在suse上折腾iptables

需求背景:有台服务器希望屏蔽掉某IP对它的SSH连接。

临时客串下DevOps,下面的做法可能在专业运维的同学里不太专业,还请指教。

该服务器的操作系统是SuSE Linux,服务器上是安装了iptables,但是没有启用,也没用加入服务组。

所以我手动把它加入了系统服务中,并创建了一些必要文件:

/etc/init.d/iptables

#!/bin/sh
#
# iptables      Start iptables firewall
#
# chkconfig: 2345 08 92
# description:  Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO

# Source function library.
. /etc/init.d/functions

IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES

# only usable for root
[ $EUID = 0 ] || exit 4

if [ ! -x /sbin/$IPTABLES ]; then
    echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
    exit 5
fi

# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q module-init-tools     && NEW_MODUTILS=1     || NEW_MODUTILS=0

# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
IPTABLES_SYSCTL_LOAD_LIST=""

# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

# Netfilter modules
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6

# Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)

rmmod_r() {
    # Unload module with all referring modules.
    # At first all referring modules will be unloaded, then the module itself.
    local mod=$1
    local ret=0
    local ref=

    # Get referring modules.
    # New modutils have another output format.
    [ $NEW_MODUTILS = 1 ]         && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ‘,‘ ‘ ‘)         || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)

    # recursive call for all referring modules
    for i in $ref; do
        rmmod_r $i
        let ret+=$?;
    done

    # Unload module.
    # The extra test is for 2.6: The module might have autocleaned,
    # after all referring modules are unloaded.
    if grep -q "^${mod}" /proc/modules ; then
        modprobe -r $mod > /dev/null 2>&1
        res=$?
        [ $res -eq 0 ] || echo -n " $mod"
        let ret+=$res;
    fi

    return $ret
}

flush_n_delete() {
    # Flush firewall rules and delete chains.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables)
    [ -z "$NF_TABLES" ] && return 1

    echo -n $"${IPTABLES}: Flushing firewall rules: "
    ret=0
    # For all tables
    for i in $NF_TABLES; do
        # Flush firewall rules.
        $IPTABLES -t $i -F;
        let ret+=$?;

        # Delete firewall chains.
        $IPTABLES -t $i -X;
        let ret+=$?;

        # Set counter to zero.
        $IPTABLES -t $i -Z;
        let ret+=$?;
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

set_policy() {
    # Set policy for configured tables.
    policy=$1

    # Check if iptable module is loaded
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables)
    tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    [ -z "$tables" ] && return 1

    echo -n $"${IPTABLES}: Setting chains to policy $policy: "
    ret=0
    for i in $tables; do
        echo -n "$i "
        case "$i" in
            raw)
                $IPTABLES -t raw -P PREROUTING $policy                     && $IPTABLES -t raw -P OUTPUT $policy                     || let ret+=1
                ;;
            filter)
                $IPTABLES -t filter -P INPUT $policy                     && $IPTABLES -t filter -P OUTPUT $policy                     && $IPTABLES -t filter -P FORWARD $policy                     || let ret+=1
                ;;
            nat)
                $IPTABLES -t nat -P PREROUTING $policy                     && $IPTABLES -t nat -P POSTROUTING $policy                     && $IPTABLES -t nat -P OUTPUT $policy                     || let ret+=1
                ;;
            mangle)
                $IPTABLES -t mangle -P PREROUTING $policy                     && $IPTABLES -t mangle -P POSTROUTING $policy                     && $IPTABLES -t mangle -P INPUT $policy                     && $IPTABLES -t mangle -P OUTPUT $policy                     && $IPTABLES -t mangle -P FORWARD $policy                     || let ret+=1
                ;;
            *)
                let ret+=1
                ;;
        esac
    done

    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

load_sysctl() {
    # load matched sysctl values
    if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
        echo -n $"Loading sysctl settings: "
        ret=0
        for item in $IPTABLES_SYSCTL_LOAD_LIST; do
            fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null
            let ret+=$?;
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi
    return $ret
}

start() {
    # Do not start if there is no config file.
    [ ! -f "$IPTABLES_DATA" ] && return 6

    # check if ipv6 module load is deactivated
    if [ "${_IPV}" = "ipv6" ]         && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
        echo $"${IPTABLES}: ${_IPV} is disabled."
        return 150
    fi

    echo -n $"${IPTABLES}: Applying firewall rules: "

    OPT=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    $IPTABLES-restore $OPT $IPTABLES_DATA
    if [ $? -eq 0 ]; then
        success; echo
    else
        failure; echo;
        if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
            echo -n $"${IPTABLES}: Applying firewall fallback rules: "
            $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
            if [ $? -eq 0 ]; then
                success; echo
            else
                failure; echo; return 1
            fi
        else
            return 1
        fi
    fi

    # Load additional modules (helpers)
    if [ -n "$IPTABLES_MODULES" ]; then
        echo -n $"${IPTABLES}: Loading additional modules: "
        ret=0
        for mod in $IPTABLES_MODULES; do
            echo -n "$mod "
            modprobe $mod > /dev/null 2>&1
            let ret+=$?;
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    # Load sysctl settings
    load_sysctl

    touch $VAR_SUBSYS_IPTABLES
    return $ret
}

stop() {
    # Do not stop if iptables module is not loaded.
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    flush_n_delete
    set_policy ACCEPT

    if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
        echo -n $"${IPTABLES}: Unloading modules: "
        ret=0
        for mod in ${NF_MODULES[*]}; do
            rmmod_r $mod
            let ret+=$?;
        done
        # try to unload remaining netfilter modules used by ipv4 and ipv6
        # netfilter
        for mod in ${NF_MODULES_COMMON[*]}; do
            rmmod_r $mod >/dev/null
        done
        [ $ret -eq 0 ] && success || failure
        echo
    fi

    rm -f $VAR_SUBSYS_IPTABLES
    return $ret
}

save() {
    # Check if iptable module is loaded
    [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0

    # Check if firewall is configured (has tables)
    [ -z "$NF_TABLES" ] && return 6

    echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "

    OPT=
    [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"

    ret=0
    TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX)         && chmod 600 "$TMP_FILE"         && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null         && size=$(stat -c ‘%s‘ $TMP_FILE) && [ $size -gt 0 ]         || ret=1
    if [ $ret -eq 0 ]; then
        if [ -e $IPTABLES_DATA ]; then
            cp -f $IPTABLES_DATA $IPTABLES_DATA.save                 && chmod 600 $IPTABLES_DATA.save                 && restorecon $IPTABLES_DATA.save                 || ret=1
        fi
        if [ $ret -eq 0 ]; then
            mv -f $TMP_FILE $IPTABLES_DATA                 && chmod 600 $IPTABLES_DATA                 && restorecon $IPTABLES_DATA                 || ret=1
        fi
    fi
    rm -f $TMP_FILE
    [ $ret -eq 0 ] && success || failure
    echo
    return $ret
}

status() {
    if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not running."
        return 3
    fi

    # Do not print status if lockfile is missing and iptables modules are not
    # loaded.
    # Check if iptable modules are loaded
    if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
        echo $"${IPTABLES}: Firewall modules are not loaded."
        return 3
    fi

    # Check if firewall is configured (has tables)
    if [ -z "$NF_TABLES" ]; then
        echo $"${IPTABLES}: Firewall is not configured. "
        return 3
    fi

    NUM=
    [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
    VERBOSE=
    [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
    COUNT=
    [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"

    for table in $NF_TABLES; do
        echo $"Table: $table"
        $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
    done

    return 0
}

restart() {
    [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
    stop
    start
}

case "$1" in
    start)
        [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
        start
        RETVAL=$?
        ;;
    stop)
        [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
        stop
        RETVAL=$?
        ;;
    restart|force-reload)
        restart
        RETVAL=$?
        ;;
    reload)
        # unimplemented
        RETVAL=3
        ;;
    condrestart|try-restart)
        [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    panic)
        flush_n_delete
        set_policy DROP
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
        RETVAL=2
        ;;
esac

exit $RETVAL

/etc/init.d/functions

# -*-Shell-script-*-
#
# functions    This file contains functions to be used by most or all
#        shell scripts in the /etc/init.d directory.
#

TEXTDOMAIN=initscripts

# Make sure umask is sane
umask 022

# Set up a default search path.
PATH="/sbin:/usr/sbin:/bin:/usr/bin"
export PATH

# Get a sane screen width
[ -z "${COLUMNS:-}" ] && COLUMNS=80

[ -z "${CONSOLETYPE:-}" ] && CONSOLETYPE="`/sbin/consoletype`"

if [ -f /etc/sysconfig/i18n -a -z "${NOLOCALE:-}" ] ; then
  . /etc/profile.d/lang.sh
fi

# Read in our configuration
if [ -z "${BOOTUP:-}" ]; then
  if [ -f /etc/sysconfig/init ]; then
      . /etc/sysconfig/init
  else
    # This all seem confusing? Look in /etc/sysconfig/init,
    # or in /usr/doc/initscripts-*/sysconfig.txt
    BOOTUP=color
    RES_COL=60
    MOVE_TO_COL="echo -en \\033[${RES_COL}G"
    SETCOLOR_SUCCESS="echo -en \\033[1;32m"
    SETCOLOR_FAILURE="echo -en \\033[1;31m"
    SETCOLOR_WARNING="echo -en \\033[1;33m"
    SETCOLOR_NORMAL="echo -en \\033[0;39m"
    LOGLEVEL=1
  fi
  if [ "$CONSOLETYPE" = "serial" ]; then
      BOOTUP=serial
      MOVE_TO_COL=
      SETCOLOR_SUCCESS=
      SETCOLOR_FAILURE=
      SETCOLOR_WARNING=
      SETCOLOR_NORMAL=
  fi
fi

if [ "${BOOTUP:-}" != "verbose" ]; then
   INITLOG_ARGS="-q"
else
   INITLOG_ARGS=
fi

# Interpret escape sequences in an fstab entry
fstab_decode_str() {
    fstab-decode echo "$1"
}

# Check if $pid (could be plural) are running
checkpid() {
    local i

    for i in $* ; do
        [ -d "/proc/$i" ] && return 0
    done
    return 1
}

__readlink() {
    ls -bl "[email protected]" 2>/dev/null| awk ‘{ print $NF }‘
}

# __umount_loop awk_program fstab_file first_msg retry_msg umount_args
# awk_program should process fstab_file and return a list of fstab-encoded
# paths; it doesn‘t have to handle comments in fstab_file.
__umount_loop() {
    local remaining sig=
    local retry=3

    remaining=$(LC_ALL=C awk "/^#/ {next} $1" "$2" | sort -r)
    while [ -n "$remaining" -a "$retry" -gt 0 ]; do
        if [ "$retry" -eq 3 ]; then
            action "$3" fstab-decode umount $5 $remaining
        else
            action "$4" fstab-decode umount $5 $remaining
        fi
        sleep 2
        remaining=$(LC_ALL=C awk "/^#/ {next} $1" "$2" | sort -r)
        [ -z "$remaining" ] && break
        fstab-decode /sbin/fuser -k -m $sig $remaining >/dev/null
        sleep 5
        retry=$(($retry -1))
        sig=-9
    done
}

# Similar to __umount loop above, specialized for loopback devices
__umount_loopback_loop() {
    local remaining devremaining sig=
    local retry=3

    remaining=$(awk ‘$1 ~ /^\/dev\/loop/ && $2 != "/" {print $2}‘ /proc/mounts)
    devremaining=$(awk ‘$1 ~ /^\/dev\/loop/ && $2 != "/" {print $1}‘ /proc/mounts)
    while [ -n "$remaining" -a "$retry" -gt 0 ]; do
        if [ "$retry" -eq 3 ]; then
            action $"Unmounting loopback filesystems: "                 fstab-decode umount $remaining
        else
            action $"Unmounting loopback filesystems (retry):"                 fstab-decode umount $remaining
        fi
        for dev in $devremaining ; do
            losetup $dev > /dev/null 2>&1 &&                 action $"Detaching loopback device $dev: "                 losetup -d $dev
        done
        remaining=$(awk ‘$1 ~ /^\/dev\/loop/ && $2 != "/" {print $2}‘ /proc/mounts)
        devremaining=$(awk ‘$1 ~ /^\/dev\/loop/ && $2 != "/" {print $1}‘ /proc/mounts)
        [ -z "$remaining" ] && break
        fstab-decode /sbin/fuser -k -m $sig $remaining >/dev/null
        sleep 5
        retry=$(($retry -1))
        sig=-9
    done
}

# __proc_pids {program} [pidfile]
# Set $pid to pids from /var/run* for {program}.  $pid should be declared
# local in the caller.
# Returns LSB exit code for the ‘status‘ action.
__pids_var_run() {
    local base=${1##*/}
    local pid_file=${2:-/var/run/$base.pid}

    pid=
    if [ -f "$pid_file" ] ; then
            local line p
        read line < "$pid_file"
        for p in $line ; do
            [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p"
        done
            if [ -n "$pid" ]; then
                    return 0
            fi
        return 1 # "Program is dead and /var/run pid file exists"
    fi
    return 3 # "Program is not running"
}

# Output PIDs of matching processes, found using pidof
__pids_pidof() {
    pidof -c -o $$ -o $PPID -o %PPID -x "$1" ||         pidof -c -o $$ -o $PPID -o %PPID -x "${1##*/}"
}

# A function to start a program.
daemon() {
    # Test syntax.
    local gotbase= force= nicelevel corelimit
    local pid base= user= nice= bg= pid_file=
    nicelevel=0
    while [ "$1" != "${1##[-+]}" ]; do
      case $1 in
        ‘‘)    echo $"$0: Usage: daemon [+/-nicelevel] {program}"
               return 1;;
        --check)
           base=$2
           gotbase="yes"
           shift 2
           ;;
        --check=?*)
               base=${1#--check=}
           gotbase="yes"
           shift
           ;;
        --user)
           user=$2
           shift 2
           ;;
        --user=?*)
               user=${1#--user=}
           shift
           ;;
        --pidfile)
           pid_file=$2
           shift 2
           ;;
        --pidfile=?*)
           pid_file=${1#--pidfile=}
           shift
           ;;
        --force)
               force="force"
           shift
           ;;
        [-+][0-9]*)
               nice="nice -n $1"
               shift
           ;;
        *)     echo $"$0: Usage: daemon [+/-nicelevel] {program}"
               return 1;;
      esac
    done

        # Save basename.
        [ -z "$gotbase" ] && base=${1##*/}

        # See if it‘s already running. Look *only* at the pid file.
    __pids_var_run "$base" "$pid_file"

    [ -n "$pid" -a -z "$force" ] && return

    # make sure it doesn‘t core dump anywhere unless requested
    corelimit="ulimit -S -c ${DAEMON_COREFILE_LIMIT:-0}"

    # if they set NICELEVEL in /etc/sysconfig/foo, honor it
    [ -n "${NICELEVEL:-}" ] && nice="nice -n $NICELEVEL"

    # Echo daemon
        [ "${BOOTUP:-}" = "verbose" -a -z "${LSB:-}" ] && echo -n " $base"

    # And start it up.
    if [ -z "$user" ]; then
       $nice /bin/bash -c "$corelimit >/dev/null 2>&1 ; $*"
    else
       $nice runuser -s /bin/bash - $user -c "$corelimit >/dev/null 2>&1 ; $*"
    fi
    [ "$?" -eq 0 ] && success $"$base startup" || failure $"$base startup"
}

# A function to stop a program.
killproc() {
    local RC killlevel= base pid pid_file= delay

    RC=0; delay=3
    # Test syntax.
    if [ "$#" -eq 0 ]; then
        echo $"Usage: killproc [-p pidfile] [ -d delay] {program} [-signal]"
        return 1
    fi
    if [ "$1" = "-p" ]; then
        pid_file=$2
        shift 2
    fi
    if [ "$1" = "-d" ]; then
        delay=$2
        shift 2
    fi

    # check for second arg to be kill level
    [ -n "${2:-}" ] && killlevel=$2

        # Save basename.
        base=${1##*/}

        # Find pid.
    __pids_var_run "$1" "$pid_file"
    if [ -z "$pid_file" -a -z "$pid" ]; then
        pid="$(__pids_pidof "$1")"
    fi

        # Kill it.
        if [ -n "$pid" ] ; then
                [ "$BOOTUP" = "verbose" -a -z "${LSB:-}" ] && echo -n "$base "
        if [ -z "$killlevel" ] ; then
               if checkpid $pid 2>&1; then
               # TERM first, then KILL if not dead
               kill -TERM $pid >/dev/null 2>&1
               usleep 100000
               if checkpid $pid && sleep 1 &&
                  checkpid $pid && sleep $delay &&
                  checkpid $pid ; then
                                kill -KILL $pid >/dev/null 2>&1
                usleep 100000
               fi
                fi
            checkpid $pid
            RC=$?
            [ "$RC" -eq 0 ] && failure $"$base shutdown" || success $"$base shutdown"
            RC=$((! $RC))
        # use specified level only
        else
                if checkpid $pid; then
                        kill $killlevel $pid >/dev/null 2>&1
                RC=$?
                [ "$RC" -eq 0 ] && success $"$base $killlevel" || failure $"$base $killlevel"
            elif [ -n "${LSB:-}" ]; then
                RC=7 # Program is not running
            fi
        fi
    else
        if [ -n "${LSB:-}" -a -n "$killlevel" ]; then
            RC=7 # Program is not running
        else
            failure $"$base shutdown"
            RC=0
        fi
    fi

        # Remove pid file if any.
    if [ -z "$killlevel" ]; then
            rm -f "${pid_file:-/var/run/$base.pid}"
    fi
    return $RC
}

# A function to find the pid of a program. Looks *only* at the pidfile
pidfileofproc() {
    local pid

    # Test syntax.
    if [ "$#" = 0 ] ; then
        echo $"Usage: pidfileofproc {program}"
        return 1
    fi

    __pids_var_run "$1"
    [ -n "$pid" ] && echo $pid
    return 0
}

# A function to find the pid of a program.
pidofproc() {
    local RC pid pid_file=

    # Test syntax.
    if [ "$#" = 0 ]; then
        echo $"Usage: pidofproc [-p pidfile] {program}"
        return 1
    fi
    if [ "$1" = "-p" ]; then
        pid_file=$2
        shift 2
    fi
    fail_code=3 # "Program is not running"

    # First try "/var/run/*.pid" files
    __pids_var_run "$1" "$pid_file"
    RC=$?
    if [ -n "$pid" ]; then
        echo $pid
        return 0
    fi

    [ -n "$pid_file" ] && return $RC
    __pids_pidof "$1" || return $RC
}

status() {
    local base pid pid_file=

    # Test syntax.
    if [ "$#" = 0 ] ; then
        echo $"Usage: status [-p pidfile] {program}"
        return 1
    fi
    if [ "$1" = "-p" ]; then
        pid_file=$2
        shift 2
    fi
    base=${1##*/}

    # First try "pidof"
    __pids_var_run "$1" "$pid_file"
    RC=$?
    if [ -z "$pid_file" -a -z "$pid" ]; then
        pid="$(__pids_pidof "$1")"
    fi
    if [ -n "$pid" ]; then
            echo $"${base} (pid $pid) is running..."
            return 0
    fi

    case "$RC" in
        0)
            echo $"${base} (pid $pid) is running..."
            return 0
            ;;
        1)
                    echo $"${base} dead but pid file exists"
                    return 1
            ;;
    esac
    # See if /var/lock/subsys/${base} exists
    if [ -f /var/lock/subsys/${base} ]; then
        echo $"${base} dead but subsys locked"
        return 2
    fi
    echo $"${base} is stopped"
    return 3
}

echo_success() {
  [ "$BOOTUP" = "color" ] && $MOVE_TO_COL
  echo -n "["
  [ "$BOOTUP" = "color" ] && $SETCOLOR_SUCCESS
  echo -n $"  OK  "
  [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
  echo -n "]"
  echo -ne "\r"
  return 0
}

echo_failure() {
  [ "$BOOTUP" = "color" ] && $MOVE_TO_COL
  echo -n "["
  [ "$BOOTUP" = "color" ] && $SETCOLOR_FAILURE
  echo -n $"FAILED"
  [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
  echo -n "]"
  echo -ne "\r"
  return 1
}

echo_passed() {
  [ "$BOOTUP" = "color" ] && $MOVE_TO_COL
  echo -n "["
  [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING
  echo -n $"PASSED"
  [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
  echo -n "]"
  echo -ne "\r"
  return 1
}

echo_warning() {
  [ "$BOOTUP" = "color" ] && $MOVE_TO_COL
  echo -n "["
  [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING
  echo -n $"WARNING"
  [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
  echo -n "]"
  echo -ne "\r"
  return 1
}

# Inform the graphical boot of our current state
update_boot_stage() {
  if [ "$GRAPHICAL" = "yes" -a -x /usr/bin/rhgb-client ]; then
    /usr/bin/rhgb-client --update="$1"
  fi
  return 0
}

# Log that something succeeded
success() {
  #if [ -z "${IN_INITLOG:-}" ]; then
  #   initlog $INITLOG_ARGS -n $0 -s "$1" -e 1
  #fi
  [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_success
  return 0
}

# Log that something failed
failure() {
  local rc=$?
  #if [ -z "${IN_INITLOG:-}" ]; then
  #   initlog $INITLOG_ARGS -n $0 -s "$1" -e 2
  #fi
  [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_failure
  [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
  return $rc
}

# Log that something passed, but may have had errors. Useful for fsck
passed() {
  local rc=$?
  #if [ -z "${IN_INITLOG:-}" ]; then
  #   initlog $INITLOG_ARGS -n $0 -s "$1" -e 1
  #fi
  [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_passed
  return $rc
}  

# Log a warning
warning() {
  local rc=$?
  #if [ -z "${IN_INITLOG:-}" ]; then
  #   initlog $INITLOG_ARGS -n $0 -s "$1" -e 1
  #fi
  [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_warning
  return $rc
}  

# Run some action. Log its output.
action() {
  local STRING rc

  STRING=$1
  echo -n "$STRING "
  if [ "${RHGB_STARTED:-}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then
      echo -n "$STRING " > /etc/rhgb/temp/rhgb-console
  fi
  shift
  "[email protected]" && success $"$STRING" || failure $"$STRING"
  rc=$?
  echo
  if [ "${RHGB_STARTED:-}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then
      if [ "$rc" = "0" ]; then
          echo_success > /etc/rhgb/temp/rhgb-console
      else
        echo_failure > /etc/rhgb/temp/rhgb-console
    [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
      fi
      echo > /etc/rhgb/temp/rhgb-console
  fi
  return $rc
}

# returns OK if $1 contains $2
strstr() {
  [ "${1#*$2*}" = "$1" ] && return 1
  return 0
}

# Confirm whether we really want to run this service
confirm() {
  [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
  while : ; do
      echo -n $"Start service $1 (Y)es/(N)o/(C)ontinue? [Y] "
      read answer
      if strstr $"yY" "$answer" || [ "$answer" = "" ] ; then
         return 0
      elif strstr $"cC" "$answer" ; then
     rm -f /var/run/confirm
     [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=no
         return 2
      elif strstr $"nN" "$answer" ; then
         return 1
      fi
  done
}

# resolve a device node to its major:minor numbers in decimal or hex
get_numeric_dev() {
(
    fmt="%d:%d"
    if [ "$1" == "hex" ]; then
        fmt="%x:%x"
    fi
    ls -lH "$2" | awk ‘{ sub(/,/, "", $5); printf("‘"$fmt"‘", $5, $6); }‘
) 2>/dev/null
}

# find the working name for a running dm device with the same table as one
# that dmraid would create
resolve_dm_name() {
(
    name="$1"

    line=$(/sbin/dmraid -ay -t --ignorelocking |         egrep -iv "no block devices found|No RAID disks" |         awk -F ‘:‘ "{ if (\$1 ~ /^$name$/) { print \$2; }}")
    for x in $line ; do
        if [[ "$x" =~ "^/dev/" ]] ; then
            majmin=$(get_numeric_dev dec $x)
            line=$(echo "$line" | sed -e "s,$x\( \|$\),$majmin\1,g")
        fi
    done
    line=$(echo "$line" | sed -e ‘s/^[ \t]*//‘ -e ‘s/[ \t]*$//‘                -e ‘s/ core [12] [[:digit:]]\+ / core [12] [[:digit:]]\\+ /‘)
    /sbin/dmsetup table |         sed -n -e "s/.*\(no block devices found\|No devices found\).*//"                -e "s/\(^[^:]\+\): $line\( \+$\|$\)/\1/p"
) 2>/dev/null
}

# Check whether file $1 is a backup or rpm-generated file and should be ignored
is_ignored_file() {
    case "$1" in
    *~ | *.bak | *.orig | *.rpmnew | *.rpmorig | *.rpmsave)
        return 0
        ;;
    esac
    return 1
}
# A sed expression to filter out the files that is_ignored_file recognizes
__sed_discard_ignored_files=‘/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d‘

/sbin/consoletype

#!/bin/sh
# consoletype shell version:)
# print current console type
# by lichmama

who | awk -F"[ /]+" ‘{print $2}‘

/etc/sysconfig/iptables

touch /etc/sysconfig/iptables

创建软连接一枚:

ln -s /usr/sbin/iptables /sbin/iptables

加入服务组:

chkconfig --add iptables

添加防火墙策略:

iptables -I INPUT -p tcp -s 192.168.5.x --dport 22 -j DROP

启动iptables:

service iptables start
时间: 2024-11-03 05:44:23

在suse上折腾iptables的相关文章

Linux主机上通过iptables实现NAT功能

实验:如下模型,node1为内网主机,IP地址为192.168.10.2:node3为外网主机,IP地址为10.72.37.177(假设此地址为公网地址),node3上提供web server和FTP Server的功能:内网主机node2主机有2块网卡,地址分别为eth0:192.168.10.1和eth2:10.72.37.91(假设此地址为公网地址): 现要求在node2上通过iptables配置实现SNAT功能,并做如下限制: 1.node1可以访问node3提供的web服务和ftp服务

Centos 6.6上 netfilter/iptables防火墙的基本用法

友情提醒:本文实验环境 vmware 10 + Centos 6.6 X86_64,文件命令请谨慎使用 1 事前必知: 1)什么是防火墙? 防火墙:工作于主机或网络边缘,对于进出的报文根据事先定义的规则做检查,被匹配到的报文作出相应处理的组件. 所以: (1)防火墙不是杀毒软件. (2)既然是根据规则检查报文,存在2个问题:规则定义严格了,使用者觉着别扭:定义松散了形同虚设,还占用内核资源. 2)centos6.6上防火墙的组件: netfilter:过滤器,内核中工作在tcp/ip网络协议栈上

在mac本上折腾android 开发环境

众所周知的原因,google的很多网站在国内无法访问,苦逼了一堆天朝程序员,下是在mac本上折腾android 开发环境的过程: 一.先下载android sdk for mac 给二个靠谱的网址: a). http://down.tech.sina.com.cn/page/45703.html b). http://mac.softpedia.com/get/Developer-Tools/Google-Android-SDK.shtml 到这个面下载后,解压到某个目录 二.设置下载的代理服务

Linux 上关于iptables

有几个命令: 1.service iptables staus 2.service iptables start 3.service iptables restart 有个配置文件/ect/sysconfig/iptables 执行第一条命令的时候发现没有任何反应,到/ect/sysconfig/目录下也没有iptables这个文件,应该是iptables没有安装,那么通过yum命令来安装 1 yum install -t iptables 参考的资料链接:http://www.cnblogs.

在 windows 上折腾 GitHub

GitHub for Windows 这是最好的方法,强烈推荐.下载GitHub for Windows. GitHub 正在开发新的桌面客户端,可以留意 这里. 在安装完 GitHub for Windows 之后,完全可以使用客户端操作,不需要输多余的命令.但是当我们需要配合其他软件使用的时候,还是得配置 git shell. 通过 Git 链接 GitHub 官方教程在 这里. 到 这里 下载 Git.安装完后打开 Git Bash. 依次输入以下命令: ls -al ~/.ssh ssh

SUSE上配置SAMBA服务

在*nix上安装samba的方法有很多,debian系的apt和.deb安装,redhat系的yum和.rpm包安装,还有通用的ios挂在安装和源代码编译安装,我介绍的是使用下载的源代码安装.原因有两点,其一是源代码安装是通用的方法,在任何机器,不同操作系统下都可以使用,其次,源代码只有一份,在samba官网可以下载,安全可靠,且在有需要的情况下可以自己拓展. 1.准备编译环境gcc和python2.7 (gcc和python是*nix的标配,但是有些机器的python版本可能过低,一般我们推荐

阿里云CentOS6上配置iptables

参考:http://blog.abv.cn/?p=50 阿里云CentOS6默认没有启动iptables 1.检查iptables状态 [[email protected] ~]# service iptables status iptables: Firewall is not running. [[email protected] ~]# 说明iptables没有启动. 如果没有安装,则使用如下命令安装 [[email protected] ~]# yum install -y iptabl

在SUSE LINUX上编译安装CouchDB1.5.0

按照这个步骤装了两台,在SUSE上安装是没有问题了,打包的话还在研究,查了一下光拷贝编译后文件有些问题. 软件版本及依赖: 1.SpiderMonkey 1.7.0 2.icu4c 4.2.1 3.libcurl 7.36.0 4.ncurses 5.9 5.openssl 1.0.1g 6.erlang R16B03 依赖 ncurses.openssl 7.couchDB 1.5.0 依赖上述所有 SpiderMonkey: js-1.7.0.tar.gz 1 tar 2 cd 3 make

2.使用iptables监控上传流量

我们可以通过在网关上添加iptables规则来监控某台主机的上传或下载流量,以下是具体步骤: 添加iptables规则: /sbin/iptables -I INPUT -s 10.0.5.110 创建数据库进行存储:只需一列, mysql> desc proxy; +-------+----------+------+-----+---------+-------+ | Field | Type     | Null | Key | Default | Extra | +-------+---