-
Notifications
You must be signed in to change notification settings - Fork 0
/
iptables-parsing
126 lines (99 loc) · 5.45 KB
/
iptables-parsing
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
### GENERATE NECESSARY FILES
-create a new dir on the Bastion SSH Server.
-generate one file per server with the rules formatted like this : [source-SRV source-IP dest-SRV dest-IP PORT]
[sysadmin@bastion ~]# cat rules
Server1 XX.XX.XXX.XXX Server2 10.XX.XX.XX 3000, 3333-3339
Server1 XX.XX.XXX.XXX Server2 10.XX.XX.XX 3000, 3333-3339
Server3 10.XXX.XX.XXX Server2 10.XX.XX.XX 22
Server4 10.XX.XX.XX Server2 10.XXX.XX.XX 22
...
[sysadmin@bastion ~]# cat list
Server1
Server2
Server3
Server4
...
### CLEAN SERVER FILES :
remove space between ports :
[sysadmin@bastion ~]# sed -i 's/\,\ /\,/g' *
check and remove space in names if needed :
[sysadmin@bastion ~]# sed -i 's/BigIP Ext Mrs/BigiP/g' *
check and modify “-” to “:” for ranges to work :
[sysadmin@bastion ~]# sed -i 's/3333\-3339/3333\:3339/g' *
remove empty lines :
[sysadmin@bastion ~]# sed -i '/^$/d' *
### PARSE AND CREATE RULES
[sysadmin@bastion ~]# cat parser.sh
#!/bin/bash
while read LINES; do
case "$LINES" in
${F_FILE}*)
if echo $LINES|grep -q udp; then
if echo $LINES|awk '{print $2}'|grep -q '-'; then
echo $LINES |grep ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p udp -m iprange --src-range "$2" -d "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p udp -m iprange --src-range "$2" -d "$4" --dport "$NF}'
elif echo $LINES|awk '{print $4}'|grep -q '-'; then
echo $LINES |grep ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p udp -s "$2" -m iprange –dst-range "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p udp -s "$2" -m iprange –dst-range "$4" --dport "$NF}'
else
echo $LINES |grep ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p udp -s "$2" -d "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p udp -s "$2" -d "$4" --dport "$NF}'
fi
else
if echo $LINES|awk '{print $2}'|grep -q '-'; then
echo $LINES |grep ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p tcp -m iprange --src-range "$2" -d "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p tcp -m iprange --src-range "$2" -d "$4" --dport "$NF}'
elif echo $LINES|awk '{print $4}'|grep -q '-'; then
echo $LINES |grep ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p tcp -s "$2" -m iprange –dst-range "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p tcp -s "$2" -m iprange –dst-range "$4" --dport "$NF}'
else
echo $LINES |grep ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p tcp -s "$2" -d "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_OUT -j ACCEPT -p tcp -s "$2" -d "$4" --dport "$NF}'
fi
fi
;;
*)
if echo $LINES|grep -q udp; then
if echo $LINES|awk '{print $2}'|grep -q '-'; then
echo $LINES |grep ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p udp -m iprange --src-range "$2" -d "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p udp -m iprange --src-range "$2" -d "$4" --dport "$NF}'
elif echo $LINES|awk '{print $4}'|grep -q '-'; then
echo $LINES |grep ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p udp -s "$2" -m iprange –dst-range "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p udp -s "$2" -m iprange –dst-range "$4" --dport "$NF}'
else
echo $LINES |grep ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p udp -s "$2" -d "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p udp -s "$2" -d "$4" --dport "$NF}'
fi
else
if echo $LINES|awk '{print $2}'|grep -q '-'; then
echo $LINES |grep ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p tcp -m iprange --src-range "$2" -d "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p tcp -m iprange --src-range "$2" -d "$4" --dport "$NF}'
elif echo $LINES|awk '{print $4}'|grep -q '-'; then
echo $LINES |grep ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p tcp -s "$2" -m iprange –dst-range "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p tcp -s "$2" -m iprange –dst-range "$4" --dport "$NF}'
else
echo $LINES |grep ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p tcp -s "$2" -d "$4" -m multiport --dports "$NF}'
echo $LINES |grep -v ','|awk -F" " '{print "-A PROD_IN -j ACCEPT -p tcp -s "$2" -d "$4" --dport "$NF}'
fi
fi
;;
esac
done < $F_FILE
Launch parser.sh to generate “server.rules” files :
[sysadmin@bastion ~]# for i in $(cat list); do export F_FILE="$i" && ./parser.sh > ${i}.rules ; done
Show the parsed rules for each server :
[sysadmin@bastion ~]# for i in $(cat list); do echo "######## IpTables script for $i #######" && cat ${i}.rules && echo; done
### CREATE A SCRIPT FOR EACH SERVER TO CHECK INSTALLED RULES
[sysadmin@bastion ~]# cat gen-checker.sh
for i in $(cat list); do
cat > ${i}.sh <<EOF
cat > /tmp/iptchkrules <<EOF
EOF
cat ${i}.rules >> ${i}.sh
echo 'EOF' >> ${i}.sh
cat >> ${i}.sh <<EOF
echo "### Test installed rules :"
while read _RULE; do iptables -nvL \$(echo \$_RULE |awk '{print \$2}') | grep \$(echo \$_RULE |awk -F'-s ' '{print \$2}'|awk '{print \$1}') | grep \$(echo \$_RULE |awk -F'-d ' '{print \$2}'|awk '{print \$1}') | grep \$(echo \$_RULE |awk '{print \$NF}') || echo "RULE: \"\$_RULE\" ### NOT FOUND ###" ; echo; done < "/tmp/iptchkrules"
rm -f /tmp/iptchkrules
EOF
done