Open the dev environment to the SSH-authenticated user
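#!/bin/bash
# Close the remaining firewall rules opened for users that no longer are connected by SSH.
# It deletes the ACCEPT rules of the iptables INPUT chain except the ssh ones (port 22)
# and the ones for local connections.
# Save this script and execute it as root with a crontab every 5 minutes.
#
# Example output of `iptables -L INPUT -n` (one rule per line):
#   ACCEPT tcp -- 11.22.33.44 0.0.0.0/0 tcp dpt:80
#   ACCEPT tcp -- 11.22.33.44 0.0.0.0/0 tcp dpt:443
# Fields: $1=target $2=proto $3=opt $4=source $5=destination $6=proto $7=dpt:PORT
#
# Notes:
# - 22.33.44.55 is an address the author excluded from the cleanup (presumably the
#   administrator's own source address); replace it with the address(es) you never want closed.
# - Only the INPUT chain is listed: the deletion below targets INPUT, so rules of other
#   chains (FORWARD/OUTPUT) must not be considered at all.
# - `iptables -D` removes the first matching rule only; duplicated rules are removed by
#   the following cron runs.
# - No `set -e` on purpose: an empty listing makes grep exit non-zero and that is not an error.

while IFS= read -r line; do
  # Split the rule line into its fields (no echo|awk round trips); only proto, srcip,
  # dst and dport are used.
  read -r target proto opt srcip dst proto_again dport rest <<<"$line"
  dstport=${dport#dpt:}
  # Skip lines that do not carry every field this script needs.
  [[ -n "$proto" && -n "$srcip" && -n "$dst" && -n "$dstport" ]] || continue

  # Check if this ip is still connected through ssh: `who --ips` prints the client address
  # as a field. -F keeps '.' literal and -w stops 1.2.3.4 from matching 1.2.3.45.
  if ! who --ips | grep -Fqw -- "$srcip"; then
    echo "Deleting iptables rule accepting connections from $srcip => $dst:$dstport/$proto"
    iptables -D INPUT -p "$proto" --src "$srcip" --dst "$dst" --dport "$dstport" -j ACCEPT
  # else: the user from $srcip is still connected, the rule is kept.
  fi
done < <(iptables -L INPUT -n \
  | grep -E '^ACCEPT' \
  | grep -vF -e '127.0.0.1' -e '22.33.44.55' \
  | grep -vFw -- 'dpt:22')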
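# Be sure that the default policy of your iptables is denying or dropping all connections to make this script useful.
# This script has to be placed in /etc/profile.d/ to be executed when the user logs in.
# Files in /etc/profile.d/ are *sourced* into the login shell, so everything below lives in a
# function with local variables (no stray $ip/$tty/$n left in the user's environment) and
# nothing here calls `set -e` (that would abort the user's login shell on the first error).
# Also, all the users using this script need to be added to /etc/sudoers to allow them to execute iptables without password.
# For example, the /etc/sudoers file should contain lines like this:
#
# Cmnd_Alias IPTABLES = /sbin/iptables,/usr/share/iptables
# <username> ALL=(root:root) NOPASSWD: IPTABLES
#
# Note that such an alias lets those users run iptables with *any* arguments, not only the
# two invocations used below; sudoers also accepts full argument lists in a Cmnd_Alias if
# you want to restrict it.

# Returns 0 when $1 looks like a dotted-quad IPv4 address, 1 otherwise.
# Used so that the value read from `who --ips` is an address before it reaches iptables.
_is_ipv4_addr() {
  local re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  [[ "$1" =~ $re ]]
}

# Opens ports 80 and 443 for the source address of the current ssh session (looked up by
# the session's SSH_TTY in `who --ips`) unless an ACCEPT rule for that address and port
# already exists in the INPUT chain.
# Outputs: appends one line to ~/.ssh-connections.log, prints one line per port on stdout,
#          errors go to stderr.
# Returns: 0 on success, 1 when no tty or no IPv4 address is found (firewall untouched).
open_ssh_session_ports() {
  local -a ports=(80 443)
  local tty ip conn port
  tty=${SSH_TTY:-}
  tty=${tty#/dev/}   # "/dev/pts/3" -> "pts/3"; empty when this is not an ssh session
  if [[ -z "$tty" ]]; then
    echo "Error opening ports: Cannot find a TTY terminal linked to this session" >&2
    return 1
  fi

  # Exact match on the tty column, so pts/1 does not pick up the pts/10 line.
  ip=$(who --ips | awk -v t="$tty" '$2 == t { print $5; exit }')
  conn=$(who --ips | awk -v t="$tty" '$2 == t { print $1 ":" $5; exit }')
  echo "[$(date +%Y/%m/%d_%H:%M:%S)]: Connection from $conn" >> ~/.ssh-connections.log 2>&1

  # Never hand an empty or unexpected value to `iptables --src`.
  if ! _is_ipv4_addr "$ip"; then
    echo "Error opening ports: no IPv4 address found for tty $tty (got '$ip')" >&2
    return 1
  fi

  for port in "${ports[@]}"; do
    # -F/-w: "1.2.3.4" must not match "1.2.3.45" and "dpt:80" must not match "dpt:8080".
    if sudo iptables -L INPUT -n | grep -E '^ACCEPT' | grep -Fw -- "$ip" | grep -Fqw -- "dpt:$port"; then
      echo "Port $port already opened to $ip"
    else
      echo "Opening port $port for ip $ip"
      sudo iptables -A INPUT -p tcp --dport "$port" --src "$ip" -j ACCEPT
    fi
  done
}

open_ssh_session_ports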