I'm new to bash script and I need to make a script that runs the following commands:
service apache2 start
airmon-ng start wlan0
airbase-ng -e FREEINTERNET -c 1 -P wlan0mon
ifconfig at0 192.168.1.129 netmask 255.255.255.128
route add -net 192.168.1.128 netmask 255.255.255.128 gw 192.168.1.129
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.4:80
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 80
iptables -t nat -A POSTROUTING -j MASQUERADE
dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid at0
service isc-dhcp-server start
My big doubt is how to make the script open the airbase-ng -e FREEINTERNET -c 1 -P wlan0mon command in a different terminal and keep executing both airbase and the remaining commands. I’m using Kali 64-bit with GNOME.
You can run something in the background by suffixing it with &. If you want to run something in a new GNOME Terminal window, you can do so with gnome-terminal -e. Putting those together, to run your airbase-ng command in a new GNOME Terminal window while letting the rest of your script continue to run:
# …
airmon-ng start wlan0
gnome-terminal -e 'airbase-ng -e FREEINTERNET -c 1 -P wlan0mon' &
ifconfig at0 192.168.1.129 netmask 255.255.255.128
# …
Related
We are using Suse Linux Enterprise Server 12. We need to block concurrent IP Addresses which is hitting our web server for more thatn 50 times per second and block that ip address for 10 minutes. Also it should distinguish attacker and genuine traffic and block attacker's IP forever. We have currently blocked using iptables , below is the rule.
iptables -I INPUT -p tcp --dport 443 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 443 -i eth0 -m state --state NEW -m recent --update --seconds 1 --hitcount 50 -j DROP
It will just block the IPAddress which exceeds 50 connections but wont blacklist the IPAddress. Please let us know if we have a script that will match all the scenarios which is metioned above. Please Help.
I tested this and it works really nice. If the behavior is detected, the IP is put into hold-down for 10 minutes and logged. You can verify it's operation by watching these files. /proc/net/xt_recent/NICE, /proc/net/xt_recent/NAUGHTY. You need to build a script to parse the log for bad IP's and commit them to a file that is loaded into iptables on startup if you want to blacklist permanently. That concept is already clear so no need for me to include it.
#flush and clear
iptables -F -t nat
iptables -F
iptables -X
#this is where naughty kids go
iptables -N GETCAUGHT
#you got added to the naughty list
iptables -A GETCAUGHT -m recent --name NAUGHTY --set #everyone here is bad
iptables -A GETCAUGHT -j LOG --log-prefix "iwasbad: " --log-level 4 #and it goes on your permanent record
#if you are on the NAUGHTY list you get a lump of coal
iptables -A INPUT -i eth0 -m recent --name NAUGHTY --rcheck --seconds 600 -j DROP #check everyone at the door
#though everyone starts out on the NICE list
iptables -A INPUT -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --name NICE --set #you seem nice
#but if you GETCAUGHT doing this you are naughty
iptables -A INPUT -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --name NICE --seconds 1 --hitcount 50 --update -j GETCAUGHT #that wasn't nice
I used Amazon Lightsail to deploy a wordpress site and it worked like a charm. Now I have the need to restrict the IP addresses that can access on port 80 to the ones associated to the Firewall from SiteLock, and I am looking for the best and cleanest solution.
It looks like in Lightsail simplified version of the world, I can only open a port for public access, or close it.
My only idea now is logging in via SSH and use iptables, but I wanted to understand if that's the only way I can do this, or there is something "smarter".
This is what I came out with, that actually works, but uses iptables which I am not sure is the best option, so the question is still open to get a better solution.
Since SiteLock website says these IP ranges are to be allowed in:
SiteLock Firewall IP Ranges
199.83.128.0/21
198.143.32.0/19
149.126.72.0/21
103.28.248.0/22
45.64.64.0/22
185.11.124.0/22
192.230.64.0/18
107.154.0.0/16
2a02:e980::/29
I created a script to allow them all, and then close all the rest with an explicit DROP rule
sudo iptables -A INPUT -p tcp -s 199.83.128.0/21 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 198.143.32.0/19 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 149.126.72.0/21 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 103.28.248.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 45.64.64.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 185.11.124.0/22 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 192.230.64.0/18 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 107.154.0.0/16 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 2a02:e980::/29 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j DROP
now, IPs can be whitelisted from AWS console itself. Go to your Lightsail instance in console, then networking. there you can choose ports to open, and to whitelist IP, check Restrict to IP. then enter whielisted IP or range and save.
reference: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-editing-firewall-rules
Network Environment
No internet DNS available
Corporate squid proxy allowing HTTP and HTTPS traffic on port 3128
Docker Environment
Docker is running on an Ubuntu 15.04 guest inside VirtualBox on OS X.
A container docker-forgetproxy (https://github.com/k-labs/docker-forgetproxy) which is running redsocks on top of the host's network infrastructure, run with:
$ docker run -it --rm --net=host --privileged \
-e http_proxy=$http_proxy \
-e https_proxy=$https_proxy \
klabs/docker-forgetproxy
This modifies the host's iptables rules by issuing the following commands where $1 is set to A:
iptables -t nat -$1 PREROUTING -i docker0 -d 127.0.0.0/8 -j RETURN
iptables -t nat -$1 PREROUTING -i docker0 -d 169.254.0.0/16 -j RETURN
iptables -t nat -$1 PREROUTING -i docker0 -d 172.16.0.0/12 -j RETURN
iptables -t nat -$1 PREROUTING -i docker0 -d 192.168.0.0/16 -j RETURN
iptables -t nat -$1 PREROUTING -i docker0 -d 224.0.0.0/4 -j RETURN
iptables -t nat -$1 PREROUTING -i docker0 -d 240.0.0.0/4 -j RETURN
iptables -t nat -$1 PREROUTING -p tcp --dport 80 -i docker0 -j REDIRECT --to 12345 2>/dev/null
iptables -t nat -$1 PREROUTING -p tcp --dport 8080 -i docker0 -j REDIRECT --to 12345 2>/dev/null
iptables -t nat -$1 PREROUTING -p tcp --dport 53 -i docker0 -j REDIRECT --to 5300
iptables -t nat -$1 PREROUTING -p tcp -i docker0 -j REDIRECT --to 12346
and launches redsocks is launched with the
base {
log_debug = off;
log_info = on;
log = "stderr";
daemon = off;
user = redsocks;
group = redsocks;
redirector = iptables;
}
redsocks {
type = http-relay;
ip = http://my-proxy;
port = 3128;
local_ip = 0.0.0.0;
local_port = 12345;
}
redsocks {
type = http-connect;
ip = http://my-proxy;
port = 3128;
local_ip = 0.0.0.0;
local_port = 12346;
}
dnstc {
local_ip = 127.0.0.1;
local_port = 5300;
}
Problem
When I launch a new docker container with docker run -it --rm ubuntu apt-get update it seems the container's requests aren't getting rerouted to the redsocks container.
Watching the packets on wireshark it appears the DNS resolution for archive.ubuntu.com from the apt-get container tries to go to my domain DNS server (which can't perform internet look ups) if I set the DNS server to that of the docker0 iface it seems it gets captured by the 172.16.0.0/12 iptables rule since today it was 172.17.42.1
This applies to a Ubuntu Xenial host.
On your host, under Connection Information, get your current DNS addresses; in my case, 172.21.17.212 and 172.21.17.210.
Under /etc/default/docker, add the DNS addresses on DOCKER_OPTS:
DOCKER_OPTS="--dns 172.21.17.212 --dns 172.21.17.210"
Create /etc/systemd/system/docker.service.d/ubuntu.conf, with the following:
[Service]
EnvironmentFile=/etc/default/docker
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS
Then:
sudo systemctl daemon-reload
sudo systemctl restart docker
I would want the bash scripting to run the following command
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
if there is no output of it found using
iptables -t nat --list
How can I use the If-Else to look for the output. Can i use 'cat' ?
Use $() to capture the output of a command and -z to determine if it is empty:
output=$(iptables -t nat --list)
if [ -z $output ] # returns true if the length of $output is 0
then
output=$(iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000)
fi
You could use grep with the iptables list, depending on how you're trying to match it.
if iptables -t nat --list PREROUTING | grep -- '--destintation-port 80' | grep -q -- '--to-port 10000'
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000
fi
This will look if there is a PREROUTING entry that concerns both --destination-port 80 and --to-port 10000. If the output string is more predictable you could use a single grep for it, but I don't know iptables well enough to offer that as part of the solution
This is the question about command-line iptables syntax.
I have the following chains in /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri May 22 07:51:03 2015
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
but I need them to write to bash CSFPRE.SH for CSF firewall, so they should be in a command-line like
iptables -t nat -I POSTROUTING -s 192.168.254.0/24 -o br0 -j SNAT --to-source 69.64.56.847
or
iptables -A FORWARD -s 192.168.254.0/24 -m state --state NEW -j ACCEPT
But with the lines above I have a stumbling block.
I already tried something like
iptables :PREROUTING ACCEPT [0:0]
iptables -t nat -I :PREROUTING ACCEPT [0:0]
but no success.
iptables -P PREROUTING ACCEPT
says
iptables: Bad built-in chain name.
So still not a solution. Thanks in advance for any hint else to try
After some tests my solution was
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT