通过防火墙iptables做隔离端口的脚本
vi iptables_fix.sh
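#!/bin/bash
# Isolate a set of TCP/UDP ports with iptables: only the hosts listed in
# /etc/hosts (the cluster) plus an explicit external whitelist may reach
# them; traffic from every other source to those ports is dropped.
#
# Usage: edit `business` and `block_ports` below, then run as root.
#
# Caveats a practitioner should keep in mind:
#   * IPv4 only. iptables never touches IPv6; if the host has a global
#     IPv6 address the "isolated" ports stay reachable over v6 unless the
#     same rules are also installed with ip6tables.
#   * The whitelist is source-IP based. On a private network that is a
#     reasonable boundary, but it is not authentication; spoofing a UDP
#     source address in particular is cheap.
#   * The rules live only in the running kernel. Persist them with the
#     distro's mechanism (iptables-persistent, iptables-services, ...) or
#     they are gone after a reboot.
#   * With 22 in `block_ports`, an admin address missing from the whitelist
#     locks you out of SSH. Keep a second session open while testing.
set -euo pipefail

readonly CHAIN="BIGDATA_BLOCK_PORTS"
readonly BACKUP_DIR="/opt"

# Addresses outside the cluster that may still reach the ports, space separated.
business="127.0.0.1 172.17.0.1/16"

# Ports to isolate, space separated. 22 (SSH) is used as the example.
block_ports="22"

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

[[ "$EUID" -eq 0 ]] || die "must run as root"
command -v iptables >/dev/null || die "iptables not found"

# Back up the current rule set before touching anything so it can be put
# back with: iptables-restore < /opt/firewall-<timestamp>.txt
backup="${BACKUP_DIR}/firewall-$(date "+%Y-%m-%d-%H:%M:%S").txt"
iptables-save > "$backup" || die "could not write backup to $backup"
printf 'Saved current rules to %s\n' "$backup"

# Cluster hosts: first field of every non-comment, non-empty line in
# /etc/hosts. IPv6 entries (anything containing ':') are skipped because
# iptables rejects them as -s, and Debian-style hosts files ship several
# (::1, fe00::0, ff02::1, ff02::2 ...), which made the old grep -v ::1
# approach fail on the ones it did not catch. Comment lines are skipped
# for the same reason: a bare '#' is not a valid source address.
mapfile -t cluster_hosts < <(
  awk '!/^[[:space:]]*#/ && NF && index($1, ":") == 0 { print $1 }' /etc/hosts
)
[[ ${#cluster_hosts[@]} -gt 0 ]] || die "no usable IPv4 entries in /etc/hosts"

read -r -a business_hosts <<<"$business"
read -r -a ports <<<"$block_ports"
[[ ${#ports[@]} -gt 0 ]] || die "block_ports is empty"

printf 'FireWall fix...\n'

# Create the chain, or flush it if an earlier run left it behind, so the
# script is idempotent: re-running never accumulates duplicate rules.
if iptables -t filter -nL "$CHAIN" >/dev/null 2>&1; then
  iptables -t filter -F "$CHAIN"
else
  iptables -t filter -N "$CHAIN"
fi

# Insert ACCEPT rules for one trusted source on every isolated port.
# Arguments: $1 - IPv4 address or CIDR accepted by iptables -s
allow_source() {
  local src=$1 port
  for port in "${ports[@]}"; do
    iptables -I "$CHAIN" -s "$src" -p tcp --dport "$port" -j ACCEPT
    iptables -I "$CHAIN" -s "$src" -p udp --dport "$port" -j ACCEPT
  done
}

# Whitelist the cluster first, then the external addresses.
for host in "${cluster_hosts[@]}"; do
  allow_source "$host"
done
for host in "${business_hosts[@]}"; do
  allow_source "$host"
done

# Finally drop everything else aimed at the isolated ports. These are
# appended, so they sit after every ACCEPT inserted above.
for port in "${ports[@]}"; do
  iptables -A "$CHAIN" -p tcp --dport "$port" -j DROP
  iptables -A "$CHAIN" -p udp --dport "$port" -j DROP
done

# Hook the chain into INPUT and FORWARD at the top, but only once: a
# second run must not add a second jump.
for base_chain in INPUT FORWARD; do
  if ! iptables -C "$base_chain" -j "$CHAIN" 2>/dev/null; then
    iptables -I "$base_chain" -j "$CHAIN"
  fi
done

printf 'fix finished\n'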