Bash
1 Preface
One problem, one article, one story.
I wanted to obtain the list of MySQL clients that need to access the production database, so I enabled firewalld's reject log. Clients that were rejected then had to be added automatically to the firewall's allow list for the MySQL service, so I wrote this script.
2 Best practice
2.1 Enable the firewall's reject log
2.2 Create the auto-configuration script
mkdir ~/scripts/
vim ~/scripts/autoFirewalld.sh
Add the following content:
#!/bin/bash
logFile="/var/log/messages"
# Clients that must never be auto-allowed (space-separated)
excludeIPs="192.168.0.95 192.168.0.96"
# Distinct source addresses that firewalld rejected on the MySQL port
rejectIPs=$(grep 'kernel: FINAL_REJECT:' "$logFile" | grep -w 'DPT=3306' | awk -F'SRC=' '{print $2}' | awk '{print $1}' | sort -u)
# Existing IPv4 rich rules (firewall-cmd prints them with double quotes)
firewallRules=$(firewall-cmd --list-all | grep 'rule family="ipv4"')
reloadStatus=0

for rejectIP in $rejectIPs; do
    excludeStatus=0
    for excludeIP in $excludeIPs; do
        if [ "$rejectIP" = "$excludeIP" ]; then
            excludeStatus=1
        fi
    done
    if [ "$excludeStatus" -eq 1 ]; then
        continue
    fi
    # Skip addresses that already have a rule; -F matches the literal address
    # and the /32 suffix keeps 192.168.0.9 from matching 192.168.0.95
    if echo "$firewallRules" | grep -qF "address=\"$rejectIP/32\""; then
        continue
    fi
    firewall-cmd --permanent --add-rich-rule "rule family='ipv4' source address='${rejectIP}/32' port port='3306' protocol='tcp' accept"
    reloadStatus=1
done

if [ "$reloadStatus" -eq 1 ]; then
    firewall-cmd --reload
fi
2.3 Create the script trigger
crontab -e
Add the following entry:
*/1 * * * * sh ~/scripts/autoFirewalld.sh