0

I'm writing a script that will check/open ports/protocols in the event any are blocked. What I have so far is below. The port/protocol names look strange to me. I would have expected IP addresses, but I've never done this before. Would the host be IP address of the DSLAM? Also, can I run nc without specifying host if it's the current machine? Otherwise, does this script do what is needed?

#!/bin/bash

PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin

echo -e "############################nnnPresent ports opened on this machine are

$(iptables -nL INPUT | grep ACCEPT | grep dpt)

nCompleted listing...nnn#########################"

#these look funny to me
PORTS=( 123 161 69 "UDP" 80 443 22 8443 8080 23 25 3307 "TCP" "HTTPS" "SNMP" "SFTP" "TFTP")
#modified ip's for public sharing
HOSTS=( "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x")

for HOST in "${HOSTS[@]}"
  do
    for PORT in "${PORTS[@]}"
      do
        #see which ones need opening...0 is pass (open), 1 fail, 5 timeout; need host still
        #alternatively try nmap
        nc -z -v -w5 ${HOST} ${PORT}
        #if it's not open, then open it
        if [ "$?" ne 0 ]; then #shellcheck err this line: Couldn't parse this test expression.
          iptables -A INPUT -m tcp -p tcp --dport "$PORT" -j ACCEPT && 
          { service iptables save;
          service iptables restart; 
          echo -e "Ports opened through iptables are n$(iptables -nL INPUT | grep ACCEPT | grep dpt)"; }
        else
          echo "Port $PORT already open"
        fi
    done
done

I've been referring to test if port is open, and also open port.

Michele
  • 3,617
  • 12
  • 47
  • 81
  • 1
    I'm pretty sure I see a few syntax errors. Cut/Paste your code into http://shellcheck.net, correct any errors it finds and then update your Q. Good luck. – shellter Oct 04 '17 at 14:40
  • Thanks! I didn't know that site existed. It's still complaining about parsing the if line, but I'm not sure why. I updated the if line with spaces it needed. – Michele Oct 04 '17 at 14:58
  • 1
    I think you want `-ne` inside of `[ ...]` . And I'm surprized that shellcheck missed that. When I run just that line of code on the command line, I get `-ksh: [: ne: unknown operator`, but that is `ksh`. Don't have a current `bash` to test with. Good luck. – shellter Oct 04 '17 at 15:17
  • It seems happy now. The only thing it's cautioning about is "tips depend on target shell, add shebang". I'm not sure what it's referring to. Wouldn't that be the #!/bin/bash line that I already have? Also, do you think this overall script fulfills the requirement in general? I'm not used to this type of scripting/server work. – Michele Oct 04 '17 at 15:22
  • 1
    the `#!/bin/bash` needs to appear on line 1 (for both shellcheck.net AND inside your bash script). – shellter Oct 04 '17 at 15:36
  • 1
    I have limited experience dealing with ports and don't want to give bad advice. For instance, I would have go check wikipedia to know what a DSLAM is ;-). Generally, if you can show thru testing that a open/closed ports are flagged correctly, I would assume you have a working script. Ouch, that `{...}` block after the `&&` is completely invisible. You should be able to move it below and make the code more readable. Depending on your need, there are many and more efficient tools that can test ports. For example, load `fing` on your android phone. Good luck. – shellter Oct 04 '17 at 15:41
  • It had blank lines in shellcheck but not my script. That fixed the shbang comment. Thanks @shellter! – Michele Oct 04 '17 at 16:51
  • I moved the {} below. It's still not completely showing though! Long line. Thanks for the help. Hopefully this will be what they are looking for once we can get access to the server and test it. I'm not sure how the IP's will stack up for accessing with VM's/DSLAM once things are up and running. – Michele Oct 04 '17 at 16:55
  • 1
    you can break `{ ... }` blocked code on `;` chars. But at least know readers know that code exists ;-) . Also, check out `nmap` utils (widely available, but will required rethinking your problem/solution). Good luck. – shellter Oct 04 '17 at 16:58
  • " ... - I added the error message to the line in the question now" ... You're missing the `-` in front of `-ne` again ;-8 ! Good luck. – shellter Oct 06 '17 at 16:27

1 Answers1

2

  1. These lines seem odd, OP edit #6 adds an outer for loop which assigns the same value to $HOST on each go-round:

    HOSTS=( "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x" "10.x.x.x")

for HOST in "${HOSTS[@]}"
do
    < stuff ... >
done

    Assuming running < stuff ... > four times is not necessary, then the seven lines above, as written, would be equivalent to: 

    HOST="10.x.x.x"
< stuff ... >

  2. (Fixed.) Remove the commas from this line:

    PORTS=( 123, 161, 69, UDP, 80, 443, 22, 8443, 8080, 23, 25, 
        3307, TCP, HTTPS, SNMP, SFTP, TFTP)

    bash does not use commas to define arrays, and if commas are used they become chars in the the array data. Example, given the array exactly as it is above:

    echo ${PORTS[0]}

    Outputs:

    123,
agc
  • 7,973
  • 2
  • 29
  • 50
  • Thank you so much! I hadn't realized that. I updated the code accordingly. I also added the host array. Hopefully I can nest my for loops that way. When I tried using shellcheck to check it, it's complaining about "couldn't parse this test expression" on the if line. – Michele Oct 05 '17 at 12:45
  • 1
    @Michele : I would convert the `iptables` output into a var that you use inside the `echo` statement. i.e. `count=$(iptables -nL INPUT | grep ACCEPT | grep dpt); echo -e "stuff $count"` .Else update your Q with current code and highlight the line generating the shellcheck error. Good luck. – shellter Oct 05 '17 at 14:29
  • @shellter - I added the error message to the line in the question now – Michele Oct 06 '17 at 14:37