How to pass argument to command from pipe? - linux

I use the tail command on apache2 access_log, then by piping that output to cut I can get the ip address in real time, but then I need to process each line in real time with iptables.
I try to do that this way:
tail -f access_log | cut -d' ' -f 1 | xargs iptables -A INPUT -j DROP -s
But it does not work.
How to call iptables for each line in real time?

Related

How can i extract only the destination ports from a TCPDUMP file

i currently have a script in bash that extract the destination IPs and ports only from the Host IP ( me )
I need to sort the destination Ports in a separate File.
the command i use now for making the capture:
tcpdump -G 15 -W 1 -w myscript15s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'
Does anyone what command can i use to put in a separate document only the destination ports?
I found you can only sort IPs but maybe i didn't search throughly enough :(
Packet capture script
Packet capture output
// Script for making the capture
#!/bin/bash
clear
echo "Select your capture option: "
read capture
echo "You selected $catpure"
echo
if [ $capture == "Option1" ];
then
echo
tcpdump -G 15 -W 1 -w myscript15s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'
tcpdump -ttttnnr myscript15s
cp myscript15s captura
elif [ $capture == "Option2" ]
then
echo
tcpdump -G 600 -W 1 -w myscript600s -i enp0s3 -nnvvS src 10.0.2.15 and dst portrange '1-65535'
else
echo "Incorect option .."
fi
echo
echo "The end"
echo
/// output - placed only first 2 lines to get the ideea
2018-06-26 15:42:21.261263 IP 10.0.2.15.54178 > 10.18.0.22.53:19272 [1au] A? detectportal.firefox.com.(53)
2018-06-26 15:42:21.261418 IP 10.0.2.15.51118 > 10.18.0.22.53:31437+ [1au] AAAA? detectportal.firefox.com.(53)
One way that could achieve this would be using tshark to read the capture while applying display filters, sorting as needed then writing the output to a file:
tshark -r your_capture_file.pcap -T fields -e udp.dstport -e tcp.dstport | sort | uniq > results.txt
If you wish to also include the protocol name in your results you can add it in the filter as well:
tshark -r your_capture_file.pcap -T fields -e _ws.col.Protocol -e udp.dstport -e tcp.dstport | sort | uniq > results.txt
Note that using the above method will take care of everything in a single command however the output resulted will contain blank UDP port columns for TCP traffic and blank TCP port columns for UDP traffic which may pose an issue.
In order to avoid this, you can simply run the command twice, once per protocol:
TCP
tshark -r your_capture_file.pcap -T fields -e tcp.dstport | sort | uniq > results.txt
UDP
tshark -r your_capture_file.pcap -T fields -e udp.dstport | sort | uniq >> results.txt
Take note that the second run should use the >> operator instead of the > one to append data to the results file.

Block list of ip addresses linux

I'm running Kali on a computer that has port forwarding so I can access it while away from my desk. Upon looking at /var/log/auth.log I find a number of IP addresses that have been trying to log in which I don't recognise. I've managed to extract all the IPs and put them in a file, and want to run a script to block them using iptables. So far, I've come up with this, but it's not working:
#!/bin/bash
NUMBEROFIPS=cat "ipaddresses.txt" | wc -l
for i in `seq 0 $NUMBEROFIPS`;
do
IP=awk 'NR==$i' ipaddresses.txt
iptables -A INPUT -s $IP -j DROP
done
What am I doing wrong?
I suggest:
#!/bin/bash
while IFS= read -r ip; do
iptables -A INPUT -s "$ip" -j DROP
done < ipaddresses.txt
or
xargs -I {} iptables -A INPUT -s {} -j DROP < ipaddresses.txt

Iptables remove specific rules by comment

I need to delete some rules with same comment.
For example I have rules with comment = "test it", so i can get list of them like this:
sudo iptables -t nat -L | grep 'test it'
But how can i delete all PREROUTING rules with comment 'test it'?
UPD:
As #hek2mgl said, i can do something like this:
sudo bash -c "iptables-save > iptables.backup"
sed -i '/PREROUTING.*--comment.* "test it"/d' iptables.backup
sudo iptables-restore < iptables.backup
sudo rm iptables.backup
But between save and restore could be changes in iptables, so after restore there will be problems =/
You can use the following command:
iptables-save | sed -r '/PREROUTING.*comment.*test it/s/-A/iptables -D/e'
iptables-save will return iptables commands that can be executed to return the current state of the firewall after a reboot or whatever.
Meaning it will contain lines like:
...
-A PREROUTING -p tcp -m tcp --dport 25 -j ACCEPT -m comment --comment "test it"
...
The sed command searches for lines containing PREROUTING.*comment.*test it (should be good enough) and prepends the term iptablesplus replaces -A by -D since -D deletes a rule. The result of the replacement operation get's then executed using the e command. The e command is a GNU extension to sed.
Note: If you want to print the command in addition to simply executing it you can use s/-A/iptables -D/pe.
Yet another way to Remove by comment:
NOWRULES=$(iptables --line-number -nL INPUT | grep comment_here | awk '{print $1}' | tac)
for rul in $NOWRULES; do /sbin/iptables -D INPUT $rul; sleep 0.1; done
The best way to remove comment-based rules from iptables is:
iptables-save | grep -v COMMENT | iptables-restore
it cleans all rules with matching comment. As for me, I use this method to add ruleset that needs to be completely removed later.
If you neeed only PREROUTING chain to be touched, add some prefix or suffix to your comment like preroute_COMMENT upon rule creation to make difference inside COMMENT identified ruleset

How to get processid and processname for a specific port

I want to write a shell-script such that it should ask for a port number then show the process-id and process-name running on that port number. So how can I do this in Linux?
You can use lsof to do so, with the -i option to filter the port you want. The first column is the command name and the second one is its pid.
lsof -i :$port | tail -n +2 | awk '{ print $1" "$2 }'
I'm using tail to remove the header from the output of lsof. Note that there is a simpler solution to get the pid alone, using the -t option:
lsof -t -i :$port

Bash - Command call ported to variable with another variable inside

I believe this is a simple syntax issue on my part but I have been unable to find another example similar to what i'm trying to do. I have a variable taking in a specific disk location and I need to use that location in an hdparm /grep command to pull out the max LBA
targetDrive=$1 #/dev/sdb
maxLBA=$(hdparm -I /dev/sdb |grep LBA48 |grep -P -o '(?<=:\s)[^\s]*') #this works perfect
maxLBA=$(hdparm -I $1 |grep LBA48 |grep -P -o '(?<=:\s)[^\s]*') #this fails
I have also tried
maxLBA=$(hdparm -I 1 |grep LBA48 |grep -P -o '(?<=:\s)[^\s]*')
maxLBA=$(hdparm -I "$1" |grep LBA48 |grep -P -o '(?<=:\s)[^\s]*')
Thanks for the help
So I think here is the solution to your problem. I did basically the same as you but changed the way I pipe the results into one another.
grep with regular expression to find the line containing LBA48
cut to retrieve the second field when the resulting string is divided by the column ":"
then trim all the leasding spaces from the result
Here is my resulting bash script.
#!/bin/bash
target_drive=$1
max_lba=$(sudo hdparm -I "$target_drive" | grep -P -o ".+LBA48.+:.+(\d+)" | cut -d: -f2 | tr -d ' ')
echo "Drive: $target_drive MAX LBA48: $max_lba"

Resources