Exploring SaltStack: running scripts and commands to update the firewall configuration
Requirement: the zabbix-agent service needs a firewall change, opening TCP port 10050 on every host.

The state file ships a helper script to each minion with file.managed and then runs it with cmd.run. The require clause guarantees the script is in place before it is executed:

[root@master salt]# cat firewall/init.sls
/home/ops/bin/firewall_add_dport.sh:
  file.managed:
    - source: salt://firewall/bin/firewall_add_dport.sh
    - mode: 755

iptables-add-dport:
  cmd.run:
    - require:
      - file: /home/ops/bin/firewall_add_dport.sh
    - name: /bin/bash /home/ops/bin/firewall_add_dport.sh
The script itself dumps the live ruleset with iptables-save, inserts an ACCEPT rule for the port directly in front of the chain's final REJECT rule (a rule appended after the REJECT would never be reached), and loads the edited ruleset back with iptables-restore. The grep guard makes the edit idempotent: if a rule for the port is already present, the sed step is skipped. Note that cmd.run will execute this script on every state run, so that guard is the only thing preventing duplicate rules.

[root@master salt]# cat firewall/bin/firewall_add_dport.sh
#!/bin/bash
#
# 2015/4/10
# Open TCP port ${s_port} in the INPUT chain, inserting the ACCEPT rule
# just before the trailing REJECT rule so that it actually takes effect.
s_port=10050
echo "[-] add dport ${s_port}"
cd /home/ops/conf/ || exit 1
# Dump the running ruleset, edit the dump, then load it back.
iptables-save >rc.firewall.txt
# Skip the edit if a rule for this port already exists (idempotent re-runs).
grep "dport ${s_port} -j" rc.firewall.txt || sed -i "/-A INPUT -j REJECT --reject-with icmp-host-prohibited/i\-A INPUT -p tcp -m state --state NEW -m tcp --dport ${s_port} -j ACCEPT" rc.firewall.txt
iptables-restore rc.firewall.txt
echo "[-] iptables status:"
iptables -nL
# Only the running ruleset is changed here; persisting it is a separate, deliberate step.
echo "[-] check it before running 'service iptables save'"
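The grep/sed edit above is the part of the procedure most worth getting right, so here is an added example (not code from the original post) that performs the same "insert ACCEPT before the INPUT REJECT" transformation on an iptables-save dump read from stdin. Because it never touches the live ruleset it can be dry-run and tested without root. The function names (add_dport_rule, count_dport_rules), the SAMPLE_RULES dump and the tighter match pattern are all our own: the pattern is anchored on the INPUT chain and TCP, so unlike the original grep "dport ${s_port} -j" it will not be satisfied by a UDP rule or by a rule in another chain.

```shell
# Added example, not from the original post. Constructed iptables-save dump
# (not captured from a real host); it mirrors the rule order seen in the article.
SAMPLE_RULES='# Generated by iptables-save v1.4.7 on Fri Apr 10 17:49:51 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# add_dport_rule PORT  <dump  >new_dump
# Writes the dump back with an ACCEPT rule for TCP PORT inserted directly
# before the INPUT chain's REJECT rule. If an INPUT/tcp ACCEPT rule for that
# port is already present, the dump is passed through unchanged (idempotent).
add_dport_rule() {
    local port="$1" dump
    dump="$(cat)"
    # Match is anchored on chain and protocol, tighter than "dport PORT -j".
    if printf '%s\n' "$dump" | grep -qE "^-A INPUT -p tcp .*--dport ${port} .*-j ACCEPT"; then
        printf '%s\n' "$dump"
        return 0
    fi
    # Portable sed "insert before" form: i\ followed by a newline and the text.
    printf '%s\n' "$dump" | sed "/^-A INPUT -j REJECT --reject-with icmp-host-prohibited/i\\
-A INPUT -p tcp -m state --state NEW -m tcp --dport ${port} -j ACCEPT"
}

# count_dport_rules PORT  <dump
# Prints how many INPUT/tcp ACCEPT rules exist for PORT (0 when none).
count_dport_rules() {
    grep -cE "^-A INPUT -p tcp .*--dport $1 .*-j ACCEPT" || true
}

# Usage: dry-run the edit and inspect the result before feeding it to iptables-restore.
# printf '%s\n' "$SAMPLE_RULES" | add_dport_rule 10050
```

Running the function twice on the same dump yields identical output, which is the property the cmd.run state depends on, since Salt re-executes the script on every highstate. On a real host the same function could be fed from `iptables-save` and its output piped to `iptables-restore`, keeping the "check before `service iptables save`" step exactly as the article does.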
Test the state on a single host first:

[root@master salt]# salt 'test1.company.com' state.sls firewall
test1.company.com:
----------
          ID: /home/ops/bin/firewall_add_dport.sh
    Function: file.managed
      Result: True
     Comment: File /home/ops/bin/firewall_add_dport.sh is in the correct state
     Started: 17:49:51.332723
    Duration: 326.191 ms
     Changes:
----------
          ID: iptables-add-dport
    Function: cmd.run
        Name: /bin/bash /home/ops/bin/firewall_add_dport.sh
      Result: True
     Comment: Command "/bin/bash /home/ops/bin/firewall_add_dport.sh" run
     Started: 17:49:51.659900
    Duration: 30.57 ms
     Changes:
              ----------
              pid:
                  3945
              retcode:
                  0
              stderr:
              stdout:
                  [-] add dport 10050
                  -A INPUT -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
                  [-] iptables status:
                  Chain INPUT (policy ACCEPT)
                  target     prot opt source               destination
                  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
                  ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
                  ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
                  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
                  ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:10050
                  REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

                  Chain FORWARD (policy ACCEPT)
                  target     prot opt source               destination
                  REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

                  Chain OUTPUT (policy ACCEPT)
                  target     prot opt source               destination
                  [-] check it before running 'service iptables save'

Summary
------------
Succeeded: 2 (changed=1)
Failed:    0
------------
Total states run:     2

Two things are worth reading off this output. The line printed right after "[-] add dport 10050" is grep's match, meaning the ACCEPT rule for 10050 was already present on test1 (from an earlier run) and the sed edit was skipped; the rule nevertheless sits where it must, immediately above the REJECT rule. Despite nothing changing, the summary still reports changed=1, because cmd.run treats every execution as a change; a state written with cmd.run therefore cannot be used to tell a no-op run from a real edit, so the stdout has to be checked.
Once the result is confirmed, run it across all hosts:

[root@master salt]# salt '*.company.com' state.sls firewall

After checking that output too, persist the running ruleset on every host (until this step the change lives only in kernel memory and would be lost on the next iptables restart):

[root@master salt]# salt '*.company.com' cmd.run 'service iptables save'
test1.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test2.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test3.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test4.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test5.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test6.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test7.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test8.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
test9.company.com:
    iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
This article was reposted from pcnk's 51CTO blog; original: http://blog.51cto.com/nosmoking/1631029. Contact the original author for reprint permission.