[colug-432] Pausing

Steve VanSlyck s.vanslyck at postpro.net
Fri May 15 21:35:01 EDT 2015


...and with Rick's help in pointing out what should've been obvious, my
script is working up to the exit point.

Here's what I've got so far. And I promise not to post this whole thing
again until it's substantially complete.

You're not of course seeing the correct tabbing.

You guys are the best.

p.s. I'm not ignoring the advice on iptables. Just haven't got
     there yet.


================================

#!/bin/bash
# This above line is not a comment. Well, actually it is. But it's
# supposed to be. The first two characters (#!) are a shebang. They
# identify the command interpreter to be used.

# ===== ===== ===== HOMEWORK ASSIGNMENT ===== ===== =====
# BEFORE EXECUTING THIS SCRIPT YOU MUST HAVE ALREADY CREATED AN SSH KEY
# PAIR. YOU WILL NEED TO INSERT THE PUBLIC KEY OR "LOCK" PORTION OF THE
# PAIR INTO THIS SCRIPT. YOU WILL ALSO NEED TO KNOW THE IP ADDRESS FROM
# WHICH YOU WILL BE ACCESSING THE SERVER. THE SERVER WILL BE LOCKED DOWN
# TO THAT ADDRESS WHILE THE SCRIPT IS PROCESSING.
# ===== ===== ===== END HOMEWORK ASSIGNMENT ===== ===== =====

# Install the dialog utility
echo "Invisible Island's dialog utility will be installed. See"
echo "http://invisible-island.net/dialog ."
sleep 2s
yum -y install dialog

# Begin the script
DIALOG=${DIALOG=dialog}

$DIALOG --title "Server Setup Script" \
  --clear \
  --yesno \
  "Open the policies and flush rules,\n \
Accept connections to the loopback interface (localhost),\n \
Accept connections from the loopback interface (localhost),\n \
Allow outgoing connections,\n \
Drop all pings,\n \
Accept requested inbound traffic,\n \
Accept new and established ssh from specified IP,\n \
Allow established ssh to specified IP,\n \
Drop all other ssh attempts,\n \
Allow outbound http traffic,\n \
Allow outbound https traffic,\n \
Allow inbound http traffic,\n \
Allow inbound https traffic, and\n \
Set default policy to drop all other connections?\n" 20 75

# dialog exits 0 for Yes, 1 for No and 255 for ESC.
case $? in
  0)
    # Reset policy so flushing rules doesn't flush ME. (The comment match
    # attaches to a rule added with -A/-I; -P and -F create no rule, so
    # these notes live in shell comments instead.)
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    # Flush current rules
    iptables -F
    iptables -A INPUT -i lo -j ACCEPT \
      -m comment --comment "Accept connections to the loopback interface (localhost)"
    iptables -A OUTPUT -o lo -j ACCEPT \
      -m comment --comment "Accept connections from the loopback interface (localhost)"
    iptables -A OUTPUT -j ACCEPT \
      -m comment --comment "Allow outgoing connections"
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP \
      -m comment --comment "Drop all pings"
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT \
      -m comment --comment "Accept requested inbound traffic"
    # "--dport ssh" and "--dport 22" are interchangeable: iptables resolves
    # the service name through /etc/services.
    iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh \
      -m state --state NEW,ESTABLISHED -j ACCEPT \
      -m comment --comment "Accept new and established ssh from specified IP"
    iptables -A INPUT -p tcp -s 24.123.57.42 --dport ssh \
      -m state --state NEW,ESTABLISHED -j ACCEPT \
      -m comment --comment "Accept new and established ssh from specified IP"
    iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 \
      -m state --state ESTABLISHED -j ACCEPT \
      -m comment --comment "Allow established ssh to specified IP"
    iptables -A OUTPUT -p tcp -d 24.123.57.42 --sport 22 \
      -m state --state ESTABLISHED -j ACCEPT \
      -m comment --comment "Allow established ssh to specified IP"
    iptables -A INPUT -p tcp --dport ssh -j DROP \
      -m comment --comment "Drop all other ssh attempts"
    iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT \
      -m comment --comment "Allow outbound http traffic"
    iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT \
      -m comment --comment "Allow outbound https traffic"
    iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT \
      -m comment --comment "Allow inbound http traffic"
    iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT \
      -m comment --comment "Allow inbound https traffic"
    # Set policy: Drop forwarding connections
    iptables -P FORWARD DROP
    # Set policy: Drop other incoming connections
    iptables -P INPUT DROP
    # Set policy: Drop outgoing connections
    iptables -P OUTPUT DROP
    clear
    # "echo \n" prints a literal n; a bare echo prints the blank line.
    echo; echo; echo
    echo "Temporary firewall rules enabled. You have chosen wisely. Or at least bravely."
    echo; echo; echo
    ;;
  1)
    clear
    echo; echo; echo
    echo "Those who press NO are honest cowards."
    echo; echo; echo
    ;;
  255)
    clear
    echo; echo; echo
    echo "Those who press ESC are dishonest (passive-aggressive) cowards."
    echo; echo; echo
    ;;
esac
exit 1 # STOP THE SCRIPT HERE! untested stuff.......
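The script above resets the policies to ACCEPT before flushing precisely because appending rules one at a time after a flush leaves a window where the box is either wide open or, if the order goes wrong, closed to the admin. The added example below (not Steve's script, and not from the colug-432 thread) expresses the same policy as an iptables-restore ruleset: it can be reviewed as plain text, the admin addresses are validated before anything is generated, and `iptables-restore` replaces the whole filter table in one step so the rules never exist half-applied. The function names `is_ipv4`, `build_ruleset`, `count_rules` and `apply_ruleset` are this example's own; the addresses 203.0.113.5 and 198.51.100.7 used in the usage line are constructed documentation addresses, not the ones in the post. It keeps `-m state` and the blanket `-A OUTPUT -j ACCEPT` exactly as the post has them; note that with that blanket rule in place the `OUTPUT DROP` policy and the specific outbound 80/443 rules never get a packet to match.

```shell
#!/bin/sh
# Added example (not from the post): render an iptables-restore ruleset for
# the filter table, check the admin addresses first, load it atomically.
# Function names here are this example's own.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print an iptables-restore ruleset. Each argument is an admin address that
# may open SSH; every other SSH attempt is dropped, HTTP/HTTPS is open both
# ways, pings are dropped, and the default policy is DROP.
build_ruleset() {
  [ $# -ge 1 ] || { echo "build_ruleset: need at least one admin address" >&2; return 1; }
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "build_ruleset: bad address '$ip'" >&2; return 1; }
  done
  printf '%s\n' '*filter'
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
  printf '%s\n' '-A OUTPUT -j ACCEPT'
  printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j DROP'
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  for ip in "$@"; do
    printf '%s\n' "-A INPUT -p tcp -s $ip --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT"
    printf '%s\n' "-A OUTPUT -p tcp -d $ip --sport 22 -m state --state ESTABLISHED -j ACCEPT"
  done
  printf '%s\n' '-A INPUT -p tcp --dport 22 -j DROP'
  for port in 80 443; do
    printf '%s\n' "-A OUTPUT -p tcp --dport $port -j ACCEPT"
    printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# Count generated rule lines containing a fixed string: a cheap pre-flight
# check that, for example, exactly one accept rule exists per admin address.
count_rules() {
  pattern=$1
  shift
  build_ruleset "$@" | grep -c -F -- "$pattern"
}

# Load the ruleset in one step. iptables-restore swaps the entire table at
# once, so there is no moment with the policies open and the rules flushed.
apply_ruleset() {
  build_ruleset "$@" | iptables-restore
}

# Stand-alone use: print the ruleset for the addresses on the command line,
# e.g.  sh firewall-rules.sh 203.0.113.5 198.51.100.7 > rules.v4
if [ $# -gt 0 ]; then
  build_ruleset "$@"
fi
```

Review the printed file, then feed it to `iptables-restore`; `iptables-save` afterwards shows what the kernel actually holds, comments and all, which is a better record than the script's echo lines.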