Insert a line in the iptables file - bash

I work with a bash file and I want to insert and get a line in the iptables file
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
{My Line Here}
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
replace {My line here} with
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
Then I want to find and get the firewall's open ports and display them

sed 's/-A INPUT -i lo -j ACCEPT/-A INPUT -i lo -j ACCEPT\n-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT/g' <filename> > temp ; mv temp <filename>
Replace <filename> with the actual file. This works only if the preceding line is -A INPUT -i lo -j ACCEPT

Related

iptables rules: is this correct? [duplicate]

This question already has answers here:
Are shell scripts sensitive to encoding and line endings?
(14 answers)
Closed 2 years ago.
I run this from a bash script
#!/bin/bash
#
# iptables example configuration script
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Flush all chains
/sbin/iptables --flush
# Allow unlimited traffic on the loopback interface
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Set default policies
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT DROP
/sbin/iptables --policy FORWARD DROP
# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -m recent --set
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT
# Allow certain ports to be accessible from the outside
/sbin/iptables -A INPUT -p tcp --dport 25565 -m state --state NEW -j ACCEPT #Minecraft
/sbin/iptables -A INPUT -p tcp --dport 1688 -m state --state NEW -j ACCEPT #Dynmap plugin
# Other rules for future use if needed. Uncomment to activate
/sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT # http
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT # https
# UDP packet rule. This is just a random udp packet rule as an example only
# /sbin/iptables -A INPUT -p udp --dport 5021 -m state --state NEW -j ACCEPT
# Allow pinging of your server
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Drop all other traffic
/sbin/iptables -A INPUT -j DROP
# print the activated rules to the console when script is completed
/sbin/iptables -nL
and get this output
firewall.sh: line 38: DROP: command not found
firewall.sh: line 39: tcp: command not found
firewall.sh: line 43: -p: command not found
firewall.sh: line 46: --dport: command not found
It's weird: I'm migrating servers and on the old one this script ran fine. Is there something wrong with the script that I'm not seeing? What I am hosting on is a Pi 4 8GB with Raspbian x64; is it possible that is giving me the issue with iptables currently? Or is it the code?
The error you point out is most likely caused by Windows-style line endings present in your file. You can try cat -A <filename> to debug, and use the following command to convert your file to Linux-style line endings.
dos2unix <file>
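The check and the conversion described in the answer, as an added example that is not part of the post: a portable equivalent of cat -A (to spot the ^M at each line end) and of dos2unix, for hosts where dos2unix is not installed. The function names and the sample script are mine; the sample is constructed to reproduce the problem.

```shell
#!/bin/sh
# Detect and remove Windows (CRLF) line endings in a shell script. bash keeps
# the carriage return as part of the last word on each line, so commands and
# arguments no longer match what the shell expects and you get errors such as
# "DROP: command not found". Added example, not code from the post.

cr=$(printf '\r')

# has_crlf FILE  Returns 0 if any line of FILE ends in CR LF.
has_crlf() {
    grep -q "${cr}\$" "$1"
}

# count_crlf FILE  Prints the number of lines ending in CR LF (0 if none).
count_crlf() {
    grep -c "${cr}\$" "$1" || true
}

# strip_crlf FILE  Removes the CR before each LF in place (what dos2unix does),
# keeping FILE's owner and mode. Needs only POSIX sed, not GNU sed or dos2unix.
strip_crlf() {
    tmp=$(mktemp) || return 1
    sed "s/${cr}\$//" "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# make_crlf_sample  Writes a constructed three-line script whose first two
# lines carry CRLF endings, as a file saved on Windows would, and prints its path.
make_crlf_sample() {
    f=$(mktemp) || return 1
    printf '#!/bin/bash\r\n/sbin/iptables --policy INPUT DROP\r\necho done\n' > "$f"
    printf '%s' "$f"
}

# Demo, equivalent to: cat -A script | grep '\^M\$' ; dos2unix script
sample=$(make_crlf_sample)
echo "CRLF lines before: $(count_crlf "$sample")"
strip_crlf "$sample"
echo "CRLF lines after:  $(count_crlf "$sample")"
rm -f "$sample"
```

Run has_crlf against a script before executing it on a freshly migrated host; a zero-byte change in content that only alters line endings is invisible in most diffs but breaks every line of the script.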

tproxy configure with connbytes

I have a transparent proxy.
I want to redirect an RDP connection to a local process, but only from the 3rd packet on. That means I want to pass the first and second packets, and from the 3rd packet until the end redirect the packets to the local process.
I use code below to configure my tproxy.
But it does not work: no packets pass and no packets go to the local process (50082).
Could you please help me? I don't know what my mistake is.
${ip} rule add fwmark 1 lookup 100
${ip} route add local 0.0.0.0/0 dev lo table 100
${iptables} -t mangle -N DIVERT
${iptables} -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
${iptables} -t mangle -A DIVERT -j MARK --set-mark 1
${iptables} -t mangle -A DIVERT -j ACCEPT
${iptables} -t mangle -A PREROUTING -p tcp --dport 3389 -m connbytes --connbytes 3: --connbytes-dir both --connbytes-mode packets -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50082
${iptables} -t mangle -A PREROUTING -p tcp --dport 3389 -m connbytes --connbytes 1:3 --connbytes-dir both --connbytes-mode packets -j ACCEPT

add firewall rules using sed in bash

I have to add some firewall rules in my script. The rules must be written to /etc/sysconfig/iptables.
I try to use sed for this operation, but it doesn't work:
sudo sed -i '/:OS_FIREWALL_ALLOW - [0:0]/a \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 50825 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 20048 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT' /etc/sysconfig/iptables
I am trying to add the rules after the line :OS_FIREWALL_ALLOW - [0:0], which is in /etc/sysconfig/iptables.
Nothing happens. The iptables file has the same content as before; the new lines aren't added.
What am I doing wrong?
Content of the iptables file (before and after executing the sed command):
...
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
...
Expected output:
...
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
...
You have to change this line,
/:OS_FIREWALL_ALLOW - [0:0]/a
to
/:OS_FIREWALL_ALLOW - \[0:0\]/a
In a regular expression, square brackets delimit a character class, which matches any one of the characters in the set.
Valid command is:
sudo sed -i '/:OS_FIREWALL_ALLOW - \[0:0\]/a \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 53248 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 50825 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 20048 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT \
-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT' /etc/sysconfig/iptables
EDIT 2:
If your sed supports the r command (read from a file), you can save the iptables rules to add in add_rules.txt and then insert them after the existing line:
sed -i '/:OS_FIREWALL_ALLOW - \[0:0\]/r add_rules.txt' /etc/sysconfig/iptables
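Both this question and the first one on this page want lines inserted after a known line of an iptables-save style file, and the first one also wants the open ports listed. The following is an added example (not code from either post) that does both by comparing the anchor and the rules as literal strings rather than regular expressions, so the bracket-escaping problem above cannot occur and a rule already present is not added twice. The function names, the temporary-file handling and the sample file are mine; the sample is a constructed mix of the two files shown on this page.

```shell
#!/bin/sh
# Insert rules into an iptables-save style file (such as /etc/sysconfig/iptables)
# directly after an anchor line. Anchor and rules are matched as whole, literal
# lines, so ":OS_FIREWALL_ALLOW - [0:0]" needs no escaping and rules that are
# already in the file are skipped. Added example, not code from either post.

# insert_rules_after FILE ANCHOR RULE...
# Returns 1 if ANCHOR is not found; otherwise rewrites FILE in place.
insert_rules_after() {
    file=$1; anchor=$2; shift 2
    grep -qxF -- "$anchor" "$file" || { echo "anchor not found: $anchor" >&2; return 1; }
    add=$(mktemp) || return 1
    for rule in "$@"; do
        # -x: whole line, -F: fixed string, so "--dport 111" does not match "--dport 1111"
        grep -qxF -- "$rule" "$file" || printf '%s\n' "$rule" >> "$add"
    done
    rc=0
    if [ -s "$add" ]; then
        out=$(mktemp) || { rm -f "$add"; return 1; }
        # The anchor goes through the environment; awk -v would interpret backslashes.
        ANCHOR="$anchor" awk -v addfile="$add" '
            { print }
            $0 == ENVIRON["ANCHOR"] && !done {
                while ((getline line < addfile) > 0) print line
                done = 1
            }
        ' "$file" > "$out" && cat "$out" > "$file"   # cat keeps the owner and mode of FILE
        rc=$?
        rm -f "$out"
    fi
    rm -f "$add"
    return $rc
}

# list_open_ports FILE CHAIN
# Prints proto/port for every ACCEPT rule in CHAIN that carries a --dport.
list_open_ports() {
    awk -v chain="$2" '
        $1 == "-A" && $2 == chain {
            proto = ""; port = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (target == "ACCEPT" && port != "") print proto "/" port
        }
    ' "$1" | sort -u
}

# make_sample  Writes a constructed file modelled on the ones in the posts and
# prints its path.
make_sample() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:OS_FIREWALL_ALLOW - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
    printf '%s' "$f"
}

# Demo: add two of the rules from the post after the chain declaration, then
# show which ports the file now opens.
sample=$(make_sample)
insert_rules_after "$sample" ':OS_FIREWALL_ALLOW - [0:0]' \
    '-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT' \
    '-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT'
echo "open in OS_FIREWALL_ALLOW: $(list_open_ports "$sample" OS_FIREWALL_ALLOW | tr '\n' ' ')"
rm -f "$sample"
```

Before writing the result to /etc/sysconfig/iptables itself, feed it to iptables-restore --test (parse only, nothing is committed): one malformed line makes the whole restore fail at the next reload, which on a host with a DROP policy is a lockout rather than an open firewall.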

How to combine a bash for loop with different variables

I have two networks:
FORWARDS="10.0.0.0/8 192.168.0.0/16"
In a loop I'm allowing tcp, udp and icmp from each network to itself:
for ipo in $FORWARDS;do
iptables -A FORWARD -p tcp -s $ipo -d $ipo -j ACCEPT
iptables -A FORWARD -p udp -s $ipo -d $ipo -j ACCEPT
iptables -A FORWARD -p icmp -s $ipo -d $ipo -j ACCEPT
done
But I also need to allow the same networks to reach each other. How do I add the iptables rules below to the loop, to reduce the number of lines?
iptables -A FORWARD -p tcp -s 10.0.0.0/8 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT
iptables -A FORWARD -p udp -s 10.0.0.0/8 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT
iptables -A FORWARD -p icmp -s 10.0.0.0/8 -d 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -p icmp -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT
Use nested loops:
for ipo1 in $FORWARDS; do
for ipo2 in $FORWARDS; do
iptables -A FORWARD -p tcp -s $ipo1 -d $ipo2 -j ACCEPT
iptables -A FORWARD -p udp -s $ipo1 -d $ipo2 -j ACCEPT
iptables -A FORWARD -p icmp -s $ipo1 -d $ipo2 -j ACCEPT
done
done
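A generalization of the nested loop, as an added example that is not part of the answer: the network list and the protocol list are both variables, and a run wrapper (my own, not a standard command) prints each rule unless APPLY=1 is set, so the generated rule set can be reviewed before it touches the live firewall.

```shell
#!/bin/sh
# Generate FORWARD rules for every ordered (source, destination) pair of
# networks and every protocol, so adding a network or a protocol is a
# one-word change instead of six new lines. Added example, not code from
# the answer. "run" is my own wrapper: it prints each command unless APPLY=1
# is set, so the generated rule set can be reviewed before it is applied.
FORWARDS="10.0.0.0/8 192.168.0.0/16"
PROTOS="tcp udp icmp"

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# forward_rules NETWORKS PROTOS
# One rule per (src, dst, proto) triple. Pairs with src == dst are included,
# which is what the original single loop already produced.
forward_rules() {
    for src in $1; do
        for dst in $1; do
            for proto in $2; do
                run iptables -A FORWARD -p "$proto" -s "$src" -d "$dst" -j ACCEPT
            done
        done
    done
}

# Dry run: prints the 12 rules for the two networks and three protocols.
forward_rules "$FORWARDS" "$PROTOS"
```

The rule count grows as networks squared times protocols, so with more than a handful of networks it is worth reviewing the dry-run output for pairs that should not be allowed to talk to each other before setting APPLY=1.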

GitLab pushing via HTTPS doesn't succeed because of iptables

I installed the GitLab Omnibus bundle and opened iptables for ports 80, 443, 9418 and temporarily even for 22. Why doesn't pushing via HTTPS work? When I set iptables to default-open for everything, it works.
Here are my rules for 80, 443, 22 and 9418:
# 1. Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 80 -j ACCEPT
# 2. Allow outgoing HTTP
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 443 -j ACCEPT
# 10. Allow outgoing HTTPS
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
# allow git
$IPTABLES -A OUTPUT -p tcp --dport 9418 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 9418 -j ACCEPT
#SSH: Client --> Server
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
The result is:
Pushing to https://TLD/USER/REPO.git
POST git-receive-pack (448 bytes)
And then it just freezes. What else do I need to open?
I tried logging dropped packets, but there is nothing with my IP?
I hope someone can help me.
OK, here are the rules for my logging:
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
And here is the output:
# Generated by iptables-save v1.4.21 on Thu Nov 13 18:43:13 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 37655 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 9418 -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.20.0.0/16 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 37655 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
COMMIT
#Devices
DEV0=eth0
#internal network
INT_NET=xxx.xxx.0.0/16
INT_NET_SECURE=xxx.xxx.xxx.0/24
#external network
EXT_NET=xxx.xxx.xxx.0/24
#path iptables
IPTABLES=/sbin/iptables
#path modprobe
MODPROBE=/sbin/modprobe
case $1 in
start)
$0 stop
echo "start ip-package-filter"
# iptables-Modul
$MODPROBE ip_tables
# Connection-Tracking-Module
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp
$MODPROBE iptable_nat
#Standard-Policy - Deny everything except what we want
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#slows down icmp for too much packages
echo "5" >/proc/sys/net/ipv4/icmp_ratelimit
#Kills packages with source route option
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_source_route
#Kills icmp forwarding
echo "0">/proc/sys/net/ipv4/conf/$DEV0/accept_redirects
#Kills spoofed packages
echo "1" > /proc/sys/net/ipv4/conf/$DEV0/rp_filter
#Kills packages from 0.X.X.X
echo "0" > /proc/sys/net/ipv4/conf/eth0/bootp_relay
# TCP-FIN-Timeout (DoS-Attack)
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
#TCP-SYN max 3 answers
echo 3 > /proc/sys/net/ipv4/tcp_retries1
#TCP-Package max 15x repetitions
echo 15 > /proc/sys/net/ipv4/tcp_retries2
#Loopback-Communication
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
#ICMP: Client <--> Server
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
#DNS: Server --> DNS-Server
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Allow incoming HTTP
$IPTABLES -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Allow incoming HTTPS
$IPTABLES -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
#SSH: Client --> Server (internal)
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
#SSH: Client --> Server
#$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --sport 22 -j ACCEPT
#Update (apt)
$IPTABLES -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
#TeamDrive
$IPTABLES -A INPUT -p tcp --dport 37655 -m state --state NEW -j ACCEPT
#Git
$IPTABLES -A INPUT -p tcp --dport 9418 -m state --state NEW -j ACCEPT
#Connection-Tracking for INPUT and OUTPUT CHAIN
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Logging
$IPTABLES -N LOGGING
$IPTABLES -A INPUT -j LOGGING
$IPTABLES -A OUTPUT -j LOGGING
$IPTABLES -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
$IPTABLES -A LOGGING -j DROP
echo "Firewall activated"
;;
stop)
# Flush every chain in the filter table, then delete the custom LOGGING chain
# so that "start" can recreate it without appending duplicate rules.
$IPTABLES -F
$IPTABLES -X LOGGING 2>/dev/null
;;
restart)
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
;;
esac
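As an added example (not code from the post), the following audits a dump like the one above. The dump shows the LOGGING chain's two rules four times, and the script's stop branch as posted explains it: it flushes INPUT, OUTPUT and FORWARD only, so LOGGING keeps its rules and every start appends to it again. The functions are mine; the embedded dump is a constructed copy of the one shown in the post.

```shell
#!/bin/sh
# Find rules that occur more than once in an iptables-save dump and produce a
# copy with the repeats removed. Added example, not code from the post.

# duplicate_rules FILE  Prints "COUNT RULE" for each -A line seen more than
# once, most frequent first.
duplicate_rules() {
    grep '^-A ' "$1" | sort | uniq -c | awk '$1 > 1' | sort -rn | sed 's/^ *//'
}

# dedupe_rules FILE  Prints FILE with every repeated -A line reduced to its
# first occurrence; chain declarations, COMMIT and comments pass through.
dedupe_rules() {
    awk '!/^-A / || !seen[$0]++' "$1"
}

# make_dump  Writes a constructed copy of the dump from the post, prints its path.
make_dump() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# Generated by iptables-save v1.4.21 on Thu Nov 13 18:43:13 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 37655 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 9418 -j ACCEPT
-A INPUT -j LOGGING
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.20.0.0/16 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 37655 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9418 -j ACCEPT
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP
COMMIT
EOF
    printf '%s' "$f"
}

# Demo: the four repeated rules (two LOGGING rules x4, --sport 80 and
# --dport 80 x2) and the size of the cleaned dump.
dump=$(make_dump)
duplicate_rules "$dump"
echo "lines after dedupe: $(dedupe_rules "$dump" | wc -l | tr -d ' ')"
rm -f "$dump"
```

Duplicates in a filter chain are harmless for ACCEPT and DROP but they double the LOG volume per matching packet and make the rule order harder to reason about; the cleaned output can be checked with iptables-restore --test before it is loaded.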
