📄 portblock.in
字号:
#!/bin/sh## portblock: iptables temporary portblocking control #CMD=`basename $0`usage(){ cat <<-!USAGE >&2 usage: $CMD {udp|tcp} portno,portno {block|unblock} {start|stop|status} $CMD is used to temporarily block ports using iptables. It can be used to turn off a port before bringing up an IP address, and enable it after a service is started. To do that for samba, the following resource line can be used: $CMD::tcp::137,138::block \\ 10.10.10.20 \\ nmbd smbd \\ $CMD::tcp::137,138::unblock This will do the follwing things: - DROP all incoming packets for TCP ports 137 and 138 - Bring up the IP alias 10.10.10.20 - start the nmbd and smbd services - Re-enable TCP ports 137 and 138 (enable normal firewall rules on those ports) This prevents clients from getting ICMP port unreachable if they try to reconnect to the service after the alias is enabled but before nmbd and smbd are running. These packets will cause some clients to give up attempting to reconnect to the server. NOTE: iptables is linux-specific... !USAGE exit 1}## Because this is the normal usage, we consider "block"# resources to be pseudo-resources -- that is, their status can't# be reliably determined through external means.# This is because we expect an "unblock" resource to come along# and disable us -- but we're still in some sense active...## So, we track the state here using the pseudo_resource() function.## The psuedo_resource function should be moved into the functions# available to resources so other resource scripts could use it...##VARLIB=@localstatedir@/lib/@HB_PKG@/rsctmpprefix=@prefix@exec_prefix=@exec_prefix@. @sysconfdir@/ha.d/shellfuncsRSCNAME=${CMD}_${1}_${2}_${3}# pseudo_resource filename operationpseudo_resource(){ file="$VARLIB/$1" case $2 in start|restart|reload) touch "$file";; stop) rm -f $file;; status) test -f "$file";; *) exit 3;; esac}iptables=@IPTABLES@BlockOrUnblock=block#iptables_spec {udp|tcp} portno,portnoiptables_spec(){ echo -D INPUT -p $1 -i ! lo -m multiport --dports $2 -j DROP}#active_grep_pat {udp|tcp} portno,portnoactive_grep_pat(){ w="[ ][ ]*" any="0\\.0\\.0\\.0/0" echo " DROP${w}${1}${w}--${w}!lo${w}\*${w}${any}${w}${any}${w}multiport${w}dports${w}${2} "}#chain_isactive {udp|tcp} portno,portnochain_isactive(){ PAT=`active_grep_pat "$1" "$2"` $iptables -v -n -L INPUT | grep "$PAT" >/dev/null}SayActive(){ echo "$CMD DROP rule for INPUT chain [$*] is running (OK)" return 0}SayConsideredActive(){ echo "$CMD DROP rule for INPUT chain [$*] considered to be running (OK)" return 0}SayInactive(){ echo "$CMD DROP rule for INPUT chain [$*] is inactive" return 1}#IptablesStatus {udp|tcp} portno,portno {block|unblock}IptablesStatus(){ activewords="$CMD $1 $2 is running (OK)" if chain_isactive "$1" "$2" then case $3 in block) SayActive $*; return $?;; *) SayInactive $*; return $?;; esac else case $3 in block) if pseudo_resource "$RSCNAME" status then SayConsideredActive $*; return $? else SayInactive $*; return $? fi;; *) SayActive $*; return $?;; esac fi }#IptablesBLOCK {udp|tcp} portno,portnoIptablesBLOCK(){ if chain_isactive "$1" "$2" then : OK -- chain already active else $iptables -I INPUT -p "$1" -i ! lo -m multiport --dports "$2" -j DROP fi}#IptablesUNBLOCK {udp|tcp} portno,portnoIptablesUNBLOCK(){ if chain_isactive "$1" "$2" then $iptables -D INPUT -p "$1" -i ! lo -m multiport --dports "$2" -j DROP else : Chain Not active fi}#IptablesStart {udp|tcp} portno,portno {block|unblock}IptablesStart(){ pseudo_resource "$RSCNAME" start case $3 in block) IptablesBLOCK "$@";; unblock) IptablesUNBLOCK "$@";; *) usage; esac}#IptablesStop {udp|tcp} portno,portno {block|unblock}IptablesStop(){ pseudo_resource "$RSCNAME" stop case $3 in block) IptablesUNBLOCK "$@";; unblock) IptablesBLOCK "$@";; *) usage;; esac}case $4 in start) IptablesStart "$@";; stop) IptablesStop "$@";; status) IptablesStatus "$1" "$2" "$3";; *) usage;;esac⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -