在suse上折腾iptables
需求背景:有台服务器希望屏蔽掉某IP对它的SSH连接。
临时客串下DevOps,下面的做法可能在专业运维的同学里不太专业,还请指教。
该服务器的操作系统是SuSE Linux,服务器上是安装了iptables,但是没有启用,也没用加入服务组。
所以我手动把它加入了系统服务中,并创建了一些必要文件:
/etc/init.d/iptables
#!/bin/sh
#
# iptables Start iptables firewall
#
# chkconfig:
# description: Starts, stops and saves iptables firewall
#
# config: /etc/sysconfig/iptables
# config: /etc/sysconfig/iptables-config
#
### BEGIN INIT INFO
# Provides: iptables
# Required-Start:
# Required-Stop:
# Default-Start:
# Default-Stop:
# Short-Description: start and stop iptables firewall
# Description: Start, stop and save iptables firewall
### END INIT INFO # Source function library.
. /etc/init.d/functions IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config
IPV=${IPTABLES%tables} # ip for ipv4 | ip6 for ipv6
[ "$IPV" = "ip" ] && _IPV="ipv4" || _IPV="ipv6"
PROC_IPTABLES_NAMES=/proc/net/${IPV}_tables_names
VAR_SUBSYS_IPTABLES=/var/lock/subsys/$IPTABLES # only usable for root
[ $EUID = ] || exit if [ ! -x /sbin/$IPTABLES ]; then
echo -n $"${IPTABLES}: /sbin/$IPTABLES does not exist."; warning; echo
exit
fi # Old or new modutils
/sbin/modprobe --version >& | grep -q module-init-tools \
&& NEW_MODUTILS= \
|| NEW_MODUTILS= # Default firewall configuration:
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"
IPTABLES_SAVE_COUNTER="no"
IPTABLES_STATUS_NUMERIC="yes"
IPTABLES_STATUS_VERBOSE="no"
IPTABLES_STATUS_LINENUMBERS="yes"
IPTABLES_SYSCTL_LOAD_LIST="" # Load firewall configuration.
[ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG" # Netfilter modules
NF_MODULES=($(lsmod | awk "/^${IPV}table_/ {print \$1}") ${IPV}_tables)
NF_MODULES_COMMON=(x_tables nf_nat nf_conntrack) # Used by netfilter v4 and v6 # Get active tables
NF_TABLES=$(cat "$PROC_IPTABLES_NAMES" >/dev/null) rmmod_r() {
# Unload module with all referring modules.
# At first all referring modules will be unloaded, then the module itself.
local mod=$
local ret=
local ref= # Get referring modules.
# New modutils have another output format.
[ $NEW_MODUTILS = ] \
&& ref=$(lsmod | awk "/^${mod}/ { print \$4; }" | tr ',' ' ') \
|| ref=$(lsmod | grep ^${mod} | cut -d "[" -s -f | cut -d "]" -s -f ) # recursive call for all referring modules
for i in $ref; do
rmmod_r $i
let ret+=$?;
done # Unload module.
# The extra test is for 2.6: The module might have autocleaned,
# after all referring modules are unloaded.
if grep -q "^${mod}" /proc/modules ; then
modprobe -r $mod > /dev/null >&
res=$?
[ $res -eq ] || echo -n " $mod"
let ret+=$res;
fi return $ret
} flush_n_delete() {
# Flush firewall rules and delete chains.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return # Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return echo -n $"${IPTABLES}: Flushing firewall rules: "
ret=
# For all tables
for i in $NF_TABLES; do
# Flush firewall rules.
$IPTABLES -t $i -F;
let ret+=$?; # Delete firewall chains.
$IPTABLES -t $i -X;
let ret+=$?; # Set counter to zero.
$IPTABLES -t $i -Z;
let ret+=$?;
done [ $ret -eq ] && success || failure
echo
return $ret
} set_policy() {
# Set policy for configured tables.
policy=$ # Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return # Check if firewall is configured (has tables)
tables=$(cat "$PROC_IPTABLES_NAMES" >/dev/null)
[ -z "$tables" ] && return echo -n $"${IPTABLES}: Setting chains to policy $policy: "
ret=
for i in $tables; do
echo -n "$i "
case "$i" in
raw)
$IPTABLES -t raw -P PREROUTING $policy \
&& $IPTABLES -t raw -P OUTPUT $policy \
|| let ret+=
;;
filter)
$IPTABLES -t filter -P INPUT $policy \
&& $IPTABLES -t filter -P OUTPUT $policy \
&& $IPTABLES -t filter -P FORWARD $policy \
|| let ret+=
;;
nat)
$IPTABLES -t nat -P PREROUTING $policy \
&& $IPTABLES -t nat -P POSTROUTING $policy \
&& $IPTABLES -t nat -P OUTPUT $policy \
|| let ret+=
;;
mangle)
$IPTABLES -t mangle -P PREROUTING $policy \
&& $IPTABLES -t mangle -P POSTROUTING $policy \
&& $IPTABLES -t mangle -P INPUT $policy \
&& $IPTABLES -t mangle -P OUTPUT $policy \
&& $IPTABLES -t mangle -P FORWARD $policy \
|| let ret+=
;;
*)
let ret+=
;;
esac
done [ $ret -eq ] && success || failure
echo
return $ret
} load_sysctl() {
# load matched sysctl values
if [ -n "$IPTABLES_SYSCTL_LOAD_LIST" ]; then
echo -n $"Loading sysctl settings: "
ret=
for item in $IPTABLES_SYSCTL_LOAD_LIST; do
fgrep $item /etc/sysctl.conf | sysctl -p - >/dev/null
let ret+=$?;
done
[ $ret -eq ] && success || failure
echo
fi
return $ret
} start() {
# Do not start if there is no config file.
[ ! -f "$IPTABLES_DATA" ] && return # check if ipv6 module load is deactivated
if [ "${_IPV}" = "ipv6" ] \
&& grep -qIsE "^install[[:space:]]+${_IPV}[[:space:]]+/bin/(true|false)" /etc/modprobe.conf /etc/modprobe.d/* ; then
echo $"${IPTABLES}: ${_IPV} is disabled."
return 150
fi echo -n $"${IPTABLES}: Applying firewall rules: " OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" $IPTABLES-restore $OPT $IPTABLES_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo;
if [ -f "$IPTABLES_FALLBACK_DATA" ]; then
echo -n $"${IPTABLES}: Applying firewall fallback rules: "
$IPTABLES-restore $OPT $IPTABLES_FALLBACK_DATA
if [ $? -eq 0 ]; then
success; echo
else
failure; echo; return 1
fi
else
return 1
fi
fi # Load additional modules (helpers)
if [ -n "$IPTABLES_MODULES" ]; then
echo -n $"${IPTABLES}: Loading additional modules: "
ret=0
for mod in $IPTABLES_MODULES; do
echo -n "$mod "
modprobe $mod > /dev/null 2>&1
let ret+=$?;
done
[ $ret -eq 0 ] && success || failure
echo
fi # Load sysctl settings
load_sysctl touch $VAR_SUBSYS_IPTABLES
return $ret
} stop() {
# Do not stop if iptables module is not loaded.
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 flush_n_delete
set_policy ACCEPT if [ "x$IPTABLES_MODULES_UNLOAD" = "xyes" ]; then
echo -n $"${IPTABLES}: Unloading modules: "
ret=0
for mod in ${NF_MODULES[*]}; do
rmmod_r $mod
let ret+=$?;
done
# try to unload remaining netfilter modules used by ipv4 and ipv6
# netfilter
for mod in ${NF_MODULES_COMMON[*]}; do
rmmod_r $mod >/dev/null
done
[ $ret -eq 0 ] && success || failure
echo
fi rm -f $VAR_SUBSYS_IPTABLES
return $ret
} save() {
# Check if iptable module is loaded
[ ! -e "$PROC_IPTABLES_NAMES" ] && return 0 # Check if firewall is configured (has tables)
[ -z "$NF_TABLES" ] && return 6 echo -n $"${IPTABLES}: Saving firewall rules to $IPTABLES_DATA: " OPT=
[ "x$IPTABLES_SAVE_COUNTER" = "xyes" ] && OPT="-c" ret=0
TMP_FILE=$(/bin/mktemp -q $IPTABLES_DATA.XXXXXX) \
&& chmod 600 "$TMP_FILE" \
&& $IPTABLES-save $OPT > $TMP_FILE 2>/dev/null \
&& size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
|| ret=1
if [ $ret -eq 0 ]; then
if [ -e $IPTABLES_DATA ]; then
cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
&& chmod 600 $IPTABLES_DATA.save \
&& restorecon $IPTABLES_DATA.save \
|| ret=1
fi
if [ $ret -eq 0 ]; then
mv -f $TMP_FILE $IPTABLES_DATA \
&& chmod 600 $IPTABLES_DATA \
&& restorecon $IPTABLES_DATA \
|| ret=1
fi
fi
rm -f $TMP_FILE
[ $ret -eq 0 ] && success || failure
echo
return $ret
} status() {
if [ ! -f "$VAR_SUBSYS_IPTABLES" -a -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not running."
return 3
fi # Do not print status if lockfile is missing and iptables modules are not
# loaded.
# Check if iptable modules are loaded
if [ ! -e "$PROC_IPTABLES_NAMES" ]; then
echo $"${IPTABLES}: Firewall modules are not loaded."
return 3
fi # Check if firewall is configured (has tables)
if [ -z "$NF_TABLES" ]; then
echo $"${IPTABLES}: Firewall is not configured. "
return 3
fi NUM=
[ "x$IPTABLES_STATUS_NUMERIC" = "xyes" ] && NUM="-n"
VERBOSE=
[ "x$IPTABLES_STATUS_VERBOSE" = "xyes" ] && VERBOSE="--verbose"
COUNT=
[ "x$IPTABLES_STATUS_LINENUMBERS" = "xyes" ] && COUNT="--line-numbers" for table in $NF_TABLES; do
echo $"Table: $table"
$IPTABLES -t $table --list $NUM $VERBOSE $COUNT && echo
done return 0
} restart() {
[ "x$IPTABLES_SAVE_ON_RESTART" = "xyes" ] && save
stop
start
} case "$1" in
start)
[ -f "$VAR_SUBSYS_IPTABLES" ] && exit 0
start
RETVAL=$?
;;
stop)
[ "x$IPTABLES_SAVE_ON_STOP" = "xyes" ] && save
stop
RETVAL=$?
;;
restart|force-reload)
restart
RETVAL=$?
;;
reload)
# unimplemented
RETVAL=3
;;
condrestart|try-restart)
[ ! -e "$VAR_SUBSYS_IPTABLES" ] && exit 0
restart
RETVAL=$?
;;
status)
status
RETVAL=$?
;;
panic)
flush_n_delete
set_policy DROP
RETVAL=$?
;;
save)
save
RETVAL=$?
;;
*)
echo $"Usage: ${IPTABLES} {start|stop|restart|condrestart|status|panic|save}"
RETVAL=2
;;
esac exit $RETVAL
/etc/init.d/functions
# -*-Shell-script-*-
#
# functions This file contains functions to be used by most or all
# shell scripts in the /etc/init.d directory.
# TEXTDOMAIN=initscripts # Make sure umask is sane
umask # Set up a default search path.
PATH="/sbin:/usr/sbin:/bin:/usr/bin"
export PATH # Get a sane screen width
[ -z "${COLUMNS:-}" ] && COLUMNS= [ -z "${CONSOLETYPE:-}" ] && CONSOLETYPE="`/sbin/consoletype`" if [ -f /etc/sysconfig/i18n -a -z "${NOLOCALE:-}" ] ; then
. /etc/profile.d/lang.sh
fi # Read in our configuration
if [ -z "${BOOTUP:-}" ]; then
if [ -f /etc/sysconfig/init ]; then
. /etc/sysconfig/init
else
# This all seem confusing? Look in /etc/sysconfig/init,
# or in /usr/doc/initscripts-*/sysconfig.txt
BOOTUP=color
RES_COL=
MOVE_TO_COL="echo -en \\033[${RES_COL}G"
SETCOLOR_SUCCESS="echo -en \\033[1;32m"
SETCOLOR_FAILURE="echo -en \\033[1;31m"
SETCOLOR_WARNING="echo -en \\033[1;33m"
SETCOLOR_NORMAL="echo -en \\033[0;39m"
LOGLEVEL=
fi
if [ "$CONSOLETYPE" = "serial" ]; then
BOOTUP=serial
MOVE_TO_COL=
SETCOLOR_SUCCESS=
SETCOLOR_FAILURE=
SETCOLOR_WARNING=
SETCOLOR_NORMAL=
fi
fi if [ "${BOOTUP:-}" != "verbose" ]; then
INITLOG_ARGS="-q"
else
INITLOG_ARGS=
fi # Interpret escape sequences in an fstab entry
fstab_decode_str() {
fstab-decode echo "$1"
} # Check if $pid (could be plural) are running
checkpid() {
local i for i in $* ; do
[ -d "/proc/$i" ] && return
done
return
} __readlink() {
ls -bl "$@" >/dev/null| awk '{ print $NF }'
} # __umount_loop awk_program fstab_file first_msg retry_msg umount_args
# awk_program should process fstab_file and return a list of fstab-encoded
# paths; it doesn't have to handle comments in fstab_file.
__umount_loop() {
local remaining sig=
local retry= remaining=$(LC_ALL=C awk "/^#/ {next} $1" "$2" | sort -r)
while [ -n "$remaining" -a "$retry" -gt ]; do
if [ "$retry" -eq ]; then
action "$3" fstab-decode umount $ $remaining
else
action "$4" fstab-decode umount $ $remaining
fi
sleep
remaining=$(LC_ALL=C awk "/^#/ {next} $1" "$2" | sort -r)
[ -z "$remaining" ] && break
fstab-decode /sbin/fuser -k -m $sig $remaining >/dev/null
sleep
retry=$(($retry -))
sig=-
done
} # Similar to __umount loop above, specialized for loopback devices
__umount_loopback_loop() {
local remaining devremaining sig=
local retry= remaining=$(awk '$1 ~ /^\/dev\/loop/ && $2 != "/" {print $2}' /proc/mounts)
devremaining=$(awk '$1 ~ /^\/dev\/loop/ && $2 != "/" {print $1}' /proc/mounts)
while [ -n "$remaining" -a "$retry" -gt ]; do
if [ "$retry" -eq ]; then
action $"Unmounting loopback filesystems: " \
fstab-decode umount $remaining
else
action $"Unmounting loopback filesystems (retry):" \
fstab-decode umount $remaining
fi
for dev in $devremaining ; do
losetup $dev > /dev/null >& && \
action $"Detaching loopback device $dev: " \
losetup -d $dev
done
remaining=$(awk '$1 ~ /^\/dev\/loop/ && $2 != "/" {print $2}' /proc/mounts)
devremaining=$(awk '$1 ~ /^\/dev\/loop/ && $2 != "/" {print $1}' /proc/mounts)
[ -z "$remaining" ] && break
fstab-decode /sbin/fuser -k -m $sig $remaining >/dev/null
sleep
retry=$(($retry -))
sig=-
done
} # __proc_pids {program} [pidfile]
# Set $pid to pids from /var/run* for {program}. $pid should be declared
# local in the caller.
# Returns LSB exit code for the 'status' action.
__pids_var_run() {
local base=${##*/}
local pid_file=${:-/var/run/$base.pid} pid=
if [ -f "$pid_file" ] ; then
local line p
read line < "$pid_file"
for p in $line ; do
[ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p"
done
if [ -n "$pid" ]; then
return
fi
return # "Program is dead and /var/run pid file exists"
fi
return # "Program is not running"
} # Output PIDs of matching processes, found using pidof
__pids_pidof() {
pidof -c -o $$ -o $PPID -o %PPID -x "$1" || \
pidof -c -o $$ -o $PPID -o %PPID -x "${1##*/}"
} # A function to start a program.
daemon() {
# Test syntax.
local gotbase= force= nicelevel corelimit
local pid base= user= nice= bg= pid_file=
nicelevel=
while [ "$1" != "${1##[-+]}" ]; do
case $ in
'') echo $"$0: Usage: daemon [+/-nicelevel] {program}"
return ;;
--check)
base=$
gotbase="yes"
shift
;;
--check=?*)
base=${#--check=}
gotbase="yes"
shift
;;
--user)
user=$
shift
;;
--user=?*)
user=${#--user=}
shift
;;
--pidfile)
pid_file=$
shift
;;
--pidfile=?*)
pid_file=${#--pidfile=}
shift
;;
--force)
force="force"
shift
;;
[-+][-]*)
nice="nice -n $1"
shift
;;
*) echo $"$0: Usage: daemon [+/-nicelevel] {program}"
return ;;
esac
done # Save basename.
[ -z "$gotbase" ] && base=${##*/} # See if it's already running. Look *only* at the pid file.
__pids_var_run "$base" "$pid_file" [ -n "$pid" -a -z "$force" ] && return # make sure it doesn't core dump anywhere unless requested
corelimit="ulimit -S -c ${DAEMON_COREFILE_LIMIT:-0}" # if they set NICELEVEL in /etc/sysconfig/foo, honor it
[ -n "${NICELEVEL:-}" ] && nice="nice -n $NICELEVEL" # Echo daemon
[ "${BOOTUP:-}" = "verbose" -a -z "${LSB:-}" ] && echo -n " $base" # And start it up.
if [ -z "$user" ]; then
$nice /bin/bash -c "$corelimit >/dev/null 2>&1 ; $*"
else
$nice runuser -s /bin/bash - $user -c "$corelimit >/dev/null 2>&1 ; $*"
fi
[ "$?" -eq ] && success $"$base startup" || failure $"$base startup"
} # A function to stop a program.
killproc() {
local RC killlevel= base pid pid_file= delay RC=; delay=
# Test syntax.
if [ "$#" -eq ]; then
echo $"Usage: killproc [-p pidfile] [ -d delay] {program} [-signal]"
return
fi
if [ "$1" = "-p" ]; then
pid_file=$
shift
fi
if [ "$1" = "-d" ]; then
delay=$
shift
fi # check for second arg to be kill level
[ -n "${2:-}" ] && killlevel=$ # Save basename.
base=${##*/} # Find pid.
__pids_var_run "$1" "$pid_file"
if [ -z "$pid_file" -a -z "$pid" ]; then
pid="$(__pids_pidof "$")"
fi # Kill it.
if [ -n "$pid" ] ; then
[ "$BOOTUP" = "verbose" -a -z "${LSB:-}" ] && echo -n "$base "
if [ -z "$killlevel" ] ; then
if checkpid $pid >&; then
# TERM first, then KILL if not dead
kill -TERM $pid >/dev/null >&
usleep
if checkpid $pid && sleep &&
checkpid $pid && sleep $delay &&
checkpid $pid ; then
kill -KILL $pid >/dev/null >&
usleep
fi
fi
checkpid $pid
RC=$?
[ "$RC" -eq ] && failure $"$base shutdown" || success $"$base shutdown"
RC=$((! $RC))
# use specified level only
else
if checkpid $pid; then
kill $killlevel $pid >/dev/null >&
RC=$?
[ "$RC" -eq ] && success $"$base $killlevel" || failure $"$base $killlevel"
elif [ -n "${LSB:-}" ]; then
RC= # Program is not running
fi
fi
else
if [ -n "${LSB:-}" -a -n "$killlevel" ]; then
RC= # Program is not running
else
failure $"$base shutdown"
RC=
fi
fi # Remove pid file if any.
if [ -z "$killlevel" ]; then
rm -f "${pid_file:-/var/run/$base.pid}"
fi
return $RC
} # A function to find the pid of a program. Looks *only* at the pidfile
pidfileofproc() {
local pid # Test syntax.
if [ "$#" = ] ; then
echo $"Usage: pidfileofproc {program}"
return
fi __pids_var_run "$1"
[ -n "$pid" ] && echo $pid
return
} # A function to find the pid of a program.
pidofproc() {
local RC pid pid_file= # Test syntax.
if [ "$#" = ]; then
echo $"Usage: pidofproc [-p pidfile] {program}"
return
fi
if [ "$1" = "-p" ]; then
pid_file=$
shift
fi
fail_code= # "Program is not running" # First try "/var/run/*.pid" files
__pids_var_run "$1" "$pid_file"
RC=$?
if [ -n "$pid" ]; then
echo $pid
return
fi [ -n "$pid_file" ] && return $RC
__pids_pidof "$1" || return $RC
} status() {
local base pid pid_file= # Test syntax.
if [ "$#" = ] ; then
echo $"Usage: status [-p pidfile] {program}"
return
fi
if [ "$1" = "-p" ]; then
pid_file=$
shift
fi
base=${##*/} # First try "pidof"
__pids_var_run "$1" "$pid_file"
RC=$?
if [ -z "$pid_file" -a -z "$pid" ]; then
pid="$(__pids_pidof "$")"
fi
if [ -n "$pid" ]; then
echo $"${base} (pid $pid) is running..."
return
fi case "$RC" in
)
echo $"${base} (pid $pid) is running..."
return
;;
)
echo $"${base} dead but pid file exists"
return
;;
esac
# See if /var/lock/subsys/${base} exists
if [ -f /var/lock/subsys/${base} ]; then
echo $"${base} dead but subsys locked"
return
fi
echo $"${base} is stopped"
return
} echo_success() {
[ "$BOOTUP" = "color" ] && $MOVE_TO_COL
echo -n "["
[ "$BOOTUP" = "color" ] && $SETCOLOR_SUCCESS
echo -n $" OK "
[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
echo -n "]"
echo -ne "\r"
return
} echo_failure() {
[ "$BOOTUP" = "color" ] && $MOVE_TO_COL
echo -n "["
[ "$BOOTUP" = "color" ] && $SETCOLOR_FAILURE
echo -n $"FAILED"
[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
echo -n "]"
echo -ne "\r"
return
} echo_passed() {
[ "$BOOTUP" = "color" ] && $MOVE_TO_COL
echo -n "["
[ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING
echo -n $"PASSED"
[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
echo -n "]"
echo -ne "\r"
return
} echo_warning() {
[ "$BOOTUP" = "color" ] && $MOVE_TO_COL
echo -n "["
[ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING
echo -n $"WARNING"
[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL
echo -n "]"
echo -ne "\r"
return
} # Inform the graphical boot of our current state
update_boot_stage() {
if [ "$GRAPHICAL" = "yes" -a -x /usr/bin/rhgb-client ]; then
/usr/bin/rhgb-client --update="$1"
fi
return
} # Log that something succeeded
success() {
#if [ -z "${IN_INITLOG:-}" ]; then
# initlog $INITLOG_ARGS -n $ -s "$1" -e
#fi
[ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_success
return
} # Log that something failed
failure() {
local rc=$?
#if [ -z "${IN_INITLOG:-}" ]; then
# initlog $INITLOG_ARGS -n $ -s "$1" -e
#fi
[ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_failure
[ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
return $rc
} # Log that something passed, but may have had errors. Useful for fsck
passed() {
local rc=$?
#if [ -z "${IN_INITLOG:-}" ]; then
# initlog $INITLOG_ARGS -n $ -s "$1" -e
#fi
[ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_passed
return $rc
} # Log a warning
warning() {
local rc=$?
#if [ -z "${IN_INITLOG:-}" ]; then
# initlog $INITLOG_ARGS -n $ -s "$1" -e
#fi
[ "$BOOTUP" != "verbose" -a -z "${LSB:-}" ] && echo_warning
return $rc
} # Run some action. Log its output.
action() {
local STRING rc STRING=$
echo -n "$STRING "
if [ "${RHGB_STARTED:-}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then
echo -n "$STRING " > /etc/rhgb/temp/rhgb-console
fi
shift
"$@" && success $"$STRING" || failure $"$STRING"
rc=$?
echo
if [ "${RHGB_STARTED:-}" != "" -a -w /etc/rhgb/temp/rhgb-console ]; then
if [ "$rc" = "" ]; then
echo_success > /etc/rhgb/temp/rhgb-console
else
echo_failure > /etc/rhgb/temp/rhgb-console
[ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
fi
echo > /etc/rhgb/temp/rhgb-console
fi
return $rc
} # returns OK if $ contains $
strstr() {
[ "${1#*$2*}" = "$1" ] && return
return
} # Confirm whether we really want to run this service
confirm() {
[ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=yes
while : ; do
echo -n $"Start service $1 (Y)es/(N)o/(C)ontinue? [Y] "
read answer
if strstr $"yY" "$answer" || [ "$answer" = "" ] ; then
return
elif strstr $"cC" "$answer" ; then
rm -f /var/run/confirm
[ -x /usr/bin/rhgb-client ] && /usr/bin/rhgb-client --details=no
return
elif strstr $"nN" "$answer" ; then
return
fi
done
} # resolve a device node to its major:minor numbers in decimal or hex
get_numeric_dev() {
(
fmt="%d:%d"
if [ "$1" == "hex" ]; then
fmt="%x:%x"
fi
ls -lH "$2" | awk '{ sub(/,/, "", $5); printf("'"$fmt"'", $5, $6); }'
) >/dev/null
} # find the working name for a running dm device with the same table as one
# that dmraid would create
resolve_dm_name() {
(
name="$1" line=$(/sbin/dmraid -ay -t --ignorelocking | \
egrep -iv "no block devices found|No RAID disks" | \
awk -F ':' "{ if (\$1 ~ /^$name$/) { print \$2; }}")
for x in $line ; do
if [[ "$x" =~ "^/dev/" ]] ; then
majmin=$(get_numeric_dev dec $x)
line=$(echo "$line" | sed -e "s,$x\( \|$\),$majmin\1,g")
fi
done
line=$(echo "$line" | sed -e 's/^[ \t]*//' -e 's/[ \t]*$//' \
-e 's/ core [12] [[:digit:]]\+ / core [12] [[:digit:]]\\+ /')
/sbin/dmsetup table | \
sed -n -e "s/.*\(no block devices found\|No devices found\).*//" \
-e "s/\(^[^:]\+\): $line\( \+$\|$\)/\1/p"
) >/dev/null
} # Check whether file $ is a backup or rpm-generated file and should be ignored
is_ignored_file() {
case "$1" in
*~ | *.bak | *.orig | *.rpmnew | *.rpmorig | *.rpmsave)
return
;;
esac
return
}
# A sed expression to filter out the files that is_ignored_file recognizes
__sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
/sbin/consoletype
#!/bin/sh
# consoletype shell version:)
# print current console type
# by lichmama who | awk -F"[ /]+" '{print $2}'
/etc/sysconfig/iptables
touch /etc/sysconfig/iptables
创建软连接一枚:
ln -s /usr/sbin/iptables /sbin/iptables
加入服务组:
chkconfig --add iptables
添加防火墙策略:
iptables -A INPUT -p tcp -s 192.168..x --dport -j DROP
启动iptables:
service iptables start
在suse上折腾iptables的更多相关文章
- 服务器上的iptables
服务器上的iptables 防火墙设置脚本规则 完整脚本如下: 复制代码代码示例: #!/bin/bash# by www.jbxue.comiptab="/sbin/iptables&qu ...
- 在mac本上折腾android 开发环境
众所周知的原因,google的很多网站在国内无法访问,苦逼了一堆天朝程序员,下是在mac本上折腾android 开发环境的过程: 一.先下载android sdk for mac 给二个靠谱的网址: ...
- centos7上安装iptables
centos7上安装iptables的步骤 注意:CentOS7默认的防火墙不是iptables,而是firewalle. 安装iptable iptable-service #安装iptables ...
- 记录一些在VPS上折腾的东西
折腾这些东西,总是要经常借助搜索引擎找答案,找的次数多了,也就烦了,不想总是做重复工作. 所以把做过的一些事情记录一下,加深一下印象. 1.安装python2.7 VPS上面的太老了,之前安装的,过程 ...
- 阿里云服务器上使用iptables设置安全策略
转自:http://www.netingcn.com/aliyun-iptables.html 公司的产品一直运行在云服务器上,从而有幸接触过aws的ec2,盛大的云服务器,最近准备有使用阿里云的弹性 ...
- Linux 上关于iptables
有几个命令: 1.service iptables staus 2.service iptables start 3.service iptables restart 有个配置文件/ec ...
- Centos6.5上的iptables
1.Centos6.5默认开启了iptables 当Centos6.5上安装了MySQL后,在远程连接它,如果出现10060的错误,说明iptables在起作用. 关闭iptables即可,sudo ...
- vmware + opensuse windows如何远程登录到suse上
vmware我还是比较偏向7.1.4版本,其他版本装在win7上似乎有点问题.windows平台下,使用vmware + opensuse的网络配置过程如下: 1. 装完vm后,会在本地连接 ...
- 阿里云CentOS6上配置iptables
参考:http://blog.abv.cn/?p=50 阿里云CentOS6默认没有启动iptables 1.检查iptables状态 [root@iZ94jj63a3sZ ~]# service i ...
随机推荐
- chrome的断点调试
DOM节点变化时触发断点具体触发条件可分3种情况:子节点有变化.节点的属性发生变化或这个节点被删除.可以快速找到对应的事件处理函数. 条件断点 写一个表达式,表达式为 true 时才触发该断点. 在D ...
- 开源网络操作系统--VyOS
User Guide Jump to: navigation, search Contents 1 Introduction 2 Installation 3 Using the Command-Li ...
- 用c++实现高精度加法
c++实习高精度加法 最近遇到一个c++实现高精度加法的问题,高精度问题往往十复杂但发现其中的规律后发现并没有那么复杂,这里我实现了一个整数的高精度加法,主要需要注意以下几点: 1:将所需输入的数据以 ...
- WebLogic 安装
首先 需要下载好Weblogic 官网:http://www.oracle.com/technetwork/middleware/weblogic/downloads/wls-main-097127. ...
- 写给Android App开发人员看的Android底层知识(8)
(十)PMS及App安装过程 PMS,全称PackageManagerService,是用来获取Apk包的信息的. 在前面分析四大组件与AMS通信的时候,我们介绍过,AMS总是会使用PMS加载包的信息 ...
- int 与 int *
#include <iostream>using namespace std;int QKPass(int* , int , int); //若声明为 int QKPass(int, i ...
- 读Zepto源码之样式操作
这篇依然是跟 dom 相关的方法,侧重点是操作样式的方法. 读Zepto源码系列文章已经放到了github上,欢迎star: reading-zepto 源码版本 本文阅读的源码为 zepto1.2. ...
- 音视频编解码问题:javaCV如何快速进行音频预处理和解复用编解码(基于javaCV-FFMPEG)
前言: 前面我用了很多章实现了javaCV的基本操作,包括:音视频捕捉(摄像头视频捕捉和话筒音频捕捉),推流(本地音视频或者摄像头话筒混合推流到服务器),转流(rtsp->rtmp),收流(录制 ...
- qt编译的基于xlib cairo的桌面程序
在*.pro中添加以下代码: INCLUDEPATH += /usr/include/cairo LIBS += -lX11 -lcairo 在ubuntu16下编译通过
- C# 通过Bartender模板打印条码,二维码, 文字, 及操作RFID标签等。
1.在之前写的一篇文章中, 有讲到如何利用ZPL命令去操作打印里, 后面发现通过模板的方式会更加方便快捷, 既不用去掌握ZPL的实现细节, 就可以轻松的调用实现打印的功能. 解决方案: 1.网络下载 ...