Lazy SCripter v0.02
Carlo Contavalli
Mon Mar 7 03:02:26 CET 2000

This file documents lsc v0.02, a dumb perl script I wrote to help me
out in writing firewalling rules with ipchains, iptables, ip or any
other tools. This manual, the mentioned script and all the provided
files are copyright © Carlo Contavalli 2000-2002. Please read the
following sections for more details. Note that this is free software
and authors hold no responsibility for any damage or loss, direct or
indirect, caused by using this software. Use it only at your OWN risk
and AFTER carefully reading this documentation. The latest version of
this document can be found at .
______________________________________________________________________

Table of Contents

1. License, copyright and...
2. About this script...
3. Installation
4. Usage
   4.1 Parameters
   4.2 Input file format
5. Known bugs/problems...
6. Future...
______________________________________________________________________

1. License, copyright and...

This document and lsc were written by Carlo Contavalli and are thus
Copyright © Carlo Contavalli 2001-2002.

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.1 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts and no Back-Cover Texts. Any
example of program code available in this document should be
considered protected by the terms of the GNU General Public License.

lsc is free software; you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your
option) any later version.

lsc is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

Trademarks are owned by their respective owners.

2. About this script...

LSC is quite a dumb script I wrote when I was just a perl beginner
since I got tired of continuously writing ipchains or iptables in my
firewalling scripts (never liked ipchains-save&Co.). It is quite dumb
since it just reads the input from a file and then pipes the
``produced'' commands to a shell.

The advantage of using lsc is that it accepts a nested format that
allows you to write each ``prefix'' just once, without having to
rewrite everything every time, and avoids the boring and hard to track
problems caused by the cut&paste philosophy (have you never cut and
pasted firewalling rules and forgotten to change the chain name?).

Here is an example input:
______________________________________________________________________
##!/bin/bash
lan=eth0
dmz=eth1

iptables {
  -P {
    OUTPUT ACCEPT
    FORWARD DROP
    INPUT DROP
  }

  -N {
    lan-dmz
    dmz-lan
  }

  -A FORWARD {
    -i $lan -o $dmz -j lan-dmz
    -i $dmz -o $lan -j dmz-lan
  }

  [ . . . ]
}
______________________________________________________________________

That would pass to the shell something like:

  lan=eth0
  dmz=eth1
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  iptables -P INPUT DROP
  iptables -N lan-dmz
  iptables -N dmz-lan
  iptables -A FORWARD -i $lan -o $dmz -j lan-dmz
  iptables -A FORWARD -i $dmz -o $lan -j dmz-lan
  [. . .]

As you can see, lsc is quite dumb. However, it has some big
advantages... for example, as you can see in the example, you can use
any shell facility since lsc is just a dumb filter, not an
interpreter.

You can find the latest version of this document and the mentioned
software at http://www.commedia.it/ccontavalli/.

If you have troubles/suggestions/corrections feel free to mail me at .

3. Installation

I suggest you do three things to install lsc:

1. Unpack the provided tarball somewhere on your hard drive

     $ tar -xvzf ./lsc.tar.gz

2. Copy ``lsc'' to some useful location with the right ownership and
   permissions set, for example:

     # cp -a ./lsc /usr/bin/
     # chown root:root /usr/bin/lsc
     # chmod 0755 /usr/bin/lsc

3. Check the perl path. The script assumes the perl binary is
   /usr/bin/perl, and this is true on most systems. To check, type
   ``which perl'' to get the location of the perl executable. If it is
   somewhere else, just edit lsc and change the first line to point to
   the right place.

4. Usage

As I told you, lsc is quite a dumb script. It reads a valid input file
to produce a series of commands for the specified shell. For example,
a file like this would be a valid input:
______________________________________________________________________
echo {
  hello {
    world
    foo
    bar
  }

  ' for a in eth0 eth1 eth2
  ' do
  '   echo $a
  ' done

  how {
    are {
      you doing?
      they doing?
    }
    is {
      he doing?
      she doing?
      Carlo doing?
    }
  }
}
______________________________________________________________________

in order to execute commands like
______________________________________________________________________
echo hello world
echo hello foo
echo hello bar
for a in eth0 eth1 eth2
do
  echo $a
done
echo how are they doing?
echo how are you doing?
echo how is he doing?
echo how is she doing?
echo how is Carlo doing?
______________________________________________________________________

Ok, so how do I use it?

4.1. Parameters

lsc wants the file to process as its last argument and has very few
command line parameters.

· -n Tells lsc ``don't do what you are told to -- just print those
  commands on the screen''

· -i Tells lsc ``to print useful info to debug the input file'' (the
  first column is the command number, the second column the line where
  it was found in the input file, and the third column the command
  that would be executed -- -i must be used in combination with -n)

So, using a unixism, the syntax would be:

  lsc [-n[i]] inputfile

4.2. Input file format

An input file must obey the following rules:

· The # character indicates the beginning of a comment. It can be put
  anywhere on a line.

· The { indicates the beginning of a block. Before each block there
  should be a string. Each command inside a block is preceded by all
  the previous strings and then executed by the specified shell.

· The } indicates the end of a block.

· The ##! followed by the name of a shell indicates the shell that
  should be used to execute the generated commands. It can be
  specified anywhere in the file and affects only the commands
  following this statement.

· The ' at the beginning of a line indicates that the line must be
  passed to the shell ``as is'', without any change.

· To escape characters, you MUST use the % character. For example, %{
  is not interpreted by lsc and is passed to the shell as {. I decided
  not to use the \ character to avoid having to write commands like:
  grep \\\\.\\\\* just to write grep \.\*. To write a %, you must use
  %%. Escaping any character besides ', {, }, #, % doesn't make any
  sense, but works.

Anything that follows the indicated rules is processed by lsc and
passed to the shell. This means that if you want to, you can use any
bashism (or perlism, depending on the ##! shell specified) inside the
input file and still get the expected output. This is quite useful if
you want to maintain some kind of independence. For example, you could
write something like:
___________________________________________________________________
##!/bin/bash
. /usr/lib/fwlib

fwall policy {
  of $input is $accept;
  of $output is $drop;
}

fwall drop $input {
  from localhost;
}
___________________________________________________________________

Given that /usr/lib/fwlib provides the right functions and variables.

Some dumb examples are provided in the lsc tarball.

5. Known bugs/problems...

1. I wrote this dumb script for my own use in an afternoon, so don't
   expect anything good looking at the source code; I was just a perl
   beginner when I wrote this.

2. I didn't even want to put this script on a web site. I don't want
   to waste too much time on it. I'm not going to work on it any
   longer.

3. I know it has some troubles sometimes escaping characters.

4. I know it has some troubles deciding the order of the commands when
   you use '. For example, this file with lsc
___________________________________________________________________
echo {
  hello
  ' echo world
}
___________________________________________________________________
   could have an output of ``world hello'' instead of the correct
   hello world.

6. Future...

I'm not going to do anything to lsc. It does exactly what I wanted it
to do. If anybody is interested in it and wants to maintain/improve/
correct some bugs, please contact me by email...
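
The input rules of section 4.2, as an added Python example (not lsc's Perl source and not part of the original manual): it expands an input file into (shell, command) pairs in source order without executing anything, and rejects unbalanced braces before a single rule is produced. Assumptions: at most one { or } per line as in the manual's examples, a /bin/sh default shell, and one space dropped after a leading '; the names TOKEN, scan, expand and SAMPLE are hypothetical.

```python
import re

TOKEN = re.compile(r"%(.)|([#{}])|([^%#{}]+|%)")


def scan(line):
    """Apply % escapes and # comments; report an unescaped { or }."""
    out, seen = [], set()
    for esc, special, plain in TOKEN.findall(line):
        if special == "#":               # comment runs to end of line
            break
        seen.add(special)                # "{" or "}" when not escaped
        out.append(esc or plain)         # %X passes X through literally
    return "".join(out).strip(), "{" in seen, "}" in seen


def expand(source, shell="/bin/sh"):     # default shell is an assumption
    """Return [(shell, command), ...] in source order; nothing is executed."""
    prefixes, commands = [], []
    for n, line in enumerate(map(str.strip, source.splitlines()), 1):
        if line.startswith("##!"):       # shell for the commands that follow
            shell = line[3:].strip()
        elif line.startswith("'"):       # raw line: passed through as is
            commands.append((shell, line[2:] if line[1:2] == " " else line[1:]))
        else:
            text, opens, closes = scan(line)
            if closes and not prefixes:
                raise ValueError(f"line {n}: '}}' without matching '{{'")
            if closes:
                prefixes.pop()
            elif opens:
                prefixes.append(text)    # string before the block
            elif text:
                commands.append((shell, " ".join(prefixes + [text])))
    if prefixes:                         # fail before anything reaches a shell
        raise ValueError("unclosed block: " + " ".join(prefixes))
    return commands


SAMPLE = """lan=eth0   # no shell line yet
##!/bin/bash
iptables {
  -P INPUT DROP
  -A FORWARD {
    -i $lan -j lan-dmz
  }
}
' echo ${lan}
echo %{ok%} 100%%
"""  # constructed sample input, modelled on the manual's examples
```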