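#!/usr/local/bin/expect
#
# Script install protocol explicit permit network access rules
# In accordance to cisco-sa20030717 / CERT VU#411332 Interface
# Buffer Overflow Attack. Inbound filters installed on router
# Interfaces facing unsecured networks protects against attack
# Inbound filters defining what can be sent out protects
# against having a node on your site launch an attack.
#
# TCP and UDP are required for most applications to function
# your location may require additional protocols i.e.,
# GRE (Protocol 47) ESP (protocol 50) AHP (protocol 51) for
# Tunneling and IPSEC and OSPF (protocol 89) or EIGRP (protocol 88)
# for IGP routing. Check ACL Templates before installing.
#
# This script is freely distributable, feel free to make modifications
# just be sure to pass them on to others and helpful during
# this time of crisis.
#
# Command syntax
#
#   expect <this-script> host USER PASS ENPASS ACLNAME INT INTIP FDIR NET DIR MASK
#
#   host     router to connect to (handed to telnet)
#   USER     login name sent at the "Username:" prompt
#   PASS     login password
#   ENPASS   enable password
#   ACLNAME  access-list number/name the rules are written under
#   INT      interface the list is applied to ("interface $INT")
#   INTIP    that interface's own address; gets an explicit tcp host permit
#   FDIR     "in" or "out", passed straight to "ip access-group $ACLNAME $FDIR"
#   NET      network prefix the permits are scoped to, or the word "any"
#   DIR      "-in" or "-out"; selects the template (ignored when NET is "any")
#   MASK     wildcard mask belonging to NET
#
# NOTE: PASS and ENPASS are command-line arguments, so they are visible in
# "ps" output and shell history on the host running this script, and the
# telnet session carries them across the network in clear text.
#

# All parameters are positional. With fewer than 11 arguments, lindex
# silently returns "" and the router would receive half-formed commands,
# so refuse to start instead.
if {[llength $argv] < 11} {
  puts stderr "usage: $argv0 host USER PASS ENPASS ACLNAME INT INTIP FDIR NET DIR MASK"
  exit 2
}

set host    [lindex $argv 0]
set USER    [lindex $argv 1]
set PASS    [lindex $argv 2]
set ENPASS  [lindex $argv 3]
set ACLNAME [lindex $argv 4]
set INT     [lindex $argv 5]
set INTIP   [lindex $argv 6]
set FDIR    [lindex $argv 7]
set NET     [lindex $argv 8]
set DIR     [lindex $argv 9]
set MASK    [lindex $argv 10]

# Each template below is sent to the router verbatim, one IOS command per
# line. Lines beginning with "!" are comments to IOS and are skipped, so
# the tunnelling / IGP protocols that the file header calls site-dependent
# are listed but disabled: remove the leading "!" from the ones you need.
# Everything not explicitly permitted is dropped by the implicit deny at
# the end of the list, which is the point of the filter.

# This ACL is invoked when the filter orientation -in flag is used
# The ACL permits traffic from any src to a specific network prefix
set ACLIN "
access-list $ACLNAME deny tcp any any fragments log-input
access-list $ACLNAME permit tcp any host $INTIP
access-list $ACLNAME permit tcp any $NET $MASK
access-list $ACLNAME permit udp any $NET $MASK
! Remove the leading ! from the protocols you allow inbound
! access-list $ACLNAME permit gre any $NET $MASK
! access-list $ACLNAME permit esp any $NET $MASK
! access-list $ACLNAME permit ahp any $NET $MASK
! access-list $ACLNAME permit ospf any any
! access-list $ACLNAME permit igrp any any
! access-list $ACLNAME permit eigrp any any
access-list $ACLNAME permit icmp any $NET $MASK echo
access-list $ACLNAME permit icmp any $NET $MASK echo-reply
access-list $ACLNAME permit icmp any $NET $MASK net-redirect log-input
access-list $ACLNAME permit icmp any $NET $MASK host-redirect log-input
access-list $ACLNAME permit icmp any $NET $MASK source-quench
access-list $ACLNAME permit icmp any $NET $MASK ttl-exceeded
access-list $ACLNAME permit icmp any $NET $MASK unreachable
"

# This ACL is invoked when the filter orientation -out flag is used
# The ACL permits traffic from a specific network prefix to any dest
set ACLOU "
access-list $ACLNAME deny tcp any any fragments log-input
access-list $ACLNAME permit tcp host $INTIP any
access-list $ACLNAME permit tcp $NET $MASK any
access-list $ACLNAME permit udp $NET $MASK any
! Remove the leading ! from the protocols you allow outbound
! access-list $ACLNAME permit gre $NET $MASK any
! access-list $ACLNAME permit esp $NET $MASK any
! access-list $ACLNAME permit ahp $NET $MASK any
! access-list $ACLNAME permit ospf any any
! access-list $ACLNAME permit igrp any any
! access-list $ACLNAME permit eigrp any any
access-list $ACLNAME permit icmp $NET $MASK any echo
access-list $ACLNAME permit icmp $NET $MASK any echo-reply
access-list $ACLNAME permit icmp $NET $MASK any net-redirect log-input
access-list $ACLNAME permit icmp $NET $MASK any host-redirect log-input
access-list $ACLNAME permit icmp $NET $MASK any source-quench
access-list $ACLNAME permit icmp $NET $MASK any ttl-exceeded
access-list $ACLNAME permit icmp $NET $MASK any unreachable
"

# This ACL can be applied to any interface in either direction
set ACLANY "
access-list $ACLNAME deny tcp any any fragments log-input
access-list $ACLNAME permit tcp host $INTIP any
access-list $ACLNAME permit tcp any any
access-list $ACLNAME permit udp any any
! Remove the leading ! from the protocols you wish to permit
! access-list $ACLNAME permit gre any any
! access-list $ACLNAME permit esp any any
! access-list $ACLNAME permit ahp any any
! access-list $ACLNAME permit ospf any any
! access-list $ACLNAME permit igrp any any
! access-list $ACLNAME permit eigrp any any
access-list $ACLNAME permit icmp any any echo
access-list $ACLNAME permit icmp any any echo-reply
access-list $ACLNAME permit icmp any any net-redirect log-input
access-list $ACLNAME permit icmp any any host-redirect log-input
access-list $ACLNAME permit icmp any any source-quench
access-list $ACLNAME permit icmp any any ttl-exceeded
access-list $ACLNAME permit icmp any any unreachable
"

# Decide the orientation of the ACL. Without the final else an unknown
# DIR leaves ACL unset and the script dies at "send $ACL" with the router
# already sitting in config mode.
if {[string equal $NET "any"]} {
  set ACL $ACLANY
} elseif {[string equal $DIR "-in"]} {
  set ACL $ACLIN
} elseif {[string equal $DIR "-out"]} {
  set ACL $ACLOU
} else {
  puts stderr "DIR must be -in or -out (got \"$DIR\") unless NET is \"any\""
  exit 2
}
#puts stdout $ACL

# Expect's default timeout is 10 s; "copy run start" on a busy box can take
# longer than that, and a timeout here is fatal (see expect_after below).
set timeout 30

# Set how you want to connect to the router Telnet or SSH
spawn telnet -K $host

# Do Not Edit Below This Line
#
# A prompt that never shows up, or a dropped connection, aborts the run.
# Without this, a timed-out expect returns normally and the next send
# fires blind at whatever prompt the router is really showing.
expect_after {
  timeout {puts stderr "timed out waiting for $host"; exit 1}
  eof     {puts stderr "connection to $host closed"; exit 1}
}

# Login. Routers with a username prompt get USER first; others go straight
# to "Password: ". The second expect covers whichever prompt follows.
expect "Username:" {send "$USER\r"} \
       "word: "    {send "$PASS\r"} \
       "refused"   exit
expect "Password: " {send "$PASS\r"} \
       ">"          {send "enable\r"}
#
# Enter into Enable Mode
#
# These must stay two separate expect commands. Joining them with a
# trailing backslash turns the word "expect" into a pattern of the first
# command and the enable password is never sent.
expect ">"         {send "enable\r"} \
       "Password:" {send "$ENPASS\r"}
expect "Password:" {send "$ENPASS\r"} \
       "#"         {send "\r"}
#
# Push the chosen template, bind it to the interface and save.
# FDIR is not validated here; IOS rejects anything other than in/out.
#
expect "#"
send "config t\r"
expect "(config)#"
send "$ACL\r"
expect "(config)#"
send "interface $INT\r"
expect "(config-if)#"
send "ip access-group $ACLNAME $FDIR\r"
expect "(config-if)#"
send "exit\r"
expect "(config)#"
send "exit\r"
expect "#"
send "copy run start\r"
expect "config]?"
send "\r"
expect "#"
send "exit\r"
puts stdout "ACL $ACLNAME Installed on $host Interface $INT"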