0

I'm trying to understand a Linux Bash script. The aim of the script is to limit access to server services to some dyndns users only (by use of ufw rules). Part of the script:

ALLOWEDUSERS="client1.dyndns.org client2.dyndns.org"

for host in $ALLOWEDUSERS ; do
    ip=`host $host | cut -d ' ' -f 4`
    if [ $? -eq 0 ]; then
       ufw allow proto tcp from $ip to any
    fi
done

okay

for host in $ALLOWEDUSERS ; do

is clear, it loops through ALLOWEDUSERS,

as far as I understand

if [ $? -eq 0 ]; then

checks if the command executed before is true (if so the ufw rule is added)

but how does the rest of the snippet

ip=`host $host | cut -d ' ' -f 4`

check if the client IP is the one from the allowed dyndns account?

thanks a lot for your help,

tony

14
  • This script is badly written and probably broken. Why waste time with it? Commented Nov 11, 2013 at 21:30
  • Hi Barmar "Why waste time with it?" - For learning purpose. Commented Nov 11, 2013 at 21:33
  • 2
    The programmer apparently thought he was checking the exit status of the host command, which is 0 if the hostname lookup is successful. But it's actually checking the exit status of cut, because the status of a pipeline is the status of the last command. So it doesn't work as intended. Commented Nov 11, 2013 at 21:33
  • @tBook I didn't write that. Commented Nov 11, 2013 at 21:33
  • @tBook Then learn from other better written scripts. This thing is a bug nest. cut will always return true in this case, hence ufw will always run. Oh dear. Commented Nov 11, 2013 at 21:34

2 Answers

1

It doesn't really check anything.

The output from host $host is something like $host has address xxx.xxx.xxx.xxx.

For example:

$ host localhost
localhost has address 127.0.0.1

Afterwards cut -d ' ' -f 4 isolates the fourth part, which is the ip address. This is used as the ip address for the ufw command.

0

The script is essentially equivalent to:

ALLOWEDUSERS="client1.dyndns.org client2.dyndns.org"

for host in $ALLOWEDUSERS ; do
    ip=`host $host | cut -d ' ' -f 4`
    ufw allow proto tcp from $ip to any
done

The if in the original script was checking the result of cut, not host, and it was always successful, so it served no useful purpose.

When the DynDNS hostname is valid, a rule will be added to the firewall to allow it.

When the hostname isn't found, the host command prints:

Host clientN.dyndns.org not found: 3(NXDOMAIN)

so $ip will be found:. This will try to do:

ufw allow proto tcp from found: to any

Since that's not a valid firewall rule, I expect it will be ignored and an error message issued.

If you want to do what the script was apparently trying to do, it should be:

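ALLOWEDUSERS="client1.dyndns.org client2.dyndns.org"

for host in $ALLOWEDUSERS ; do
    # Capture the output first so that $? is the exit status of host itself
    hostresult=$(host "$host")
    if [ $? -eq 0 ]; then
        # Fourth space-separated field of "<name> has address <ip>"
        ip=$(echo "$hostresult" | cut -d ' ' -f 4)
        ufw allow proto tcp from "$ip" to any
    fi
done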

1 Comment

thanks for this extensive helpful answer! thumbs up.
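
The following is an added example, not code from the question or either answer. It goes beyond the thread's fix by also validating what reaches the firewall rule: only "has address" lines are parsed, each token must be a well-formed IPv4 address, and multiple A records are handled. The function names, the RESOLVER override and the fake_host sample data are assumptions made so the logic runs offline; the ufw commands are printed, not executed.

```shell
# Added example; is_ipv4, extract_ipv4, rules_for, RESOLVER are hypothetical.

# Succeed only for four dot-separated decimal octets in 0..255.
is_ipv4() (
    case $1 in
        '' | *[!0-9.]* | *..* | .* | *.) exit 1 ;;
    esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
)

# Read `host` output on stdin and print validated IPv4 addresses.
# Error text, alias lines and IPv6 lines never produce a token.
extract_ipv4() {
    awk 'NF == 4 && $2 == "has" && $3 == "address" { print $4 }' |
    while IFS= read -r ip; do
        if is_ipv4 "$ip"; then printf '%s\n' "$ip"; fi
    done
}

# Print one ufw command per validated address of hostname $1.
rules_for() {
    # Capture first: $? is then the resolver's status, not that of a
    # later pipeline stage such as cut (the bug discussed above).
    out=$(${RESOLVER:-host} "$1") || return 1
    printf '%s\n' "$out" | extract_ipv4 |
    while IFS= read -r ip; do
        printf 'ufw allow proto tcp from %s to any\n' "$ip"
    done
}

# Constructed stand-in for `host` (sample output and exit status).
fake_host() {
    case $1 in
        client1.dyndns.org) echo "$1 has address 192.0.2.10" ;;
        multi.example) printf '%s\n' "$1 is an alias for a.example." \
            "a.example has address 198.51.100.7" \
            "a.example has IPv6 address 2001:db8::1" ;;
        *) echo "Host $1 not found: 3(NXDOMAIN)"; return 1 ;;
    esac
}

for h in client1.dyndns.org gone.dyndns.org; do
    RESOLVER=fake_host rules_for "$h" || echo "skip $h: lookup failed" >&2
done
```

Leave RESOLVER unset to call the real host command, and review the printed rules before applying them.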
