Running scripts after openvpn - bash

I've written a script to start openvpn (called vpn_up), but I also want it to run my firewall script (called firewall_up) after starting the VPN. Here is the script that works:
#!/bin/bash
#script called vpn_up
exp_login=mylogin
exp_pass=mypass
config_file=$1
expect -c "
spawn openvpn --config $config_file --script-security 2 --up /etc/openvpn/update-systemd-resolved --down /etc/openvpn/update-systemd-resolved --dhcp-option 'DOMAIN-ROUTE .' --down-pre
expect \"Auth Username:\"
send \"$exp_login\r\";
expect \"for no echo)\"
send \"$exp_pass\r\";
interact
"
After opening the vpn, I want it to run my script firewall_up
#!/bin/bash
#script called firewall_up
# get your IP address
curl -s ifconfig.me > /tmp/ip_address
#Clear any iptables rules you might have at the moment
iptables -F
#Start building the firewall by allowing tun and your localhost
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
#Add the IP address of the VPN to the firewall
IP_LIST=$(tr '\n' ' ' < /tmp/ip_address)
for IP in $IP_LIST; do
iptables -A INPUT -s $IP -j ACCEPT
iptables -A OUTPUT -d $IP -j ACCEPT
done
iptables -A INPUT -p udp --sport 1195 -j ACCEPT
iptables -A INPUT -p udp --dport 1195 -j ACCEPT
iptables -A OUTPUT -p udp --sport 1195 -j ACCEPT
iptables -A OUTPUT -p udp --dport 1195 -j ACCEPT
#iptables -A INPUT -p udp --sport 53 -j ACCEPT
#iptables -A INPUT -p udp --dport 53 -j ACCEPT
#iptables -A OUTPUT -p udp --sport 53 -j ACCEPT
#iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp -j DROP
iptables -A OUTPUT -p udp -j DROP
# Stop anything not from VPN or localhost
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
#Clean up your temporary files
rm /tmp/ip_address
Currently, I have to run
sudo vpn_up some_config_file
in one terminal window and then run
sudo firewall_up
in another window and then it all works just fine.
I'd like to have just one script to do everything. I tried adding
--up /usr/sbin/firewall_up
to the spawn openvpn command in my first script, i.e.
#!/bin/bash
# script called vpn_up
exp_login=mylogin
exp_pass=mypass
config_file=$1
expect -c "
spawn openvpn --config $config_file --script-security 2 --up /etc/openvpn/update-systemd-resolved --up /usr/sbin/firewall_up --down /etc/openvpn/update-systemd-resolved --dhcp-option 'DOMAIN-ROUTE .' --down-pre
expect \"Auth Username:\"
send \"$exp_login\r\";
expect \"for no echo)\"
send \"$exp_pass\r\";
interact
"
But it ends up running firewall_up before the VPN is actually up, i.e. it uses my initial IP address, not the IP address after the VPN is up and running. Is there any way to just add more code after the expect is finished and openvpn is done?
Any suggestions?
Thanks
As asked, here is the key (I think) output from openvpn:
Fri May 14 11:39:31 2021 /sbin/ip link set dev tun0 up mtu 1500
Fri May 14 11:39:31 2021 /sbin/ip addr add dev tun0 local 10.167.0.50 peer 10.167.0.49
Fri May 14 11:39:31 2021 /usr/sbin/firewall_up tun0 1500 1557 10.167.0.50 10.167.0.49 init
Fri May 14 11:39:33 2021 /sbin/ip route add 185.195.19.203/32 via 192.168.0.1
Fri May 14 11:39:33 2021 /sbin/ip route add 0.0.0.0/1 via 10.167.0.49
Fri May 14 11:39:33 2021 /sbin/ip route add 128.0.0.0/1 via 10.167.0.49
Fri May 14 11:39:33 2021 /sbin/ip route add 10.167.0.1/32 via 10.167.0.49
Fri May 14 11:39:33 2021 Initialization Sequence Completed
The problem appears to be that it runs firewall_up before completing the initialization.
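One way to get the ordering the question asks for, as an added example that is not part of the original post: poll OpenVPN's own log for the "Initialization Sequence Completed" line before applying firewall_up. It assumes the config path in $1, a credentials file /etc/openvpn/auth.txt (username on line 1, password on line 2, mode 0600) used with --auth-user-pass in place of the expect dialogue, and the question's /usr/sbin/firewall_up.

```shell
#!/bin/sh
# Added example, not from the original post. Starts openvpn in the background
# with --log and runs firewall_up only once the log shows
# "Initialization Sequence Completed"; the --up hook fires before the routes
# exist, as the timestamps in the question show.
# Assumptions: config path in $1; credentials in /etc/openvpn/auth.txt
# (username on line 1, password on line 2, mode 0600) so --auth-user-pass
# replaces the expect dialogue; /usr/sbin/firewall_up is the question's script.
set -eu

# Poll an OpenVPN log until the tunnel is up. Returns 0 on success and 1 if
# openvpn (pid $2) exits, logs AUTH_FAILED, or $3 seconds pass first.
wait_for_vpn_init() {
    log="$1"; pid="$2"; timeout="${3:-60}"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if grep -q 'Initialization Sequence Completed' "$log"; then
            return 0
        fi
        if grep -q 'AUTH_FAILED' "$log" || ! kill -0 "$pid" 2>/dev/null; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

vpn_up_then_firewall() {
    config_file="$1"
    log="${2:-/run/openvpn-client.log}"
    : > "$log"
    # Same options as the question's spawn line, minus the firewall --up hook.
    openvpn --config "$config_file" --auth-user-pass /etc/openvpn/auth.txt \
        --script-security 2 \
        --up /etc/openvpn/update-systemd-resolved \
        --down /etc/openvpn/update-systemd-resolved --down-pre \
        --dhcp-option 'DOMAIN-ROUTE .' --log "$log" &
    ovpn_pid=$!
    if wait_for_vpn_init "$log" "$ovpn_pid" 60; then
        /usr/sbin/firewall_up    # curl now reports the VPN's public address
        wait "$ovpn_pid"
    else
        echo "openvpn did not come up; firewall left untouched" >&2
        kill "$ovpn_pid" 2>/dev/null || true
        return 1
    fi
}
# Start a tunnel only when a config file was given, so the file can be sourced.
if [ "$#" -gt 0 ]; then vpn_up_then_firewall "$@"; fi
```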

Related

iptables rules is this correct? [duplicate]

This question already has answers here:
Are shell scripts sensitive to encoding and line endings?
(14 answers)
Closed 2 years ago.
I input this from a bash script
#!/bin/bash
#
# iptables example configuration script
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Flush all chains
/sbin/iptables --flush
# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT
# Allow certain ports to be accessible from the outside
/sbin/iptables -A INPUT -p tcp --dport 25565 -m state --state NEW -j ACCEPT #Minecraft
/sbin/iptables -A INPUT -p tcp --dport 1688 -m state --state NEW -j ACCEPT #Dynmap plugin
# Other rules for future use if needed. Uncomment to activate
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT # http
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT # https
# UDP packet rule. This is just a random udp packet rule as an example only
# /sbin/iptables -A INPUT -p udp --dport 5021 -m state --state NEW -j ACCEPT
# Allow pinging of your server
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Drop all other traffic
/sbin/iptables -A INPUT -j DROP
# print the activated rules to the console when script is completed
/sbin/iptables -nL
and get output of this
firewall.sh: line 38: DROP: command not found
firewall.sh: line 39: tcp: command not found
firewall.sh: line 43: -p: command not found
firewall.sh: line 46: --dport: command not found
It's weird: I'm migrating servers, and on the old one this script ran fine. Is something wrong with the script that I'm not seeing? What I am hosting on is a Pi 4 8 GB with Raspbian x64; is it possible that is giving me the issue with iptables currently? Or is it the code?
The error you point out is most likely caused by Windows-style line endings present in your file. You can try cat -A <filename> to debug, and use the following command to convert your file to Linux-style line endings:
dos2unix <file>
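Added example, not from the question or answer above: a constructed two-line script reproduces the "command not found" symptom under CRLF, then the check and the repair the answer describes are applied to it; iptables is stubbed by a script on PATH so no rules are touched.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the "command not
# found" symptom of a CRLF-ended firewall script on a constructed two-line
# script, then applies the check the answer points at (the ^M that cat -A
# shows) and a repair for hosts without dos2unix. iptables is stubbed by a
# tiny script on PATH, so the rule is echoed rather than applied.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf '#!/bin/sh\necho "iptables $*"\n' > "$work/iptables"
chmod +x "$work/iptables"
PATH="$work:$PATH"; export PATH

# Write a script that uses a backslash line continuation, with the given
# line ending. Under CRLF the backslash escapes the CR instead of the
# newline, so "DROP" starts a new command: the question's exact error.
write_script() {   # $1 = path, $2 = line ending, '\r\n' or '\n'
    printf "iptables --policy INPUT \\\\$2DROP$2" > "$1"
}

has_crlf() { grep -q "$(printf '\r')" "$1"; }                      # cat -A shows this as ^M
strip_crlf() { tr -d '\r' < "$1" > "$1.lf" && mv "$1.lf" "$1"; }   # same effect as dos2unix
not_found_errors() { sh "$1" 2>&1 >/dev/null | grep -c 'not found' || true; }
applied_rules() { sh "$1" 2>/dev/null || true; }                   # what iptables received

demo() {
    f="$work/firewall.sh"
    write_script "$f" '\r\n'
    has_crlf "$f" && echo "CRLF found; running it gives $(not_found_errors "$f") 'not found' error(s)"
    strip_crlf "$f"
    echo "after repair: $(applied_rules "$f")"
}
demo
```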

IPTables Script to block Concurrent Connections

We are using SUSE Linux Enterprise Server 12. We need to block IP addresses that hit our web server more than 50 times per second, and block such an IP address for 10 minutes. It should also distinguish attacker from genuine traffic and block the attacker's IP forever. We currently block using iptables; below is the rule.
iptables -I INPUT -p tcp --dport 443 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -i eth0 -m state --state NEW -m recent --update --seconds 1 --hitcount 50 -j DROP
It will just block the IP address which exceeds 50 connections but won't blacklist the IP address. Please let us know if there is a script that will match all the scenarios mentioned above. Please help.
I tested this and it works really nicely. If the behavior is detected, the IP is put into hold-down for 10 minutes and logged. You can verify its operation by watching these files: /proc/net/xt_recent/NICE, /proc/net/xt_recent/NAUGHTY. You need to build a script to parse the log for bad IPs and commit them to a file that is loaded into iptables on startup if you want to blacklist permanently. That concept is already clear, so no need for me to include it.
#flush and clear
iptables -F -t nat
iptables -F
iptables -X
#this is where naughty kids go
iptables -N GETCAUGHT
#you got added to the naughty list
iptables -A GETCAUGHT -m recent --name NAUGHTY --set #everyone here is bad
iptables -A GETCAUGHT -j LOG --log-prefix "iwasbad: " --log-level 4 #and it goes on your permanent record
#if you are on the NAUGHTY list you get a lump of coal
iptables -A INPUT -i eth0 -m recent --name NAUGHTY --rcheck --seconds 600 -j DROP #check everyone at the door
#though everyone starts out on the NICE list
iptables -A INPUT -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --name NICE --set #you seem nice
#but if you GETCAUGHT doing this you are naughty
iptables -A INPUT -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --name NICE --seconds 1 --hitcount 50 --update -j GETCAUGHT #that wasn't nice
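The log-parsing step the answer leaves out, as an added example that is not the answerer's code: it extracts the SRC= addresses from kernel log lines carrying the "iwasbad: " prefix, merges them into a blacklist file, and prints the commands that load that file into a BLACKLIST chain; the log lines and the chain name are constructed.

```shell
#!/bin/sh
# Added example, not from the answer above: the "parse the log for bad IPs"
# step it leaves out. Reads kernel log lines carrying the GETCAUGHT chain's
# "iwasbad: " prefix, keeps the unique SRC= addresses in a blacklist file,
# and renders the commands that load that file into a BLACKLIST chain at
# boot. The log lines below are constructed samples with documentation IPs.
set -eu

# Unique IPv4 sources from LOG lines with our prefix (stdin), sorted.
extract_naughty_ips() {
    awk '/iwasbad: / { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5) }' \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Merge newly caught addresses from a log ($1) into the blacklist file ($2).
update_blacklist() {
    { [ -f "$2" ] && cat "$2"; extract_naughty_ips < "$1"; } | sort -u > "$2.new"
    mv "$2.new" "$2"
}

# Commands that (re)build the BLACKLIST chain from the file and hook it in
# front of the NAUGHTY check; printed so they can be reviewed or piped to sh.
blacklist_rules() {
    echo 'iptables -N BLACKLIST 2>/dev/null || iptables -F BLACKLIST'
    while IFS= read -r ip; do
        [ -n "$ip" ] && echo "iptables -A BLACKLIST -s $ip -j DROP"
    done < "$1"
    echo 'iptables -C INPUT -i eth0 -j BLACKLIST 2>/dev/null || iptables -I INPUT 1 -i eth0 -j BLACKLIST'
}

sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
May 14 11:39:31 web kernel: [1234.5] iwasbad: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
May 14 11:39:31 web kernel: [1234.6] iwasbad: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=443 SYN
May 14 11:40:02 web kernel: [1265.0] iwasbad: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=443 SYN
May 14 11:40:03 web sshd[812]: Accepted publickey for admin from 192.0.2.10 port 50022
EOF
blacklist=$(mktemp)
update_blacklist "$sample_log" "$blacklist"
blacklist_rules "$blacklist"   # review first; apply with: blacklist_rules FILE | sh
```

xt_recent remembers only ip_pkt_list_tot packets per address (20 by default), so the --hitcount 50 in the answer's last rule needs that module parameter raised, for example with "options xt_recent ip_pkt_list_tot=50" in /etc/modprobe.d/. Review the blacklist file before loading it, since every source that trips the threshold is logged, including misbehaving clients behind a shared NAT.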

How do I make a Bash script run a command in the background in another Terminal window?

I'm new to bash scripting and I need to make a script that runs the following commands:
service apache2 start
airmon-ng start wlan0
airbase-ng -e FREEINTERNET -c 1 -P wlan0mon
ifconfig at0 192.168.1.129 netmask 255.255.255.128
route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.4:80
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 80
iptables -t nat -A POSTROUTING -j MASQUERADE
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
service isc-dhcp-server start
My big doubt is how to make the script open the airbase-ng -e FREEINTERNET -c 1 -P wlan0mon command in a different terminal and keep executing both airbase and the remaining commands. I’m using Kali 64-bit with GNOME.
You can run something in the background by suffixing it with &. If you want to run something in a new GNOME Terminal window, you can do so with gnome-terminal -e. Putting those together, to run your airbase-ng command in a new GNOME Terminal window while letting the rest of your script continue to run:
# …
airmon-ng start wlan0
gnome-terminal -e 'airbase-ng -e FREEINTERNET -c 1 -P wlan0mon' &
ifconfig at0 192.168.1.129 netmask 255.255.255.128
# …

Convert iptables line to command-line syntax for CSF bash script

This is a question about command-line iptables syntax.
I have the following chains in /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri May 22 07:51:03 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
but I need to write them into the bash script CSFPRE.SH for the CSF firewall, so they should be in command-line form like
iptables -t nat -I POSTROUTING -s 192.168.254.0/24 -o br0 -j SNAT --to-source 69.64.56.847
or
iptables -A FORWARD -s 192.168.254.0/24 -m state --state NEW -j ACCEPT
But with the lines above I have a stumbling block.
I already tried something like
iptables :PREROUTING ACCEPT [0:0]
iptables -t nat -I :PREROUTING ACCEPT [0:0]
but no success.
iptables -P PREROUTING ACCEPT
says
iptables: Bad built-in chain name.
So still no solution. Thanks in advance for any other hint to try.
After some tests, my solution was:
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
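A small converter for the whole dump, as an added example that is not from the original post: it turns the ":CHAIN POLICY [counters]" headers into the -t TABLE -P form the poster found, user-defined chains (policy field "-") into -N, and rule lines into iptables -t TABLE commands; the LOCALNET chain in the sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Converts an iptables-save dump
# such as /etc/sysconfig/iptables into the command-line form a CSF pre-script
# needs: ":CHAIN POLICY [pkts:bytes]" becomes "iptables -t TABLE -P CHAIN
# POLICY" for built-in chains (the poster's fix) or "-N CHAIN" for user
# chains, whose policy field is "-", and rule lines get "iptables -t TABLE"
# prefixed. The sample dump below is constructed.
set -eu

save_to_commands() {   # reads iptables-save format on stdin
    awk '
        /^#/ || /^COMMIT$/ || /^$/ { next }        # comments and COMMIT
        /^\*/ { table = substr($0, 2); next }      # *nat, *filter, ...
        /^:/ {                                     # chain header
            chain = substr($1, 2)
            if ($2 == "-") print "iptables -t " table " -N " chain
            else           print "iptables -t " table " -P " chain " " $2
            next
        }
        { print "iptables -t " table " " $0 }      # -A / -I rule lines
    '
}

demo() {
    save_to_commands <<'EOF'
# Generated by iptables-save v1.4.21 on Fri May 22 07:51:03 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:LOCALNET - [0:0]
-A POSTROUTING -s 192.168.254.0/24 -o br0 -j MASQUERADE
COMMIT
EOF
}
demo   # pipe the output to sh once it has been reviewed
```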

Can't ping my MFP from Windows, but can by Linux

I have a problem. I can't access my Ethernet-connected MFP from Windows 7 clients, but the Ubuntu (router/server) machine can access it.
MFP = Epson Stylus Color 730
network:
MFP (192.168.0.100) + win7clients (192.168.0.101-200) ---> Ubuntu server/router (192.168.0.1) ---> Internet
The MFP gets the right IP and settings from the DHCP server. On the Windows machines all firewalls and so on are disabled.
From Ubuntu I can do whatever I want with the MFP, so why can't I even ping it from Windows?
Thanks
Edit:
Content of /etc/sysctl.conf :
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
Edit 2:
After some fixes, everyone in the local net except me can use the MFP.
So, new puzzle:
My local network:
http://prntscr.com/kvk5g
"Hakuhonoo" can`t see MFP, but other do.
Content of /etc/iptables.conf:
# Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012
*filter
:INPUT ACCEPT [23:1420]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [20:18904]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -s 224.0.0.0/4 -i eth0 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80:85 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1985 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 25565 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 60000:65000 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i eth0 -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -s 224.0.0.0/4 -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport 81:85 -j ACCEPT
-A FORWARD -i eth0 -j DROP
COMMIT
# Completed on Fri Nov 9 01:51:58 2012
# Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012
*nat
:PREROUTING ACCEPT [377:31747]
:INPUT ACCEPT [39:3558]
:OUTPUT ACCEPT [11:872]
:POSTROUTING ACCEPT [7:570]
-A PREROUTING -i eth0 -p tcp --dport 81:85 -j DNAT --to 192.168.0.101
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 9 01:51:58 2012
# Generated by iptables-save v1.4.12 on Fri Nov 9 01:51:58 2012
*mangle
:PREROUTING ACCEPT [1425:140833]
:INPUT ACCEPT [762:69219]
:FORWARD ACCEPT [495:56655]
:OUTPUT ACCEPT [643:122295]
:POSTROUTING ACCEPT [1152:179096]
-A PREROUTING -d 224.0.0.0/4 -p udp -j TTL --ttl-inc 1
COMMIT
# Completed on Fri Nov 9 01:51:58 2012
Did you set your Ubuntu to forward packets?
Enable routing: (taken from here)
Configure the gateway for routing between two interfaces by enabling IP forwarding:
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
Edit /etc/sysctl.conf, and (up to 10.04) add these lines:
net.ipv4.conf.default.forwarding=1
net.ipv4.conf.all.forwarding=1
From 10.10 onwards, it suffices to edit /etc/sysctl.conf and uncomment:
net.ipv4.ip_forward=1
