执行脚本和命令来更新防火墙配置
需求:zabbix-agent服务需调整防火墙,增加端口10050 [root@master salt]# cat firewall/init.sls /home/ops/bin/firewall_add_dport.sh: file.managed: - source: salt://firewall/bin/firewall_add_dport.sh - mode: 755 iptables-add-dport: cmd.run: - require: - file: /home/ops/bin/firewall_add_dport.sh - name: /bin/bash /home/ops/bin/firewall_add_dport.sh [root@master salt]# cat firewall/bin/firewall_add_dport.sh #!/bin/bash # # 2015/4/10 s_port=10050 echo "[-] add dport ${s_port}" cd /home/ops/conf/ iptables-save >rc.firewall.txt grep "dport ${s_port} -j" rc.firewall.txt || sed -i "/-A INPUT -j REJECT --reject-with icmp-host-prohibited/i\-A INPUT -p tcp -m state --state NEW -m tcp --dport ${s_port} -j ACCEPT" rc.firewall.txt iptables-restore rc.firewall.txt echo "[-] iptables status:" iptables -nL echo "[-] check it before running ‘service iptables save‘" 在其中一台上测试执行这个sls: [root@master salt]# salt ‘test1.company.com‘ state.sls firewall test1.company.com: ---------- ID: /home/ops/bin/firewall_add_dport.sh Function: file.managed Result: True Comment: File /home/ops/bin/firewall_add_dport.sh is in the correct state Started: 17:49:51.332723 Duration: 326.191 ms Changes: ---------- ID: iptables-add-dport Function: cmd.run Name: /bin/bash /home/ops/bin/firewall_add_dport.sh Result: True Comment: Command "/bin/bash /home/ops/bin/firewall_add_dport.sh" run Started: 17:49:51.659900 Duration: 30.57 ms Changes: ---------- pid: 3945 retcode: 0 stderr: stdout: [-] add dport 10050 -A INPUT -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT [-] iptables status: Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:10050 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination [-] check it before running ‘service iptables save‘ Summary ------------ Succeeded: 2 (changed=1) Failed: 0 ------------ Total states run: 2 确认无误后,批量执行: [root@master salt]# salt ‘*.company.com‘ state.sls firewall 确认无误,保存防火墙配置: [root@master salt]# salt ‘*.company.com‘ cmd.run ‘service iptables save‘ test1.company.com: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ] test2.company.com: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ] test3.company.com: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ] test4.company.com: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ] test5.company.com: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ] test6.company.com: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ] test7.company.com: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ] test8.company.com: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ] test9.company.com: iptables: Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
原文地址:http://nosmoking.blog.51cto.com/3263888/1631029