From: mivirl <>
Date: Wed, 22 May 2024 14:33:55 +0000 (-0500)
Subject: Make backups and allow skipping backups
X-Git-Url: http://mivirl.dev/git/?a=commitdiff_plain;h=b613ea11dcb27caea11c9907a487c79df516c6cc;p=firewall-scripts.git
Make backups and allow skipping backups
---
diff --git a/README.md b/README.md
index f183cf9..3e5a2fe 100644
--- a/README.md
+++ b/README.md
@@ -4,10 +4,10 @@ A script for quickly set up firewall rules on linux for either an iptables or nf
 Tested on Debian 12, CentOS 9, Rocky 8/9
-All testing has been done with distributions using nftables, so there could be issues with the iptables backend
+All testing has been done with distributions using nftables, so there potentially could be issues with the iptables backend
 ```
-Usage: ./firewall.sh [-p] [-d policy] [-f firewall] [-r port,action,direction[,ip[,protocol]]] [-s] [-S ip] [-n] [-N ip] [-i] [-y]
+Usage: ./firewall.sh [-p] [-d policy] [-f firewall] [-r port,action,direction[,ip[,protocol]]] [-s] [-S ip] [-n] [-N ip] [-i] [-y] [-b]
 -r Rule to set, with the actions: "accept" or "drop", the directions: "in" or "out", and the protocols: "tcp", "udp". If the port is "_", then the rule applies to all ports
 -p Save rules persistently (restore after reboot)
@@ -19,6 +19,7 @@ Usage: ./firewall.sh [-p] [-d policy] [-f firewall] [-r port,action,direction[,i
 -n Allow dns to any ip
 -i Allow icmp pings
 -y Don't confirm connectivity
+ -b Don't back up previous rules
 Examples:
 ./firewall.sh -f iptables -r 80,accept,in -r 443,accept,in -r 22,drop,out
diff --git a/firewall.sh b/firewall.sh
index 5a28790..ddefdcb 100755
--- a/firewall.sh
+++ b/firewall.sh
@@ -14,6 +14,8 @@ PERSIST=0
 SKIP_CONNECTIVITY_CHECK=0
+SKIP_BACKUP=0
+
 BACKUP_FILE=firewall-backup
@@ -22,7 +24,7 @@ COLOR_GREEN="\033[0;92m"
 COLOR_NONE="\033[0m"
 help() {
- printf "Usage: %s [-p] [-d policy] [-f firewall] [-r port,action,direction[,ip[,protocol]]] [-s] [-S ip] [-n] [-N ip] [-i] [-y]\n" "$0"
+ printf "Usage: %s [-p] [-d policy] [-f firewall] [-r port,action,direction[,ip[,protocol]]] [-s] [-S ip] [-n] [-N ip] [-i] [-y] [-b]\n" "$0"
 printf " -r\tRule to set, with the actions: \"accept\" or \"drop\", the directions: \"in\" or \"out\", and the protocols: \"tcp\", \"udp\".\n \tIf the port is \"_\", then the rule applies to all ports\n"
 printf " -p\tSave rules persistently (restore after reboot)\n"
 printf " -d\tSet default firewall policy to actions: \"accept\" or \"drop\"\n"
@@ -33,6 +35,7 @@ help() {
 printf " -n\tAllow dns to any ip\n"
 printf " -i\tAllow icmp pings\n"
 printf " -y\tDon't confirm connectivity\n"
+ printf " -b\tDon't back up previous rules\n"
 printf "\n"
 printf "Examples:\n"
 printf " %s -f iptables -r 80,accept,in -r 443,accept,in -r 22,drop,out\n" "$0"
@@ -275,7 +278,7 @@ if [ $# -eq 0 ]; then
 exit 1
 fi
-while getopts f:d:N:r:S:hinpsy ARG
+while getopts f:d:N:r:S:bhinpsy ARG
 do
 case "$ARG" in
 f)
@@ -318,6 +321,9 @@ do
 y)
 SKIP_CONNECTIVITY_CHECK=1
 ;;
+ b)
+ SKIP_BACKUP=1
+ ;;
 *)
 help
 exit 1
@@ -367,11 +373,11 @@ printf "%b" "$COLOR_NONE"
 # Restore original rules if user got kicked out
 if [ $SKIP_CONNECTIVITY_CHECK -eq 0 ]; then
- printf "\n%bTo confirm you can still access this machine, log in using another terminal and run \"touch /tmp/fw-confirm\"%b\nRestoring old rules in 20 seconds\n" "$COLOR_RED" "$COLOR_NONE"
+ printf "\n%bTo confirm you can still access this machine, log in using a new terminal and run \"touch /tmp/fw-confirm\"%b\nRestoring old rules in 30 seconds\n" "$COLOR_RED" "$COLOR_NONE"
- original_date=$(ls -cl /tmp/fw-confirm 2>/dev/null | cut -d' ' -f 6-)
- sleep 20
- current_date=$(ls -cl /tmp/fw-confirm 2>/dev/null | cut -d' ' -f 6-)
+ original_date=$(stat /tmp/fw-confirm 2>/dev/null)
+ sleep 30
+ current_date=$(stat /tmp/fw-confirm 2>/dev/null)
 if [ "$original_date" = "$current_date" ]; then
 printf "%bOriginal rules restored%b\n" "$COLOR_GREEN" "$COLOR_NONE"
@@ -386,6 +392,15 @@ if [ $SKIP_CONNECTIVITY_CHECK -eq 0 ]; then
 fi
 fi
+if [ $SKIP_BACKUP -eq 1 ]; then
+ if [ -e "${BACKUP_FILE}-nft.txt" ]; then
+ rm -f "${BACKUP_FILE}-nft.txt"
+ elif [ -e "${BACKUP_FILE}-ip.txt" ]; then
+ rm -f "${BACKUP_FILE}-ip.txt"
+ rm -f "${BACKUP_FILE}-ip6.txt"
+ fi
+fi
+
 printf "%bKeeping new rules%b\n" "$COLOR_GREEN" "$COLOR_NONE"
 if [ $PERSIST -eq 1 ]; then
 persist_rules
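Review bot: The new `original_date`/`current_date` comparison captures the full `stat` report, which includes the access time, so (depending on the mount's atime options) a mere read of `/tmp/fw-confirm` during the 30 s window can make the two values differ, and a difference is taken as confirmation and the old rules are then not restored. The replaced `ls -cl | cut` only looked at the change time; `stat -c %Z /tmp/fw-confirm 2>/dev/null` (GNU stat, present on the Debian/CentOS/Rocky systems the README lists) keeps that narrower check. The 30-second value now appears both in the message text and in `sleep 30`; a single `CONFIRM_TIMEOUT=30` used in both places would keep them in sync. The `if [ $SKIP_CONNECTIVITY_CHECK -eq 0 ]` block continues past the end of the hunk.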
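Review bot: In the new `SKIP_BACKUP` block the `elif` means that if both an nft and an ip backup file are present in the working directory (for example a stale one left by an earlier run with the other backend, if that can occur), only the nft file is removed. `rm -f` already tolerates missing files, so the whole block can collapse to `rm -f -- "${BACKUP_FILE}-nft.txt" "${BACKUP_FILE}-ip.txt" "${BACKUP_FILE}-ip6.txt"`. This code also only deletes a backup that was apparently written earlier (its creation is not in this hunk), so with `-b` the previous ruleset still lands on disk and is removed only on the keep-rules path; if `-b` is meant to mean "never write the previous rules", the flag should guard the creation instead. The `if [ $PERSIST -eq 1 ]` block continues past the end of the hunk.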