PC World Komputer 2010 April

home *** CD-ROM | disk | FTP | other *** search

/ PC World Komputer 2010 April / PCWorld0410.iso / hity wydania / Ubuntu 9.10 PL / karmelkowy-koliberek-desktop-9.10-i386-PL.iso / casper / filesystem.squashfs / usr / sbin / iptables-apply < prev next >

Wrap

Text File | 2009-06-16 | 3KB | 175 lines

#!/bin/bash # # iptables-apply -- a safer way to update iptables remotely # # Copyright ┬⌐ Martin F. Krafft <madduck@madduck.net> # Released under the terms of the Artistic Licence 2.0 # set -eu PROGNAME="${0##*/}"; VERSION=1.0 TIMEOUT=10 DEFAULT_FILE=/etc/network/iptables function blurb() { cat <<-_eof $PROGNAME $VERSION -- a safer way to update iptables remotely _eof } function copyright() { cat <<-_eof $PROGNAME is C Martin F. Krafft <madduck@madduck.net>. The program has been published under the terms of the Artistic Licence 2.0 _eof } function about() { blurb echo copyright } function usage() { cat <<-_eof Usage: $PROGNAME [options] ruleset The script will try to apply a new ruleset (as output by iptables-save/read by iptables-restore) to iptables, then prompt the user whether the changes are okay. If the new ruleset cut the existing connection, the user will not be able to answer affirmatively. In this case, the script rolls back to the previous ruleset. The following options may be specified, using standard conventions: -t | --timeout Specify the timeout in seconds (default: $TIMEOUT) -V | --version Display version information -h | --help Display this help text _eof } SHORTOPTS="t:Vh"; LONGOPTS="timeout:,version,help"; OPTS=$(getopt -s bash -o "$SHORTOPTS" -l "$LONGOPTS" -n "$PROGNAME" -- "$@") || exit $? for opt in $OPTS; do case "$opt" in (-*) unset OPT_STATE;; (*) case "${OPT_STATE:-}" in (SET_TIMEOUT) eval TIMEOUT=$opt case "$TIMEOUT" in ([0-9]*) :;; (*) echo "E: non-numeric timeout value." >&2 exit 1 ;; esac ;; esac ;; esac case "$opt" in (-h|--help) usage >&2; exit 0;; (-V|--version) about >&2; exit 0;; (-t|--timeout) OPT_STATE=SET_TIMEOUT;; (--) break;; esac shift done FILE="${1:-$DEFAULT_FILE}"; if [[ -z "$FILE" ]]; then echo "E: missing file argument." >&2 exit 1 fi if [[ ! -r "$FILE" ]]; then echo "E: cannot read $FILE" >&2 exit 2 fi case "${0##*/}" in (*6*) SAVE=ip6tables-save RESTORE=ip6tables-restore ;; (*) SAVE=iptables-save RESTORE=iptables-restore ;; esac COMMANDS=(tempfile "$SAVE" "$RESTORE") for cmd in "${COMMANDS[@]}"; do if ! command -v $cmd >/dev/null; then echo "E: command not found: $cmd" >&2 exit 127 fi done umask 0700 TMPFILE=$(tempfile -p iptap) trap "rm -f $TMPFILE" EXIT 1 2 3 4 5 6 7 8 10 11 12 13 14 15 if ! "$SAVE" >"$TMPFILE"; then if ! grep -q ipt /proc/modules 2>/dev/null; then echo "E: iptables support lacking from the kernel." >&2 exit 3 else echo "E: unknown error saving current iptables ruleset." >&2 exit 4 fi fi [ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban stop echo -n "Applying new ruleset... " if ! "$RESTORE" <"$FILE"; then echo "failed." echo "E: unknown error applying new iptables ruleset." >&2 exit 5 else echo done. fi echo -n "Can you establish NEW connections to the machine? (y/N) " read -n1 -t "${TIMEOUT:-15}" ret 2>&1 || : case "${ret:-}" in (y*|Y*) echo echo ... then my job is done. See you next time. ;; (*) if [[ -z "${ret:-}" ]]; then echo "apparently not..." else echo fi echo "Timeout. Something happened (or did not). Better play it safe..." echo -n "Reverting to old ruleset... " "$RESTORE" <"$TMPFILE"; echo done. exit 255 ;; esac [ -x /etc/init.d/fail2ban ] && /etc/init.d/fail2ban start exit 0 # vim:noet:sw=8