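Dynamic Firewall
=======================

Public domain

********************************************************************************
********************************************************************************

## Firewall Bash Script

********************************************************************************

```bash
#!/bin/bash
# Reference: https://wiki.archlinux.org/index.php/simple_stateful_firewall#Example_iptables.rules_file
#
# sinic_firewall {start|watch|stop}
#   start - flush everything, then load: default-deny INPUT, SSH from anywhere,
#           HTTP (port 80) only from the addresses listed in ips.txt,
#           return traffic for connections this host opened.
#   watch - cron entry point: run "start" when the trigger file exists.
#   stop  - flush everything and set all policies back to ACCEPT.
#
# Must run as root. ips.txt is the trust boundary: every address in it gets
# an ACCEPT rule for port 80, and root reads it every minute from cron.
set -u

# Parent of the directory holding this script (the application root).
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
readonly ipsFileAddress="$DIR/modules/users/server/ipFilter/ips.txt"
readonly firewallFileAddress="$DIR/modules/users/server/ipFilter/firewall.txt"

# Fixed environment: this runs as root from cron, so do not trust an
# inherited PATH.
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Check that $1 is a dotted-quad IPv4 address, optionally with a /1../32
# prefix length, in the form "iptables -s" accepts.
# Octets with leading zeros are rejected: bash arithmetic and inet_aton both
# read "010" as octal, so such an entry would not mean what was written.
# A /0 prefix is rejected on purpose: it would open the port to everyone.
# Arguments: $1 - candidate, e.g. 192.0.2.10 or 192.0.2.0/24
# Returns:   0 if valid, 1 otherwise
#######################################
valid_ip() {
  local candidate=$1
  local octet='(0|[1-9][0-9]{0,2})'
  local re="^${octet}(\.${octet}){3}(/([1-9]|[12][0-9]|3[0-2]))?"'$'
  local addr part
  local -a octets=()

  [[ $candidate =~ $re ]] || return 1

  # The regex admits octets up to 999; bound each one to 255.
  addr=${candidate%%/*}
  IFS='.' read -r -a octets <<<"$addr"
  for part in "${octets[@]}"; do
    (( part <= 255 )) || return 1
  done
  return 0
}

#######################################
# Load the rule set (see the header comment for what it allows).
# Globals:   ipsFileAddress (read)
# Outputs:   one "<entry>: <status>" line per non-empty line of ips.txt
# Returns:   0; iptables reports its own errors on stderr
#######################################
start() {
  local entry status

  [[ -f "$ipsFileAddress" ]] || return 0

  # Whoever can write ips.txt can open port 80 to any address as root.
  # Warn when the file is writable by everyone.
  if [[ -n "$(find "$ipsFileAddress" -maxdepth 0 -perm -002 2>/dev/null)" ]]; then
    printf 'warning: %s is writable by everyone\n' "$ipsFileAddress" >&2
  fi

  stop
  printf '%s\n' "$ipsFileAddress"

  # Chains from the reference rule set; nothing jumps to them yet.
  iptables -N TCP
  iptables -N UDP

  iptables -A INPUT -i lo -j ACCEPT
  # Replies to connections this host opened (HTTP, HTTPS, DNS, ping) come
  # back through conntrack. Stateless "--sport 22/80/443/53 -j ACCEPT" rules
  # would instead let any remote host reach every local port simply by
  # sending from one of those source ports.
  iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
  iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
  # Allow SSH into this computer from everywhere.
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  # One ACCEPT rule per valid entry. The same quoted string is validated and
  # passed to iptables, so a line with extra words cannot pass validation on
  # its first word and then reach iptables as several arguments.
  # "read -r" keeps backslashes; the "|| [[ -n ]]" keeps a last line that
  # has no trailing newline; the CR strip tolerates CRLF files.
  while read -r entry || [[ -n "$entry" ]]; do
    entry=${entry%$'\r'}
    [[ -z "$entry" ]] && continue
    if valid_ip "$entry"; then
      status='opend in firewall'
      iptables -A INPUT -p tcp -s "$entry" --dport 80 -j ACCEPT
    else
      status='bad ip format'
    fi
    printf "%-20s: %s\n" "$entry" "$status"
  done <"$ipsFileAddress"

  # Policies last, so there is no moment where INPUT is DROP with no rules.
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
  iptables -P INPUT DROP

  #echo "==============================================="
  #echo "after firewall ran, the state of firewall is : "
  #iptables -nvL --line-numbers
}

#######################################
# Flush all filter rules and chains and open every policy.
# Outputs:   a one-line notice on stdout
#######################################
stop() {
  printf '%s\n' "clear and stop all firewall rules"
  iptables -t filter -F
  iptables -t filter -X
  iptables -t filter -Z
  iptables -t filter -P INPUT ACCEPT
  iptables -t filter -P OUTPUT ACCEPT
  iptables -t filter -P FORWARD ACCEPT
}

#######################################
# Cron entry point: reload the rules when the trigger file exists, then
# consume the trigger (presumably created by the application after it
# updates ips.txt — confirm against the application code).
# Globals:   firewallFileAddress (read)
#######################################
watch() {
  if [[ -f "$firewallFileAddress" ]]; then
    start
    rm -f -- "$firewallFileAddress"
  fi
}

#######################################
# Dispatch on the first argument; refuse unknown actions before touching
# anything, and refuse to run the real actions without root.
# Arguments: $1 - start | watch | stop
#######################################
main() {
  local action=${1:-}
  case "$action" in
    start|watch|stop) ;;
    *)
      printf '%s\n' $"Usage: sinic_firewall {start|watch|stop}" >&2
      exit 1
      ;;
  esac
  (( EUID == 0 )) || die "sinic_firewall: '$action' needs root (iptables)"
  "$action"
}

main "$@"
```

********************************************************************************

## SystemD or upStart Installation Guide Script

********************************************************************************

```bash
#!/usr/bin/env bash
# Prints the crontab line and the systemd unit or upstart job for
# sinic_firewall.sh. It prints only; the operator copies the text by hand.
#
# Everything printed here executes $DIR/sinic_firewall.sh as root (cron,
# the unit, the job). The script and its directory must therefore be owned
# by root and not writable by the web application's user; only the ips.txt
# and firewall.txt it reads are meant to be written by the application.
set -u

# Directory holding this script; sinic_firewall.sh is expected next to it.
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
OS="$(< /etc/issue)"
# VERSION_ID from /etc/os-release with the surrounding quotes removed.
OSVERSION="$(awk -F= '$1 == "VERSION_ID" { gsub(/"/, "", $2); print $2 }' /etc/os-release)"

printf 'Welcome to Installer, Your OS is : %s\n' "$OS"
printf '%s\n' "Warning : If you are using ubuntu please pay attention to that version, if your version is lower than 15.04 your system use" \
  "UpStart else it uses SystemD"
printf '%s\n' "$OSVERSION"
read -r -p "Enter your startup system [upstart|systemd] :" STARTUPSYSTEM

# Unquoted heredocs: $DIR is expanded now; "\$(date)" is kept literal so it
# is evaluated by upstart at run time, not here.
SYSTEMD=$(cat <<EOF
***********************************************************************************
********************************* crontab section *********************************
***********************************************************************************
Please write below line to root's crontab

* * * * * $DIR/sinic_firewall.sh watch

***********************************************************************************
***************************** start up script section *****************************
***********************************************************************************
Please write below lines in /etc/systemd/system/sinicFirewall.service
and then please enter this command in root console:

systemctl start sinicFirewall.service
systemctl enable sinicFirewall.service

************************************************************************************
***************************** this is the file content *****************************
************************************************************************************
[Unit]
Description=Sinic Firewall service
After=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
User=root
Group=root
ExecStart=$DIR/sinic_firewall.sh start
ExecStop=$DIR/sinic_firewall.sh stop

[Install]
WantedBy=multi-user.target
EOF
)

UPSTART=$(cat <<EOF
***********************************************************************************
********************************* crontab section *********************************
***********************************************************************************
Please write below line to root's crontab

* * * * * $DIR/sinic_firewall.sh watch

***********************************************************************************
***************************** start up script section *****************************
***********************************************************************************
Please write below lines in /etc/init/sinicFirewall.conf
and then please enter this command in root console:

service sinicFirewall start

************************************************************************************
***************************** this is the file content *****************************
************************************************************************************
description "Sinic Firewall service"
author "Farid Ahmadian"

start on filesystem or runlevel [2345]
stop on shutdown

script
export HOME="/srv"
exec $DIR/sinic_firewall.sh start
end script

pre-start script
echo "\$(date) Sinic Firewall Starting" >> /var/log/sinic_firewall.log
end script

pre-stop script
echo "\$(date) Sinic Firewall Stopping" >> /var/log/sinic_firewall.log
end script
EOF
)

# Only the two known answers are accepted (case-insensitively); anything
# else used to fall through to the upstart text silently.
case "${STARTUPSYSTEM,,}" in
  systemd) printf '%s\n' "$SYSTEMD" ;;
  upstart) printf '%s\n' "$UPSTART" ;;
  *)
    printf 'unknown startup system "%s": expected upstart or systemd\n' "$STARTUPSYSTEM" >&2
    exit 2
    ;;
esac
```

********************************************************************************

_BY: Farid Ahmadian_

_TAG: firewall, iptables, bash-script, ubuntu, bash, upstart, systemd_

_DATE: 2016-07-11 21:40:51_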