#!/bin/bash
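# Output files, written relative to the current working directory:
# the knockd configuration and the generated firewall/ipset bootstrap script.
readonly knockd_conf='knockd.conf'
readonly bash_script='DACL.sh'
# Absolute tool paths; they are embedded verbatim in the generated files.
readonly ipset_path='/usr/sbin/ipset'
readonly knock_path='/usr/sbin/knockd'
readonly iptables_path='/usr/sbin/iptables'
# Counter used to name one ipset per rule (whitelist_0, whitelist_1, ...);
# incremented by create_knockd_conf.
j=0
# overwriting files: both outputs start fresh on every run
# (knockd_conf gets a single newline, bash_script its shebang line).
printf '\n' > "$knockd_conf"
printf '#!/bin/bash\n' > "$bash_script"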
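#######################################
# Build the knockd knock sequence: port_number repeated repeat_number times,
# comma-separated (e.g. "7000,7000,7000").
# Globals:   port_number, repeat_number (read); str (written, read later by
#            create_knockd_conf)
# Note:      a repeat_number of 0 or 1 yields the single port. The previous
#            string-equality loop never terminated for 0 (or for a value
#            with leading zeros); the counted loop below cannot hang.
#######################################
create_str () {
  local count i
  # 10# forces base 10 so a value such as "08" is not parsed as octal.
  count=$(( 10#$repeat_number ))
  str=$port_number
  for (( i = 1; i < count; i++ )); do
    str+=",${port_number}"
  done
}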
#######################################
# Abort the script unless $1 is a non-empty string of ASCII digits.
# Arguments: $1 - value to validate
# Outputs:   error message on stderr when invalid
# Returns:   0 when valid; exits the script with status 1 otherwise
#######################################
check_is_number() {
  local value=$1
  if [[ ! $value =~ ^[0-9]+$ ]]; then
    echo "error: $value - not a number, exit" >&2
    exit 1
  fi
}
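#######################################
# Abort the script when the ipset timeout $1 exceeds 2147483 seconds
# (the ceiling the prompt advertises; presumably ipset's maximum — verify).
# Arguments: $1 - timeout in seconds, already digit-checked by check_is_number
# Outputs:   error message on stderr when too large
# Returns:   0 when acceptable; exits the script with status 1 otherwise
#######################################
check_max() {
  # 10# forces base 10: with leading zeros a bare "$1" is parsed as octal,
  # and an invalid octal literal makes (( )) fail, silently skipping the check.
  if (( 10#$1 > 2147483 )); then
    echo "error: timeout more than 2147483, exit" >&2
    exit 1
  fi
}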
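#######################################
# Abort the script when the TCP port $1 exceeds 65535.
# Arguments: $1 - port number, already digit-checked by check_is_number
# Outputs:   error message on stderr when too large
# Returns:   0 when acceptable; exits the script with status 1 otherwise
# Note:      port 0 is not rejected here; whether iptables accepts
#            "--dport 0" is left to the generated script.
#######################################
check_port_number() {
  # 10# forces base 10: with leading zeros a bare "$1" is parsed as octal,
  # and an invalid octal literal makes (( )) fail, silently skipping the check.
  if (( 10#$1 > 65535 )); then
    echo "error: port number more than 65535, exit" >&2
    exit 1
  fi
}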
# creating rules for ipset and iptables.
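#######################################
# Append the iptables/ipset stanza for the current port to the generated
# bootstrap script: a DROP rule for the port, an ipset named whitelist_$j,
# and an ACCEPT rule inserted at position 1 for sources present in that set.
# Globals:   bash_script, iptables_path, ipset_path, port_number, j (read)
# Outputs:   five lines appended to $bash_script
# Note:      every command line ends in "&&", so in the generated script a
#            failing rule skips everything that follows it (including the
#            final knockd start).
#######################################
create_bash_script () {
  {
    echo "# Rules for port $port_number."
    echo "$iptables_path -A INPUT -p tcp -m tcp --dport $port_number -j DROP &&"
    echo "$ipset_path create whitelist_$j hash:ip timeout 10 &&"
    echo "$iptables_path -I INPUT 1 -p tcp --dport $port_number -m set --match-set whitelist_$j src -j ACCEPT &&"
    echo ""
  } >> "$bash_script"
}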
# creating rule for knockd.
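#######################################
# Append a knockd section for the current rule, then advance the ipset
# counter so the next rule gets its own whitelist_$j set.
# Globals:   knockd_conf, task_name, str, timeout_1, timeout_2, ipset_path
#            (read); j (read, then incremented)
# Outputs:   five lines appended to $knockd_conf
# Note:      task_name is written verbatim as the section header; it is not
#            validated anywhere in this script. knockd substitutes the
#            knocking client's address for %IP% when it runs the command.
#######################################
create_knockd_conf() {
  {
    # "[$task_name]" as one quoted word: the former "["$task_name"]" left
    # the name unquoted, so spaces were collapsed and glob characters expanded.
    echo "[$task_name]"
    echo " sequence = $str"
    echo " seq_timeout = $timeout_1"
    echo " command = $ipset_path -q add whitelist_$j %IP% timeout $timeout_2"
    echo " tcpflags = syn"
  } >> "$knockd_conf"
  # j=$((j+1)) rather than ((j++)): (( )) returns status 1 when the old
  # value is 0, which would abort the script if set -e were ever enabled.
  j=$((j + 1))
}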
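# Interactive main loop: one knockd rule plus one firewall stanza per pass.
# Only the numeric fields are validated; task_name goes into the knockd
# section header verbatim, so use plain names (no "]" or newlines).
while true; do
  # -r keeps backslashes literal instead of treating them as escapes.
  read -r -p "Enter rule name (for knockd): " task_name
  read -r -p "Enter port number (max 65535): " port_number
  read -r -p "Enter the number of times the port repeats (for knockd): " repeat_number
  read -r -p "Enter the connection timeout in seconds (for knockd): " timeout_1
  read -r -p "Enter the connection timeout in seconds (for ipset, 2147483 max): " timeout_2
  # Check that the values consist only of digits; each check exits on failure.
  # Quoted so an input like "1 2" reaches the check as one argument.
  check_is_number "$port_number"
  check_is_number "$repeat_number"
  check_is_number "$timeout_1"
  check_is_number "$timeout_2"
  # Check maximum value.
  check_max "$timeout_2"
  check_port_number "$port_number"
  create_str
  create_bash_script
  create_knockd_conf
  read -r -p "Add another rule? (yes/no): " answer
  if [[ $answer != "yes" ]]; then
    # Generated script ends by starting knockd in the background.
    echo "$knock_path&" >> "$bash_script"
    # NOTE(review): this prints "exit" to the terminal, not into the
    # generated script — confirm that is the intent.
    echo "exit"
    break
  fi
done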