需求背景:有台服务器希望屏蔽掉某IP对它的SSH连接。
临时客串下DevOps,下面的做法可能在专业运维的同学里不太专业,还请指教。
该服务器的操作系统是SuSE Linux,服务器上是安装了iptables,但是没有启用,也没用加入服务组。
所以我手动把它加入了系统服务中,并创建了一些必要文件:
/etc/init.d/iptables
#!/bin/sh # # iptables Start iptables firewall # # chkconfig: 2345 08 92 # description: Starts, stops and saves iptables firewall # # config: /etc/sysconfig/iptables # config: /etc/sysconfig/iptables-config # ### BEGIN INIT INFO # Provides: iptables # Required-Start: # Required-Stop: # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: start and stop iptables firewall # Description: Start, stop and save iptables firewall ### END INIT INFO # Source function library. . /etc/init.d/functions IPTABLES=iptables IPTABLES_DATA=/etc/sysconfig/$IPTABLES IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6 [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6" PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES # only usable for root [ $EUID = 0 ] || exit 4 if [ ! -x /sbin/$IPTABLES ]; then echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo exit 5 fi # Old or new modutils /sbin/modprobe --version 2>&1 | grep -q module-init-tools && NEW_MODUTILS=1 || NEW_MODUTILS=0 # Default firewall configuration: IPTABLES_MODULES="" IPTABLES_MODULES_UNLOAD="yes" IPTABLES_SAVE_ON_STOP="no" IPTABLES_SAVE_ON_RESTART="no" IPTABLES_SAVE_COUNTER="no" IPTABLES_STATUS_NUMERIC="yes" IPTABLES_STATUS_VERBOSE="no" IPTABLES_STATUS_LINENUMBERS="yes" IPTABLES_SYSCTL_LOAD_LIST="" # Load firewall configuration. [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" # Netfilter modules NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print $1}") ${IPV}_tables) NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6 # Get active tables NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) rmmod_r() { # Unload module with all referring modules. # At first all referring modules will be unloaded, then the module itself. local mod=$1 local ret=0 local ref= # Get referring modules. # New modutils have another output format. [ $NEW_MODUTILS = 1 ] && ref=$(lsmod | awk "/^${mod}/ { print $4; }" | tr ',' ' ') || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1) # recursive call for all referring modules for i in $ref; do rmmod_r $i let ret+=$?; done # Unload module. # The extra test is for 2.6: The module might have autocleaned, # after all referring modules are unloaded. if grep -q "^${mod}" /proc/modules ; then modprobe -r $mod > /dev/null 2>&1 res=$? [ $res -eq 0 ] || echo -n " $mod" let ret+=$res; fi return $ret } flush_n_delete() { # Flush firewall rules and delete chains. [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 # Check if firewall is configured (has tables) [ -z "$NF_TABLES" ] && return 1 echo -n $"${IPTABLES}: Flushing firewall rules: " ret=0 # For all tables for i in $NF_TABLES; do # Flush firewall rules. $IPTABLES -t $i -F; let ret+=$?; # Delete firewall chains. $IPTABLES -t $i -X; let ret+=$?; # Set counter to zero. $IPTABLES -t $i -Z; let ret+=$?; done [ $ret -eq 0 ] && success || failure echo return $ret } set_policy() { # Set policy for configured tables. policy=$1 # Check if iptable module is loaded [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 # Check if firewall is configured (has tables) tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null) [ -z "$tables" ] && return 1 echo -n $"${IPTABLES}: Setting chains to policy $policy: " ret=0 for i in $tables; do echo -n "$i " case "$i" in raw) $IPTABLES -t raw -P PREROUTING $policy && $IPTABLES -t raw -P OUTPUT $policy || let ret+=1 ;; filter) $IPTABLES -t filter -P INPUT $policy && $IPTABLES -t filter -P OUTPUT $policy && $IPTABLES -t filter -P FORWARD $policy || let ret+=1 ;; nat) $IPTABLES -t nat -P PREROUTING $policy && $IPTABLES -t nat -P POSTROUTING $policy && $IPTABLES -t nat -P OUTPUT $policy || let ret+=1 ;; mangle) $IPTABLES -t mangle -P PREROUTING $policy && $IPTABLES -t mangle -P POSTROUTING $policy && $IPTABLES -t mangle -P INPUT $policy && $IPTABLES -t mangle -P OUTPUT $policy && $IPTABLES -t mangle -P FORWARD $policy || let ret+=1 ;; *) let ret+=1 ;; esac done [ $ret -eq 0 ] && success || failure echo return $ret } load_sysctl() { # load matched sysctl values if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then echo -n $"Loading sysctl settings: " ret=0 for item in $IPTABLES_SYSCTL_LOAD_LIST; do fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null let ret+=$?; done [ $ret -eq 0 ] && success || failure echo fi return $ret } start() { # Do not start if there is no config file. [ ! -f "$IPTABLES_DATA" ] && return 6 # check if ipv6 module load is deactivated if [ "${_IPV}" = "ipv6" ] && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then echo $"${IPTABLES}: ${_IPV} is disabled." return 150 fi echo -n $"${IPTABLES}: Applying firewall rules: " OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" $IPTABLES-restore $OPT $IPTABLES_DATA if [ $? -eq 0 ]; then success; echo else failure; echo; if [ -f "$IPTABLES_FALLBACK_DATA" ]; then echo -n $"${IPTABLES}: Applying firewall fallback rules: " $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA if [ $? -eq 0 ]; then success; echo else failure; echo; return 1 fi else return 1 fi fi # Load additional modules (helpers) if [ -n "$IPTABLES_MODULES" ]; then echo -n $"${IPTABLES}: Loading additional modules: " ret=0 for mod in $IPTABLES_MODULES; do echo -n "$mod " modprobe $mod > /dev/null 2>&1 let ret+=$?; done [ $ret -eq 0 ] && success || failure echo fi # Load sysctl settings load_sysctl touch $VAR_SUBSYS_IPTABLES return $ret } stop() { # Do not stop if iptables module is not loaded. [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 flush_n_delete set_policy ACCEPT if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then echo -n $"${IPTABLES}: Unloading modules: " ret=0 for mod in ${NF_MODULES[*]}; do rmmod_r $mod let ret+=$?; done # try to unload remaining netfilter modules used by ipv4 and ipv6 # netfilter for mod in ${NF_MODULES_COMMON[*]}; do rmmod_r $mod >/dev/null done [ $ret -eq 0 ] && success || failure echo fi rm -f $VAR_SUBSYS_IPTABLES return $ret } save() { # Check if iptable module is loaded [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 # Check if firewall is configured (has tables) [ -z "$NF_TABLES" ] && return 6 echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " OPT= [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" ret=0 TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) && chmod 600 "$TMP_FILE" && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] || ret=1 if [ $ret -eq 0 ]; then if [ -e $IPTABLES_DATA ]; then cp -f $IPTABLES_DATA $IPTABLES_DATA.save && chmod 600 $IPTABLES_DATA.save && restorecon $IPTABLES_DATA.save || ret=1 fi if [ $ret -eq 0 ]; then mv -f $TMP_FILE $IPTABLES_DATA && chmod 600 $IPTABLES_DATA && restorecon $IPTABLES_DATA || ret=1 fi fi rm -f $TMP_FILE [ $ret -eq 0 ] && success || failure echo return $ret } status() { if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then echo $"${IPTABLES}: Firewall is not running." return 3 fi # Do not print status if lockfile is missing and iptables modules are not # loaded. # Check if iptable modules are loaded if [ ! -e "$PROC_IPTABLES_NAMES" ]; then echo $"${IPTABLES}: Firewall modules are not loaded." return 3 fi # Check if firewall is configured (has tables) if [ -z "$NF_TABLES" ]; then echo $"${IPTABLES}: Firewall is not configured. " return 3 fi NUM= [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n" VERBOSE= [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose" COUNT= [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" for table in $NF_TABLES; do echo $"Table: $table" $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo done return 0 } restart() { [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save stop start } case "$1" in start) [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0 start RETVAL=$? ;; stop) [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save stop RETVAL=$? ;; restart|force-reload) restart RETVAL=$? ;; reload) # unimplemented RETVAL=3 ;; condrestart|try-restart) [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0 restart RETVAL=$? ;; status) status RETVAL=$? ;; panic) flush_n_delete set_policy DROP RETVAL=$? ;; save) save RETVAL=$? ;; *) echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}" RETVAL=2 ;; esac exit $RETVAL
/etc/init.d/functions
# -*-Shell-script-*- # # functions This file contains functions to be used by most or all # shell scripts in the /etc/init.d directory. # TEXTDOMAIN=initscripts # Make sure umask is sane umask 022 # Set up a default search path. PATH="/sbin:/usr/sbin:/bin:/usr/bin" export PATH # Get a sane screen width [ -z "${COLUMNS:-}" ] && COLUMNS=80 [ -z "${CONSOLETYPE:-}" ] && CONSOLETYPE="`/sbin/consoletype`" if [ -f /etc/sysconfig/i18n -a -z "${NOLOCALE:-}" ] ; then . /etc/profile.d/lang.sh fi # Read in our configuration if [ -z "${BOOTUP:-}" ]; then if [ -f /etc/sysconfig/init ]; then . /etc/sysconfig/init else # This all seem confusing? Look in /etc/sysconfig/init, # or in /usr/doc/initscripts-*/sysconfig.txt BOOTUP=color RES_COL=60 MOVE_TO_COL="echo -en \033[${RES_COL}G" SETCOLOR_SUCCESS="echo -en \033[1;32m" SETCOLOR_FAILURE="echo -en \033[1;31m" SETCOLOR_WARNING="echo -en \033[1;33m" SETCOLOR_NORMAL="echo -en \033[0;39m" LOGLEVEL=1 fi if [ "$CONSOLETYPE" = "serial" ]; then BOOTUP=serial MOVE_TO_COL= SETCOLOR_SUCCESS= SETCOLOR_FAILURE= SETCOLOR_WARNING= SETCOLOR_NORMAL= fi fi if [ "${BOOTUP:-}" != "verbose" ]; then INITLOG_ARGS="-q" else INITLOG_ARGS= fi # Interpret escape sequences in an fstab entry fstab_decode_str() { fstab-decode echo "$1" } # Check if $pid (could be plural) are running checkpid() { local i for i in $* ; do [ -d "/proc/$i" ] && return 0 done return 1 } __readlink() { ls -bl "$@" 2>/dev/null| awk '{ print $NF }' } # __umount_loop awk_program fstab_file first_msg retry_msg umount_args # awk_program should process fstab_file and return a list of fstab-encoded # paths; it doesn't have to handle comments in fstab_file. __umount_loop() { local remaining sig= local retry=3 remaining=$(LC_ALL=C awk "/^#/ {next} $1" "$2" | sort -r) while [ -n "$remaining" -a "$retry" -gt 0 ]; do if [ "$retry" -eq 3 ]; then action "$3" fstab-decode umount $5 $remaining else action "$4" fstab-decode umount $5 $remaining fi sleep 2 remaining=$(LC_ALL=C awk "/^#/ {next} $1" "$2" | sort -r) [ -z "$remaining" ] && break fstab-decode /sbin/fuser -k -m $sig $remaining >/dev/null sleep 5 retry=$(($retry -1)) sig=-9 done } # Similar to __umount loop above, specialized for loopback devices __umount_loopback_loop() { local remaining devremaining sig= local retry=3 remaining=$(awk '$1 ~ /^/dev/loop/ && $2 != "/" {print $2}' /proc/mounts) devremaining=$(awk '$1 ~ /^/dev/loop/ && $2 != "/" {print $1}' /proc/mounts) while [ -n "$remaining" -a "$retry" -gt 0 ]; do if [ "$retry" -eq 3 ]; then action $"Unmounting loopback filesystems: " fstab-decode umount $remaining else action $"Unmounting loopback filesystems (retry):" fstab-decode umount $remaining fi for dev in $devremaining ; do losetup $dev > /dev/null 2>&1 && action $"Detaching loopback device $dev: " losetup -d $dev done remaining=$(awk '$1 ~ /^/dev/loop/ && $2 != "/" {print $2}' /proc/mounts) devremaining=$(awk '$1 ~ /^/dev/loop/ && $2 != "/" {print $1}' /proc/mounts) [ -z "$remaining" ] && break fstab-decode /sbin/fuser -k -m $sig $remaining >/dev/null sleep 5 retry=$(($retry -1)) sig=-9 done } # __proc_pids {program} [pidfile] # Set $pid to pids from /var/run* for {program}. $pid should be declared # local in the caller. # Returns LSB exit code for the 'status' action. __pids_var_run() { local base=${1##*/} local pid_file=${2:-/var/run/$base.pid} pid= if [ -f "$pid_file" ] ; then local line p read line < "$pid_file" for p in $line ; do [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p" done if [ -n "$pid" ]; then return 0 fi return 1 # "Program is dead and /var/run pid file exists" fi return 3 # "Program is not running" } # Output PIDs of matching processes, found using pidof __pids_pidof() { pidof -c -o $$ -o $PPID -o %PPID -x "$1" || pidof -c -o $$ -o $PPID -o %PPID -x "${1##*/}" } # A function to start a program. daemon() { # Test syntax. local gotbase= force= nicelevel corelimit local pid base= user= nice= bg= pid_file= nicelevel=0 while [ "$1" != "${1##[-+]}" ]; do case $1 in '') echo $"$0: Usage: daemon [+/-nicelevel] {program}" return 1;; --check) base=$2 gotbase="yes" shift 2 ;; --check=?*) base=${1#--check=} gotbase="yes" shift ;; --user) user=$2 shift 2 ;; --user=?*) user=${1#--user=} shift ;; --pidfile) pid_file=$2 shift 2 ;; --pidfile=?*) pid_file=${1#--pidfile=} shift ;; --force) force="force" shift ;; [-+][0-9]*) nice="nice -n $1" shift ;; *) echo $"$0: Usage: daemon [+/-nicelevel] {program}" return 1;; esac done # Save basename. [ -z "$gotbase" ] && base=${1##*/} # See if it's already running. Look *only* at the pid file. __pids_var_run "$base" "$pid_file" [ -n "$pid" -a -z "$force" ] && return # make sure it doesn't core dump anywhere unless requested corelimit="ulimit -S -c ${DAEMON_COREFILE_LIMIT:-0}" # if they set NICELEVEL in /etc/sysconfig/foo, honor it [ -n "${NICELEVEL:-}" ] && nice="nice -n $NICELEVEL" # Echo daemon [ "${BOOTUP:-}" = "verbose" -a -z "${LSB:-}" ] && echo -n " $base" # And start it up. if [ -z "$user" ]; then $nice /bin/bash -c "$corelimit >/dev/null 2>&1 ; $*" else $nice runuser -s /bin/bash - $user -c "$corelimit >/dev/null 2>&1 ; $*" fi [ "$?" -eq 0 ] && success $"$base startup" || failure $"$base startup" } # A function to stop a program. killproc() { local RC killlevel= base pid pid_file= delay RC=0; delay=3 # Test syntax. if [ "$#" -eq 0 ]; then echo $"Usage: killproc [-p pidfile] [ -d delay] {program} [-signal]" return 1 fi if [ "$1" = "-p" ]; then pid_file=$2 shift 2 fi if [ "$1" = "-d" ]; then delay=$2 shift 2 fi # check for second arg to be kill level [ -n "${2:-}" ] && killlevel=$2 # Save basename. base=${1##*/} # Find pid. __pids_var_run "$1" "$pid_file" if [ -z "$pid_file" -a -z "$pid" ]; then pid="$(__pids_pidof "$1")" fi # Kill it. if [ -n "$pid" ] ; then [ "$BOOTUP" = "verbose" -a -z "${LSB:-}" ] && echo -n "$base " if [ -z "$killlevel" ] ; then if checkpid $pid 2>&1; then # TERM first, then KILL if not dead kill -TERM $pid >/dev/null 2>&1 usleep 100000 if checkpid $pid && sleep 1 && checkpid $pid && sleep $delay && checkpid $pid ; then kill -KILL $pid >/dev/null 2>&1 usleep 100000 fi fi checkpid $pid RC=$? [ "$RC" -eq 0 ] && failure $"$base shutdown" || success $"$base shutdown" RC=$((! $RC)) # use specified level only else if checkpid $pid; then kill $killlevel $pid >/dev/null 2>&1 RC=$? [ "$RC" -eq 0 ] && success $"$base $killlevel" || failure $"$base $killlevel" elif [ -n "${LSB:-}" ]; then RC=7 # Program is not running fi fi else if [ -n "${LSB:-}" -a -n "$killlevel" ]; then RC=7 # Program is not running else failure $"$base shutdown" RC=0 fi fi # Remove pid file if any. if [ -z "$killlevel" ]; then rm -f "${pid_file:-/var/run/$base.pid}" fi return $RC } # A function to find the pid of a program. Looks *only* at the pidfile pidfileofproc() { local pid # Test syntax. if [ "$#" = 0 ] ; then echo $"Usage: pidfileofproc {program}" return 1 fi __pids_var_run "$1" [ -n "$pid" ] && echo $pid return 0 } # A function to find the pid of a program. pidofproc() { local RC pid pid_file= # Test syntax. if [ "$#" = 0 ]; then echo $"Usage: pidofproc [-p pidfile] {program}" return 1 fi if [ "$1" = "-p" ]; then pid_file=$2 shift 2 fi fail_code=3 # "Program is not running" # First try "/var/run/*.pid" files __pids_var_run "$1" "$pid_file" RC=$? if [ -n "$pid" ]; then echo $pid return 0 fi [ -n "$pid_file" ] && return $RC __pids_pidof "$1" || return $RC } status() { local base pid pid_file= # Test syntax. if [ "$#" = 0 ] ; then echo $"Usage: status [-p pidfile] {program}" return 1 fi if [ "$1" = "-p" ]; then pid_file=$2 shift 2 fi base=${1##*/} # First try "pidof" __pids_var_run "$1" "$pid_file" RC=$? if [ -z "$pid_file" -a -z "$pid" ]; then pid="$(__pids_pidof "$1")" fi if [ -n "$pid" ]; then echo $"${base} (pid $pid) is running..." return 0 fi case "$RC" in 0) echo $"${base} (pid $pid) is running..." return 0 ;; 1) echo $"${base} dead but pid file exists" return 1 ;; esac # See if /var/lock/subsys/${base} exists if [ -f /var/lock/subsys/${base} ]; then echo $"${base} dead but subsys locked" return 2 fi echo $"${base} is stopped" return 3 } echo_success() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_SUCCESS echo -n $" OK " [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne " " return 0 } echo_failure() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_FAILURE echo -n $"FAILED" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne " " return 1 } echo_passed() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING echo -n $"PASSED" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne " " return 1 } echo_warning() { [ "$BOOTUP" = "color" ] && $MOVE_TO_COL echo -n "[" [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING echo -n $"WARNING" [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL echo -n "]" echo -ne " " return 1 } # Inform the graphical boot of our current state update_boot_stage() { if [ "$GRAPHICAL" = "yes" -a -x /usr/bin/rhgb-client ]; then /usr/bin/rhgb-client --update="$1" fi return 0 } # Log that something succeeded success() { #if [ -z "${IN_INITLOG:-}" ]; then # initlog $INITLOG_ARGS -n $0 -s "$1" -e 1 #fi [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_success return 0 } # Log that something failed failure() { local rc=$? #if [ -z "${IN_INITLOG:-}" ]; then # initlog $INITLOG_ARGS -n $0 -s "$1" -e 2 #fi [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_failure [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes return $rc } # Log that something passed, but may have had errors. Useful for fsck passed() { local rc=$? #if [ -z "${IN_INITLOG:-}" ]; then # initlog $INITLOG_ARGS -n $0 -s "$1" -e 1 #fi [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_passed return $rc } # Log a warning warning() { local rc=$? #if [ -z "${IN_INITLOG:-}" ]; then # initlog $INITLOG_ARGS -n $0 -s "$1" -e 1 #fi [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_warning return $rc } # Run some action. Log its output. action() { local STRING rc STRING=$1 echo -n "$STRING " if [ "${RHGB_STARTED:-}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then echo -n "$STRING " > /etc/rhgb/temp/rhgb-console fi shift "$@" && success $"$STRING" || failure $"$STRING" rc=$? echo if [ "${RHGB_STARTED:-}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then if [ "$rc" = "0" ]; then echo_success > /etc/rhgb/temp/rhgb-console else echo_failure > /etc/rhgb/temp/rhgb-console [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes fi echo > /etc/rhgb/temp/rhgb-console fi return $rc } # returns OK if $1 contains $2 strstr() { [ "${1#*$2*}" = "$1" ] && return 1 return 0 } # Confirm whether we really want to run this service confirm() { [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes while : ; do echo -n $"Start service $1 (Y)es/(N)o/(C)ontinue? [Y] " read answer if strstr $"yY" "$answer" || [ "$answer" = "" ] ; then return 0 elif strstr $"cC" "$answer" ; then rm -f /var/run/confirm [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=no return 2 elif strstr $"nN" "$answer" ; then return 1 fi done } # resolve a device node to its major:minor numbers in decimal or hex get_numeric_dev() { ( fmt="%d:%d" if [ "$1" == "hex" ]; then fmt="%x:%x" fi ls -lH "$2" | awk '{ sub(/,/, "", $5); printf("'"$fmt"'", $5, $6); }' ) 2>/dev/null } # find the working name for a running dm device with the same table as one # that dmraid would create resolve_dm_name() { ( name="$1" line=$(/sbin/dmraid -ay -t --ignorelocking | egrep -iv "no block devices found|No RAID disks" | awk -F ':' "{ if ($1 ~ /^$name$/) { print $2; }}") for x in $line ; do if [[ "$x" =~ "^/dev/" ]] ; then majmin=$(get_numeric_dev dec $x) line=$(echo "$line" | sed -e "s,$x( |$),$majmin1,g") fi done line=$(echo "$line" | sed -e 's/^[ ]*//' -e 's/[ ]*$//' -e 's/ core [12] [[:digit:]]+ / core [12] [[:digit:]]\+ /') /sbin/dmsetup table | sed -n -e "s/.*(no block devices found|No devices found).*//" -e "s/(^[^:]+): $line( +$|$)/1/p" ) 2>/dev/null } # Check whether file $1 is a backup or rpm-generated file and should be ignored is_ignored_file() { case "$1" in *~ | *.bak | *.orig | *.rpmnew | *.rpmorig | *.rpmsave) return 0 ;; esac return 1 } # A sed expression to filter out the files that is_ignored_file recognizes __sed_discard_ignored_files='/(~|.bak|.orig|.rpmnew|.rpmorig|.rpmsave)$/d'
/sbin/consoletype
#!/bin/sh # consoletype shell version:) # print current console type # by lichmama who | awk -F"[ /]+" '{print $2}'
/etc/sysconfig/iptables
touch /etc/sysconfig/iptables
创建软连接一枚:
ln -s /usr/sbin/iptables /sbin/iptables
加入服务组:
chkconfig --add iptables
添加防火墙策略:
iptables -A INPUT -p tcp -s 192.168.5.x --dport 22 -j DROP
启动iptables:
service iptables start