Bash
1 前言
一个问题,一篇文章,一出故事。
笔者想要获取需要访问生产数据库的MySQL客户端列表,于是开启了Firewalld的拒绝日志,但是被拒绝后的MySQL客户端需要自动加入被允许连接MySQL服务的防火墙列表中,于是创建此脚本。
2 最佳实践
2.1 开启防火墙的拒绝日志
2.2 创建自动配置脚本
mkdir ~/scripts/ vim ~/scripts/autoFirewalld.sh
加入如下配置,
#!/bin/bash
logFile="/var/log/messages"
excludeIPs="192.168.0.95 192.168.0.96"
rejectIPs=`grep 'kernel: FINAL_REJECT:' "$logFile" | grep "DPT=3306" |awk -F'SRC=' '{print $2}' | awk -F' ' '{print $1}' | sort -u`
firewallRules=`firewall-cmd --list-all | grep 'rule family="ipv4"'`
reloadStatus=0
for rejectIP in $rejectIPs; do
excludeStatus=0
for excludeIP in $excludeIPs; do
if [ "$rejectIP" == "$excludeIP" ]; then
excludeStatus=1
fi
done
if [ $excludeStatus == 1 ]; then
continue
fi
if [ `echo $firewallRules | grep "$rejectIP" | wc -l` -ge 1 ]; then
continue
fi
firewall-cmd --permanent --add-rich-rule "rule family='ipv4' source address='"$rejectIP"/32' port port='3306' protocol='tcp' accept"
reloadStatus=1
done
if [ $reloadStatus == 1 ]; then
firewall-cmd --reload
fi
2.3 创建脚本触发
crontab -e
加入如下配置,
*/1 * * * * sh ~/scripts/autoFirewalld.sh
没有评论