Linux Training

Linux training for private, public & voluntary sector.

0793 572 8612
Home | Contact | Linux Support | Shell scripts

Search



Linux / UNIX services

Sample scripts.

City Linux Training Seal

I am based just outside Nottingham in the East Midlands and can readily provide on-site Linux training courses in Nottingham, Beeston, Castle Donnington, Chesterfield, Derby, East Leak, Grantham, Leicester, Lincoln, Loughborough, Mansfield, Market Harborough, Newark, Sheffield, Stoke on Trent and Sutton Ashfield. Off site training and public linux classes can be arranged in Nottingham and elsewhere in the East Midlands.
    Valid XHTML 1.0!   Valid CSS!

City LinUX sample scripts - chkfw

NAME

chkfw - check (and correct) running iptables firewall configurations on a remote host.

SYNOPSIS

chkfw [[ -C ] [ -cc <email_address> ] [ -d ] [ -l ] [ -m <#max_wait> ] [ -n ] [ -p <#,#...> ] [ -l ] [ -T ] [ -u | -U ] [ -v ]] | <hostname> | -V

AVAILABILITY

chkfw is a Bourne shell script which should work equally well on all versions of UNIX, Linux and Mac OS X.

DESCRIPTION

chkfw checks running firewalls against a known template on the administration server. If the running firewall's configuration has deviated from the known configuration, chkfw will attempt to restore the firewall to the approved configuration, provided that the local firewall configuration and boot files are identical to those on the administration box and that the plesk configured firewall (if any) has not been activated.

Urgent alerts are sent by email and optionally by SMS text message (see -T option below).

Additionally ports which are expected to be open may be checked if enumerated on the command line.

OPTIONS

-C    Check and report on status of firewall and enumerated ports only. Do not change running configuration.

-cc <email_address>
Send copies of warnings and alerts to email_address

-d    Start in debug mode. chkfw. A message will also be emailed to the address set as email_rcpt with copies to email_address if set with the -cc option.

--force-restore This option should only be used with extreme caution. The firewall will be restarted with the configuration on the remote host as found in /etc/sysconfig/iptables and /etc/sysconfig/iptables-config, even if these differ from the canonical files stored on the administration server.

-l    Use the syslog facility to log the check and any alerts generated.

-m # <maxi_wait> Set the maximum time (in minutes) to wait for the ports to become available.

-p # [, # [, # ]....] Enumerated ports to be scanned with nmap.

-T    When raising alerts additionally send text messages to the recipient specified with the variable $txt. The mechanism employed is an email to SMS gateway so $txt is a suitable email address.

-u    Update the firewall tables and firewall configuration file to synchronise the administration server with the target host only. chkfw will compare the output of "iptables -nL" with a template kept on the administration server and if they differ will archive the existing template and update the template with a copy of the output from the target host. The firewall configuration file will similarly be updated. This is to facilitate making changes on the target host and then synchronising the records on the administration server. NB The source file for reconfiguring the target host iptables is not at present changed by using -u    option.

-U    With the -U    option the source firewall boot file will be updated from the remote firewall boot file ( /etc/sysconfig/iptables by default) in addition to the template and configuration file as with the -u    option above. It is an error to combine -u    and -U    on the command line.

-v    Set verbose mode. Ordinarily chkfw operates silently unless problems are detected. In verbose mode chkfw reports on each significant action.

-V    Print version details and exit.

EXAMPLES

chkfw -m 30 -p 21,22 -v hostname

Check the running iptables firewall on hostname. Use nmap to ensure that the ports 21 and 22 are open. Run in verbose mode.

FILES

<hostname>:/etc/sysconfig/iptables, <hostname>:/etc/sysconfig/iptables-config, /usr/local/etc/<hostname>.d/fw.

BUGS

The script is quite crude having been developed to address problems experienced by City Linux clients running on CentOS servers at 1and1. It does depend on very specific file and remote access permissions. Particularly it expects that where root permission is required sudo will be used. With judicious use of the debug and verbose modes, permission and configuration problems should be relatively easy to resolve.

The check on ftp transfer rates has been recently removed.

SEE ALSO

chkdf, chkftpd, chkmail, chkup, clean, secscan.

AUTHOR

Clifford W Fulford, City Linux. Contact fulford@fulford.net or +44 (0)709 229 5385. $Id: chkfw.man,v 1.60 2016/11/12 09:37:19 fulford Exp fulford $

Trainer

Picture of Clifford W Fulford - IT consultant
Clifford W Fulford BA(Hons), PGDip (Computing), PGCE. DES/DFE No. 7773034.

I started my career in computing in the days of CPM and C/CPM, building network operating systems and correcting bespoke software written to manage community transport booking and accounting systems.

I fist came across UNIX when called upon to migrate database systems from Mercator BBS to Thoroughbred Basic. Excited by the power and flexibility of UNIX in 1989/90 I studied the OS at City University night classes while developing my practical skills in a SCO Xenix environment during the working day.

In 1994 I was introduced to Linux by students in the School of Mathematics and Computing at North London University. Although initially sceptical of the ability of the fledgling OS to meet the requirements of large scale mission critical systems, I rapidly became a convert to Linux in a corporate environment.

I have now worked professionally as a systems manager and systems administrator with Xenix, AIX, HPUX, SunOS, Solaris and Linux in the City, Antwerp, McLean Virginia, Cairo, Birmingham and Nottingham for over 25 years

Copyright © 2003-2017 Clifford W Fulford.
Fulford Consulting Ltd. Regd. Co. 4250037 in England & Wales. Regd. office 162, Edward Rd. Nottingham NG2 5GF, England, UK.

Related web sites: City Linux | Flare Support | West Bridgford | Fulford Portal | Joan Mary Fulford (Nottingham Writer) | Fulford Gallery | Amharic Interpreter | Arabic Interpreter | Tigrinya Interpreter

The layout and associated style sheets for this page are taken from the World Wide Web Consortium and used here under the W3C software licence.