Linux networking scripts

From BrightByte

Below is a collection of shell scripts that aim to make configuration and management of networking easier, while still giving full control. They are basically simple wrappers around standard programs like ifconfig, route and iptables. The scripts support the concept of profiles or presets, so that different configurations for different locations or situations can be activated easily. An overview:

lan

The lan script (pretty, install, disclaimer) is a convenience interface for configuring network interfaces (such as ethernet or wlan cards). It uses ifconfig, iwconfig, wpa_supplicant, route and dhclient internally, as well as the firewall script. It can be invoked in several different ways:

lan
shows status information on DNS, routing, firewall, and all active (up) interfaces
lan (start|stop)
starts or stops networking
lan load <profile>
loads the named profile for all interfaces; the general profile configuration will be applied, as well as all interface-specific configuration files for this profile (if they exist).
lan firewall <firewall-profile>
loads the named firewall profile (see firewall)
lan <interface>
shows status information for the given interface
lan <interface> up <options>
activates the given interface with the supplied options.
lan <interface> down
shuts down the given interface
lan <interface> load <profile>
loads the named profile for the given interface; the general profile configuration will be applied, as well as the interface-specific configuration files for this profile and interface (if it exists).
Per-interface options are:
ip <address>
set the IP address for the interface
gw <gateway-address>
set default gateway
mask <network-mask>
set subnet mask
dhcp
use DHCP to configure (ip, gw, and mask should not be supplied together with dhcp)
essid <essid>
set the ESSID for a WLAN interface (wireless card; not with WPA)
wapkey <hex-key>
set the WAP key for a WLAN interface (wireless card; not with WPA)
wpaconf <config-file>
set the WPA configuration file for a WLAN interface (wireless card)
Some examples:

 lan eth0 up ip 129.168.5.3 gw 129.168.5.1      # activates eth0 with a fixed IP and default gateway
 lan eth1 up dhcp essid MYWLAN key A4C725EE1D   # activates wlan interface eth1 with WAP encryption and configures it using DHCP
 lan eth1 up dhcp wpaconf /etc/mywap.conf       # activates wlan interface eth1 with WPA and configures it using DHCP
 lan stop                                       # disables networking
 lan load home                                  # activates profile "home" for all interfaces

Profiles are defined by files in the /etc directory: profile XXX corresponds to the general configuration file /etc/lan-XXX.conf and/or the interface-specific configuration files /etc/lan-XXX-interface.conf. Each line in a profile configuration file represents the argument list for one call to the lan script. Empty lines and lines starting with # are ignored.

For example, if you have this in /etc/lan-test.conf

 firewall paranoid

and you have this in /etc/lan-test-eth1.conf

 eth1 up dhcp

then the call

 lan load test

would be equivalent to

 lan firewall paranoid
 lan eth1 up dhcp
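The following POSIX shell reader is an added example, not the original lan script: it implements the profile lookup just described (general file first, then every interface file that exists, skipping empty and comment lines) and runs each argument list through lan. The names PROFILE_DIR, lan_profile_commands and lan_load_profile are assumptions, and lan is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not the original lan script: a reader for the profile files
# described above. Assumed names: PROFILE_DIR (defaults to /etc),
# lan_profile_commands and lan_load_profile; "lan" is assumed to be on PATH.

: "${PROFILE_DIR:=/etc}"

# Print, one per line, the argument lists that "lan load <profile>" passes to
# the lan script: first the general file /etc/lan-<profile>.conf, then every
# interface file /etc/lan-<profile>-<interface>.conf that exists. Empty lines
# and lines whose first non-blank character is '#' are skipped.
lan_profile_commands() {
    profile=$1
    for f in "$PROFILE_DIR/lan-$profile.conf" "$PROFILE_DIR/lan-$profile-"*.conf; do
        [ -f "$f" ] || continue
        # "|| [ -n ... ]" keeps a last line that lacks a trailing newline
        while IFS= read -r line || [ -n "$line" ]; do
            trimmed=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
            case $trimmed in
                '' | '#'*) continue ;;
            esac
            printf '%s\n' "$trimmed"
        done < "$f"
    done
}

# Run each argument list through lan. Word splitting on the line is intended:
# the page defines a profile line as the argument list of one lan call.
lan_load_profile() {
    lan_profile_commands "$1" | while IFS= read -r args; do
        # shellcheck disable=SC2086
        set -- $args
        lan "$@"
    done
}
```

With the two files from the example above in place, `lan_profile_commands test` prints `firewall paranoid` and `eth1 up dhcp`, and `lan_load_profile test` runs them. One property of the naming scheme worth knowing: because interface files are found by the pattern lan-<profile>-*.conf, a profile name that itself contains a hyphen (say home-office) is also picked up as an interface file of the profile home.
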

serve

The serve script (pretty, install, disclaimer) is a convenience wrapper around iptables that allows you to poke holes into your firewall (and remove those holes again). Note that the serve script assumes that the INPUT chain does not let packets through by default (i.e. its policy is set to REJECT or DROP).

This only works with very basic iptables configurations; in particular, keep in mind that new rules are simply appended to the INPUT chain, so any REJECT or DROP rule earlier in the chain takes precedence over them. See the default firewall profile suggested below for a decent configuration to start with.

The serve script can be used to allow or deny access to a port on your computer:

serve
shows a summary of services listening on TCP and UDP sockets, and of the firewall rules for incoming connections.
serve [+]<port|service> [tcp|udp]
allows connections to the given port (which may also be given as a service name). You can specify the protocol this applies to (TCP or UDP); TCP is assumed by default.
serve -<port|service> [tcp|udp]
disallows connections to the given port (which may also be given as a service name). You can specify the protocol this applies to (TCP or UDP); TCP is assumed by default. Note that this does not insert a REJECT or DROP rule into iptables, but removes an ACCEPT rule.

A few examples:

 serve 80          # allow access to local HTTP server
 serve +ssh        # allow SSH access
 serve -80         # revoke access to local HTTP server
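As an added example (not the original serve script), the POSIX shell functions below build and apply the iptables rules that the three command forms above stand for. Beyond what the page states, the allow path checks with `iptables -C` before appending, so that running `serve 80` twice does not leave two identical ACCEPT rules, and the deny path deletes every copy rather than just the first, since `-D` removes one occurrence per call. The function names serve_port, serve_rule, serve_parse, serve_main and serve_status are assumptions; the block assumes getent for service-name lookup and an iptables that supports `-C`, which is newer than the 1.3.5 shown in the dumps on this page.

```shell
#!/bin/sh
# Added example, not the original serve script: builds and applies the ACCEPT
# rules that "serve [+]<port|service> [tcp|udp]" and "serve -<port|service>"
# stand for. Assumed names: serve_port, serve_rule, serve_parse, serve_main,
# serve_status. Assumes iptables with -C (rule check) support and getent.

# Resolve a numeric port or an /etc/services name to a port number.
serve_port() {
    case $1 in
        '') return 1 ;;
        *[!0-9]*) getent services "$1" | awk '{ sub("/.*", "", $2); print $2; exit }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print the rule specification (everything after -A/-C/-D) for one port.
serve_rule() {
    port=$(serve_port "$1") || return 1
    if [ -z "$port" ]; then
        echo "serve: unknown port or service: $1" >&2
        return 1
    fi
    proto=${2:-tcp}
    case $proto in
        tcp | udp) ;;
        *) echo "serve: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    printf 'INPUT -p %s -m %s --dport %s -j ACCEPT\n' "$proto" "$proto" "$port"
}

# Turn the command-line form into "allow <rule>" or "deny <rule>".
serve_parse() {
    case $1 in
        -*) action=deny;  spec=${1#-} ;;
        +*) action=allow; spec=${1#+} ;;
        *)  action=allow; spec=$1 ;;
    esac
    rule=$(serve_rule "$spec" "$2") || return 1
    printf '%s %s\n' "$action" "$rule"
}

# The bare "serve" form: listening sockets and the current INPUT rules.
serve_status() {
    ss -tuln
    iptables -S INPUT
}

# Apply it. allow: append the rule only if an identical one is not already in
# INPUT, so repeated calls do not pile up duplicates. deny: delete every copy
# (-D removes one occurrence per call). As on the page, deny only removes the
# ACCEPT grant; it never inserts a REJECT or DROP rule.
serve_main() {
    [ $# -gt 0 ] || { serve_status; return; }
    parsed=$(serve_parse "$@") || return 1
    action=${parsed%% *}
    rule=${parsed#* }
    # shellcheck disable=SC2086 -- the rule is deliberately split into words
    case $action in
        allow) iptables -C $rule 2>/dev/null || iptables -A $rule ;;
        deny)  while iptables -C $rule 2>/dev/null; do iptables -D $rule; done ;;
    esac
}
```

`serve_main +ssh` appends `-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT` once; `serve_main -ssh` removes it again, and with the default DROP policy from the start profile below the port is closed again without any further rule.
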

If you want to be able to re-use a firewall configuration you made this way, you can use iptables-save to do this (note that iptables-save comes from Debian and may not be available on all distributions):

 iptables-save > /etc/iptables/myprofile

You can later load it using one of the following:

 iptables-restore /etc/iptables/myprofile
 firewall myprofile
 lan firewall myprofile

firewall

The firewall script (pretty, install, disclaimer) is simple init.d glue for iptables-restore: it loads an iptables configuration stored with iptables-save at boot by hooking into the SysV init process (http://en.wikipedia.org/wiki/Init#SysV-style). Note that iptables-save and iptables-restore come from Debian and may not be available on all Linux distributions.

firewall status
show current firewall rules
firewall start
activate firewall (load the profile called "start")
firewall stop
deactivate firewall (load the profile called "stop")
firewall restart
deactivate, then activate firewall
firewall reset
resets the firewall, allowing all access. Can be used as a last resort when "stop" profile is broken.
firewall <profile>
load the given profile from /etc/iptables/profile

The firewall script loads configurations from /etc/iptables/profile. There should be at least three files there, called kernel (for configuring kernel options; this is always applied), start (for applying firewall rules) and stop (for disabling the firewall, allowing all traffic). The start and stop files may actually be symbolic links to profile files, for example restrictive and open, respectively.

The /etc/iptables/kernel file could look something like this:

 #!/bin/bash

 # This enables SYN flood protection.
 # The SYN cookies activation allows your system to accept an unlimited
 # number of TCP connections while still trying to give reasonable
 # service during a denial of service attack.
 echo "1" > /proc/sys/net/ipv4/tcp_syncookies

 # This enables source validation by reversed path according to RFC1812.
 # In other words, did the response packet originate from the same interface
 # through which the source packet was sent?  It's recommended for single-homed
 # systems and routers on stub networks.
 echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

 # This kernel parameter instructs the kernel to ignore all ICMP
 # echo requests sent to the broadcast address.  This prevents
 # a number of smurf and similar DoS attacks.
 echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

 # This option can be used to accept or refuse source routed packets.
 echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

 # This option can disable ICMP redirects.  ICMP redirects
 # are generally considered a security risk.
 echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

 # This option logs packets from impossible addresses.
 echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
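The kernel file above only writes the settings; nothing later tells you whether they are still in effect (a boot that skipped the script, or a later manual sysctl change, leaves source routing or redirects silently enabled again). The POSIX shell functions below are an added example, not part of the original firewall script: one table drives both applying the values and auditing the running kernel against them. The names kernel_expected, kernel_apply, kernel_audit and SYSFS_ROOT are assumptions; SYSFS_ROOT (default /) lets the functions run against a copied tree instead of the live /proc.

```shell
#!/bin/sh
# Added example, not part of the original firewall script: applies and audits
# the kernel settings from the /etc/iptables/kernel file above. Assumed names:
# kernel_expected, kernel_apply, kernel_audit, and SYSFS_ROOT (default /),
# which lets the functions run against a copied tree instead of the live /proc.

: "${SYSFS_ROOT:=/}"

# The settings from the kernel file above, as "path value" pairs.
kernel_expected() {
    cat <<'EOF'
/proc/sys/net/ipv4/tcp_syncookies 1
/proc/sys/net/ipv4/conf/all/rp_filter 1
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
/proc/sys/net/ipv4/conf/all/accept_source_route 0
/proc/sys/net/ipv4/conf/all/accept_redirects 0
/proc/sys/net/ipv4/conf/all/log_martians 1
EOF
}

# Write every expected value (needs root against the live /proc).
kernel_apply() {
    kernel_expected | while read -r path want; do
        printf '%s\n' "$want" > "${SYSFS_ROOT%/}$path"
    done
}

# Print one "path expected actual" line per mismatch; "missing" marks a file
# that cannot be read (e.g. a kernel built without that option). Returns 0
# only if every setting matches.
kernel_audit() {
    mismatches=$(
        kernel_expected | while read -r path want; do
            file="${SYSFS_ROOT%/}$path"
            if [ -r "$file" ]; then
                read -r have < "$file" || true
            else
                have=missing
            fi
            [ "$have" = "$want" ] || printf '%s %s %s\n' "$path" "$want" "$have"
        done
    )
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}
```

`kernel_audit` exits non-zero and lists the drifted settings, so it can be called from the firewall script's status action or from a periodic check; note that the comparison is exact, so a system that sets rp_filter to 2 (loose mode) is reported as a mismatch against the value 1 the kernel file writes.
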

The profile files in /etc/iptables should be generated using iptables-save > /etc/iptables/profile (you can use the serve script described above to reach the configuration you want, or change iptables rules manually). The profile in /etc/iptables/stop should look something like this:

 # Generated by iptables-save v1.3.5 on Tue Dec 26 21:26:37 2006
 *filter
 :INPUT ACCEPT [5163:5835839]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [4704:383339]
 COMMIT
 # Completed on Tue Dec 26 21:26:37 2006

This allows all traffic (i.e. it disables the firewall).

The profile in /etc/iptables/start could look something like this:

 # Generated by iptables-save v1.3.5 on Tue Dec 26 22:12:13 2006
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 -A INPUT -m state --state ESTABLISHED -j ACCEPT
 -A INPUT -m state --state RELATED -j ACCEPT
 -A INPUT -s 127.0.0.1 -j ACCEPT
 -A INPUT -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
 COMMIT
 # Completed on Tue Dec 26 22:12:13 2006

This allows all outgoing traffic while denying most incoming packets. However, it allows packets that are part of a response to an explicit request (ESTABLISHED connection or RELATED packet), it allows all traffic from the loopback address (127.0.0.1), and it accepts ICMP, DNS and DHCP. This is a conservative but not paranoid configuration for use on a local network. You may want to allow incoming SSH connections (port 22) too. This configuration is also a good basis to start with when using the serve script to open ports (perhaps in order to later store a more relaxed configuration using iptables-save).

To automatically run the firewall script on boot, copy it into your /etc/init.d directory, then create symlinks called S20firewall to it in the directories /etc/rc2.d, /etc/rc3.d, /etc/rc4.d and /etc/rc5.d, and symlinks called K99firewall to it in the directories /etc/rc1.d and /etc/rc6.d. You can also use a tool like update-rc.d or KSysV to create these links.
