Calling the mighty Gods Of Centos :) Bash Scripting Firewalld automation project

ally_uk Member Posts: 1,145
Hi Guys I recently have made the transition to Centos 7 and have been playing with firewalld I wanted to create a basic bash script
to automate the configuration process and would gradually like to add more and more advanced concepts to it with the input of you guys.
I am a noob when it comes to scripting and figured this project could benefit a few people and speed up the config process. I wish to
document the process so that others can add and gain knowledge.

The initial layout / process of the script I have in mind is the following please feel free to add / input and aid me on my quest ;)

Since this forum is full of Linux Gods on a different level of knowledge to myself. If you have some free time please feel free to input; my goal is to document everything so others can gain something from this project.


(Rough layout of Firewalld Configuration Script Version 1.0 )


1) Script loads and checks if user is running as root if not script exits:
2) User is presented with a menu with the following options: - Start firewalld, Stop, Status, disable iptables,
add service - user presented with a menu of popular services to allow through firewall i.e ssh, http, samba ( all services are added permanent )
remove service does the same as above but removes services.
add ports, remove ports ( user specifies a port range and whether it's UDP / TCP options are made permanent)

menu options for the following? : List rules, get services, reload firewall, enable at boot?


3) Advanced configuration options - takes user to another menu with the following options:


: get default zone information
: get active zones
: get zones - show all available zones
: set default zone to : home, public,
:assign ip address to a zone:


restart: system



So that is the kind of script I want to initially start building the order above will need some input and tweaking. Please feel free to comment and to input /
aid me final script will be available for anyone to use :)
Microsoft's strategy to conquer the I.T industry

" Embrace, evolve, extinguish "

Comments

  • networker050184 Mod Posts: 11,962
    I'd suggest going with something like Python for this rather than bash. Maybe it's just my own preference and lack of bash skills, but bash seems like it would start to get overly complex.

    Good luck though! I've been getting a lot more involved in automation lately so definitely interested to see what you come up with.
    An expert is a man who has made all the mistakes which can be made.
  • ally_uk Member Posts: 1,145
    I am going to start with BASH initially. Just am having difficulty getting my head around how you go about creating the menu, and getting user input then executing commands depending on input..
  • networker050184 Mod Posts: 11,962
    Same part I was thinking would be the most difficult with bash. It's a simple process with most programming languages though. Maybe some simple menus driven by Python raw input or Ruby gets that kicks off your bash scripts.
  • ally_uk Member Posts: 1,145
    So I did some digging and managed to track down a script designed for iptables, I am going to modify it for firewalld I have posted a section of the script below as I am not understanding two parts. Was hoping a Bash god could aid me :)

    ###############################IPTABLE SERVICES PROGRAM BEGINS HERE###############################
    checkstatus()
    {
    opt_checkstatus=1
    while [ $opt_checkstatus != 7 ]
    do
    clear
    #echo -e "\nChoose the Option Bellow!!!\n
    echo -e "\n\t*****Note: Save your Iptables before stop/Restart the iptables Services*****\n"
    echo -e " 1. Save the iptables\n
    2. Status of Iptables\n
    3. Start iptables Services\n
    4. Stop iptables Services\n
    5. Restart iptable Services\n
    6. Flush iptables (**Use Carefully_it will remove all the rules from iptables**)\n
    7. Go back to Main Menu"
    read opt_checkstatus
    case $opt_checkstatus in


    The top section I know is a function but what exactly is the opt_checkstatus !=7 doing? saving as a variable?

    Also the [$opt_checkstatus !=7] I don't really understand the rest is pretty straight forward.
  • UnixGuy Mod Posts: 4,565
    Good way to learn things, I recommend reading this book as I found it's one of the best resources out there for iptables!
    http://www.amazon.com/Hardening-Linux-James-Turnbull/dp/1590594444/ref=pd_sim_b_3?ie=UTF8&refRID=03F5DX512265R0ED8XQN


    For firewall configuration, not that I'm an expert or anything (far from it really), but think about using a configuration management tool (puppet, cfengine,..), that's the modern way of doing it, and it's really neat. Just tell it how the file should look like, and what the service status should be.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • ally_uk Member Posts: 1,145
    I am using firewalld not iptables.

    Secondly all I really wanted to know was what this part of the script I posted does. I know it is a function is it testing something?

    checkstatus()
    {
    opt_checkstatus=1
    while [ $opt_checkstatus != 7 ]
    do
  • UnixGuy Mod Posts: 4,565
    Sorry, still trying to wake up (Monday yay).


    Yes it's a function that reads user input.

    So the $opt_checkstatus is basically the user input (selection from the menu...)

    so keep looping and displaying the menu items until the user select "7" which is "Go back to main menu"

    I hope this is your question :)

  • Deathmage Banned Posts: 2,496
    ally_uk wrote: »
    Hi Guys I recently have made the transition to Centos 7 and have been playing with firewalld I wanted to create a basic bash script
    to automate the configuration process and would gradually like to add more and more advanced concepts to it with the input of you guys.
    I am a noob when it comes to scripting and figured this project could benefit a few people and speed up the config process. I wish to
    document the process so that others can add and gain knowledge.

    The initial layout / process of the script I have in mind is the following please feel free to add / input and aid me on my quest ;)

    Since this forum is full of Linux Gods on a different level of knowledge to myself. If you have some free time please feel free to input; my goal is to document everything so others can gain something from this project.


    (Rough layout of Firewalld Configuration Script Version 1.0 )


    1) Script loads and checks if user is running as root if not script exits:
    2) User is presented with a menu with the following options: - Start firewalld, Stop, Status, disable iptables,
    add service - user presented with a menu of popular services to allow through firewall i.e ssh, http, samba ( all services are added permanent )
    remove service does the same as above but removes services.
    add ports, remove ports ( user specifies a port range and whether it's UDP / TCP options are made permanent)

    menu options for the following? : List rules, get services, reload firewall, enable at boot?


    3) Advanced configuration options - takes user to another menu with the following options:


    : get default zone information
    : get active zones
    : get zones - show all available zones
    : set default zone to : home, public,
    :assign ip address to a zone:


    restart: system



    So that is the kind of script I want to initially start building the order above will need some input and tweaking. Please feel free to comment and to input /
    aid me final script will be available for anyone to use :)

    I got really good with BASH at my last job, but that was for Windows. If I knew CentOS more and knew what hooks to use I'm sure I could write you something in a few hours.

    But look at the code from the other people's suggestions I honestly don't know Cent OS to effectively write it. I'm sure I could do something in a few days if I look over the syntax of CentOS. It's one of those things on my bucket-list.

    Some of my BASH work here: http://g15it.com/?page_id=135
  • YFZblu Member Posts: 1,462
    I'd suggest going with something like Python for this rather than bash. Maybe it's just my own preference and lack of bash skills, but bash seems like it would start to get overly complex.

    Any time you find yourself executing Bash commands via Python, for the core functionality of your script, it's time to re-evaluate the project. One of the first determinations you must make when automating tasks is if you are using the best tool for the job. Of course if Python is the one language you're comfortable with, some hacky automation is better than none. I would just take it as an opportunity to expand the scripting toolkit to include other languages down the road.

    The nice thing is once you're familiar with a fully-featured scripting language like Python, coding in other high-level languages comes a lot more naturally.
  • YFZblu Member Posts: 1,462
    ally_uk wrote: »
    I am using firewalld not iptables.

    Secondly all I really wanted to know was what this part of the script I posted does. I know it is a function is it testing something?

    opt_checkstatus=1 // Sets the variable "opt_checkstatus" to the value 1

    while [ $opt_checkstatus != 7 ] // Using "[ ]" means you are evaluating the expression inside of the brackets. In computing, the result of an evaluation is either 'True' or 'False'. In this case, the evaluation is checking to see if the variable "opt_checkstatus" is equal to the number 7. If not, the code below is executed.

    Run the command "man test" to read more on the evaluation utility in Bash
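
An added example, not part of any post in this thread: the `while [ ... != N ]` menu loop explained above, applied to the add/remove-port step of the original plan. Function names and menu text are assumptions; the port range and protocol are validated before anything reaches `firewall-cmd --permanent`, and the script only prints the command unless `DRY_RUN=0` is set and it runs as root.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): function names and menu text are hypothetical.
DRY_RUN=${DRY_RUN:-1}   # 1 = print the firewall-cmd call instead of running it

is_port() {             # one port: digits only, no leading zero, 1..65535
    case $1 in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

valid_ports() {         # "N" or "N-M" with N <= M
    local lo="$1" hi="$1"
    case $1 in *-*) lo=${1%%-*}; hi=${1#*-} ;; esac
    is_port "$lo" && is_port "$hi" && [ "$lo" -le "$hi" ]
}

port_arg() {            # usage: port_arg add|remove PORTS tcp|udp
    case $1 in add|remove) ;; *) return 1 ;; esac
    case $3 in tcp|udp) ;; *) return 1 ;; esac
    valid_ports "$2" || return 1
    printf '%s\n' "--$1-port=$2/$3"
}

run() {                 # dry-run prints; a real run requires root
    if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $*"; return 0; fi
    [ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; return 1; }
    "$@"
}

menu() {
    local choice="" action ports proto arg
    while [ "$choice" != 4 ]; do        # same loop shape as checkstatus()
        printf '1. Add port\n2. Remove port\n3. Reload firewalld\n4. Quit\n> '
        read -r choice || break         # EOF ends the menu
        case $choice in
            1|2) action=add; [ "$choice" = 2 ] && action=remove
                 printf 'Port or range (e.g. 8080-8090): '; read -r ports || break
                 printf 'Protocol (tcp/udp): '; read -r proto || break
                 if arg=$(port_arg "$action" "$ports" "$proto"); then
                     run firewall-cmd --permanent "$arg"
                 else
                     echo "Rejected: '$ports' '$proto'" >&2
                 fi ;;
            3) run firewall-cmd --reload ;;
            4) ;;
            *) echo "Invalid option" >&2 ;;
        esac
    done
}

if [ "${1:-}" = menu ]; then menu; fi
```

Start the interactive menu with `bash script.sh menu`; permanent rules only take effect after the reload option is chosen.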
  • ally_uk Member Posts: 1,145
    sweet thanks for the response I will post up version 1 of the script when it's done. Obviously it will be basic I want people on here to add input and functionality so it can be a learning experience for people :)

    I will post version 1 soon :)
  • DoubleNNs Member Posts: 2,015
    I know nothing about firewalld, but I'd be interested in helping work thru this script. I have my LXO-101 exam scheduled for tomorrow morning, so I'm doing some last min cramming and going to sleep early. However, I should be free to help out after my exam.

    It'd be a great opportunity for me to get some exposure to firewalld and practice my shell scripting, since I haven't written anything new in weeks/months.

    Send me a PM if you want.
    Goals for 2018:
    Certs: RHCSA, LFCS: Ubuntu, CNCF CKA, CNCF CKAD | AWS Certified DevOps Engineer, AWS Solutions Architect Pro, AWS Certified Security Specialist, GCP Professional Cloud Architect
    Learn: Terraform, Kubernetes, Prometheus & Golang | Improve: Docker, Python Programming
    To-do | In Progress | Completed
  • ally_uk Member Posts: 1,145
    Awesome could do with your help :) we can build it together can do with your expertise I will create like the alpha version it will be lacking as I am a bash scripting noob but the purpose of this project is to gradually build it and add parts to it and improve with the help of the input of this forum.

    I then want to document the whole process and create a kind of bash scripting tutorial to help fellow noobs
  • ally_uk Member Posts: 1,145
    Well I have got the basic menu layout in place, I need to populate with further options for the basic firewalld configuration. I then need to figure out how to call further sub menus. Anyways the menu code is below Script doesn't do anything yet it's just the framework, Feel free to improve :)

    #####################################################################################################


    #!/usr/bin/env bash

    # clear the screen
    tput clear

    # Move cursor to screen location X,Y (top left is 0,0)
    tput cup 3 15

    # Set a foreground colour using ANSI escape
    tput setaf 5
    echo "-- Firewall Configuration --"
    tput sgr0

    tput cup 5 17
    # Set reverse video mode
    tput rev
    echo "M A I N - M E N U"
    tput sgr0

    tput cup 7 15
    echo "1. Display I.P Details"

    tput cup 8 15
    echo "2. Run Specific Test"

    tput cup 9 15
    echo "Q. Quit Menu"

    # Set bold mode
    tput bold
    tput cup 12 15
    read -r -p "Enter your choice [1, 2 or Q] " choice

    tput clear
    tput sgr0
    tput rc

    case "$choice" in
    1) ifconfig;;
    2) echo "Run specific Test";;
    q|Q) echo "Exiting Menu.";exit 0;;
    *) echo "Invalid option";;

    esac