需求背景:有台服务器希望屏蔽掉某IP对它的SSH连接。
临时客串下DevOps,下面的做法可能在专业运维的同学里不太专业,还请指教。
该服务器的操作系统是SuSE Linux,服务器上是安装了iptables,但是没有启用,也没用加入服务组。
所以我手动把它加入了系统服务中,并创建了一些必要文件:
/etc/init.d/iptables
#!/bin/sh
#
# iptables Start iptables firewall
#
# chkconfig: 2345 08 92
# description: Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO
# Source function library.
. /etc/init.d/functions
IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
# only usable for root
[ $EUID = 0 ] || exit 4
if [ ! -x /sbin/$IPTABLES ]; then
echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
exit 5
fi
# Old or new modutils
/sbin/modprobe --version 2>&1 | grep -q module-init-tools && NEW_MODUTILS=1 || NEW_MODUTILS=0
# Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
IPTABLES_SYSCTL_LOAD_LIST=""
# Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
# Netfilter modules
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
# Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
rmmod_r() {
# Unload module with all referring modules.
# At first all referring modules will be unloaded, then the module itself.
local mod=$1
local ret=0
local ref=
# Get referring modules.
# New modutils have another output format.
[ $NEW_MODUTILS = 1 ] && ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ‘,‘ ‘ ‘) || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
# recursive call for all referring modules
for i in $ref; do
rmmod_r $i
let ret+=$?;
done
# Unload module.
# The extra test is for 2.6: The module might have autocleaned,
# after all referring modules are unloaded.
if grep -q "^${mod}" /proc/modules ; then
modprobe -r $mod > /dev/null 2>&1
res=$?
[ $res -eq 0 ] || echo -n " $mod"
let ret+=$res;
fi
return $ret
}
flush_n_delete() {
# Flush firewall rules and delete chains.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 1
echo -n $"${IPTABLES}: Flushing firewall rules: "
ret=0
# For all tables
for i in $NF_TABLES; do
# Flush firewall rules.
$IPTABLES -t $i -F;
let ret+=$?;
# Delete firewall chains.
$IPTABLES -t $i -X;
let ret+=$?;
# Set counter to zero.
$IPTABLES -t $i -Z;
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
set_policy() {
# Set policy for configured tables.
policy=$1
# Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Check if firewall is configured (has tables)
tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
[ -z "$tables" ] && return 1
echo -n $"${IPTABLES}: Setting chains to policy $policy: "
ret=0
for i in $tables; do
echo -n "$i "
case "$i" in
raw)
$IPTABLES -t raw -P PREROUTING $policy && $IPTABLES -t raw -P OUTPUT $policy || let ret+=1
;;
filter)
$IPTABLES -t filter -P INPUT $policy && $IPTABLES -t filter -P OUTPUT $policy && $IPTABLES -t filter -P FORWARD $policy || let ret+=1
;;
nat)
$IPTABLES -t nat -P PREROUTING $policy && $IPTABLES -t nat -P POSTROUTING $policy && $IPTABLES -t nat -P OUTPUT $policy || let ret+=1
;;
mangle)
$IPTABLES -t mangle -P PREROUTING $policy && $IPTABLES -t mangle -P POSTROUTING $policy && $IPTABLES -t mangle -P INPUT $policy && $IPTABLES -t mangle -P OUTPUT $policy && $IPTABLES -t mangle -P FORWARD $policy || let ret+=1
;;
*)
let ret+=1
;;
esac
done
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
load_sysctl() {
# load matched sysctl values
if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
echo -n $"Loading sysctl settings: "
ret=0
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
return $ret
}
start() {
# Do not start if there is no config file.
[ ! -f "$IPTABLES_DATA" ] && return 6
# check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi
echo -n $"${IPTABLES}: Applying firewall rules: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
$IPTABLES-restore $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo;
if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
echo -n $"${IPTABLES}: Applying firewall fallback rules: "
$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; return 1
fi
else
return 1
fi
fi
# Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi
# Load sysctl settings
load_sysctl
touch $VAR_SUBSYS_IPTABLES
return $ret
}
stop() {
# Do not stop if iptables module is not loaded.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
flush_n_delete
set_policy ACCEPT
if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
echo -n $"${IPTABLES}: Unloading modules: "
ret=0
for mod in ${NF_MODULES[*]}; do
rmmod_r $mod
let ret+=$?;
done
# try to unload remaining netfilter modules used by ipv4 and ipv6
# netfilter
for mod in ${NF_MODULES_COMMON[*]}; do
rmmod_r $mod >/dev/null
done
[ $ret -eq 0 ] && success || failure
echo
fi
rm -f $VAR_SUBSYS_IPTABLES
return $ret
}
save() {
# Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
# Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 6
echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
ret=0
TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) && chmod 600 "$TMP_FILE" && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null && size=$(stat -c ‘%s‘ $TMP_FILE) && [ $size -gt 0 ] || ret=1
if [ $ret -eq 0 ]; then
if [ -e $IPTABLES_DATA ]; then
cp -f $IPTABLES_DATA $IPTABLES_DATA.save && chmod 600 $IPTABLES_DATA.save && restorecon $IPTABLES_DATA.save || ret=1
fi
if [ $ret -eq 0 ]; then
mv -f $TMP_FILE $IPTABLES_DATA && chmod 600 $IPTABLES_DATA && restorecon $IPTABLES_DATA || ret=1
fi
fi
rm -f $TMP_FILE
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
status() {
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not running."
return 3
fi
# Do not print status if lockfile is missing and iptables modules are not
# loaded.
# Check if iptable modules are loaded
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
echo $"${IPTABLES}: Firewall modules are not loaded."
return 3
fi
# Check if firewall is configured (has tables)
if [ -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not configured. "
return 3
fi
NUM=
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
VERBOSE=
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
COUNT=
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
for table in $NF_TABLES; do
echo $"Table: $table"
$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
done
return 0
}
restart() {
[ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
stop
start
}
case "$1" in
start)
[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
start
RETVAL=$?
;;
stop)
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop
RETVAL=$?
;;
restart|force-reload)
restart
RETVAL=$?
;;
reload)
# unimplemented
RETVAL=3
;;
condrestart|try-restart)
[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
restart
RETVAL=$?
;;
status)
status
RETVAL=$?
;;
panic)
flush_n_delete
set_policy DROP
RETVAL=$?
;;
save)
save
RETVAL=$?
;;
*)
echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
RETVAL=2
;;
esac
exit $RETVAL
/etc/init.d/functions
# -*-Shell-script-*-
#
# functions This file contains functions to be used by most or all
# shell scripts in the /etc/init.d directory.
#
TEXTDOMAIN=initscripts
# Make sure umask is sane
umask 022
# Set up a default search path.
PATH="/sbin:/usr/sbin:/bin:/usr/bin"
export PATH
# Get a sane screen width
[ -z "${COLUMNS:-}" ] && COLUMNS=80
[ -z "${CONSOLETYPE:-}" ] && CONSOLETYPE="`/sbin/consoletype`"
if [ -f /etc/sysconfig/i18n -a -z "${NOLOCALE:-}" ] ; then
. /etc/profile.d/lang.sh
fi
# Read in our configuration
if [ -z "${BOOTUP:-}" ]; then
if [ -f /etc/sysconfig/init ]; then
. /etc/sysconfig/init
else
# This all seem confusing? Look in /etc/sysconfig/init,
# or in /usr/doc/initscripts-*/sysconfig.txt
BOOTUP=color
RES_COL=60
MOVE_TO_COL="echo -en \\033[${RES_COL}G"
SETCOLOR_SUCCESS="echo -en \\033[1;32m"
SETCOLOR_FAILURE="echo -en \\033[1;31m"
SETCOLOR_WARNING="echo -en \\033[1;33m"
SETCOLOR_NORMAL="echo -en \\033[0;39m"
LOGLEVEL=1
fi
if [ "$CONSOLETYPE" = "serial" ]; then
BOOTUP=serial
MOVE_TO_COL=
SETCOLOR_SUCCESS=
SETCOLOR_FAILURE=
SETCOLOR_WARNING=
SETCOLOR_NORMAL=
fi
fi
if [ "${BOOTUP:-}" != "verbose" ]; then
INITLOG_ARGS="-q"
else
INITLOG_ARGS=
fi
# Interpret escape sequences in an fstab entry
fstab_decode_str() {
fstab-decode echo "$1"
}
# Check if $pid (could be plural) are running
checkpid() {
local i
for i in $* ; do
[ -d "/proc/$i" ] && return 0
done
return 1
}
__readlink() {
ls -bl "[email protected]" 2>/dev/null| awk ‘{ print $NF }‘
}
# __umount_loop awk_program fstab_file first_msg retry_msg umount_args
# awk_program should process fstab_file and return a list of fstab-encoded
# paths; it doesn‘t have to handle comments in fstab_file.
__umount_loop() {
local remaining sig=
local retry=3
remaining=$(LC_ALL=C awk "/^#/ {next} $1" "$2" | sort -r)
while [ -n "$remaining" -a "$retry" -gt 0 ]; do
if [ "$retry" -eq 3 ]; then
action "$3" fstab-decode umount $5 $remaining
else
action "$4" fstab-decode umount $5 $remaining
fi
sleep 2
remaining=$(LC_ALL=C awk "/^#/ {next} $1" "$2" | sort -r)
[ -z "$remaining" ] && break
fstab-decode /sbin/fuser -k -m $sig $remaining >/dev/null
sleep 5
retry=$(($retry -1))
sig=-9
done
}
# Similar to __umount loop above, specialized for loopback devices
__umount_loopback_loop() {
local remaining devremaining sig=
local retry=3
remaining=$(awk ‘$1 ~ /^\/dev\/loop/ && $2 != "/" {print $2}‘ /proc/mounts)
devremaining=$(awk ‘$1 ~ /^\/dev\/loop/ && $2 != "/" {print $1}‘ /proc/mounts)
while [ -n "$remaining" -a "$retry" -gt 0 ]; do
if [ "$retry" -eq 3 ]; then
action $"Unmounting loopback filesystems: " fstab-decode umount $remaining
else
action $"Unmounting loopback filesystems (retry):" fstab-decode umount $remaining
fi
for dev in $devremaining ; do
losetup $dev > /dev/null 2>&1 && action $"Detaching loopback device $dev: " losetup -d $dev
done
remaining=$(awk ‘$1 ~ /^\/dev\/loop/ && $2 != "/" {print $2}‘ /proc/mounts)
devremaining=$(awk ‘$1 ~ /^\/dev\/loop/ && $2 != "/" {print $1}‘ /proc/mounts)
[ -z "$remaining" ] && break
fstab-decode /sbin/fuser -k -m $sig $remaining >/dev/null
sleep 5
retry=$(($retry -1))
sig=-9
done
}
# __proc_pids {program} [pidfile]
# Set $pid to pids from /var/run* for {program}. $pid should be declared
# local in the caller.
# Returns LSB exit code for the ‘status‘ action.
__pids_var_run() {
local base=${1##*/}
local pid_file=${2:-/var/run/$base.pid}
pid=
if [ -f "$pid_file" ] ; then
local line p
read line < "$pid_file"
for p in $line ; do
[ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p"
done
if [ -n "$pid" ]; then
return 0
fi
return 1 # "Program is dead and /var/run pid file exists"
fi
return 3 # "Program is not running"
}
# Output PIDs of matching processes, found using pidof
__pids_pidof() {
pidof -c -o $$ -o $PPID -o %PPID -x "$1" || pidof -c -o $$ -o $PPID -o %PPID -x "${1##*/}"
}
# A function to start a program.
daemon() {
# Test syntax.
local gotbase= force= nicelevel corelimit
local pid base= user= nice= bg= pid_file=
nicelevel=0
while [ "$1" != "${1##[-+]}" ]; do
case $1 in
‘‘) echo $"$0: Usage: daemon [+/-nicelevel] {program}"
return 1;;
--check)
base=$2
gotbase="yes"
shift 2
;;
--check=?*)
base=${1#--check=}
gotbase="yes"
shift
;;
--user)
user=$2
shift 2
;;
--user=?*)
user=${1#--user=}
shift
;;
--pidfile)
pid_file=$2
shift 2
;;
--pidfile=?*)
pid_file=${1#--pidfile=}
shift
;;
--force)
force="force"
shift
;;
[-+][0-9]*)
nice="nice -n $1"
shift
;;
*) echo $"$0: Usage: daemon [+/-nicelevel] {program}"
return 1;;
esac
done
# Save basename.
[ -z "$gotbase" ] && base=${1##*/}
# See if it‘s already running. Look *only* at the pid file.
__pids_var_run "$base" "$pid_file"
[ -n "$pid" -a -z "$force" ] && return
# make sure it doesn‘t core dump anywhere unless requested
corelimit="ulimit -S -c ${DAEMON_COREFILE_LIMIT:-0}"
# if they set NICELEVEL in /etc/sysconfig/foo, honor it
[ -n "${NICELEVEL:-}" ] && nice="nice -n $NICELEVEL"
# Echo daemon
[ "${BOOTUP:-}" = "verbose" -a -z "${LSB:-}" ] && echo -n " $base"
# And start it up.
if [ -z "$user" ]; then
$nice /bin/bash -c "$corelimit >/dev/null 2>&1 ; $*"
else
$nice runuser -s /bin/bash - $user -c "$corelimit >/dev/null 2>&1 ; $*"
fi
[ "$?" -eq 0 ] && success $"$base startup" || failure $"$base startup"
}
# A function to stop a program.
killproc() {
local RC killlevel= base pid pid_file= delay
RC=0; delay=3
# Test syntax.
if [ "$#" -eq 0 ]; then
echo $"Usage: killproc [-p pidfile] [ -d delay] {program} [-signal]"
return 1
fi
if [ "$1" = "-p" ]; then
pid_file=$2
shift 2
fi
if [ "$1" = "-d" ]; then
delay=$2
shift 2
fi
# check for second arg to be kill level
[ -n "${2:-}" ] && killlevel=$2
# Save basename.
base=${1##*/}
# Find pid.
__pids_var_run "$1" "$pid_file"
if [ -z "$pid_file" -a -z "$pid" ]; then
pid="$(__pids_pidof "$1")"
fi
# Kill it.
if [ -n "$pid" ] ; then
[ "$BOOTUP" = "verbose" -a -z "${LSB:-}" ] && echo -n "$base "
if [ -z "$killlevel" ] ; then
if checkpid $pid 2>&1; then
# TERM first, then KILL if not dead
kill -TERM $pid >/dev/null 2>&1
usleep 100000
if checkpid $pid && sleep 1 &&
checkpid $pid && sleep $delay &&
checkpid $pid ; then
kill -KILL $pid >/dev/null 2>&1
usleep 100000
fi
fi
checkpid $pid
RC=$?
[ "$RC" -eq 0 ] && failure $"$base shutdown" || success $"$base shutdown"
RC=$((! $RC))
# use specified level only
else
if checkpid $pid; then
kill $killlevel $pid >/dev/null 2>&1
RC=$?
[ "$RC" -eq 0 ] && success $"$base $killlevel" || failure $"$base $killlevel"
elif [ -n "${LSB:-}" ]; then
RC=7 # Program is not running
fi
fi
else
if [ -n "${LSB:-}" -a -n "$killlevel" ]; then
RC=7 # Program is not running
else
failure $"$base shutdown"
RC=0
fi
fi
# Remove pid file if any.
if [ -z "$killlevel" ]; then
rm -f "${pid_file:-/var/run/$base.pid}"
fi
return $RC
}
# A function to find the pid of a program. Looks *only* at the pidfile
pidfileofproc() {
local pid
# Test syntax.
if [ "$#" = 0 ] ; then
echo $"Usage: pidfileofproc {program}"
return 1
fi
__pids_var_run "$1"
[ -n "$pid" ] && echo $pid
return 0
}
# A function to find the pid of a program.
pidofproc() {
local RC pid pid_file=
# Test syntax.
if [ "$#" = 0 ]; then
echo $"Usage: pidofproc [-p pidfile] {program}"
return 1
fi
if [ "$1" = "-p" ]; then
pid_file=$2
shift 2
fi
fail_code=3 # "Program is not running"
# First try "/var/run/*.pid" files
__pids_var_run "$1" "$pid_file"
RC=$?
if [ -n "$pid" ]; then
echo $pid
return 0
fi
[ -n "$pid_file" ] && return $RC
__pids_pidof "$1" || return $RC
}
status() {
local base pid pid_file=
# Test syntax.
if [ "$#" = 0 ] ; then
echo $"Usage: status [-p pidfile] {program}"
return 1
fi
if [ "$1" = "-p" ]; then
pid_file=$2
shift 2
fi
base=${1##*/}
# First try "pidof"
__pids_var_run "$1" "$pid_file"
RC=$?
if [ -z "$pid_file" -a -z "$pid" ]; then
pid="$(__pids_pidof "$1")"
fi
if [ -n "$pid" ]; then
echo $"${base} (pid $pid) is running..."
return 0
fi
case "$RC" in
0)
echo $"${base} (pid $pid) is running..."
return 0
;;
1)
echo $"${base} dead but pid file exists"
return 1
;;
esac
# See if /var/lock/subsys/${base} exists
if [ -f /var/lock/subsys/${base} ]; then
echo $"${base} dead but subsys locked"
return 2
fi
echo $"${base} is stopped"
return 3
}
echo_success() {
[ "$BOOTUP" = "color" ] && $MOVE_TO_COL
echo -n "["
[ "$BOOTUP" = "color" ] && $SETCOLOR_SUCCESS
echo -n $" OK "
[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
echo -n "]"
echo -ne "\r"
return 0
}
echo_failure() {
[ "$BOOTUP" = "color" ] && $MOVE_TO_COL
echo -n "["
[ "$BOOTUP" = "color" ] && $SETCOLOR_FAILURE
echo -n $"FAILED"
[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
echo -n "]"
echo -ne "\r"
return 1
}
echo_passed() {
[ "$BOOTUP" = "color" ] && $MOVE_TO_COL
echo -n "["
[ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING
echo -n $"PASSED"
[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
echo -n "]"
echo -ne "\r"
return 1
}
echo_warning() {
[ "$BOOTUP" = "color" ] && $MOVE_TO_COL
echo -n "["
[ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING
echo -n $"WARNING"
[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
echo -n "]"
echo -ne "\r"
return 1
}
# Inform the graphical boot of our current state
update_boot_stage() {
if [ "$GRAPHICAL" = "yes" -a -x /usr/bin/rhgb-client ]; then
/usr/bin/rhgb-client --update="$1"
fi
return 0
}
# Log that something succeeded
success() {
#if [ -z "${IN_INITLOG:-}" ]; then
# initlog $INITLOG_ARGS -n $0 -s "$1" -e 1
#fi
[ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_success
return 0
}
# Log that something failed
failure() {
local rc=$?
#if [ -z "${IN_INITLOG:-}" ]; then
# initlog $INITLOG_ARGS -n $0 -s "$1" -e 2
#fi
[ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_failure
[ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
return $rc
}
# Log that something passed, but may have had errors. Useful for fsck
passed() {
local rc=$?
#if [ -z "${IN_INITLOG:-}" ]; then
# initlog $INITLOG_ARGS -n $0 -s "$1" -e 1
#fi
[ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_passed
return $rc
}
# Log a warning
warning() {
local rc=$?
#if [ -z "${IN_INITLOG:-}" ]; then
# initlog $INITLOG_ARGS -n $0 -s "$1" -e 1
#fi
[ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_warning
return $rc
}
# Run some action. Log its output.
action() {
local STRING rc
STRING=$1
echo -n "$STRING "
if [ "${RHGB_STARTED:-}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then
echo -n "$STRING " > /etc/rhgb/temp/rhgb-console
fi
shift
"[email protected]" && success $"$STRING" || failure $"$STRING"
rc=$?
echo
if [ "${RHGB_STARTED:-}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then
if [ "$rc" = "0" ]; then
echo_success > /etc/rhgb/temp/rhgb-console
else
echo_failure > /etc/rhgb/temp/rhgb-console
[ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
fi
echo > /etc/rhgb/temp/rhgb-console
fi
return $rc
}
# returns OK if $1 contains $2
strstr() {
[ "${1#*$2*}" = "$1" ] && return 1
return 0
}
# Confirm whether we really want to run this service
confirm() {
[ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
while : ; do
echo -n $"Start service $1 (Y)es/(N)o/(C)ontinue? [Y] "
read answer
if strstr $"yY" "$answer" || [ "$answer" = "" ] ; then
return 0
elif strstr $"cC" "$answer" ; then
rm -f /var/run/confirm
[ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=no
return 2
elif strstr $"nN" "$answer" ; then
return 1
fi
done
}
# resolve a device node to its major:minor numbers in decimal or hex
get_numeric_dev() {
(
fmt="%d:%d"
if [ "$1" == "hex" ]; then
fmt="%x:%x"
fi
ls -lH "$2" | awk ‘{ sub(/,/, "", $5); printf("‘"$fmt"‘", $5, $6); }‘
) 2>/dev/null
}
# find the working name for a running dm device with the same table as one
# that dmraid would create
resolve_dm_name() {
(
name="$1"
line=$(/sbin/dmraid -ay -t --ignorelocking | egrep -iv "no block devices found|No RAID disks" | awk -F ‘:‘ "{ if (\$1 ~ /^$name$/) { print \$2; }}")
for x in $line ; do
if [[ "$x" =~ "^/dev/" ]] ; then
majmin=$(get_numeric_dev dec $x)
line=$(echo "$line" | sed -e "s,$x\( \|$\),$majmin\1,g")
fi
done
line=$(echo "$line" | sed -e ‘s/^[ \t]*//‘ -e ‘s/[ \t]*$//‘ -e ‘s/ core [12] [[:digit:]]\+ / core [12] [[:digit:]]\\+ /‘)
/sbin/dmsetup table | sed -n -e "s/.*\(no block devices found\|No devices found\).*//" -e "s/\(^[^:]\+\): $line\( \+$\|$\)/\1/p"
) 2>/dev/null
}
# Check whether file $1 is a backup or rpm-generated file and should be ignored
is_ignored_file() {
case "$1" in
*~ | *.bak | *.orig | *.rpmnew | *.rpmorig | *.rpmsave)
return 0
;;
esac
return 1
}
# A sed expression to filter out the files that is_ignored_file recognizes
__sed_discard_ignored_files=‘/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d‘
/sbin/consoletype
#!/bin/sh
# consoletype shell version:)
# print current console type
# by lichmama
who | awk -F"[ /]+" ‘{print $2}‘
/etc/sysconfig/iptables
touch /etc/sysconfig/iptables
创建软连接一枚:
ln -s /usr/sbin/iptables /sbin/iptables
加入服务组:
chkconfig --add iptables
添加防火墙策略:
iptables -I INPUT -p tcp -s 192.168.5.x --dport 22 -j DROP
启动iptables:
service iptables start
时间: 2024-11-03 05:44:23