@jabez007
Created February 12, 2018 15:10
My bash script to configure DNS and IPTables for my final exam
#!/bin/bash
# Set the internal field separator
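IFS=$'\n'
# Stop listeners left over from an earlier run of this script, so the port
# scan further down only sees the ones this run opens. Note this kills every
# ncat process on the host, not just ours.
pkill ncat
####################
# regex pattern for IP addresses (ERE, used with grep -E below)
grep_ip="[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
# Get the interface used for the internet (probably also used for LAN)
# does not open any connection out, it just shows the route needed to get to Google's DNS.
# The word after "dev" in the route line is the interface; take the first hit only.
my_interface=$(ip route get 8.8.8.8 | awk '{for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }}')
if [[ -z "$my_interface" ]]; then
  # Everything after this point (zone file, nmap target) needs a real address,
  # so stop here instead of writing empty records.
  printf '%s\n' "Could not determine the outbound interface from 'ip route get 8.8.8.8'" >&2
  exit 1
fi
# Then use that to get our assigned IP address on the network.
# head -n 1: an interface with several IPv4 addresses would otherwise yield a
# multi-line value that ends up verbatim in the zone file and the nmap target.
my_ip=$(ip addr show "$my_interface" | grep -oE "inet $grep_ip" | head -n 1 | cut -d " " -f 2)
if [[ -z "$my_ip" ]]; then
  printf '%s\n' "No IPv4 address found on interface $my_interface" >&2
  exit 1
fi
echo "$my_ip"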
####################
# Reset the host name on your linux machine to your_first_name.your_last_name.com
# NOTE: hostname(1) only changes the running kernel's host name; nothing is
# written to /etc/hostname, so the name is lost on reboot (hostnamectl
# set-hostname is the persistent form). The zone below hard-codes the same
# names, so keep them in sync if either is changed.
hostname jimmy.mccann.com
####################
# Make sure the packages we need for DNS are installed
# (no -y: yum prompts for confirmation, so this part of the script is interactive)
yum makecache fast
yum install bind bind-utils
####################
# Make a copy of the named.empty zone file
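my_zonefile="/var/named/mccann.com"
cp /var/named/named.empty "$my_zonefile"
# But we are pretty much just going to overwrite the whole thing any ways

#######################################
# Write the authoritative zone for mccann.com, replacing whatever is in the file.
# Arguments: $1 - path of the zone file to (over)write
#            $2 - IPv4 address used for every A record
# Outputs:   nothing on stdout; the zone file is rewritten
# Returns:   status of the write
#######################################
write_zone_file() {
  local zonefile=$1
  local ip=$2
  # The serial is the current epoch time so each run produces a larger value;
  # secondaries only re-transfer a zone when the serial increases.
  # $TTL is escaped so the shell leaves it for named; $ip and $(date) expand.
  cat > "$zonefile" <<EOF
\$TTL 3H
@ IN SOA @ nameserver01.mccann.com. (
$(date +%s) ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS nameserver01
nameserver01 IN A $ip
jimmy IN A $ip
www IN A $ip
EOF
}

write_zone_file "$my_zonefile" "$my_ip"
# Make sure to set the group on this file to named
chgrp named "$my_zonefile"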
####################
# Backup our named.conf
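cp /etc/named.conf /etc/named.conf.bak

#######################################
# Write the named.conf for an authoritative-only server for mccann.com.
# Arguments: $1 - path to write (the live file is /etc/named.conf)
# Outputs:   nothing on stdout; $1 is overwritten
# Returns:   status of the write
# Notes:     The quoted heredoc delimiter keeps the content literal, so the
#            back-ticks below are written exactly as shown.
#            recursion is off, so this server cannot be used as an open
#            resolver. allow-query { any; } is what an authoritative server
#            needs. allow-transfer { any; } however lets any client pull the
#            whole zone with AXFR; outside a lab, restrict it to the
#            secondaries' addresses (or "none").
#######################################
write_named_conf() {
  local conf=$1
  cat > "$conf" <<'EOF'
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator`s Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
version "I`m not telling you";
listen-on port 53 { any; }; //listen-on port 53 { 127.0.0.1; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; //allow-query { localhost; };
allow-transfer { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "mccann.com" IN {
type master;
file "mccann.com";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

EOF
}

# Then write our own
write_named_conf /etc/named.conf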
####################
# And now start our named service
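# Validate the config and the zone before starting named: a typo in either
# makes named refuse the zone (or refuse to start), and the firewall rules
# below would then expose port 53 with nothing answering on it.
named-checkconf /etc/named.conf || { printf '%s\n' "/etc/named.conf failed named-checkconf" >&2; exit 1; }
named-checkzone mccann.com /var/named/mccann.com || { printf '%s\n' "zone mccann.com failed named-checkzone" >&2; exit 1; }
# And now start our named service
systemctl start named
####################
# make sure we have nmap and ncat to find which ports are good to leave open.
yum install nmap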
####################
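printf "%s\n" "======================="
printf "%s\n" "== Open Random Ports =="
printf "%s\n" "======================="

#######################################
# Banner a listener on the given port answers with. Even ports are the
# "good" ones the firewall should leave open, odd ports are the "bad" ones.
# Arguments: $1 - port number
# Outputs:   the banner text on stdout (no trailing newline)
#######################################
port_message() {
  if (( $1 % 2 == 0 )); then
    # This is even numbers
    printf '%s' "IPTABLES: This is A Good Port, keep me open"
  else
    # This is odd numbers
    printf '%s' "IPTABLES: This is a Bad Port, close me"
  fi
}

# -r keeps a backslash in the answer literal
read -r -p "How many ports would you like to open? " numPorts
printf "How many ports?: %s\n" "$numPorts"
# Anything that is not a whole number (including an empty answer, e.g. EOF on
# stdin) would make the loop below misbehave; treat it as "open nothing".
if [[ ! "$numPorts" =~ ^[0-9]+$ ]]; then
  printf '%s\n' "Not a number, opening no ports" >&2
  numPorts=0
fi
for (( x = 1; x <= numPorts; x++ )); do
  tempRandom=$RANDOM
  # $RANDOM can be 0, which is not a port that can be listened on; draw again
  while (( tempRandom == 0 )); do
    tempRandom=$RANDOM
  done
  # printf "NetCat is listening on port number: %d\n" $tempRandom
  # In --listen mode --source-port is the port listened on; --keep-open keeps
  # the listener up after the first connection so the scan can reach all of
  # them. The banner is a fixed string chosen here, not client input.
  ncat -4 --keep-open --listen --source-port "$tempRandom" --sh-exec "printf '%s\n' '$(port_message "$tempRandom")'" &
done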
####################
# We need to bring the firewall down to make port scanning faster
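# We need to bring the firewall down to make port scanning faster.
# NOTE: from here until the new rule set is loaded at the end of the script,
# every listener on the host is reachable from the network; the full
# 1-65535 scan below is the longest part of that window.
systemctl stop iptables

#######################################
# Pull the port numbers of the "good" listeners out of nmap's output.
# Reads nmap's normal output on stdin. The banner script prints each
# listener's banner on the line after its "NNN/tcp open ..." line, so the
# line before every "Good Port" banner is that port's line. Anchoring on
# "NNN/tcp" at the start of the line avoids picking up digits from anywhere
# else in the output (and works for 1-digit ports too).
# Outputs:   one port number per line on stdout
#######################################
extract_good_ports() {
  grep -B 1 "Good Port" | grep -oE '^[0-9]+/tcp' | cut -d / -f 1
}

# make copy of stdout so we can tee nmap
exec 3>&1
# Now find which ports are good
nmap --script=banner -p 1-65535 "$my_ip" | tee /dev/fd/3 | extract_good_ports > good_ports
# Done with the stdout copy
exec 3>&-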
####################
# Now build our firewall rules
# Flush the selected chain, or all the chains in the table if none is given.
# This deletes all the rules one by one
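iptables -F
# Creates a default "Deny All" policy
# -P sets the policy for the built-in (non-user-defined) chain to either ACCEPT or DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow all traffic on the loopback interface
# -A appends the rule to the end of the selected chain
# -i gives the name of the interface via which a packet is received
iptables -A INPUT -i lo -j ACCEPT
# Prevents loopback address spoofing from outside the box
# -s gives the source ip address(es) of the incoming packet
# When the source and/or destination resolve to more than one address,
# a rule will be added for each possible address combination
iptables -A INPUT -s 127.0.0.0/8 -j DROP
# Allow outbound traffic
# -p gives the protocol of the rule or the packet to check
# -m specifies a match to use and enables stateful session handling
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow returning traffic from outbound connections
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
# Allow incoming traffic
# --dport gives the destination port for traffic
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT # open port for SSH
iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT # open port for DNS over TCP
iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT # open port for DNS over UDP

#######################################
# Check that a line read from good_ports is a usable TCP port number.
# Arguments: $1 - candidate port (one line of the scan output)
# Returns:   0 if $1 is an integer in 1..65535, 1 otherwise
#######################################
valid_port() {
  [[ "$1" =~ ^[0-9]+$ ]] && (( 10#$1 >= 1 && 10#$1 <= 65535 ))
}

echo "Good Ports left open"
#Allow our "Good Ports"
# Only well-formed port numbers become rules; anything else that ended up in
# the scan output is reported and skipped rather than handed to iptables.
while read -r line; do
  if valid_port "$line"; then
    printf '%s\n' "$line"
    iptables -A INPUT -p tcp --dport "$line" -m state --state NEW -j ACCEPT
  else
    printf 'Skipping bad port entry: %s\n' "$line" >&2
  fi
done < good_ports
# Log everything else before dropping it.
# Rate-limited: with a DROP policy every stray packet would otherwise produce
# a log line, and a single port scan could fill the log partition.
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables INPUT drop: "
iptables -A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables OUTPUT drop: "
iptables -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "iptables FORWARD drop: "
# Save our iptables configuration, keeping a dated copy of the previous one
# (if there is one; a fresh install has no saved rule set yet)
if [[ -f /etc/sysconfig/iptables ]]; then
  cp /etc/sysconfig/iptables "/etc/sysconfig/iptables.$(date +%s)"
fi
iptables-save > /etc/sysconfig/iptables
# Put our rules into effect (the service reloads the file just saved)
systemctl start iptables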
####################
# Restore the default field separator (the script set IFS to newline at the top)
unset IFS
exit 0