• 在suse上折腾iptables


    需求背景:有台服务器希望屏蔽掉某IP对它的SSH连接。

    临时客串下DevOps,下面的做法可能在专业运维的同学里不太专业,还请指教。

    该服务器的操作系统是SuSE Linux,服务器上是安装了iptables,但是没有启用,也没用加入服务组。

    所以我手动把它加入了系统服务中,并创建了一些必要文件:

    /etc/init.d/iptables

    #!/bin/sh
    #
    # iptables      Start iptables firewall
    #
    # chkconfig: 2345 08 92
    # description:  Starts, stops and saves iptables firewall
    #
    # config: /etc/sysconfig/iptables
    # config: /etc/sysconfig/iptables-config
    #
    ### BEGIN INIT INFO
    # Provides: iptables
    # Required-Start:
    # Required-Stop:
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: start and stop iptables firewall
    # Description: Start, stop and save iptables firewall
    ### END INIT INFO
    
    # Source function library.
    . /etc/init.d/functions
    
    IPTABLES=iptables
    IPTABLES_DATA=/etc/sysconfig/$IPTABLES
    IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
    IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
    IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
    [ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
    PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
    VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES
    
    # only usable for root
    [ $EUID = 0 ] || exit 4
    
    if [ ! -x /sbin/$IPTABLES ]; then
        echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
        exit 5
    fi
    
    # Old or new modutils
    /sbin/modprobe --version 2>&1 | grep -q module-init-tools 
        && NEW_MODUTILS=1 
        || NEW_MODUTILS=0
    
    # Default firewall configuration:
    IPTABLES_MODULES=""
    IPTABLES_MODULES_UNLOAD="yes"
    IPTABLES_SAVE_ON_STOP="no"
    IPTABLES_SAVE_ON_RESTART="no"
    IPTABLES_SAVE_COUNTER="no"
    IPTABLES_STATUS_NUMERIC="yes"
    IPTABLES_STATUS_VERBOSE="no"
    IPTABLES_STATUS_LINENUMBERS="yes"
    IPTABLES_SYSCTL_LOAD_LIST=""
    
    # Load firewall configuration.
    [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
    
    # Netfilter modules
    NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print $1}") ${IPV}_tables)
    NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6
    
    # Get active tables
    NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
    
    
    rmmod_r() {
        # Unload module with all referring modules.
        # At first all referring modules will be unloaded, then the module itself.
        local mod=$1
        local ret=0
        local ref=
    
        # Get referring modules.
        # New modutils have another output format.
        [ $NEW_MODUTILS = 1 ] 
            && ref=$(lsmod | awk "/^${mod}/ { print $4; }" | tr ',' ' ') 
            || ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f 2 | cut -d "]" -s -f 1)
    
        # recursive call for all referring modules
        for i in $ref; do
            rmmod_r $i
            let ret+=$?;
        done
    
        # Unload module.
        # The extra test is for 2.6: The module might have autocleaned,
        # after all referring modules are unloaded.
        if grep -q "^${mod}" /proc/modules ; then
            modprobe -r $mod > /dev/null 2>&1
            res=$?
            [ $res -eq 0 ] || echo -n " $mod"
            let ret+=$res;
        fi
    
        return $ret
    }
    
    flush_n_delete() {
        # Flush firewall rules and delete chains.
        [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
    
        # Check if firewall is configured (has tables)
        [ -z "$NF_TABLES" ] && return 1
    
        echo -n $"${IPTABLES}: Flushing firewall rules: "
        ret=0
        # For all tables
        for i in $NF_TABLES; do
            # Flush firewall rules.
            $IPTABLES -t $i -F;
            let ret+=$?;
    
            # Delete firewall chains.
            $IPTABLES -t $i -X;
            let ret+=$?;
    
            # Set counter to zero.
            $IPTABLES -t $i -Z;
            let ret+=$?;
        done
    
        [ $ret -eq 0 ] && success || failure
        echo
        return $ret
    }
    
    set_policy() {
        # Set policy for configured tables.
        policy=$1
    
        # Check if iptable module is loaded
        [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
    
        # Check if firewall is configured (has tables)
        tables=$(cat "$PROC_IPTABLES_NAMES" 2>/dev/null)
        [ -z "$tables" ] && return 1
    
        echo -n $"${IPTABLES}: Setting chains to policy $policy: "
        ret=0
        for i in $tables; do
            echo -n "$i "
            case "$i" in
                raw)
                    $IPTABLES -t raw -P PREROUTING $policy 
                        && $IPTABLES -t raw -P OUTPUT $policy 
                        || let ret+=1
                    ;;
                filter)
                    $IPTABLES -t filter -P INPUT $policy 
                        && $IPTABLES -t filter -P OUTPUT $policy 
                        && $IPTABLES -t filter -P FORWARD $policy 
                        || let ret+=1
                    ;;
                nat)
                    $IPTABLES -t nat -P PREROUTING $policy 
                        && $IPTABLES -t nat -P POSTROUTING $policy 
                        && $IPTABLES -t nat -P OUTPUT $policy 
                        || let ret+=1
                    ;;
                mangle)
                    $IPTABLES -t mangle -P PREROUTING $policy 
                        && $IPTABLES -t mangle -P POSTROUTING $policy 
                        && $IPTABLES -t mangle -P INPUT $policy 
                        && $IPTABLES -t mangle -P OUTPUT $policy 
                        && $IPTABLES -t mangle -P FORWARD $policy 
                        || let ret+=1
                    ;;
                *)
                    let ret+=1
                    ;;
            esac
        done
    
        [ $ret -eq 0 ] && success || failure
        echo
        return $ret
    }
    
    load_sysctl() {
        # load matched sysctl values
        if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
            echo -n $"Loading sysctl settings: "
            ret=0
            for item in $IPTABLES_SYSCTL_LOAD_LIST; do
                fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null
                let ret+=$?;
            done
            [ $ret -eq 0 ] && success || failure
            echo
        fi
        return $ret
    }
    
    start() {
        # Do not start if there is no config file.
        [ ! -f "$IPTABLES_DATA" ] && return 6
    
        # check if ipv6 module load is deactivated
        if [ "${_IPV}" = "ipv6" ] 
            && grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
            echo $"${IPTABLES}: ${_IPV} is disabled."
            return 150
        fi
    
        echo -n $"${IPTABLES}: Applying firewall rules: "
    
        OPT=
        [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
    
        $IPTABLES-restore $OPT $IPTABLES_DATA
        if [ $? -eq 0 ]; then
            success; echo
        else
            failure; echo;
            if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
                echo -n $"${IPTABLES}: Applying firewall fallback rules: "
                $IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
                if [ $? -eq 0 ]; then
                    success; echo
                else
                    failure; echo; return 1
                fi
            else
                return 1
            fi
        fi
        
        # Load additional modules (helpers)
        if [ -n "$IPTABLES_MODULES" ]; then
            echo -n $"${IPTABLES}: Loading additional modules: "
            ret=0
            for mod in $IPTABLES_MODULES; do
                echo -n "$mod "
                modprobe $mod > /dev/null 2>&1
                let ret+=$?;
            done
            [ $ret -eq 0 ] && success || failure
            echo
        fi
        
        # Load sysctl settings
        load_sysctl
    
        touch $VAR_SUBSYS_IPTABLES
        return $ret
    }
    
    stop() {
        # Do not stop if iptables module is not loaded.
        [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
    
        flush_n_delete
        set_policy ACCEPT
        
        if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
            echo -n $"${IPTABLES}: Unloading modules: "
            ret=0
            for mod in ${NF_MODULES[*]}; do
                rmmod_r $mod
                let ret+=$?;
            done
            # try to unload remaining netfilter modules used by ipv4 and ipv6 
            # netfilter
            for mod in ${NF_MODULES_COMMON[*]}; do
                rmmod_r $mod >/dev/null
            done
            [ $ret -eq 0 ] && success || failure
            echo
        fi
        
        rm -f $VAR_SUBSYS_IPTABLES
        return $ret
    }
    
    save() {
        # Check if iptable module is loaded
        [ ! -e "$PROC_IPTABLES_NAMES" ] && return 0
    
        # Check if firewall is configured (has tables)
        [ -z "$NF_TABLES" ] && return 6
    
        echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: "
    
        OPT=
        [ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c"
    
        ret=0
        TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) 
            && chmod 600 "$TMP_FILE" 
            && $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null 
            && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] 
            || ret=1
        if [ $ret -eq 0 ]; then
            if [ -e $IPTABLES_DATA ]; then
                cp -f $IPTABLES_DATA $IPTABLES_DATA.save 
                    && chmod 600 $IPTABLES_DATA.save 
                    && restorecon $IPTABLES_DATA.save 
                    || ret=1
            fi
            if [ $ret -eq 0 ]; then
                mv -f $TMP_FILE $IPTABLES_DATA 
                    && chmod 600 $IPTABLES_DATA 
                    && restorecon $IPTABLES_DATA 
                    || ret=1
            fi
        fi
        rm -f $TMP_FILE
        [ $ret -eq 0 ] && success || failure
        echo
        return $ret
    }
    
    status() {
        if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
            echo $"${IPTABLES}: Firewall is not running."
            return 3
        fi
    
        # Do not print status if lockfile is missing and iptables modules are not 
        # loaded.
        # Check if iptable modules are loaded
        if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
            echo $"${IPTABLES}: Firewall modules are not loaded."
            return 3
        fi
    
        # Check if firewall is configured (has tables)
        if [ -z "$NF_TABLES" ]; then
            echo $"${IPTABLES}: Firewall is not configured. "
            return 3
        fi
    
        NUM=
        [ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
        VERBOSE= 
        [ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
        COUNT=
        [ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers"
    
        for table in $NF_TABLES; do
            echo $"Table: $table"
            $IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
        done
    
        return 0
    }
    
    restart() {
        [ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
        stop
        start
    }
    
    
    case "$1" in
        start)
            [ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
            start
            RETVAL=$?
            ;;
        stop)
            [ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
            stop
            RETVAL=$?
            ;;
        restart|force-reload)
            restart
            RETVAL=$?
            ;;
        reload)
            # unimplemented
            RETVAL=3
            ;;
        condrestart|try-restart)
            [ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
            restart
            RETVAL=$?
            ;;
        status)
            status
            RETVAL=$?
            ;;
        panic)
            flush_n_delete
            set_policy DROP
            RETVAL=$?
            ;;
        save)
            save
            RETVAL=$?
            ;;
        *)
            echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
            RETVAL=2
            ;;
    esac
    
    exit $RETVAL
    View Code

    /etc/init.d/functions

    # -*-Shell-script-*-
    #
    # functions    This file contains functions to be used by most or all
    #        shell scripts in the /etc/init.d directory.
    #
    
    TEXTDOMAIN=initscripts
    
    # Make sure umask is sane
    umask 022
    
    # Set up a default search path.
    PATH="/sbin:/usr/sbin:/bin:/usr/bin"
    export PATH
    
    # Get a sane screen width
    [ -z "${COLUMNS:-}" ] && COLUMNS=80
    
    [ -z "${CONSOLETYPE:-}" ] && CONSOLETYPE="`/sbin/consoletype`"
    
    if [ -f /etc/sysconfig/i18n -a -z "${NOLOCALE:-}" ] ; then
      . /etc/profile.d/lang.sh
    fi
    
    # Read in our configuration
    if [ -z "${BOOTUP:-}" ]; then
      if [ -f /etc/sysconfig/init ]; then
          . /etc/sysconfig/init
      else
        # This all seem confusing? Look in /etc/sysconfig/init,
        # or in /usr/doc/initscripts-*/sysconfig.txt
        BOOTUP=color
        RES_COL=60
        MOVE_TO_COL="echo -en \033[${RES_COL}G"
        SETCOLOR_SUCCESS="echo -en \033[1;32m"
        SETCOLOR_FAILURE="echo -en \033[1;31m"
        SETCOLOR_WARNING="echo -en \033[1;33m"
        SETCOLOR_NORMAL="echo -en \033[0;39m"
        LOGLEVEL=1
      fi
      if [ "$CONSOLETYPE" = "serial" ]; then
          BOOTUP=serial
          MOVE_TO_COL=
          SETCOLOR_SUCCESS=
          SETCOLOR_FAILURE=
          SETCOLOR_WARNING=
          SETCOLOR_NORMAL=
      fi
    fi
    
    if [ "${BOOTUP:-}" != "verbose" ]; then
       INITLOG_ARGS="-q"
    else
       INITLOG_ARGS=
    fi
    
    # Interpret escape sequences in an fstab entry
    fstab_decode_str() {
        fstab-decode echo "$1"
    }
    
    # Check if $pid (could be plural) are running
    checkpid() {
        local i
    
        for i in $* ; do
            [ -d "/proc/$i" ] && return 0
        done
        return 1
    }
    
    __readlink() {
        ls -bl "$@" 2>/dev/null| awk '{ print $NF }'
    }
    
    # __umount_loop awk_program fstab_file first_msg retry_msg umount_args
    # awk_program should process fstab_file and return a list of fstab-encoded
    # paths; it doesn't have to handle comments in fstab_file.
    __umount_loop() {
        local remaining sig=
        local retry=3
    
        remaining=$(LC_ALL=C awk "/^#/ {next} $1" "$2" | sort -r)
        while [ -n "$remaining" -a "$retry" -gt 0 ]; do
            if [ "$retry" -eq 3 ]; then
                action "$3" fstab-decode umount $5 $remaining
            else
                action "$4" fstab-decode umount $5 $remaining
            fi
            sleep 2
            remaining=$(LC_ALL=C awk "/^#/ {next} $1" "$2" | sort -r)
            [ -z "$remaining" ] && break
            fstab-decode /sbin/fuser -k -m $sig $remaining >/dev/null
            sleep 5
            retry=$(($retry -1))
            sig=-9
        done
    }
    
    # Similar to __umount loop above, specialized for loopback devices
    __umount_loopback_loop() {
        local remaining devremaining sig=
        local retry=3
    
        remaining=$(awk '$1 ~ /^/dev/loop/ && $2 != "/" {print $2}' /proc/mounts)
        devremaining=$(awk '$1 ~ /^/dev/loop/ && $2 != "/" {print $1}' /proc/mounts)
        while [ -n "$remaining" -a "$retry" -gt 0 ]; do
            if [ "$retry" -eq 3 ]; then
                action $"Unmounting loopback filesystems: " 
                    fstab-decode umount $remaining
            else
                action $"Unmounting loopback filesystems (retry):" 
                    fstab-decode umount $remaining
            fi
            for dev in $devremaining ; do
                losetup $dev > /dev/null 2>&1 && 
                    action $"Detaching loopback device $dev: " 
                    losetup -d $dev
            done
            remaining=$(awk '$1 ~ /^/dev/loop/ && $2 != "/" {print $2}' /proc/mounts)
            devremaining=$(awk '$1 ~ /^/dev/loop/ && $2 != "/" {print $1}' /proc/mounts)
            [ -z "$remaining" ] && break
            fstab-decode /sbin/fuser -k -m $sig $remaining >/dev/null
            sleep 5
            retry=$(($retry -1))
            sig=-9
        done
    }
    
    # __proc_pids {program} [pidfile]
    # Set $pid to pids from /var/run* for {program}.  $pid should be declared
    # local in the caller.
    # Returns LSB exit code for the 'status' action.
    __pids_var_run() {
        local base=${1##*/}
        local pid_file=${2:-/var/run/$base.pid}
    
        pid=
        if [ -f "$pid_file" ] ; then
                local line p
            read line < "$pid_file"
            for p in $line ; do
                [ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p"
            done
                if [ -n "$pid" ]; then
                        return 0
                fi
            return 1 # "Program is dead and /var/run pid file exists"
        fi
        return 3 # "Program is not running"
    }
    
    # Output PIDs of matching processes, found using pidof
    __pids_pidof() {
        pidof -c -o $$ -o $PPID -o %PPID -x "$1" || 
            pidof -c -o $$ -o $PPID -o %PPID -x "${1##*/}"
    }
    
    
    # A function to start a program.
    daemon() {
        # Test syntax.
        local gotbase= force= nicelevel corelimit
        local pid base= user= nice= bg= pid_file=
        nicelevel=0
        while [ "$1" != "${1##[-+]}" ]; do
          case $1 in
            '')    echo $"$0: Usage: daemon [+/-nicelevel] {program}"
                   return 1;;
            --check)
               base=$2
               gotbase="yes"
               shift 2
               ;;
            --check=?*)
                   base=${1#--check=}
               gotbase="yes"
               shift
               ;;
            --user)
               user=$2
               shift 2
               ;;
            --user=?*)
                   user=${1#--user=}
               shift
               ;;
            --pidfile)
               pid_file=$2
               shift 2
               ;;
            --pidfile=?*)
               pid_file=${1#--pidfile=}
               shift
               ;;
            --force)
                   force="force"
               shift
               ;;
            [-+][0-9]*)
                   nice="nice -n $1"
                   shift
               ;;
            *)     echo $"$0: Usage: daemon [+/-nicelevel] {program}"
                   return 1;;
          esac
        done
    
            # Save basename.
            [ -z "$gotbase" ] && base=${1##*/}
    
            # See if it's already running. Look *only* at the pid file.
        __pids_var_run "$base" "$pid_file"
    
        [ -n "$pid" -a -z "$force" ] && return
    
        # make sure it doesn't core dump anywhere unless requested
        corelimit="ulimit -S -c ${DAEMON_COREFILE_LIMIT:-0}"
        
        # if they set NICELEVEL in /etc/sysconfig/foo, honor it
        [ -n "${NICELEVEL:-}" ] && nice="nice -n $NICELEVEL"
        
        # Echo daemon
            [ "${BOOTUP:-}" = "verbose" -a -z "${LSB:-}" ] && echo -n " $base"
    
        # And start it up.
        if [ -z "$user" ]; then
           $nice /bin/bash -c "$corelimit >/dev/null 2>&1 ; $*"
        else
           $nice runuser -s /bin/bash - $user -c "$corelimit >/dev/null 2>&1 ; $*"
        fi
        [ "$?" -eq 0 ] && success $"$base startup" || failure $"$base startup"
    }
    
    # A function to stop a program.
    killproc() {
        local RC killlevel= base pid pid_file= delay
    
        RC=0; delay=3
        # Test syntax.
        if [ "$#" -eq 0 ]; then
            echo $"Usage: killproc [-p pidfile] [ -d delay] {program} [-signal]"
            return 1
        fi
        if [ "$1" = "-p" ]; then
            pid_file=$2
            shift 2
        fi
        if [ "$1" = "-d" ]; then
            delay=$2
            shift 2
        fi
            
    
        # check for second arg to be kill level
        [ -n "${2:-}" ] && killlevel=$2
    
            # Save basename.
            base=${1##*/}
    
            # Find pid.
        __pids_var_run "$1" "$pid_file"
        if [ -z "$pid_file" -a -z "$pid" ]; then
            pid="$(__pids_pidof "$1")"
        fi
    
            # Kill it.
            if [ -n "$pid" ] ; then
                    [ "$BOOTUP" = "verbose" -a -z "${LSB:-}" ] && echo -n "$base "
            if [ -z "$killlevel" ] ; then
                   if checkpid $pid 2>&1; then
                   # TERM first, then KILL if not dead
                   kill -TERM $pid >/dev/null 2>&1
                   usleep 100000
                   if checkpid $pid && sleep 1 &&
                      checkpid $pid && sleep $delay &&
                      checkpid $pid ; then
                                    kill -KILL $pid >/dev/null 2>&1
                    usleep 100000
                   fi
                    fi
                checkpid $pid
                RC=$?
                [ "$RC" -eq 0 ] && failure $"$base shutdown" || success $"$base shutdown"
                RC=$((! $RC))
            # use specified level only
            else
                    if checkpid $pid; then
                            kill $killlevel $pid >/dev/null 2>&1
                    RC=$?
                    [ "$RC" -eq 0 ] && success $"$base $killlevel" || failure $"$base $killlevel"
                elif [ -n "${LSB:-}" ]; then
                    RC=7 # Program is not running
                fi
            fi
        else
            if [ -n "${LSB:-}" -a -n "$killlevel" ]; then
                RC=7 # Program is not running
            else
                failure $"$base shutdown"
                RC=0
            fi
        fi
    
            # Remove pid file if any.
        if [ -z "$killlevel" ]; then
                rm -f "${pid_file:-/var/run/$base.pid}"
        fi
        return $RC
    }
    
    # A function to find the pid of a program. Looks *only* at the pidfile
    pidfileofproc() {
        local pid
    
        # Test syntax.
        if [ "$#" = 0 ] ; then
            echo $"Usage: pidfileofproc {program}"
            return 1
        fi
    
        __pids_var_run "$1"
        [ -n "$pid" ] && echo $pid
        return 0
    }
    
    # A function to find the pid of a program.
    pidofproc() {
        local RC pid pid_file=
    
        # Test syntax.
        if [ "$#" = 0 ]; then
            echo $"Usage: pidofproc [-p pidfile] {program}"
            return 1
        fi
        if [ "$1" = "-p" ]; then
            pid_file=$2
            shift 2
        fi
        fail_code=3 # "Program is not running"
    
        # First try "/var/run/*.pid" files
        __pids_var_run "$1" "$pid_file"
        RC=$?
        if [ -n "$pid" ]; then
            echo $pid
            return 0
        fi
    
        [ -n "$pid_file" ] && return $RC
        __pids_pidof "$1" || return $RC
    }
    
    status() {
        local base pid pid_file=
    
        # Test syntax.
        if [ "$#" = 0 ] ; then
            echo $"Usage: status [-p pidfile] {program}"
            return 1
        fi
        if [ "$1" = "-p" ]; then
            pid_file=$2
            shift 2
        fi
        base=${1##*/}
    
        # First try "pidof"
        __pids_var_run "$1" "$pid_file"
        RC=$?
        if [ -z "$pid_file" -a -z "$pid" ]; then
            pid="$(__pids_pidof "$1")"
        fi
        if [ -n "$pid" ]; then
                echo $"${base} (pid $pid) is running..."
                return 0
        fi
    
        case "$RC" in
            0)
                echo $"${base} (pid $pid) is running..."
                return 0
                ;;
            1)
                        echo $"${base} dead but pid file exists"
                        return 1
                ;;
        esac
        # See if /var/lock/subsys/${base} exists
        if [ -f /var/lock/subsys/${base} ]; then
            echo $"${base} dead but subsys locked"
            return 2
        fi
        echo $"${base} is stopped"
        return 3
    }
    
    echo_success() {
      [ "$BOOTUP" = "color" ] && $MOVE_TO_COL
      echo -n "["
      [ "$BOOTUP" = "color" ] && $SETCOLOR_SUCCESS
      echo -n $"  OK  "
      [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
      echo -n "]"
      echo -ne "
    "
      return 0
    }
    
    echo_failure() {
      [ "$BOOTUP" = "color" ] && $MOVE_TO_COL
      echo -n "["
      [ "$BOOTUP" = "color" ] && $SETCOLOR_FAILURE
      echo -n $"FAILED"
      [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
      echo -n "]"
      echo -ne "
    "
      return 1
    }
    
    echo_passed() {
      [ "$BOOTUP" = "color" ] && $MOVE_TO_COL
      echo -n "["
      [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING
      echo -n $"PASSED"
      [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
      echo -n "]"
      echo -ne "
    "
      return 1
    }
    
    echo_warning() {
      [ "$BOOTUP" = "color" ] && $MOVE_TO_COL
      echo -n "["
      [ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING
      echo -n $"WARNING"
      [ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
      echo -n "]"
      echo -ne "
    "
      return 1
    }
    
    # Inform the graphical boot of our current state
    update_boot_stage() {
      if [ "$GRAPHICAL" = "yes" -a -x /usr/bin/rhgb-client ]; then
        /usr/bin/rhgb-client --update="$1"
      fi
      return 0
    }
    
    # Log that something succeeded
    success() {
      #if [ -z "${IN_INITLOG:-}" ]; then
      #   initlog $INITLOG_ARGS -n $0 -s "$1" -e 1
      #fi
      [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_success
      return 0
    }
    
    # Log that something failed
    failure() {
      local rc=$?
      #if [ -z "${IN_INITLOG:-}" ]; then
      #   initlog $INITLOG_ARGS -n $0 -s "$1" -e 2
      #fi
      [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_failure
      [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
      return $rc
    }
    
    # Log that something passed, but may have had errors. Useful for fsck
    passed() {
      local rc=$?
      #if [ -z "${IN_INITLOG:-}" ]; then
      #   initlog $INITLOG_ARGS -n $0 -s "$1" -e 1
      #fi
      [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_passed
      return $rc
    }  
    
    # Log a warning
    warning() {
      local rc=$?
      #if [ -z "${IN_INITLOG:-}" ]; then
      #   initlog $INITLOG_ARGS -n $0 -s "$1" -e 1
      #fi
      [ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_warning
      return $rc
    }  
    
    # Run some action. Log its output.
    action() {
      local STRING rc
    
      STRING=$1
      echo -n "$STRING "
      if [ "${RHGB_STARTED:-}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then
          echo -n "$STRING " > /etc/rhgb/temp/rhgb-console
      fi
      shift
      "$@" && success $"$STRING" || failure $"$STRING"
      rc=$?
      echo
      if [ "${RHGB_STARTED:-}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then
          if [ "$rc" = "0" ]; then
              echo_success > /etc/rhgb/temp/rhgb-console
          else
            echo_failure > /etc/rhgb/temp/rhgb-console
        [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
          fi
          echo > /etc/rhgb/temp/rhgb-console
      fi
      return $rc
    }
    
    # returns OK if $1 contains $2
    strstr() {
      [ "${1#*$2*}" = "$1" ] && return 1
      return 0
    }
    
    # Confirm whether we really want to run this service
    confirm() {
      [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
      while : ; do 
          echo -n $"Start service $1 (Y)es/(N)o/(C)ontinue? [Y] "
          read answer
          if strstr $"yY" "$answer" || [ "$answer" = "" ] ; then
             return 0
          elif strstr $"cC" "$answer" ; then
         rm -f /var/run/confirm
         [ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=no
             return 2
          elif strstr $"nN" "$answer" ; then
             return 1
          fi
      done
    }
    
    # resolve a device node to its major:minor numbers in decimal or hex
    get_numeric_dev() {
    (
        fmt="%d:%d"
        if [ "$1" == "hex" ]; then
            fmt="%x:%x"
        fi
        ls -lH "$2" | awk '{ sub(/,/, "", $5); printf("'"$fmt"'", $5, $6); }'
    ) 2>/dev/null
    }
    
    # find the working name for a running dm device with the same table as one
    # that dmraid would create
    resolve_dm_name() {
    (
        name="$1"
    
        line=$(/sbin/dmraid -ay -t --ignorelocking | 
            egrep -iv "no block devices found|No RAID disks" | 
            awk -F ':' "{ if ($1 ~ /^$name$/) { print $2; }}")
        for x in $line ; do
            if [[ "$x" =~ "^/dev/" ]] ; then
                majmin=$(get_numeric_dev dec $x)
                line=$(echo "$line" | sed -e "s,$x( |$),$majmin1,g")
            fi
        done
        line=$(echo "$line" | sed -e 's/^[ 	]*//' -e 's/[ 	]*$//' 
                   -e 's/ core [12] [[:digit:]]+ / core [12] [[:digit:]]\+ /')
        /sbin/dmsetup table | 
            sed -n -e "s/.*(no block devices found|No devices found).*//" 
                   -e "s/(^[^:]+): $line( +$|$)/1/p"
    ) 2>/dev/null
    }
    
    # Check whether file $1 is a backup or rpm-generated file and should be ignored
    is_ignored_file() {
        case "$1" in
        *~ | *.bak | *.orig | *.rpmnew | *.rpmorig | *.rpmsave)
            return 0
            ;;
        esac
        return 1
    }
    # A sed expression to filter out the files that is_ignored_file recognizes
    __sed_discard_ignored_files='/(~|.bak|.orig|.rpmnew|.rpmorig|.rpmsave)$/d'
    View Code

    /sbin/consoletype

    #!/bin/sh
    # consoletype shell version:)
    # print current console type
    # by lichmama
    
    who | awk -F"[ /]+" '{print $2}'

    /etc/sysconfig/iptables

    touch /etc/sysconfig/iptables

    创建软连接一枚:

    ln -s /usr/sbin/iptables /sbin/iptables

    加入服务组:

    chkconfig --add iptables

    添加防火墙策略:

    iptables -A INPUT -p tcp -s 192.168.5.x --dport 22 -j DROP

    启动iptables:

    service iptables start
  • 相关阅读:
    Syncfusion Essential DocIO操作word文件实用函数
    用Ubuntu破解wep无线加密
    Wubi 安装的 Ubuntu 在引导时进入grub,无法进入系统的解决办法
    Ubuntu 下挂ISO到虚拟光驱的方法
    令人失望的联通3G
    个性的国度
    也谈人脸识别
    红日
    在应用程序里识别UserAgent对应的浏览器
    缘起
  • 原文地址:https://www.cnblogs.com/lichmama/p/6925155.html
Copyright © 2020-2023  润新知