How to iterate through multiple interface values in a variable ?

[Denna]

To reduce the length of the firewall script, I'm trying to create one iptables rule that applies to multiple interfaces.

For example ...

Ext_INTF="eth0 usb0 tun0 tun1"

iptables -A FORWARD -i $Ext_INTF -j DROP

Instead of writing this rule three times with each interface, what is the most efficient way to iterate through the different interfaces ?

If the above rule is used, doesn't that mean the rule is run for each value in the Ext_INTF variable ?

Is there an ipset equivalent method of efficiently referencing multiple variable values ?​

 

[thelonelycoder]

Use a for loop to iterate trough them.

 

[Denna]

Use a for loop to iterate trough them.

@thelonelycoder,

Like this ?

Ext_INTF="eth0,usb0,tun0,tun1"

for i in $Ext_INTF;
do
iptables -A FORWARD -i $i -j DROP
done

 

[thelonelycoder]

Yes, like this, but a space will do instead of the comma.

 

[Denna]

@thelonelycoder,

You meant the variable values, correct ?

Ext_INTF="eth0 usb0 tun0 tun1"

Is there any functional difference between the loop method and the single line rule ? Or is it a matter of cosmetics ?​

 

[thelonelycoder]

@thelonelycoder,

You meant the variable values, correct ?

Ext_INTF="eth0 usb0 tun0 tun1"

Is there any functional difference between the loop method and the single line rule ? Or is it a matter of cosmetics ?​

The for loop is a loop, iterating through the space separated array in the $Ext_INTF variable.

Your one liner is no loop, it would try to the set the array in the variable in the single line rule.
This likely will not work.

 

[thelonelycoder]

And this is correct, the comma list will not work:
Ext_INTF="eth0 usb0 tun0 tun1"

 

[Denna]

@thelonelycoder,

Thank you. That works !​

 

[Denna]

@thelonelycoder,

Should the following i be in quotes ?

iptables -A FORWARD -i "$i" -j DROP​

 

[thelonelycoder]

@thelonelycoder,

Should the following i be in quotes ?

iptables -A FORWARD -i "$i" -j DROP​

No need to, it just fills in the interface name.

 

[Denna]

@thelonelycoder,

I asked because I came across this post.

Security implications of forgetting to quote a variable in bash/POSIX shells
https://unix.stackexchange.com/ques...a-variable-in-bash-posix-shells/171347#171347​

 

[thelonelycoder]

@thelonelycoder,

Should the following i be in quotes ?

iptables -A FORWARD -i "$i" -j DROP​

Should the following i be in quotes ?
Not necessarily.

Is is safer to put $i in quotes?
That depends how the attacker would approach and change the variable.
In your case, it's a DROP rule. Not much harm can be done in my opinion for an attacker to gain much.
In any case, if the attacker got as far as this, much more harm can be done by the use of standard terminal commands.

 

[Denna]

@thelonelycoder,

Thanks for the help.​

 

[thelonelycoder]

I'm sure one of the boards security experts could weigh in on that link you provided.
But in most cases this is more the problem in a web based environment.

Here, we have a shell script, run by the admin/root account.
All the scripts are run with the root user privilege on the router. We would have a dangerous attack vector on the router if it were a general problem.
AB-Solution likely would be the first and most attacked script.
As far as I can tell, AB has the highest number of script installations on Merlin routers and is by far the most complex shell script used (I'm not bragging here, just want to put your security concerns in relation to whether it is likely to happen).

This is one of the (or THE) reasons the SSH command input option was removed in the router WebUI.