The Bash Script To Configure The Firewall Using IPTABLES

About the Script:

This script is about to build a firewall in Linux OS by using iptables, the user only needs to follow and answer the simple and easy steps and the script will generate the user specified iptables rule in its original form.

I HAVE TESTED THE SCRIPT ON PCLINUXOS, FEDORA-9, DREAM_LINUX, UBUNTU-8.

This is my iptables Version 1.0 (USMAN AKRAM - Lucky)

About iptables:

Network security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistent every day. One means of providing additional protection is to invest in a firewall. Though prices are always falling, in some cases you may be able to create a comparable unit using the Linux iptables package on an existing server for little or no additional expenditure.

Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a product called iptables.

:-) !!!The Script is Totally User Friendly!!! :-)

 

Starting of the Script

A Menu will appear like this:

*****Main Menu*****
1. Check Iptables Package
2. Iptables Services
3. Build Your Firewall with Iptables
4. Exit

 

1. Check Iptables Package

Now let the user select the option 1. Check iptable Package from the menu by pressing "1" from the keyboard.

Now the script confirms that the user must be Root, and we know that the UID of Root is zero ( 0 ). So first I have to compare the UID of the current user with zero ( 0 ), if the UID doesn't match with the UID of root then it will display the following message:

****You must be the root user to run this script!****

and if the UID matches with root's UID then it displays the following message and runs the script:

***Identity Verified_You are the Root***

We can check the UID of the current user by typing the following command in the terminal:

echo $UID

If the identity of the user is verified as root, then the script will check the iptables package in the Linux OS by using the following command.

rpm -q iptables

*****Main Menu*****
1. Check Iptables Package
2. Iptables Services
3. Build Your Firewall with Iptables
4. Exit

Now if the user selects the option 2. Iptables Services then the checkstatus function will be called. In this function there are some options for the user:

*****Note: Save your Iptables before stop/Restart the iptables Services*****
1. Save the iptables
2. Status of Iptables
3. Start iptables Services
4. Stop iptables Services
5. Restart iptable Services
6. Flush iptables (**Use Carefully_it will remove all the rules from iptables**)
7. Go back to Main Menu

If the user selects 1. Save the iptables the iptables rules will be saved in the Linux OS by using the following command:

/etc/init.d/iptables save

If the user selects 2. Status of iptables the current status of iptables will be displayed, using the following command:

/etc/init.d/iptables status

Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- 192.168.1.45 172.16.4.8 reject-with icmp-port-unreachable
ACCEPT tcp -- 192.168.1.1 192.168.1.25
LOG icmp -- anywhere anywhere LOG level warning

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP udp -- 192.168.6.3 10.6.3.7

If the user selects 3. Start iptables Services then iptables will be started, using the following command:

/etc/init.d/iptables start

If the user selects 4. Stop iptables Services then iptables will be stopped, using the following command:

/etc/init.d/iptables stop

If the user selects 5. Restart iptable Services then iptables will be restarted, using the following command, it will load the saved iptables rules:

/etc/init.d/iptables restart

If the user selects 6. Flush iptables then iptables will be flushed, (**use Carefully_it will remove all the rules from iptables**), using the following command, it will flush the saved iptables rules:

iptables -F

To go back to the Main Menu the user must select option 7. Go back to Main Menu.

*****Main Menu*****
1. Check Iptables Package
2. Iptables Services
3. Build Your Firewall with Iptables
4. Exit

Option 3. Build your Firewall with Iptables is the heart of this script, by using this option users can create the firewall with iptables using simple steps, when a user selects the option 3. Build your Firewall with Iptables then the script will ask the user to create the firewall.

Using Which Chain of Filter Table?
1. INPUT
2. OUTPUT
3. Forward"

The above menu will ask the user to select the chain where he/she wants to put the rule.

Now the script will ask the user to get the IP information from the Source side...

1. Firewall using Single Source IP
2. Firewall using Source Subnet
3. Firewall using for All Source Networks

Then the above menu ask the user the above three question, if the user selects the option 1. Firewall using Single Source IP then the script will ask the user to enter the IP address.

If the user selects option 2. Firewall using Source Subnet then the script will ask the user to enter the subnet in the form of "192.168.1.0/24".

If the user selects option 3. Firewall using for All Source Networks then the script will put 0/0 in the variable named "ip_source" in the script.

Now the script will ask the user to get the IP information from the Destination side...

1. Firewall using Single Destination IP
2. Firewall using Destination Subnet
3. Firewall using for All Destination Networks

Then the above menu asks the user the above three questions, if the user selects option 1. Firewall using Single Destination IP then the script will ask the user to enter the IP address.

If the user selects option 2. Firewall using Destination Subnet then the script will ask the user to enter the subnet in the form of "192.168.1.0/24"

If the user selects option 3. Firewall using for All Destination Networks then the script will put 0/0 in the variable named "ip_dest" in the script.

Now the script asks the user to select the PROTOCOL:

1. Block All Traffic of TCP
2. Block Specific TCP Service
3. Block Specific Port
4. Using no Protocol

Now from the above displayed menu if the user selects 1. Block All Traffic of TCP then the script will block all the TCP Traffic.

If the user selects 2. Block Specific TCP Service, now the script will ask the user to enter the TCP Service of his/her choice (e.g ICMP).

Note: the TCP Service name should be in CAPITAL LETTERS!!!

If the user selects 3. Block Specific Port the script will ask the user to enter the PORT number.

Now the script prompts the user What to do with the Above Created Rule?

What to do with Rule?
1. Accept the Packet
2. Reject the Packet
3. Drop the Packet
4. Create Log

If the user selects 1. Accept the Packet then the packet will be accepted.

If the user selects 2. Reject the Packet then the packet will be rejected.

If the user selects 3. Drop the Packet then the packet will be dropped.

If the user selects 4. Create Log then only the log will be created.

Now the following message will be shown to the user:

Press Enter key to Generate the Complete Rule!!!

When the user presses the Enter key then the script generates the original rule with the correct syntax and displays it to the user, in my case:

The Generated Rule is
iptables -A INPUT -s 192.168.0.0/24 -d 172.16.0.0/16 -p TCP -j ACCEPT

Now the script shows the following message to the user:

Do you want to Enter the Above rule to the IPTABLES? Yes=1 , No=2

If the above rule is correct then the user presses 1 for Yes and adds the rule to iptables
otherwise 2 for No and the script will return to let the user edit the rule.

Here is the whole script:

#!/bin/bash
##############USMAN AKRAM "FA05-BTN-005" (~*Lucky*~) BTN-6########
######COMSATS INSTITUTE OF INFORMATION TECHNOLOGY - ABBOTTABAD####
echo -e "****************Welcome*************"
###############################IPTABLE SERVICES PROGRAM BEGINS HERE###############################
checkstatus()
 {
  opt_checkstatus=1
 while [ $opt_checkstatus != 7 ]
      do
       clear
  #echo -e "\nChoose the Option Bellow!!!\n
  echo -e "\n\t*****Note: Save your Iptables before stop/Restart the iptables Services*****\n"
  echo -e "   1. Save the iptables\n
   2. Status of Iptables\n
   3. Start iptables Services\n
   4. Stop iptables Services\n
   5. Restart iptable Services\n
   6. Flush iptables (**Use Carefully_it will remove all the rules from iptables**)\n
   7. Go back to Main Menu"
  read opt_checkstatus
  case $opt_checkstatus in
   1) echo -e "*******************************************************\n" 
               /etc/init.d/iptables save 
      echo -e "\n*******************************************************\n"
    echo -e "Press Enter key to Continue..."
    read temp;;
   2) echo -e "*******************************************************\n"
               /etc/init.d/iptables status 
      echo -e "*******************************************************"
                                echo -e "Press Enter key to Continue..."
                                     read temp;;
   3) echo -e "*******************************************************\n"  
               /etc/init.d/iptables start 
      echo -e "*******************************************************\n"
                                 echo -e "Press Enter key to Continue..."
                                       read temp;;
   
   4) echo -e "*******************************************************\n"
               /etc/init.d/iptables stop
      echo -e "*******************************************************\n"
                                echo -e "Press Enter key to Continue..."
                                     read temp;;
     
             5) echo -e "*******************************************************\n"
                      /etc/init.d/iptables restart 
      echo -e "*******************************************************\n"
                                echo -e "Press Enter key to Continue..."
                                     read temp;;
   6) iptables -F 
   echo -e "*******************************************************"
   echo -e "All the Rules from the Iptables are Flushed!!!"
   echo -e "*******************************************************\n"
                                echo -e "Press Enter key to Continue..."
                                 read temp;;
   7) main;;
   *) echo -e "Wrong Option Selected!!!"
  esac
 done
 }
###############################BUILD FIREWALL PROGRAM BEGINS FROM HERE############################### 
buildfirewall()
 {
  ###############Getting the Chain############
  echo -e "Using Which Chain of Filter Table?\n
  1. INPUT
  2. OUTPUT
  3. Forward"
  read opt_ch
  case $opt_ch in
   1) chain="INPUT" ;;
   2) chain="OUTPUT" ;;
   3) chain="FORWARD" ;;
   *) echo -e "Wrong Option Selected!!!"
  esac
 
  #########Getting Source IP Address##########
  #Label
   
  echo -e "
  1. Firewall using Single Source IP\n
  2. Firewall using Source Subnet\n
  3. Firewall using for All Source Networks\n"
  read opt_ip
   
  case $opt_ip in
   1) echo -e "\nPlease Enter the IP Address of the Source"
   read ip_source ;;
   2) echo -e "\nPlease Enter the Source Subnet (e.g 192.168.10.0/24)"
   read ip_source ;;
   3) ip_source="0/0" ;;
   #4) ip_source = "NULL" ;;
   *) echo -e "Wrong Option Selected"
  esac
  #########Getting Destination IP Address##########
   echo -e "
  1. Firewall using Single Destination IP\n
                2. Firewall using Destination Subnet\n
         3. Firewall using for All Destination Networks\n"
  
     read opt_ip
              case $opt_ip in
        1) echo -e "\nPlease Enter the IP Address of the Destination"
                     read ip_dest ;;
               2) echo -e "\nPlease Enter the Destination Subnet (e.g 192.168.10.0/24)"
                     read ip_dest ;;
               3) ip_dest="0/0" ;;
        #4) ip_dest = "NULL" ;;
               *) echo -e "Wrong Option Selected"
       esac
       ###############Getting the Protocol#############
       echo -e "
       1. Block All Traffic of TCP
       2. Block Specific TCP Service
       3. Block Specific Port
       4. Using no Protocol"
       read proto_ch
       case $proto_ch in
        1) proto=TCP ;;
        2) echo -e "Enter the TCP Service Name: (CAPITAL LETTERS!!!)"
       read proto ;;
        3) echo -e "Enter the Port Name: (CAPITAL LETTERS!!!)" 
       read proto ;;
        4) proto="NULL" ;;
        *) echo -e "Wrong option Selected!!!"
       esac
 
       #############What to do With Rule############# 
       echo -e "What to do with Rule?
       1. Accept the Packet
       2. Reject the Packet
       3. Drop the Packet
       4. Create Log"
       read rule_ch
       case $rule_ch in 
        1) rule="ACCEPT" ;;
        2) rule="REJECT" ;;
        3) rule="DROP" ;;
        4) rule="LOG" ;;
       esac
###################Generating the Rule####################
echo -e "\n\tPress Enter key to Generate the Complete Rule!!!"
read temp
echo -e "The Generated Rule is \n"
if [ $proto == "NULL" ]; then
 echo -e "\niptables -A $chain -s $ip_source -d $ip_dest -j $rule\n"
 gen=1
else
 echo -e "\niptables -A $chain -s $ip_source -d $ip_dest -p $proto -j $rule\n"
 gen=2
fi 
echo -e "\n\tDo you want to Enter the Above rule to the IPTABLES? Yes=1 , No=2"
read yesno
if [ $yesno == 1 ] && [ $gen == 1 ]; then
 iptables -A $chain -s $ip_source -d $ip_dest -j $rule
else if [ $yesno == 1 ] && [ $gen == 2 ]; then
 iptables -A $chain -s $ip_source -d $ip_dest -p $proto -j $rule         
   
else if [ $yesno == 2 ]; then
 
 main
fi
fi
fi
}
      
main()
{
 ROOT_UID=0
 if [ $UID == $ROOT_UID ];
 then
 clear
 opt_main=1
 while [ $opt_main != 4 ]
 do
echo -e "/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\n" 
#############Check Whether the iptables installed or not############ 
 echo -e "\t*****Main Menu*****\n
 1. Check Iptables Package\n
 2. Iptables Services\n
 3. Build Your Firewall with Iptables\n
 4. Exit"
 read opt_main
 case $opt_main in
  1) echo -e "******************************"
    rpm -q iptables 
     echo -e "******************************" ;;
  2) checkstatus ;;
  3) buildfirewall ;;
  4) exit 0 ;;
  *) echo -e "Wrong option Selected!!!"
 esac
done
else
 echo -e "You Must be the ROOT to Perfom this Task!!!"
fi
}
main
exit 0

All the above contents are copyrighted by USMAN AKRAM _ FA05-BTN-005 (~*Lucky*~) COMSATS IIT ABBOTTABAD