IP address) of MySQL server e.g localhost
 DBHOST=db.simonalsa.com
 
 # List of DBNAMES for Daily/Weekly Backup e.g. "DB1 DB2 DB3"
 DBNAMES="db"
 
 # Backup directory location e.g /backups
 BACKUPDIR="/backup/db"
 
 # Mail setup
 # What would you like to be mailed to you?
 # - log   : send only log file
 # - files : send log file and sql files as attachments (see docs)
 # - stdout : will simply output the log to the screen if run manually.
 # - quiet : Only send logs if an error occurs to the MAILADDR.
 MAILCONTENT="log"
 
 # Set the maximum allowed email size in k. (4000 = approx 5MB email [see docs])
 MAXATTSIZE="4000"
 
 # Email Address to send mail to? (<a href="mailto:user@domain.com">user@domain.com</a>)
 MAILADDR="simonalsa@simonalsa.com"

Crontab

File: crontab_backup

Content:

1 1 * * * /script/backup_www.simonalsa.com.sh
30 1 * * * /script/backup_mysql.simonalsa.com.sh

Tags: , , , , ,

categories Linux, MySQL, PHP, Shell, Tareas | | datetime May 4, 2011 8:16 pm | comments Comments (0)

Simple parse registers and format the output screen with AWK

Script

filter_01.bash

#!/bin/bash
 
#Filter data file 01
 
if [ $# -ne 1 ]
then
  echo "Usage: $0 datafile.txt";
  exit -1;
fi
 
if [ -f $1 ]
then
  echo "File $1 exists";
else
  echo "File $1 does not exists";
  exit -2;
fi
 
if [ -r $1 ]
then
  echo "File $1 can be read";
else
  echo "File $1 can not be read";
  exit -3;
fi
 
#Gets the total number of lines of data file
lines=$(cat $1 | wc -l);
 
#Minus 1
let "lines = lines - 1";
 
echo "Number of registers: $lines";
echo "";
#Parse the register and format the output screen
tail -n $lines $1 | awk -F ';' '{ print $1 $2 " is from " $3 " (" $4 ")" }';

Data file

filter_01.txt

Name;Surname;City;Country
John;Dere;Chicago;USA
Pepe;Gotera;Madrid;Spain
Rompe;Techos;Madrid;Spain

Execute:

salonso@linux-01:~/war/bash/filter_01$ ./filter_01.bash filter_01.txt
File filter_01.txt exists
File filter_01.txt can be read
Number of registers: 3

JohnDere is from Chicago (USA)
PepeGotera is from Madrid (Spain)
RompeTechos is from Madrid (Spain)

Tags: , , , ,

categories Linux, Shell, Uncategorized | | datetime December 17, 2010 7:10 pm | comments Comments (0)

Reglas de FIREWALL con IPTABLES en Linux

Este es un script listo para correr que inicializa las políticas de IPTABLES y habilita las reglas de entrada y salida.

>IOS<

#!/bin/bash

################################################################################
# Constantes

$EXTENSION=”1>/dev/null 2>/dev/null”;
LAN_IP=”192.168.1.200″;
LAN_IPMASK=”255.255.255.0″
lAN_IPGATEWAY=”192.168.1.10″
LAN_DNS=”192.168.1.20″
LAN_RANGE=”192.168.1.0/24″;
LAN_IFACE=”eth0″;

GW_CISCO_1=”192.168.1.6″;
GW_ADSL_1=”192.168.1.20″;
lO_IFACE=”lo”;
LO_IP=”127.0.0.1″;

IPTABLES=”/sbin/iptables”;
IFCONFIG=”/sbin/ifconfig”;
MODPROBE=”/sbin/modprobe”;
DEPMOD=”/sbin/depmod -a”;
ROUTE=”/sbin/route”;
CROUTES=1;
if [ $CROUTES -eq 1 ];
then
   $ROUTE add -net 192.168.1.0/24 gw $GW_CISCO_1
   $ROUTE add -net 192.168.2.0/24 gw $GW_CISCO_1
   $ROUTE add -net 192.168.3.0/24 gw $GW_CISCO_1
   $ROUTE add -net 192.168.4.0/24 gw $GW_CISCO_1
   $ROUTE add -net 192.168.5.0/24 gw $GW_CISCO_1 
   $ROUTE add -net 0.0.0.0/24 gw $GW_ADSL_1
else
   echo “…Routing disable…”; 
fi
CMODULES=1;
if [ $CMODULES -eq 1 ];
then
   $MODPROBE ipt_limit $EXTENSION
   $MODPROBE ipt_state $EXTENSION
   $MODPROBE ipt_REJECT $EXTENSION
else
   echo “…Module autoload disable…”;
fi
CPROC=1;
if [ $CPROC -eq 1 ];
then
   echo 0 > /proc/sys/net/ipv4/ip_forward
   echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
   echo 1 > /proc/sys/net/ipv4/tcp_syncookies
   echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
   echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
   echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
   echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
   echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
   echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
   echo 0 > /proc/sys/net/ipv4/conf/all/secure_redirects
   #echo “1″ > /proc/sys/net/ipv4/ip_dynaddr
else
   echo “… Proc parameters autoload disable…”
fi

CFW=1
if [ $CPROC -eq 1 ];
then
   # Flush de reglas de forwarding pre-existentes
   $IPTABLES -F $EXTENSION
   $IPTABLES -X $EXTENSION

   # Configurando tabla de filtrado de politicas por defecto
   $IPTABLES -t filter -P INPUT ACCEPT $EXTENSION
   $IPTABLES -t filter -P FORWARD ACCEPT $EXTENSION
   $IPTABLES -t filter -P OUTPUT ACCEPT $EXTENSION
   
   $IPTABLES -P INPUT DROP $EXTENSION
   $IPTABLES -P OUTPUT DROP $EXTENSION
   $IPTABLES -P FORWARD DROP $EXTENSION

   # LOG
   #$IPTABLES -A INPUT -j LOG –log-level debug –log-prefix “$LOGPREFFIX”

   # Cadena de reglas de filtrado para paquetes tcp erroneos
   $IPTABLES -N bad_tcp_packets
   # Cadena de reglas de filtrado para paquetes con permiso
   $IPTABLES -N allowed
   # Cadena de reglas de filtrado para paquetes tcp
   $IPTABLES -N tcp_packets
   # Cadena de reglas de filtrado para paquetes udp
   $IPTABLES -N udp_packets
   # Cadena de reglas de filtrado para paquetes icmp
   $IPTABLES -N icmp_packets
   # Cadena Reglas : bad_tcp_packets chain
   $IPTABLES -A bad_tcp_packets -p tcp –tcp-flags SYN,ACK SYN,ACK \
 -m state –state NEW -j REJECT –reject-with tcp-reset
   $IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP
   #$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP
   # Cadena allowed
   $IPTABLES -A allowed -p TCP –syn -j ACCEPT
   $IPTABLES -A allowed -p TCP -m state –state ESTABLISHED,RELATED -j ACCEPT
   $IPTABLES -A allowed -p TCP -j DROP
 
   # Cadena tcp
   $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 22 -j allowed    # ssh
   $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 80 -j allowed    # http apache2
   $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 81 -j allowed    # http apache
   $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 21 -j allowed    # ftp
   $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 25 -j allowed    # smtp
   $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 139 -j allowed   # smbd
   $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 445 -j allowed   # nmbd
   $IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 3000 -j allowed  # m
   $IPTABLES -A tcp_packets -p TCP -s 192.168.3.0/0 –dport 3306 -j allowed  # webm
 
 
   # Cadena udp
   $IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 137 -j ACCEPT #nmbd udp
   $IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 138 -j ACCEPT #nmbd udp
   $IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 3001 -j ACCEPT #nmbd udp
   $IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 4672 -j ACCEPT #nmbd udp
 
   # Dropeamos directamente aquellas conexiones broadcast de
   # información/solicutud de información, como son redes de ms y dhcp
   $IPTABLES -A udp_packets -p UDP -i $LAN_IFACE -d 255.255.255.255 –destination-port 135:139 -j DROP
   $IPTABLES -A udp_packets -p UDP -i $LAN_IFACE -d 255.255.255.255 –destination-port 67:68 -j DROP
 
   # Cadena icmp
   $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT
   $IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT

   # Cadena INPUT entrada
   $IPTABLES -A INPUT -p ALL -m state –state ESTABLISHED,RELATED -j ACCEPT
   $IPTABLES -A INPUT -p TCP -i $LAN_IFACE -j tcp_packets
   $IPTABLES -A INPUT -p UDP -i $LAN_IFACE -j udp_packets
   $IPTABLES -A INPUT -p ICMP -i $LAN_IFACE -j icmp_packets
   $IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT

   # Elimina mensajes multicast de redes ms
   $IPTABLES -A INPUT -i $LAN_IFACE -d 224.0.0.0/8 -j DROP
   $IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG

   # Cadena FORWARD reevio ( no necesario para NAT )
   $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

  
   CNAT=0
   if [ $CNAT -eq 1 ];
   then
      $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
      $IPTABLES -t nat -A PREROUTING -s $LAN_RANGE -d ! $LAN_RANGE -p tcp –dport 80 -j DROP
      $IPTABLES -A FORWARD -i $INET_IFACE -o $NAT_IFACE -m state –state ESTABLISHED,RELATED -j ACCEPT
      $IPTABLES -A FORWARD -i $NAT_IFACE -o $INET_IFACE -j ACCEPT
      $IPTABLES -I FORWARD -p tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu
      # La regla anterior, es necesaria para adaptar el MTU, Maximum Transfer Unit a las conexiones WWW y FTP.
      $IPTABLES -A FORWARD -j ACCEPT
      # Log weird packets that don’t match the above.
      $IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG
   else
      echo “… Nating disable …”
   fi
 
   # Cadena OUTPUT salida
   $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
   $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
   $IPTABLES -A OUTPUT -p ALL -s $LAN_RANGE -j ACCEPT
   $IPTABLES -A OUTPUT -p ALL -s 0.0.0.0/0 -j ACCEPT
   $IPTABLES -A OUTPUT -m limit –limit 3/minute –limit-burst 3 -j LOG

   # Cadena POSTROUTING ( solo NAT )
   if [ $CNAT -eq 1 ];
   then
      $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT –to-source $NAT_IP
   fi
else
   echo “… Firewall disable …”
fi

>EOS<

categories Shell | | datetime October 16, 2009 1:39 am | comments Comments (0)

IPTABLES Firewall Batch

IOF>>

#!/bin/bash

################################################################################

# Constantes

$EXTENSION=”1>/dev/null 2>/dev/null”;

 

LAN_IP=”192.168.3.200″;

LAN_IPMASK=”255.255.255.0″

lAN_IPGATEWAY=”192.168.3.20″

LAN_DNS=”192.168.3.20″

LAN_RANGE=”192.168.3.0/24″;

LAN_IFACE=”eth0″;

GW_CISCO_1=”192.168.3.6″;

GW_ADSL_1=”192.168.3.20″;

 

lO_IFACE=”lo”;

LO_IP=”127.0.0.1″;

IPTABLES=”/sbin/iptables”;

IFCONFIG=”/sbin/ifconfig”;

MODPROBE=”/sbin/modprobe”;

DEPMOD=”/sbin/depmod -a”;

ROUTE=”/sbin/route”;

 

CROUTES=1;

if [ $CROUTES -eq 1 ];

then

$ROUTE add -net 192.168.1.0/24 gw $GW_CISCO_1

$ROUTE add -net 192.168.2.0/24 gw $GW_CISCO_1

$ROUTE add -net 192.168.3.0/24 gw $GW_CISCO_1

$ROUTE add -net 192.168.4.0/24 gw $GW_CISCO_1

$ROUTE add -net 192.168.5.0/24 gw $GW_CISCO_1

$ROUTE add -net 192.168.6.0/24 gw $GW_CISCO_1

else

echo “…Routing disable…”;

fi

 

CMODULES=1;

if [ $CMODULES -eq 1 ];

then

$MODPROBE ipt_limit $EXTENSION

$MODPROBE ipt_state $EXTENSION

$MODPROBE ipt_REJECT $EXTENSION

 

else

echo “…Module autoload disable…”;

fi

 

CPROC=1;

if [ $CPROC -eq 1 ];

then

echo 0 > /proc/sys/net/ipv4/ip_forward

echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp

echo 0 > /proc/sys/net/ipv4/conf/all/secure_redirects

#echo “1″ > /proc/sys/net/ipv4/ip_dynaddr

else

echo “… Proc parameters autoload disable…”

fi

CFW=1

if [ $CPROC -eq 1 ];

then

# Flush de reglas de forwarding pre-existentes

$IPTABLES -F $EXTENSION

$IPTABLES -X $EXTENSION

# Configurando tabla de filtrado de politicas por defecto

$IPTABLES -t filter -P INPUT ACCEPT $EXTENSION

$IPTABLES -t filter -P FORWARD ACCEPT $EXTENSION

$IPTABLES -t filter -P OUTPUT ACCEPT $EXTENSION

$IPTABLES -P INPUT DROP $EXTENSION

$IPTABLES -P OUTPUT DROP $EXTENSION

$IPTABLES -P FORWARD DROP $EXTENSION

# LOG

#$IPTABLES -A INPUT -j LOG –log-level debug –log-prefix “$LOGPREFFIX”

# Cadena de reglas de filtrado para paquetes tcp erroneos

$IPTABLES -N bad_tcp_packets

# Cadena de reglas de filtrado para paquetes con permiso

$IPTABLES -N allowed

# Cadena de reglas de filtrado para paquetes tcp

$IPTABLES -N tcp_packets

# Cadena de reglas de filtrado para paquetes udp

$IPTABLES -N udp_packets

# Cadena de reglas de filtrado para paquetes icmp

$IPTABLES -N icmp_packets

# Cadena Reglas : bad_tcp_packets chain

$IPTABLES -A bad_tcp_packets -p tcp –tcp-flags SYN,ACK SYN,ACK \

-m state –state NEW -j REJECT –reject-with tcp-reset

$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP

#$IPTABLES -A bad_tcp_packets -p tcp ! –syn -m state –state NEW -j DROP

# Cadena allowed

$IPTABLES -A allowed -p TCP –syn -j ACCEPT

$IPTABLES -A allowed -p TCP -m state –state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A allowed -p TCP -j DROP

# Cadena tcp

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 22 -j allowed # ssh

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 80 -j allowed # http apache2

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 81 -j allowed # http apache

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 21 -j allowed # ftp

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 25 -j allowed # smtp

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 139 -j allowed # smbd

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 445 -j allowed # nmbd

$IPTABLES -A tcp_packets -p TCP -s 0/0 –dport 3000 -j allowed # m

$IPTABLES -A tcp_packets -p TCP -s 192.168.3.0/0 –dport 3306 -j allowed # webm

# Cadena udp

$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 137 -j ACCEPT #nmbd udp

$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 138 -j ACCEPT #nmbd udp

$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 3001 -j ACCEPT #nmbd udp

$IPTABLES -A udp_packets -p UDP -s 0/0 –destination-port 4672 -j ACCEPT #nmbd udp

# Dropeamos directamente aquellas conexiones broadcast de

# información/solicutud de información, como son redes de ms y dhcp

$IPTABLES -A udp_packets -p UDP -i $LAN_IFACE -d 255.255.255.255 –destination-port 135:139 -j DROP

$IPTABLES -A udp_packets -p UDP -i $LAN_IFACE -d 255.255.255.255 –destination-port 67:68 -j DROP

# Cadena icmp

$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 8 -j ACCEPT

$IPTABLES -A icmp_packets -p ICMP -s 0/0 –icmp-type 11 -j ACCEPT

# Cadena INPUT entrada

$IPTABLES -A INPUT -p ALL -m state –state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p TCP -i $LAN_IFACE -j tcp_packets

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE -j udp_packets

$IPTABLES -A INPUT -p ICMP -i $LAN_IFACE -j icmp_packets

$IPTABLES -A INPUT -i $LO_IFACE -j ACCEPT

# Elimina mensajes multicast de redes ms

$IPTABLES -A INPUT -i $LAN_IFACE -d 224.0.0.0/8 -j DROP

$IPTABLES -A INPUT -m limit –limit 3/minute –limit-burst 3 -j LOG

# Cadena FORWARD reevio ( no necesario para NAT )

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

CNAT=0

if [ $CNAT -eq 1 ];

then

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

$IPTABLES -t nat -A PREROUTING -s $LAN_RANGE -d ! $LAN_RANGE -p tcp –dport 80 -j DROP

$IPTABLES -A FORWARD -i $INET_IFACE -o $NAT_IFACE -m state –state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $NAT_IFACE -o $INET_IFACE -j ACCEPT

$IPTABLES -I FORWARD -p tcp –tcp-flags SYN,RST SYN -j TCPMSS –clamp-mss-to-pmtu

# La regla anterior, es necesaria para adaptar el MTU, Maximum Transfer Unit a las conexiones WWW y FTP.

$IPTABLES -A FORWARD -j ACCEPT

# Log weird packets that don’t match the above.

$IPTABLES -A FORWARD -m limit –limit 3/minute –limit-burst 3 -j LOG

else

echo “… Nating disable …”

fi

# Cadena OUTPUT salida

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s $LAN_RANGE -j ACCEPT

$IPTABLES -A OUTPUT -p ALL -s 0.0.0.0/0 -j ACCEPT

$IPTABLES -A OUTPUT -m limit –limit 3/minute –limit-burst 3 -j LOG

# Cadena POSTROUTING ( solo NAT )

if [ $CNAT -eq 1 ];

then

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT –to-source $NAT_IP

fi

else

echo “… Firewall disable …”

fi

<<EOF

Tags:

categories Linux, Shell | | datetime September 17, 2009 7:37 pm | comments Comments (0)

WordPress Themes