我正在用 bash 编写脚本,我需要检查是否设置了 iptables ......我有这个:
if [ `iptables-save | grep '^\-' | wc -l` > 0 ]
then
echo "Iptables already set, skipping..........!"
else
Here the iptables get set
但它没有按预期工作......
问题:
我做到了iptables-save,它创造了这个:
$iptables-save
# Generated by iptables-save v1.6.0 on Tue Oct 16 02:48:41 2018
*filter
:INPUT ACCEPT [2:266]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2:116]
COMMIT
# Completed on Tue Oct 16 02:48:41 2018
因此,如果我运行测试,它会发现它们已经设置好了......就像这里:
(root@notemDEB78)-(03:12:20)-(/home/something78/Bash_Programming_2018)
$s.sh
Iptables already set....skipping!!!!!
(root@notemDEB78)-(03:12:25)-(/home/something78/Bash_Programming_2018)
$iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
(root@notemDEB78)-(03:16:41)-(/home/something78/Bash_Programming_2018)
$iptables-save | grep '^\-' | wc -l
0
问题:
- 为什么它总是发现 iptables 显然没有设置
你有更好/工作的方法来检查是否
iptables已设置....我的系统是Debian 9bash -version GNU bash,版本 4.4.12(1)-release (x86_64-pc-linux-gnu) 版权所有 (C) 2016 Free Software Foundation, Inc. 许可证 GPLv3+:GNU GPL 版本 3 或更高版本http://gnu。 org/licenses/gpl.html
至于可能的重复:
这个问题还询问是否有人有更好的方法来检查是否为 bash 中的脚本设置了 iptables....
编辑:
通过设置,我的意思是 iptables 已设置如下:
if [[ `iptables-save | grep '^\-' | wc -l` > 0 ]]
then
echo "Iptables already set....skipping!!!!!"
else
if [ "$PORT" = "" ]
then
echo "Port not set for iptables exiting"
echo -n "Setting port now, insert portnumber: "
read port
PORT=$port
fi
if [ ! -f /etc/iptables.test.rules ]
then
touch /etc/iptables.test.rules
else
cat /dev/null > /etc/iptables.test.rules
fi
cat << EOT >> /etc/iptables.test.rules
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inOAUTH_TOKEN=d6637f7ccf109a0171a2f55d21b6ca43ff053616bound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allows SSH connections
# The --dport number is the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport $PORT -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
# note that blocking other types of icmp packets is considered a bad idea by some
# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
# https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via dmesg command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOT
sed "s/^[ \t]*//" -i /etc/iptables.test.rules ## remove tabs and spaces
/sbin/iptables-restore < /etc/iptables.test.rules || echo "iptables-restore failed"; exit 127
/sbin/iptables-save > /etc/iptables.up.rules || echo "iptables-save failed"; exit 127
printf "#!/bin/bash\n/sbin/iptables-restore < /etc/iptables.up.rules" > /etc/network/if-pre-up.d/iptables ## create a script to run iptables on startup
chmod +x /etc/network/if-pre-up.d/iptables || echo "cmod +x failed"; exit 127
fi
一种可能的简化是使用
grep自身的返回作为条件,grep仅当存在匹配时才会以代码 0(表示“成功”)退出。由于您正在寻找任何匹配项,因此无需计算行数。此外,您不需要
-用 a转义\,因为它不是 grep 正则表达式的元字符。您可以传递
grep一个-q参数,因此它不会打印匹配的行(仅使用适当的退出代码退出,具体取决于是否有任何行匹配。)我认为检查输出
iptables-save以检查是否设置了任何规则是可以的,我想不出另一种可靠或更简单的方法。该
iptables命令有自己的方式来检查是否存在带有-C选项的特定规则:例子:
您当前的脚本检查表中是否有任何规则,但如果您想编写可靠的脚本,您可能希望/需要一一检查所有规则,因为其他程序也可以与之交互
iptables。