@felmoltor
Last active August 29, 2015 14:21
Open Dev environment to SSH authenticated user
#!/bin/bash
# Close the remaining firewall rules opened for users that are no longer connected by SSH.
# It deletes the ACCEPT iptables rules except the SSH one (port 22) and all the local connections.
# Save this script and execute it as root from a crontab every 5 minutes.
# Example output of iptables -L -n:
# ACCEPT tcp -- 11.22.33.44 0.0.0.0/0 tcp dpt:80
# ACCEPT tcp -- 11.22.33.44 0.0.0.0/0 tcp dpt:443
OFS=$IFS
IFS=$'\n'
# 127.0.0.1 and 22.33.44.55 are the addresses whose rules must never be cleaned up
for line in $(iptables -L -n | grep -E "^ACCEPT" | grep -vE "127.0.0.1|22.33.44.55" | grep -v "dpt:22")
do
    proto=$(echo "$line" | awk '{print $2}')
    srcip=$(echo "$line" | awk '{print $4}')
    dst=$(echo "$line" | awk '{print $5}')
    dstport=$(echo "$line" | awk '{print $7}' | sed 's/dpt://g')
    # Check if this IP is still connected through SSH.
    # -w -F: match the whole address literally, so 11.22.33.4 does not count as connected
    # just because a session from 11.22.33.44 exists
    n=$(who --ips | grep -wF "$srcip" | wc -l)
    if [[ $n == 0 ]];then
        echo "Deleting iptables rule accepting connections from $srcip => $dst:$dstport/$proto"
        iptables -D INPUT -p "$proto" --src "$srcip" --dst "$dst" --dport "$dstport" -j ACCEPT
    #else
    #    echo "The user from $srcip is still connected. Not deleting the firewall rule"
    fi
done
IFS=$OFS

# Be sure that the default policy of your iptables is denying or dropping all connections to make this script useful.
# This script has to be placed in /etc/profile.d/ to be executed when the user logs in.
# Also, all the users using this script need to be added to /etc/sudoers to allow them to execute iptables without a password.
# For example, the /etc/sudoers file should contain lines like this:
#
# Cmnd_Alias IPTABLES = /sbin/iptables,/usr/share/iptables
# <username> ALL=(root:root) NOPASSWD: IPTABLES
#
# Get the current IP of the ssh connection
ports=(80 443)
tty=$(echo "$SSH_TTY" | sed 's/\/dev\///g')
sshclient=$(echo "$SSH_CLIENT" | cut -f1 -d' ' )
if [[ $tty != "" ]];then
    # -w: whole-token match on the tty name, so pts/1 does not pick up the pts/10 session
    ip=$(who --ips | grep -w "$tty" | awk '{print $5}' | head -n1 )
    conn=$(who --ips | grep -w "$tty" | awk '{print $1":"$5}' | head -n1 )
    echo "[$(date +%Y/%m/%d_%H:%M:%S)]: Connection from $conn" >> ~/.ssh-connections.log 2>&1
    for port in "${ports[@]}"
    do
        # -w -F: whole-token matches, so 11.22.33.4 / dpt:80 do not match 11.22.33.44 / dpt:8080
        n=$(sudo iptables -L -n | grep -E "^ACCEPT" | grep -wF "$ip" | grep -w "dpt:$port" | wc -l)
        # The original test was "[[ n == 0 ]]": without the $ it compares the literal
        # string "n" to "0", which is always false, so the port was never opened
        if [[ $n == 0 ]];then
            echo "Opening port $port for ip $ip"
            sudo iptables -A INPUT -p tcp --dport "$port" --src "$ip" -j ACCEPT
        else
            echo "Port $port already opened to $ip"
        fi
    done
else
    echo "Error opening ports: Cannot find a TTY terminal linked to this session"
fi
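As an added example (not part of the gist), the cleanup script's rule selection run as a dry run over constructed `iptables -L -n` and `who --ips` output, so the logic can be checked without root or a live firewall. The function names (`connected_ips`, `stale_rules`, `delete_commands`) and the sample addresses are assumptions of this example; the exclusions (loopback, the fixed 22.33.44.55 address, port 22) are the ones the gist's grep chain applies. It also shows the whole-token IP comparison that both gist scripts need: a plain `grep $srcip` over the `who` output would treat 11.22.33.4 as still connected whenever 11.22.33.44 is logged in, leaving that user's ports open. Since the sudoers line in the second script grants the whole iptables binary to every listed user, checking what the scripts would do in a dry run like this is worthwhile before deploying them.

```shell
#!/bin/sh
# Added example (not part of the gist): a dry run of the cleanup script's rule
# selection over constructed iptables/who output, so it runs without root.

# Constructed sample of "iptables -L -n" output (same columns the gist parses).
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:3306
ACCEPT     tcp  --  22.33.44.55          0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  11.22.33.44          0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  11.22.33.44          0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  11.22.33.4           0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  99.88.77.66          0.0.0.0/0            tcp dpt:443'

# Constructed sample of "who --ips" output: only 11.22.33.44 still has a session.
SAMPLE_WHO='alice    pts/0        2015-08-29 14:21 11.22.33.44'

# connected_ips WHO_OUTPUT: space-separated list of source IPs with a live session.
connected_ips() {
    printf '%s\n' "$1" | awk '{ printf "%s ", $5 }'
}

# stale_rules RULES_OUTPUT CONNECTED_IPS [ADMIN_IP]: print "proto src dst port"
# for every ACCEPT rule whose source has no session, skipping loopback, the
# allow-listed admin address and port 22 (the gist's own exclusions).
stale_rules() {
    printf '%s\n' "$1" | awk -v ips="$2" -v admin="${3:-22.33.44.55}" '
        $1 != "ACCEPT"                      { next }
        $4 == "127.0.0.1" || $4 == admin    { next }
        $7 !~ /^dpt:/ || $7 == "dpt:22"     { next }
        # whole-token test: 11.22.33.4 must not count as connected just because
        # 11.22.33.44 is (a plain grep of the who output would say it is)
        index(" " ips " ", " " $4 " ") == 0 {
            sub(/^dpt:/, "", $7); print $2, $4, $5, $7
        }'
}

# delete_commands RULES_OUTPUT CONNECTED_IPS: the iptables -D lines the cron job
# would run, printed instead of executed.
delete_commands() {
    stale_rules "$1" "$2" | while read -r proto src dst port; do
        printf 'iptables -D INPUT -p %s --src %s --dst %s --dport %s -j ACCEPT\n' \
            "$proto" "$src" "$dst" "$port"
    done
}

delete_commands "$SAMPLE_RULES" "$(connected_ips "$SAMPLE_WHO")"
```

With the constructed input the dry run prints two delete commands, for 11.22.33.4 (port 80) and 99.88.77.66 (port 443); the rules for 11.22.33.44 stay because that address still has a session, and the loopback, admin and port 22 rules are never considered.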