DHCP绑定IP，IPtables限制IP用户访问的SHELL脚本。

colderhua

因工作需要，写了几个脚本，请兄弟们批评指教。

##########下面主要是起备份作用########
#!/bin/sh
rq=`date +%dd%Hh%Mm`
MPATH=/home/test/mac
export        MPATH
BAKPATH=/home/test/bak
export BAKPATH
if [ ! -d "$MPATH" ]
then
        mkdir -pv $MPATH
fi
if [ ! -d "$BAKPATH" ]
then
        mkdir -pv $BAKPATH
fi

if [  -f "$MPATH/ainfo.txt" -a "$MPATH/binfo.txt" ]
then        :        #do nothing
else
        echo "请确定你的目录有文件 ainfo.txt 和 binfo.txt "
fi
if [ -f "$MPATH/aipmac.txt" ]
then
        mv aipmac.txt $BAKPATH/aipmac${rq}.txt
        awk '{print $5,$4}' $MPATH/ainfo.txt>aipmac.txt
        awk '{print $5,$4}' $MPATH/binfo.txt >>aipmac.txt
else
        awk '{print $5,$4}' $MPATH/ainfo.txt>aipmac.txt
        awk '{print $5,$4}' $MPATH/binfo.txt >>aipmac.txt
fi
##########下面是写DHCP.conf配置文件 ##############
if [ -f "/etc/dhcpd.conf" ]
then
        mv /etc/dhcpd.conf $BAKPATH/dhcpd${rq}.txt
        echo "        ddns-update-style none;
        ignore client-updates;

        subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers                  192.168.0.1;
        option subnet-mask              255.255.255.0;
        option domain-name              \"test001.cn\";
        option domain-name-servers      192.168.0.2,192.168.0.3;

        range dynamic-bootp 192.168.0.32 192.168.0.96;
        max-lease-time 86400; " > /etc/dhcpd.conf
        awk '{print("host " $6 "{ hardware ethernet " $4";"," fixed-address " $5";}"}' $MPATH/ainfo.txt >> /etc/dhcpd.conf
        echo "}" >> /etc/dhcpd.conf
######input the oneclass mac ip info##############       
        echo " subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers                  192.168.1.1;
        option subnet-mask              255.255.255.0;
        option domain-name              \"test002.cn\";
        option domain-name-servers      192.168.0.2,192.168.0.3;
        range dynamic-bootp 192.168.1.16 192.168.1.31;
        max-lease-time 86400; " >>/etc/dhcpd.conf
        awk '{print("host " $6 "{ hardware ethernet " $4";"," fixed-address " $5";}"}' $MPATH/binfo.txt >> /etc/dhcpd.conf
        echo "}" >> /etc/dhcpd.conf
fi

#######重启相关应用#########
/etc/init.d/network restart
if [ -z "`ifconfig|grep eth0`" ]
then /sbin/ifup eth0
fi
sleep 10s
if [ -z "`ifconfig|grep eth1`" ]
then /sbin/ifup eth1
fi
if [ -z "`ifconfig|grep eth2`" ]
then /sbin/ifup eth2
fi
/etc/init.d/dhcpd restart
arp -f $MPATH/aipmac.txt
$MPATH/fw.sh


##############fw.sh如下#######

#!/bin/sh

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -Z

iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -t nat -P POSTROUTING ACCEPT

iptables -A INPUT -p ICMP -j ACCEPT
iptables -A INPUT -p UDP -j ACCEPT
iptables -A INPUT -p TCP --dport 53 -j ACCEPT

for mac in $(awk '{print $4}' /home/test/mac/ainfo.txt);do
        iptables -A FORWARD -m mac --mac-source $mac -j ACCEPT
        done
        iptables -A POSTROUTING -t nat -s 192.168.0.0/255.255.255.0 -j SNAT -o eth0 --to-source 210.132.75.49
for mac in $(awk '{print $4}' /home/test/mac/binfo.txt);do
        iptables -A FORWARD -m mac --mac-source $mac -j ACCEPT
        done
        iptables -A POSTROUTING -t nat -s 192.168.1.0/255.255.255.0 -j SNAT -o eth0 --to-source 210.132.75.50
iptables -A FORWARD -p TCP -j ACCEPT

##########ainfo.txt文件格式如下#####
aaa        0001        a        000:df:39:3e:F5        192.168.0.88        a
bbb        0002        b        00:ab:6A9:8c:29        192.168.0.180        b
ccc        0003        c        00:00:EB:83:0f:01        192.168.0.181        c
ddd        0004        d        00:00:C8:E4:44:26        192.168.0.183        d

########binfo.tst文件格式如下#########
eee        1001         e        00:4A:8B:5D:f70        192.168.1.18        e
fff        1002         f        00:6A:5B:5D:c7:F2        192.168.1.19        f
ggg        1003         g        00:2A:3B:5D:d7:F5        192.168.1.20        g

[ 本帖最后由 colderhua 于 2010-1-4 09:34 编辑 ]

Shell_HAT

感谢分享

colderhua

客气客气,感觉不够精短，还请指教。

dgww

学习了，顺便mark一下~

colderhua

仅供参考