It is the very first script I wrote that deals with iptables. I am in the process of learning as much as I can about IPTables. It basically enters into a file the IPs that are trying to do a root ssh connection. Those IPs in turn get put under a DROP rule.
```bash
#!/bin/bash
#The script captures data from /var/log/secure.
#It creates a ban list of IPs where a root and only root SSH connection has been attempted.
IPT=/sbin/iptables

#Flush all iptable rules.
$IPT -F

#This is the file that stores the IP addresses and then does a comparison of IPs with the master file
#Any duplicate IPs are not entered in the master file. Only new IPs
>ips_1

#Checks to see if the master IP file is empty. If it is, it populates it.
#The master IP file is empty when the script has been run for the first time.
#Or if somebody has tampered with it. An email needs to be sent if the file is empty.
#If the master file is not empty then the ips_1 file is compared with the master IP file
#and only new IPs are entered in the master ip file.
#Only sshd lines are matched so that sudo entries that also mention "root" are ignored.
#Field 11 is the address in "sshd[pid]: Failed password for root from <ip> port ..." lines.
#The egrep pattern is quoted so the shell cannot expand [0-9] against files in the current directory.
if [ ! -s master_banned_ip_list ]
then
    grep 'sshd.*root' /var/log/secure | awk '{print $11}' | egrep '^[0-9]' | sort -u >> master_banned_ip_list
else
    grep 'sshd.*root' /var/log/secure | awk '{print $11}' | egrep '^[0-9]' | sort -u >> ips_1
    grep -v -x -f master_banned_ip_list ips_1 >> master_banned_ip_list
fi

#UMBRELLA RULES
#ALWAYS PUT THESE RULES ON. THEY ARE A "DENY BY DEFAULT"
#HOWEVER, THE SECOND RULE WILL ALLOW OUTGOING TRAFFIC.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

#Loopback has to stay open: with a DROP policy and no lo rule, local services break.
$IPT -A INPUT -i lo -j ACCEPT

#Loop that will build the new IP table rules with all the IPs.
#Reads the file line by line instead of `cat` in backticks, so no word splitting or globbing.
while read -r list_of_ips; do
    [ -n "$list_of_ips" ] && $IPT -A INPUT -p tcp -s "$list_of_ips" --in-interface eth0 -j DROP
done < master_banned_ip_list

#SSH RELATED - From what IPs SSH is allowed.
#-From Home external IP
$IPT -A INPUT -p tcp -s xx.xx.xx.xx --in-interface eth0 --dport 22 -j ACCEPT
#-From Work external IP
$IPT -A INPUT -p tcp -s xx.xx.xx.xx --in-interface eth0 --dport 22 -j ACCEPT
#------------------------------------
#ALLOW REPLIES TO CONNECTIONS THIS HOST OPENED (this is what lets ICMP responses back in)
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```
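As an added example (not the poster's script, and not part of the original thread), the following shell functions show a more robust way to pull the source addresses of root SSH failures out of `/var/log/secure`-style lines and to maintain the ban list: the address is taken from the `for root from <addr>` phrase rather than from a fixed `awk` column, the merge step is exact and duplicate-free, and the DROP rules are rendered for review instead of being applied directly. The log lines, file names and the `eth0` interface are constructed assumptions; IPv6 addresses are routed to `ip6tables`, which the original script does not handle.

```bash
#!/bin/bash
# Added example, not the original poster's script. Constructed sample log lines
# in the style of /var/log/secure (not real data).
SAMPLE_LOG='Mar  3 10:01:02 host sshd[2201]: Failed password for root from 203.0.113.10 port 51234 ssh2
Mar  3 10:01:05 host sshd[2201]: Failed password for root from 203.0.113.10 port 51240 ssh2
Mar  3 10:02:11 host sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
Mar  3 10:03:00 host sshd[2215]: Accepted publickey for alice from 192.0.2.5 port 22000 ssh2
Mar  3 10:04:30 host sudo:   alice : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls
Mar  3 10:05:00 host sshd[2230]: Failed password for root from 2001:db8::1 port 33000 ssh2'

# Print the unique source addresses of *root* SSH authentication failures read from stdin.
# Anchoring on the "Failed password for root from <addr> port" phrase avoids the fragile
# column count of awk '{print $11}' and ignores sudo lines that merely mention root.
extract_root_ssh_ips() {
    grep -E 'sshd\[[0-9]+\]: Failed password for root from ' \
        | sed -E 's/.* for root from ([^ ]+) port .*/\1/' \
        | LC_ALL=C sort -u
}

# Append the candidate addresses on stdin to the master file, skipping any that are
# already present. $1 = master ban-list file (created if missing).
merge_into_banlist() {
    local master="$1" new
    touch "$master"
    # -v -x -F -f: drop candidates that already appear verbatim as a whole line.
    # With an empty master file grep matches nothing, so every candidate is kept.
    new=$(grep -vxFf "$master" -) || true
    if [ -n "$new" ]; then
        printf '%s\n' "$new" >> "$master"
    fi
    LC_ALL=C sort -u -o "$master" "$master"
}

# Render one DROP rule per banned address. The commands are printed, not executed,
# so they can be reviewed before being run. IPv6 addresses need ip6tables.
banlist_rules() {
    local master="$1" ip tool
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        case "$ip" in
            *:*) tool=/sbin/ip6tables ;;
            *)   tool=/sbin/iptables ;;
        esac
        printf '%s -A INPUT -s %s -i eth0 -j DROP\n' "$tool" "$ip"
    done < "$master"
}

# Demonstration on the constructed sample; touches only a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" | extract_root_ssh_ips | merge_into_banlist "$demo_dir/master_banned_ip_list"
banlist_rules "$demo_dir/master_banned_ip_list"
rm -rf "$demo_dir"
```

Because `merge_into_banlist` compares whole lines exactly, running it twice over the same input leaves the master file unchanged, which is the property the original `grep -v -x -f` step is after; reading the file with `while read -r` rather than `` `cat file` `` keeps a stray space or glob character in the file from turning into extra arguments to iptables.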