I write scripts all the time, but here are some that I've decided to share with the world:
- http://www.phantomcode.com/bashiptableportknocking/ - bash shell port knocking
- http://www.phantomcode.com/software/reloadmysite.bash.zip - bash script designed to make it easy to synchronize your development site and your production site. (This is a companion script for http://www.phantomcode.com/software/uploadsite.pl.zip )
On this page:
- An example IP Tables firewall for OpenVPN with Squid and a wireless connection
- A very fast way to check network addresses and find out which are live
- Network connection and VPN management script
!!!Openvpn and firewall script: This works with three ethernet cards, one to the Internet, one to the wireless router's WAN interface and a third on the LAN side of the router. It is designed to allow VPN traffic to do pretty much anything, allow DNS resolution anytime and redirect all incoming, non-VPN traffic on port 80 to the squid proxy.
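#!/bin/bash
# Firewall for a three-NIC OpenVPN/Squid host:
#   eWAN - Internet side, eWR - wireless router's WAN side, eLAN - router's LAN side.
# Set debug=1 in the environment to have each step announced on stdout.
# Must run as root (writes /proc/sys and calls iptables/ifconfig).

# Prints its arguments only when debug tracing is switched on.
dbg() {
  if [ -n "$debug" ]; then echo "$*"; fi
}

# Forwarding stays off while the rule set is rebuilt and is only re-enabled once the
# trailing DROP rules are in place, so a half-built firewall never forwards traffic.
echo 0 > /proc/sys/net/ipv4/ip_forward
eWAN=eth0
eLAN=eth1
eWR=eth2
ipWR=192.168.0.1
ipLAN=10.0.3.34
tVPN="tun+"
iT=/sbin/iptables
ifconfig "$eLAN" "$ipLAN" >/dev/null
ifconfig "$eWR" "$ipWR" >/dev/null   # was ">/dev.null", which created a file named /dev.null
if [ -n "$debug" ]; then ifconfig | grep -E 'inet|HWa'; fi
sleep 1

dbg "clean up existing rules to ensure a clean slate."
dbg "flush existing rules"
${iT} -t filter -F
${iT} -t nat -F
${iT} -t mangle -F
dbg "delete custom chains."
${iT} -X
dbg "set default policies."
# NOTE(review): with ACCEPT policies the host is open from here until the DROP rules
# at the end are appended, and a failure part-way through leaves it open. DROP
# policies on INPUT/FORWARD would fail closed, at the cost of briefly cutting off a
# remote session while the rules are rebuilt.
${iT} -P INPUT ACCEPT
${iT} -P FORWARD ACCEPT
${iT} -P OUTPUT ACCEPT

dbg "INPUT rules."
dbg "accept all icmp packets"
${iT} -A INPUT -p icmp -j ACCEPT
# mDNS to the multicast group. This probably isn't essential, see:
# http://www.sns.ias.edu/~jns/wp/2006/02/09/confusing-rules-in-the-default-iptables-configuration-under-fedora-and-redhat-enterprise-linux/
${iT} -A INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
dbg "accept all input from the loopback device."
${iT} -A INPUT -i lo -j ACCEPT
dbg "accept all input from the VPN device"
${iT} -A INPUT -i "$tVPN" -j ACCEPT
${iT} -A FORWARD -i "$tVPN" -j ACCEPT
${iT} -A FORWARD -o "$tVPN" -j ACCEPT
# ssh is accepted on every interface, including the Internet side (no -i restriction).
dbg "allow all ssh access"
${iT} -A INPUT -p tcp --dport 22 -j LOG --log-prefix "IPT:IN:Allowssh"
${iT} -A INPUT -p tcp --dport 22 -j ACCEPT
${iT} -A FORWARD -p tcp --dport 22 -j LOG --log-prefix "IPT:FW:Allowssh"
${iT} -A FORWARD -p tcp --dport 22 -j ACCEPT
dbg "allow all VPN port activity"
${iT} -A INPUT -p tcp --sport 1194 -j ACCEPT
${iT} -A INPUT -p udp --sport 1194 -j ACCEPT
${iT} -A INPUT -p tcp --dport 1194 -j ACCEPT
${iT} -A INPUT -p udp --dport 1194 -j ACCEPT
dbg "allow related and established to continue"
${iT} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
dbg "enable ip masquerade on Internet interface."
dbg "${iT} -t nat -A POSTROUTING -o $eWAN -j MASQUERADE"
${iT} -t nat -A POSTROUTING -o "$eWAN" -j MASQUERADE

# DNS / DHCP. References:
#   http://www.openpages.info/iptables/
#   http://utcc.utoronto.ca/~cks/space/blog/linux/IptablesRedirection
# NOTE(review): the --sports rules accept any UDP packet whose *source* port is 53,
# 67 or 68, whatever its destination port or interface; replies to local queries are
# already admitted by the RELATED,ESTABLISHED rule above, so consider restricting
# these with -i and/or --dports. Uncomment the LOG lines to see what they match.
#${iT} -A INPUT -m multiport -p udp --sports 53,67,68 -j LOG --log-prefix "IPNR:FW:sDNS::"
${iT} -A INPUT -m multiport -p udp --sports 53,67,68 -j ACCEPT
#${iT} -A INPUT -m multiport -p udp --dports 53,67,68 -j LOG --log-prefix "IPNR:FW:dDNS::"
${iT} -A INPUT -m multiport -p udp --dports 53,67,68 -j ACCEPT
#${iT} -A FORWARD -m multiport -p udp --sports 53,67,68 -j LOG --log-prefix "IPNR:FW:sDNS::"
${iT} -A FORWARD -m multiport -p udp --sports 53,67,68 -j ACCEPT
#${iT} -A FORWARD -m multiport -p udp --dports 53,67,68 -j LOG --log-prefix "IPNR:FW:dDNS::"
${iT} -A FORWARD -m multiport -p udp --dports 53,67,68 -j ACCEPT

# Squid: accept proxy connections from the LAN side and transparently redirect
# LAN-side port-80 traffic to the proxy on 3128.
${iT} -A FORWARD -p tcp --dport 3128 -j ACCEPT
${iT} -A INPUT -i "$eLAN" -d 0/0 -p tcp --dport 3128 -j ACCEPT
${iT} -t nat -A PREROUTING -i "$eLAN" -p tcp --dport 80 -j REDIRECT --to-port 3128
# Port 7777 arriving on any interface is redirected to local port 80.
${iT} -t nat -A PREROUTING -p tcp --dport 7777 -j REDIRECT --to-port 80
${iT} -A INPUT -m multiport -i "$eLAN" -d 0/0 -p tcp --dport 443,8080,110 -j ACCEPT
#${iT} -A INPUT -m multiport -i $tVPN -d 0/0 -p tcp --dport 25,53,80,110,143,443,631 -j ACCEPT
#${iT} -A INPUT -m multiport -i $tVPN -d 0/0 -p tcp --dport 953,993,995,3128,7000,8080,10000 -j ACCEPT

# And catch all the packets falling through (uncomment the LOG lines to record them).
#${iT} -A FORWARD -j LOG --log-prefix "IPT:FW:DROPPED:UNDF:: "
${iT} -A FORWARD -j DROP
#${iT} -A INPUT -j LOG --log-prefix "IPT:IN:DROPPED:UNDF:: "
${iT} -A INPUT -j DROP

# Rules are complete; forwarding can be switched back on.
echo 1 > /proc/sys/net/ipv4/ip_forward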
A fast way to see what machines are pingable
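#!/bin/bash
# Sweeps 10.0.0.1-254, 10.0.1.1-254 and 10.0.2.1-254 and prints the addresses that
# answer a single ping. Every probe is backgrounded, so a whole /24 takes seconds.
# Output: one "Live: A.B.C.D" line per responder, in order of response, plus a
# progress line per /24.
oct1=10
oct2=0
oct3=0
oct4=1

# Pings one address once and prints it when exactly one reply came back
# ("1 rec" matches the "1 received" summary line).
probe() {
  local addr=$1
  if ping -c1 "$addr" 2>&1 | grep -q '1 rec'; then
    echo "Live: $addr"
  fi
}

while [ "$oct3" -lt 3 ]; do
  while [ "$oct4" -lt 255 ]; do
    probe "$oct1.$oct2.$oct3.$oct4" &
    oct4=$((oct4 + 1))
  done
  oct4=1
  oct3=$((oct3 + 1))
  echo "Checking oct3=$oct3"
done
wait   # let every backgrounded probe report before the script returns to the shell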
Monitoring and resetting my Network and OpenVPN connection automatically.
Sometimes my network connection will die, either from electro-magnetic interference, power interruptions or just from something sucking. This will restore it automatically. The user ancientt has a keychain (no password) ssh login, and on the router there is a script which will reset the router if it finds .routerreset in ancientt's home directory. That router script actually puts the file there itself, then gives ancientt a couple of minutes to remove it before checking whether it is still present.
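#!/bin/bash
# Watches the VPN and the local link and restores whichever has dropped, then asks
# the reachable host (as user ancientt over ssh) to clear the .routerreset marker.
# Must run as root: it restarts openvpn, runs dhclient and switches user with su.
if [ "$(whoami)" != "root" ]; then
  echo "Needs to run as root" >&2
  exit 1   # previously only printed the message and carried on anyway
fi
# Hosts to try for the ssh check, in order of preference.
h1='10.0.3.34'
h2='192.168.0.1'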
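#######################################
# Checks Internet reachability by pinging two public hosts and restarts OpenVPN
# when neither answers.
# Outputs: "okay" or "failed" on stdout
# Side effects: on failure restarts /etc/init.d/openvpn and sleeps 10 seconds
#######################################
# Uses ping's exit status instead of grepping for "0 received": an error such as
# an unresolvable name printed no such text, so the old test counted it as success.
function confirmvpn()
{
  local inetok=""
  local target
  for target in google.com phantomcode.com; do
    if ping -c2 "$target" >/dev/null 2>&1; then
      inetok="okay"
      break
    fi
  done
  if [ -z "$inetok" ]; then
    /etc/init.d/openvpn restart >/dev/null 2>&1
    sleep 10
    echo "failed"
  else
    echo "okay"
  fi
}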
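#######################################
# Prints the first configured host that answers a ping, or an empty line when
# neither does. Reachability is taken from ping's exit status rather than from
# grepping its output, so a ping error no longer counts as a reachable host.
# Globals:   h1, h2 (read)
# Outputs:   the chosen address (or nothing) followed by a newline on stdout
# Returns:   0
#######################################
function choosehost()
{
  local candidate
  for candidate in "$h1" "$h2"; do
    if ping -c2 "$candidate" >/dev/null 2>&1; then
      echo "$candidate"
      return 0
    fi
  done
  echo ""
}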
#######################################
# Checks the local link via choosehost; when no host answers, re-runs DHCP on the
# wireless interface ra0 and waits for it to settle.
# Outputs:   "okay" or "failed" on stdout
# Side effects: on failure runs dhclient ra0 and sleeps 10 seconds
#######################################
function confirmlocal()
{
  local reachable
  reachable=$(choosehost)
  if [ -n "$reachable" ]; then
    echo "okay"
    return 0
  fi
  dhclient ra0 >/dev/null 2>&1
  sleep 10
  echo "failed"
}
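# Main loop: confirm the VPN, else the local link; once a host is reachable, ask it
# over ssh (as user ancientt, key-based login) to remove the .routerreset marker.
while true; do
  if [ "$(confirmvpn)" = "okay" ]; then
    echo "[$(date)] VPN is up"
  elif [ "$(confirmlocal)" = "okay" ]; then
    echo "[$(date)] VPN was down, local was up"
  else
    echo "[$(date)] Neither was up"
    continue # start testing again; both checks slept 10s on failure, so this does not spin
  fi
  host=$(choosehost)
  if [ -n "$host" ]; then
    # Remote side: delete the marker if present, otherwise report "nofile".
    # $(date) is expanded here, on the monitoring host, when the command is built.
    cmd="if [ -f \".routerreset\" ];then rm -vf .routerreset;else echo -n \"$(date) nofile\";fi"
    echo "[$(date)] On host:$host, Running cmd: $cmd"
    su - ancientt -c "ssh ancientt@$host \"$cmd\""
    sleep 30
  else
    echo "[$(date)] lost host"
  fi
done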
And one to find active IP info:
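#######################################
# Scans 192.168.0.1-254 repeatedly for roughly five and a half days. Responders are
# appended to LiveIPs.tmp as "IP MAC timestamp dnsname" (last octet zero-padded to
# three digits), non-responders to NonLiveIPs.current.txt. Each pass probes every
# address in a background subshell, waits a minute for them to finish, compacts the
# list with cleanlist and then pauses for five minutes.
# Requires:  ping, arping2, nslookup, GNU date (-d); writes files in the current dir
# Globals:   none
#######################################
function main
{
  local quittingtime
  quittingtime=$(date +%s -d+5days+14hours)
  while [ "$(date +%s)" -lt "$quittingtime" ]; do
    if [ -f NonLiveIPs.current.txt ]; then
      mv NonLiveIPs.current.txt NonLiveIPs.old.txt
    fi
    touch NonLiveIPs.current.txt
    touch LiveIPs.txt
    local firstpart='192.168.0.'
    local lastpart=1
    while [ "$lastpart" -lt 255 ]; do
      (
        ip="${firstpart}${lastpart}"
        # Zero-pad the last octet to three characters so entries sort as text.
        # (The old awk '%03s' does not reliably zero-pad; it depends on the awk.)
        printf -v strlastpart '%03d' "$lastpart"
        # Run the probe directly; the old eval of a command string bought nothing.
        echo "DEBUG: thiscommand: ping -c3 -q $ip 2>/dev/null|grep '100% packet loss'"
        cmdresult=$(ping -c3 -q "$ip" 2>/dev/null | grep '100% packet loss')
        echo "DEBUG: cmdresult: $cmdresult" | cut -b1-80
        if [ -n "$cmdresult" ]; then
          echo "DEBUG: noresponse processing"
          # Live entries are recorded with the padded octet, so look them up that way.
          # (The original dropped the '$' and searched for a literal "{strlastpart}".)
          cmdresult=$(grep -F "${firstpart}${strlastpart}" LiveIPs.txt)
          echo "DEBUG: cmdresult: $cmdresult" | cut -b1-80
          if [ -z "$cmdresult" ]; then
            echo "DEBUG: noresponseX2 processing"
            echo "No Response: $ip" | tee -a NonLiveIPs.current.txt
          else
            echo "No Response: $ip - Temporarily down?"
          fi
        else
          echo "DEBUG: responded, processing"
          arpresult=$(arping2 -c1 "$ip" | grep 'index')
          echo "DEBUG: arpresult: $arpresult"
          macaddr=$(echo "$arpresult" | awk '{print $4}')
          echo "DEBUG: macaddr: $macaddr"
          if [ -z "$macaddr" ]; then macaddr="00:00:00:00:00:00"; fi
          datestamp=$(date +%s.%d%b%Y_%H.%M.%S)
          echo "DEBUG: datestamp: $datestamp"
          dnsname=$(nslookup "$ip" | grep 'name' | awk -F= '{print $2}')
          echo "DEBUG: dnsname: $dnsname"
          if [ -z "$dnsname" ]; then dnsname=" unknown.dtfcu.com"; fi
          echo "${firstpart}${strlastpart} $macaddr $datestamp $dnsname" | tee -a LiveIPs.tmp
        fi
      ) &
      lastpart=$((lastpart + 1))
      # Pause after every fifth address to bound the number of concurrent probes.
      if [ $((lastpart % 5)) -eq 0 ]; then sleep 1; fi
    done
    echo "DEBUG: pausing for a minute to ensure all processing finished"
    sleep 60 # Make sure the delay stays here so everything finishes first
    cleanlist
    echo "Pausing for five minutes"
    sleep 300
    date
  done
}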
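#######################################
# Compacts LiveIPs.tmp into LiveIPs.txt, keeping one line per (IP, MAC) pair: the
# last one in sorted order, which is the newest because the third column starts
# with an epoch timestamp. Must run only after every probe of the pass has written
# its line (hence the delay before it in main).
# Files:     reads LiveIPs.tmp; rewrites LiveIPs.txt; LiveIPs.tmp is consumed
# Outputs:   each key ("i: IP_MAC") and each kept line on stdout
#######################################
function cleanlist
{
  local key searchstr lastcontact
  sort LiveIPs.tmp | uniq > LiveIPs.txt # Must follow delay
  rm -f LiveIPs.tmp
  touch LiveIPs.tmp
  while IFS= read -r key; do
    echo "i: $key"
    searchstr=${key//_/ }   # "IP_MAC" back to the "IP MAC" prefix of a line
    lastcontact=$(grep -F "$searchstr" LiveIPs.txt | tail -n1)
    echo "$lastcontact" | tee -a LiveIPs.tmp
  done < <(awk '{print $1"_"$2}' < LiveIPs.txt | sort | uniq)
  mv -f LiveIPs.tmp LiveIPs.txt
}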
# Compact whatever the previous run left in LiveIPs.tmp, then start scanning.
cleanlist
echo "List cleaned"
sleep 1
date
main
SMTP by hand
Sometimes you need to test an SMTP server to see what is happening. You can use netcat or telnet and type in the commands one by one, or you can pipe in the content from a file.
An example of the file might look like:
helo localhost
MAIL FROM: <netadmin@dallastelco.org>
RCPT TO: netadmin@dallastelco.org
DATA
This is a test message. Sent to and from netadmin.
.
QUIT
To send it to a local sendmail connection, use sendmail -t, like:
- shell> sendmail -t < myTestEmailFile.txt
Or send the same into a netcat connection:
- shell> nc mail.example.com 25 < myTestEmailFile.txt