Hi

> I'm not sure I understand you correctly, but how about this:
>
> ## 0 == LOG
> ## 1 == DROP
> ## 2 == LOG & DROP
> LOGTCP=2;
> if [ $LOGTCP -eq 0 ]; then
>     #Log forbidden TCP datagrams
>     iptables -A TCP --protocol tcp -m limit --limit 1/minute \
>         --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
> elif [ $LOGTCP -eq 1 ]; then
>     # Disallow NEW and INVALID incoming from the external interface
>     iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
>     # Drop all TCP
>     iptables -A TCP -j DROP
> elif [ $LOGTCP -eq 2 ]; then
>     #Log forbidden TCP datagrams
>     iptables -A TCP --protocol tcp -m limit --limit 1/minute \
>         --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
>     iptables -A TCP --protocol tcp -j DROP
> fi

If the question is the above, then IMHO it is better to use the "case" statement:

case "$LOGTCP" in
    0)
        #Log forbidden TCP datagrams
        iptables -A TCP --protocol tcp -m limit --limit 1/minute \
            --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
        ;;
    1)
        # Disallow NEW and INVALID incoming from the external interface
        iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
        # Drop all TCP
        iptables -A TCP -j DROP
        ;;
    2)
        #Log forbidden TCP datagrams
        iptables -A TCP --protocol tcp -m limit --limit 1/minute \
            --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
        iptables -A TCP --protocol tcp -j DROP
        ;;
esac

---
;---+---;
bye | bye |hor

> - James
>
> -----Original Message-----
> From: Stefan Srdic [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 07, 2001 8:55 AM
> To: debian-security@lists.debian.org
> Subject: Bash scripting info needed.
>
>
> Hi,
>
> Once again I've re-written my firewall script. Only this time I've
> attempted to make use of a few loops and if statements to make my script
> prettier. I have no formal education in programming at all!! Please be
> patient with me :-D For reference I have been using some of the well
> written init scripts that come packaged with Debian.
>
> What I am attempting to do is have a variable that determines whether
> IPtables LOGs or DROPs datagrams or does both functions. So far I'm half
> way there.
>
> This is what I've come up with using the Linux Network Administrators
> Guide and the internet as a reference:
>
> #!/bin/sh
>
> # Define our path
> PATH=/sbin:/bin:/usr/sbin:/usr/bin
> export PATH
>
> #LOGTCP=1
>
> # Load IPTables module (s)
>
> depmod -a
> modprobe ip_tables || exit 1
>
> # Set the default policies on the filter table.
> for p in INPUT FORWARD OUTPUT; do
>     iptables -t filter -P $p ACCEPT
> done
>
> # flush all rules and erase all user defined chains on all tables
> for t in filter nat mangle; do
>     iptables -t $t -F
>     iptables -t $t -X
> done
>
> # TCP filters
> # create a new chain for TCP communications
> iptables -N TCP 2>/dev/null
>
> # divert all TCP datagrams on all interfaces into the TCP chain
> iptables -A INPUT --protocol tcp -j TCP
> iptables -A OUTPUT --protocol tcp -j TCP
>
> # Allow full access on our localhost
> iptables -A TCP -i $LOOPBACK -j ACCEPT
> iptables -A TCP -o $LOOPBACK -j ACCEPT
>
> # Allow full access between our LAN and our host
> iptables -A TCP -i $LANIFACE -s $LAN -j ACCEPT
> iptables -A TCP -o $LANIFACE -d $LAN -j ACCEPT
>
> # Allow established and related connections
> iptables -A TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
> # Allow new connections on external interface
> iptables -A TCP -m state --state NEW -i ! $EXTIFACE -j ACCEPT
>
> if [ "$LOGTCP" ]; then
>     #Log forbidden TCP datagrams
>     iptables -A TCP --protocol tcp -m limit --limit 1/minute \
>         --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
> else
>     # Disallow NEW and INVALID incoming from the external interface
>     iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
>     # Drop all TCP
>     iptables -A TCP -j DROP
> fi
>
> I've found (through trial and error) that if I uncomment $LOGTCP things
> are logged as they should be. However, I'm trying to figure out a way I
> could declare whether my script logs, drops, or does both actions
> according to the value of $LOGTCP.
>
> Is this possible?
>
> I would appreciate it if any of you could offer me some advice or even
> some insight on the basics of these statements.
>
> Thanks,
>
> Stef
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
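One way to write the LOGTCP selection the thread is discussing, as an added example and not code from either poster. It assumes the TCP chain already exists and that the caller sets EXTIFACE, and it adds a hypothetical IPT wrapper with a dry-run mode so the selection logic (including rejection of an unexpected LOGTCP value) can be checked without root:

```shell
#!/bin/sh
# Added example, not code from either poster.  Assumes the TCP chain already
# exists and that the caller sets EXTIFACE; IPT is a hypothetical wrapper.
# With DRYRUN=1 it prints the rules instead of applying them, so the selection
# logic can be checked without root or a netfilter kernel.
IPT() {
    if [ "${DRYRUN:-0}" -eq 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# 0 == LOG, 1 == DROP, 2 == LOG & DROP  (same encoding as the thread)
tcp_policy_rules() {
    case "$1" in
        0)  # Log forbidden TCP datagrams; the limit keeps a flood from filling syslog
            IPT -A TCP --protocol tcp -m limit --limit 1/minute --limit-burst 4 \
                -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
            ;;
        1)  # Disallow NEW and INVALID from the external interface, then drop the rest
            IPT -A TCP -i "$EXTIFACE" -m state --state NEW,INVALID -j DROP
            IPT -A TCP -j DROP
            ;;
        2)  # Log first, then drop: LOG is non-terminating and DROP is, so order matters
            IPT -A TCP --protocol tcp -m limit --limit 1/minute --limit-burst 4 \
                -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
            IPT -A TCP --protocol tcp -j DROP
            ;;
        *)  # Any other value is a config typo: fail rather than install half a policy
            echo "LOGTCP must be 0, 1 or 2 (got '$1')" >&2
            return 1
            ;;
    esac
}

# Number of rules a given LOGTCP value would install (dry run, for checking)
rule_count() {
    ( DRYRUN=1; EXTIFACE="${EXTIFACE:-eth0}"; tcp_policy_rules "$1" 2>/dev/null ) \
        | wc -l | tr -d ' '
}

# Stand-alone use: DRYRUN=1 EXTIFACE=eth0 LOGTCP=2 sh this_script.sh
if [ -n "${LOGTCP:-}" ]; then
    tcp_policy_rules "$LOGTCP"
fi
```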