替換iptables配置檔案中某段規則
阿新 • • 發佈:2018-12-21
背景:
小夥伴基於openresty寫了一個管理iptables規則的web應用,web頁面配置的IP地址最終會儲存在伺服器本地的一個檔案中,內容示例:
[{"ip":"192.168.1.2"},{"ip":"192.168.1.3"},{"ip":"192.168.1.4"},{"ip":"192.168.1.2"},{"ip":"192.168.1.2"},{"ip":"192.168.1.2"},{"ip":"192.168.1.2"},{"ip":"192.168.1.2"}]
剩下的問題是如何把這些IP地址刷寫到/etc/sysconfig/iptables中,考慮的解決方案是設定crontab,每分鐘執行一次檢查,有新內容則重新整理規則;
於是寫了個指令碼,已經驗證OK;
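#!/bin/env python
# -*- coding: utf-8 -*-
# Author: Limuitech
# Date: 2018-11-12
# Version: 1.0
# Description: read the IP list from ipConfFile ---> build firewall rules --->
#   replace the rules between #CONF-START and #CONF-END in
#   /etc/sysconfig/iptables.
#
# Runs from root's crontab once a minute; the firewall is only touched when
# the md5 of ipConfFile differs from the one recorded by the previous run.
"""Sync the IP allow-list written by the openresty web app into iptables."""
import datetime
import hashlib
import json
import logging
import os
import shutil
import socket
import subprocess
import tempfile

backupTime = datetime.datetime.now().strftime('%Y%m%d_%T')

# ipConfFile example (JSON written by the web app; entries may repeat):
# [{"ip":"192.168.1.2"},{"ip":"192.168.1.3"},{"ip":"192.168.1.4"},{"ip":"192.168.1.2"}]
ipConfFile = '/root/ips.txt'
ipRulesFile = '/etc/sysconfig/iptables'
# md5 of the conf file that was last applied.  NOTE(review): /tmp is
# world-writable; a root-owned state directory would be a safer location.
md5StateFile = '/tmp/iptables_md5'

# The generated rules live between these two marker lines in ipRulesFile.
START_MARK = '#CONF-START'
END_MARK = '#CONF-END'


def backup_etc_sysconfig_iptables(bakDir='/yourcorp/backup/iptables',
                                  rulesFile=ipRulesFile):
    """Copy *rulesFile* to ``<bakDir>/iptables_<backupTime>``.

    *bakDir* is created with mode 0755 when it does not exist yet.

    Returns:
        The path of the backup copy.
    Raises:
        OSError/IOError when the directory cannot be created or the copy fails.
    """
    absFile = os.path.join(bakDir, 'iptables_' + backupTime)
    if not os.path.exists(bakDir):
        os.makedirs(bakDir, mode=0o755)
    shutil.copy(rulesFile, absFile)
    return absFile


def get_iplist(file):
    """Return the list of ``{"ip": ...}`` entries stored in *file*.

    The file is the JSON document written by the web app.  It is parsed with
    json.load instead of eval(): the content comes from a network-facing
    application and must never be executed as Python code (the script runs
    as root from cron).

    Raises:
        ValueError when the file is not valid JSON or not a JSON list.
        IOError/OSError when the file cannot be read.
    """
    with open(file, 'r') as ips:
        oData = json.load(ips)
    if not isinstance(oData, list):
        raise ValueError('{0}: expected a JSON list of {{"ip": ...}} objects'
                         .format(file))
    return oData


def getFileMD5(filename):
    """Return the hex md5 of *filename*'s content (the value ``md5sum`` prints).

    Uses hashlib rather than a ``md5sum | cut`` shell pipeline, so a missing
    file raises IOError/OSError instead of yielding the shell's error text as
    a bogus "checksum".
    """
    digest = hashlib.md5()
    with open(filename, 'rb') as fh:
        # Read in chunks so a large file is not loaded into memory at once.
        for chunk in iter(lambda: fh.read(65536), b''):
            digest.update(chunk)
    return digest.hexdigest()


def _valid_ipv4_source(value):
    """Return True when *value* is a dotted-quad IPv4 address, optionally ``/0``-``/32``.

    Anything else (host names, IPv6, shorthand such as "127.1", embedded
    whitespace or newlines) is rejected, so a conf-file entry can only ever
    become the ``-s`` argument of a single rule and never additional rule text.
    """
    try:
        addr, _, prefix = value.partition('/')
        socket.inet_pton(socket.AF_INET, addr)
    except (AttributeError, TypeError, ValueError, socket.error, OSError):
        return False
    if not prefix:
        return True
    return prefix.isdigit() and 0 <= int(prefix) <= 32


def build_rules(ipConfs):
    """Return the iptables text for *ipConfs*: one ``-A INPUT -s <ip> -j ACCEPT`` line each.

    Each entry must be a mapping with a valid IPv4 ``"ip"`` value (see
    _valid_ipv4_source).  Repeated addresses (the web app writes duplicates)
    produce a single rule, first occurrence wins, so the order of the conf
    file is kept.

    Raises:
        ValueError on the first entry that lacks ``"ip"`` or holds an invalid value.
    """
    rules = []
    seen = set()
    for index, entry in enumerate(ipConfs):
        try:
            ip = entry['ip']
        except (KeyError, TypeError, IndexError):
            raise ValueError('entry {0} has no "ip" field: {1!r}'
                             .format(index, entry))
        if not _valid_ipv4_source(ip):
            raise ValueError('entry {0}: {1!r} is not an IPv4 address/CIDR'
                             .format(index, ip))
        if ip not in seen:
            seen.add(ip)
            rules.append('-A INPUT -s %s -j ACCEPT\n' % ip)
    return ''.join(rules)


def _replace_file(path, content):
    """Atomically replace *path* with *content*, keeping its permission bits.

    The data is written to a temporary file in the same directory, fsync'ed
    and then renamed over *path*, so an interrupted run cannot leave a
    truncated firewall file behind.
    """
    dirName = os.path.dirname(os.path.abspath(path))
    tmp = tempfile.NamedTemporaryFile(mode='w', dir=dirName,
                                      prefix='.iptables.', delete=False)
    try:
        tmp.write(content)
        tmp.flush()
        os.fsync(tmp.fileno())
        tmp.close()
        shutil.copymode(path, tmp.name)
        os.rename(tmp.name, path)
    except Exception:
        tmp.close()
        if os.path.exists(tmp.name):
            os.remove(tmp.name)
        raise


def set_rules(ipConfs, rulesFile=ipRulesFile):
    """Rewrite the block between #CONF-START and #CONF-END in *rulesFile*.

    The text between the two markers is replaced by build_rules(ipConfs);
    the marker lines and everything outside them are preserved byte for byte.

    Raises:
        ValueError when a marker is missing (the old find()-based code
        silently corrupted the file in that case, because find() returns -1)
        or when an entry of *ipConfs* is invalid.
        IOError/OSError when *rulesFile* cannot be read or rewritten.
    """
    # Validate the input before touching the file at all.
    newRules = build_rules(ipConfs)
    with open(rulesFile, 'r') as nowConf:
        content = nowConf.read()
    startPos = content.find(START_MARK)
    if startPos < 0:
        raise ValueError('{0}: marker {1} not found'.format(rulesFile, START_MARK))
    startPos += len(START_MARK)
    # Search only after the start marker so a stray #CONF-END above it cannot
    # produce a negative slice.
    endPos = content.find(END_MARK, startPos)
    if endPos < 0:
        raise ValueError('{0}: marker {1} not found after {2}'
                         .format(rulesFile, END_MARK, START_MARK))
    content = content[:startPos] + '\n' + newRules + content[endPos:]
    _replace_file(rulesFile, content)


def main():
    """Cron entry point: apply ipConfFile to iptables when its md5 has changed."""
    logging.basicConfig(level=logging.INFO,
                        format='%(asctime)s %(levelname)s %(message)s')
    newMD5 = getFileMD5(ipConfFile)
    oldMD5 = None
    if os.path.isfile(md5StateFile):
        with open(md5StateFile, 'r') as imd:
            oldMD5 = imd.read().strip()
    if oldMD5 == newMD5:
        return
    backup_etc_sysconfig_iptables()
    try:
        set_rules(get_iplist(ipConfFile))
    except (ValueError, IOError, OSError) as err:
        # Unusable conf content: leave the firewall as it is.  The md5 is
        # still recorded below so cron does not retry (and re-backup) the
        # same broken file every minute; a fixed file has a new md5.
        logging.error('iptables not updated: %s', err)
    else:
        rc = subprocess.call(['/usr/sbin/service', 'iptables', 'reload'])
        if rc != 0:
            logging.error('service iptables reload exited with %d', rc)
        else:
            logging.info('iptables rules updated from %s', ipConfFile)
    with open(md5StateFile, 'w') as imd:
        imd.write(newMD5)


if __name__ == '__main__':
    main()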