Original: Exploring SaltStack: running scripts and commands to update the firewall configuration

Copyright notice: original work. If you reproduce it, please cite the source; otherwise legal liability will be pursued.

Requirement: the zabbix-agent service needs a firewall change: open TCP port 10050 on every host.

The state file ships the script to each minion and then runs it:

[root@master salt]# cat firewall/init.sls
/home/ops/bin/firewall_add_dport.sh:
  file.managed:
    - source: salt://firewall/bin/firewall_add_dport.sh
    - mode: 755

iptables-add-dport:
  cmd.run:
    - require:
      - file: /home/ops/bin/firewall_add_dport.sh
    - name: /bin/bash /home/ops/bin/firewall_add_dport.sh

The script takes an iptables-save dump, inserts an ACCEPT rule for the port just before the INPUT chain's REJECT rule (only if no rule for that port exists yet), and loads the result back. Variables must be expanded, so the strings use double quotes:

[root@master salt]# cat firewall/bin/firewall_add_dport.sh
#!/bin/bash
#
# 2015/4/10
s_port=10050
echo "[-] add dport ${s_port}"
cd /home/ops/conf/
# Dump the live ruleset to a file, then edit the file rather than the live chains.
iptables-save >rc.firewall.txt
# grep succeeds (and prints the existing rule) when the port is already open; sed runs only when it is not.
# The trailing " -j" keeps "dport 1005" from matching "dport 10050".
grep "dport ${s_port} -j" rc.firewall.txt || sed -i "/-A INPUT -j REJECT --reject-with icmp-host-prohibited/i\\-A INPUT -p tcp -m state --state NEW -m tcp --dport ${s_port} -j ACCEPT" rc.firewall.txt
# Load the edited dump; this is not persisted until 'service iptables save' is run.
iptables-restore rc.firewall.txt
echo "[-] iptables status:"
iptables -nL
echo "[-] check it before running 'service iptables save'"

Test the sls on one host first:

[root@master salt]# salt 'test1.company.com' state.sls firewall
test1.company.com:
----------
          ID: /home/ops/bin/firewall_add_dport.sh
    Function: file.managed
      Result: True
     Comment: File /home/ops/bin/firewall_add_dport.sh is in the correct state
     Started: 17:49:51.332723
    Duration: 326.191 ms
     Changes:
----------
          ID: iptables-add-dport
    Function: cmd.run
        Name: /bin/bash /home/ops/bin/firewall_add_dport.sh
      Result: True
     Comment: Command '/bin/bash /home/ops/bin/firewall_add_dport.sh' run
     Started: 17:49:51.659900
    Duration: 30.57 ms
     Changes:
              ----------
              pid:
                  3945
              retcode:
                  0
              stderr:
              stdout:
                  [-] add dport 10050
                  -A INPUT -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
                  [-] iptables status:
                  Chain INPUT (policy ACCEPT)
                  target     prot opt source               destination
                  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
                  ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
                  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
                  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
                  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10050
                  REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

                  Chain FORWARD (policy ACCEPT)
                  target     prot opt source               destination
                  REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

                  Chain OUTPUT (policy ACCEPT)
                  target     prot opt source               destination
                  [-] check it before running 'service iptables save'

Summary
------------
Succeeded: 2 (changed=1)
Failed:    0
------------
Total states run:     2

Once the result looks right, run it on all hosts:

[root@master salt]# salt '*.company.com' state.sls firewall

After checking the output, persist the firewall configuration:

[root@master salt]# salt '*.company.com' cmd.run 'service iptables save'
test1.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test2.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test3.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test4.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test5.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test6.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test7.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test8.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test9.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
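As an added example (not code from the original post), here is an offline Python model of the script's grep/sed step: it inserts the ACCEPT rule ahead of the INPUT chain's REJECT rule, refuses to duplicate it on a second run, and, unlike the script, fails loudly when the REJECT anchor line is absent. The iptables-save dump below is constructed to match the chain shown in the post's output.

```python
"""Model of firewall_add_dport.sh's edit step on an iptables-save dump (added example)."""

# Constructed sample dump, shaped like the one the post's script rewrites.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The sed address the script inserts before.
REJECT_RULE = "-A INPUT -j REJECT --reject-with icmp-host-prohibited"


def accept_rule(port):
    """The rule text the script's sed command inserts for a given port."""
    return f"-A INPUT -p tcp -m state --state NEW -m tcp --dport {port} -j ACCEPT"


def add_dport(dump, port):
    """Return (new_dump, changed), mirroring grep "dport PORT -j" || sed -i '/REJECT/i ...'."""
    lines = dump.splitlines()
    # Same idempotency test as the script: the trailing " -j" stops 1005 matching 10050.
    if any(f"dport {port} -j" in line for line in lines):
        return dump, False
    if REJECT_RULE not in lines:
        # The script's sed silently does nothing here (no line matches the address),
        # which would leave the port closed; this model raises so the caller notices.
        raise ValueError("INPUT chain has no REJECT rule to insert before")
    lines.insert(lines.index(REJECT_RULE), accept_rule(port))
    return "\n".join(lines) + "\n", True


def rule_precedes_reject(dump, port):
    """True if the ACCEPT for `port` is ordered before the REJECT; otherwise it never fires."""
    lines = dump.splitlines()
    rule = accept_rule(port)
    return rule in lines and lines.index(rule) < lines.index(REJECT_RULE)
```

rule_precedes_reject is the ordering check that the script's "[-] check it before running 'service iptables save'" line asks you to do by eye on the iptables -nL output.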
From: 昵稱(chēng)25533110 > 《待分類(lèi)1》