<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body><div>...and with Rick's help in pointing out what should've been obvious, my script is working up to the exit point.<br></div>
<div> </div>
<div>Here's what I've got so far. And I promise not to post this whole thing again until its substantially complete.<br></div>
<div> </div>
<div>You're not of course seeing the correct tabbing.</div>
<div> </div>
<div>You guys are the best.<br></div>
<div> </div>
<div>p.s. I'm not ignoring the advice on iptables. Just haven't got there yet.</div>
<div> </div>
<div> </div>
<div>================================</div>
<div> </div>
<div>#!/bin/bash<br></div>
<div># This above line is not a comment. Well, actually it is. But it's supposed to be.<br></div>
<div># The first two characters (#!) are a shebang. They identify the command interpreter to be used.<br></div>
<div> </div>
<div># ===== ===== ===== HOMEWORK ASSIGNMENT ===== ===== =====<br></div>
<div># BEFORE EXECUTING THIS SCRIPT YOU MUST HAVE ALREADY CREATED AN SSH KEY PAIR.<br></div>
<div># YOU WILL NEED TO INSERT THE PUBLIC KEY OR "LOCK" PORTION OF THE PAIR INTO THIS SCRIPT.<br></div>
<div># YOU WILL ALSO NEED TO KNOW THE IP ADDRESS FROM WHICH YOU WILL BE ACCESSING THE SERVER.<br></div>
<div># THE SERVER WILL BE LOCKED DOWN TO THAT ADDRESS WHILE THE SCRIPT IS PROCESSING.<br></div>
<div># ===== ===== ===== END HOMEWORK ASSIGNMENT ===== ===== =====<br></div>
<div> </div>
<div># Install the dialog utility<br></div>
<div>echo "Invisible Island's dialog utility will be installed. See <a href="http://invisible-island.net/dialog">http://invisible-island.net/dialog</a> ."<br></div>
<div>sleep 2s<br></div>
<div>yum -y install dialog<br></div>
<div> </div>
<div># Begin the script<br></div>
<div>DIALOG=${DIALOG=dialog}<br></div>
<div> </div>
<div>$DIALOG --title "Server Setup Script" \<br></div>
<div>--clear \<br></div>
<div> --yesno \<br></div>
<div>"Open the polices and flush rules,\n \<br></div>
<div>Accept connections to the loopback interface (localhost),\n \<br></div>
<div>Accept connections from the loopback interface (localhost),\n \<br></div>
<div>Allow outgoing connections,\n \<br></div>
<div>Drop all pings,\n \<br></div>
<div>Accept requested inbound traffic,\n \<br></div>
<div>Accept new and established ssh from specified IP,\n \<br></div>
<div>Allow established ssh to specified IP,\n \<br></div>
<div>Drop all other ssh attempts,\n \<br></div>
<div>Allow outbound http traffic,\n \<br></div>
<div>Allow outbound https traffic,\n \<br></div>
<div>Allow inbound http traffic,\n \<br></div>
<div>Allow inbound https traffic, and\n \<br></div>
<div>Set default policy to drop all other connections?\n" 20 75<br></div>
<div> </div>
<div>case $? in<br></div>
<div>0)<br></div>
<div>iptables -P INPUT ACCEPT -m comment --comment "Reset policy so flushing rules doesn't flush ME."<br></div>
<div>iptables -P OUTPUT ACCEPT -m comment --comment "Reset policy so flushing rules doesn't flush ME."<br></div>
<div>iptables -F -m comment --comment "Flush current rules"<br></div>
<div>iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Accept connections to the loopback interface (localhost)"<br></div>
<div>iptables -A OUTPUT -o lo -j ACCEPT -m comment --comment "Accept connections from the loopback interface (localhost)"<br></div>
<div>iptables -A OUTPUT -j ACCEPT -m comment --comment "Allow outgoing connections"<br></div>
<div>iptables -A INPUT -p icmp --icmp-type echo-request -j DROP -m comment --comment "Drop all pings"<br></div>
<div>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Accept requested inbound traffic"<br></div>
<div>iptables -A INPUT -p tcp -s 107.132.57.128 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept new and established ssh from specified IP. Not sure if the ssh can be replaced by 22."<br></div>
<div>iptables -A INPUT -p tcp -s 24.123.57.42 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Accept new and established ssh from specified IP. Not sure if the ssh can be replaced by 22."<br></div>
<div>iptables -A OUTPUT -p tcp -d 107.132.57.128 --sport 22 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Allow established ssh to specified IP. Not sure if the 22 can be replaced by ssh."<br></div>
<div>iptables -A OUTPUT -p tcp -d 24.123.57.42 --sport 22 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Allow established ssh to specified IP. Not sure if the 22 can be replaced by ssh."<br></div>
<div>iptables -A INPUT -p tcp --dport ssh -j DROP -m comment --comment "Drop all other ssh attempts"<br></div>
<div>iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Allow outbound http traffic"<br></div>
<div>iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Allow outbound https traffic"<br></div>
<div>iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -m comment --comment "Allow inbound http traffic"<br></div>
<div>iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT -m comment --comment "Allow inbound https traffic"<br></div>
<div>iptables -P FORWARD DROP -m comment --comment "Set policy: Drop forwarding connections"<br></div>
<div>iptables -P INPUT DROP -m comment --comment "Set policy: Drop other incoming connections"<br></div>
<div>iptables -P OUTPUT DROP -m comment --comment "Set policy: Drop outgoing connections"<br></div>
<div>clear<br></div>
<div>echo \n && echo \n && echo \n<br></div>
<div>echo "Temporary firewall rules enabled. You have chosen wisely. Or at least bravely."<br></div>
<div>echo \n && echo \n && echo \n<br></div>
<div>;;<br></div>
<div>1)<br></div>
<div>clear<br></div>
<div>echo \n && echo \n && echo \n<br></div>
<div>echo "Those who press NO are honest cowards."<br></div>
<div>echo \n && echo \n && echo \n<br></div>
<div>;;<br></div>
<div> 255)<br></div>
<div>clear<br></div>
<div>echo \n && echo \n && echo \n<br></div>
<div>echo "Those who press ESC are dishonest (passive-aggressive) cowards."<br></div>
<div>echo \n && echo \n && echo \n<br></div>
<div>;;<br></div>
<div>esac<br></div>
<div>exit 1; #STOP THE SCRIPT HERE!<br></div>
<div>untested stuff.......</div>
</body>
</html>