I'm not sure I understand you correctly, but how about this:

## 0 == LOG
## 1 == DROP
## 2 == LOG & DROP
LOGTCP=2;

if [ $LOGTCP -eq 0 ]; then
    #Log forbidden TCP datagrams
    iptables -A TCP --protocol tcp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
elif [ $LOGTCP -eq 1 ]; then
    # Disallow NEW and INVALID incoming from the external interface
    iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
    # Drop all TCP
    iptables -A TCP -j DROP
elif [ $LOGTCP -eq 2 ]; then
    #Log forbidden TCP datagrams
    iptables -A TCP --protocol tcp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
    # Drop all TCP (after logging)
    iptables -A TCP --protocol tcp -j DROP
fi
- James

-----Original Message-----
From: Stefan Srdic [mailto:[EMAIL PROTECTED]
Sent: Friday, September 07, 2001 8:55 AM
To: debian-security@lists.debian.org
Subject: Bash scripting info needed.

Hi,

Once again I've re-written my firewall script. Only this time I've attempted to make use of a few loops and if statements to make my script prettier. I have no formal education in programming at all!! Please be patient with me :-D

For reference I have been using some of the well written init scripts that come packaged with Debian.

What I am attempting to do is have a variable that determines whether IPtables LOGs or DROPs datagrams or does both functions. So far I'm half way there. This is what I've come up with using the Linux Network Administrators Guide and the internet as a reference:

#!/bin/sh

# Define our path
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

#LOGTCP=1

# Load IPTables module(s)
depmod -a
modprobe ip_tables || exit 1

# Set the default policies on the filter table.
for p in INPUT FORWARD OUTPUT; do
    iptables -t filter -P $p ACCEPT
done

# flush all rules and erase all user defined chains on all tables
for t in filter nat mangle; do
    iptables -t $t -F
    iptables -t $t -X
done

# TCP filters
# create a new chain for TCP communications
iptables -N TCP 2>/dev/null

# divert all TCP datagrams on all interfaces into the TCP chain
iptables -A INPUT --protocol tcp -j TCP
iptables -A OUTPUT --protocol tcp -j TCP

# Allow full access on our localhost
iptables -A TCP -i $LOOPBACK -j ACCEPT
iptables -A TCP -o $LOOPBACK -j ACCEPT

# Allow full access between our LAN and our host
iptables -A TCP -i $LANIFACE -s $LAN -j ACCEPT
iptables -A TCP -o $LANIFACE -d $LAN -j ACCEPT

# Allow established and related connections
iptables -A TCP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow new connections on external interface
iptables -A TCP -m state --state NEW -i ! $EXTIFACE -j ACCEPT

if [ "$LOGTCP" ]; then
    #Log forbidden TCP datagrams
    iptables -A TCP --protocol tcp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
else
    # Disallow NEW and INVALID incoming from the external interface
    iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
    # Drop all TCP
    iptables -A TCP -j DROP
fi

I've found (through trial and error) that if I uncomment $LOGTCP things are logged as they should be. However, I'm trying to figure out a way I could declare whether my script logs, drops, or does both actions according to the value of $LOGTCP. Is this possible?

I would appreciate it if any of you could offer me some advice or even some insight on the basics of these statements.

Thanks,

Stef
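As an added example that is not from either message in the thread: the same log/drop/both choice written as one function that refuses an unknown mode instead of silently emitting no DROP rule. It assumes Stef's chain name TCP and variable EXTIFACE; IPT is a constructed wrapper that defaults to echoing the rules so the logic can be tried without root.

```shell
#!/bin/sh
# Added example, not code from the thread. Constructed assumptions: the
# chain is called TCP and EXTIFACE holds the external interface, as in
# Stef's script. IPT defaults to "echo iptables" (dry run: rules are
# printed, not applied); run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"
EXTIFACE="${EXTIFACE:-eth0}"

# Usage: deny_tcp MODE    (MODE is one of: log, drop, both)
# An unknown mode emits nothing and returns 1, so a typo in the variable
# fails loudly rather than leaving the TCP chain without a DROP.
deny_tcp() {
    mode="$1"
    case "$mode" in
        log|drop|both) ;;
        *) echo "deny_tcp: unknown mode '$mode' (use log, drop or both)" >&2
           return 1 ;;
    esac
    if [ "$mode" != drop ]; then
        # Log forbidden TCP datagrams, rate-limited so a flood cannot fill the log
        $IPT -A TCP -p tcp -m limit --limit 1/minute --limit-burst 4 \
            -j LOG --log-level debug --log-prefix 'Denied TCP: '
    fi
    if [ "$mode" != log ]; then
        # Disallow NEW and INVALID from the external interface, then drop the rest
        $IPT -A TCP -i "$EXTIFACE" -m state --state NEW,INVALID -j DROP
        $IPT -A TCP -j DROP
    fi
}

# Count the rules a mode produces in dry-run mode (log=1, drop=2, both=3).
count_rules() { deny_tcp "$1" 2>/dev/null | grep -c -- '-A TCP'; }

# Example run; with the default IPT this only prints the three "both" rules.
deny_tcp both || exit 1
```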