Linux

UFW rules for a specific host / dynamic DNS

  • September 18, 2013

How do I set up UFW (Uncomplicated Firewall) to add rules for a specific host? For example, I only want to allow SSH from yourpc.no-ip.org.

I found a very useful script in this blog that creates rules dynamically for a specific host. The script needs to be run from cron so it can look up the hostname and add/remove rules in case the IP changes.

#!/bin/bash

# Hosts to allow, one per line, in the form proto:port:hostname
HOSTS_ALLOW=/etc/ufw-dynamic-hosts.allow
# Cache of the address last resolved for each host, in the form hostname:ip
IPS_ALLOW=/var/tmp/ufw-dynamic-ips.allow

add_rule() {
 local proto=$1
 local port=$2
 local ip=$3
 # matches an existing "PORT/PROTO ... ALLOW IN ... IP" line of "ufw status numbered"
 local regex="${port}\/${proto}.*ALLOW.*IN.*${ip}"
 local rule=$(ufw status numbered | grep "$regex")
 if [ -z "$rule" ]; then
     ufw allow proto "${proto}" from "${ip}" to any port "${port}"
 else
     echo "rule already exists. nothing to do."
 fi
}

delete_rule() {
 local proto=$1
 local port=$2
 local ip=$3
 local regex="${port}\/${proto}.*ALLOW.*IN.*${ip}"
 local rule=$(ufw status numbered | grep "$regex")
 if [ -n "$rule" ]; then
     ufw delete allow proto "${proto}" from "${ip}" to any port "${port}"
 else
     echo "rule does not exist. nothing to do."
 fi
}

# Drop blank lines and comments from the hosts file, then handle each entry
sed '/^[[:space:]]*$/d' "${HOSTS_ALLOW}" | sed '/^[[:space:]]*#/d' | while read -r line
do
   proto=$(echo "${line}" | cut -d: -f1)
   port=$(echo "${line}" | cut -d: -f2)
   host=$(echo "${line}" | cut -d: -f3)

   # reset per host so a previous entry's cached address is never reused
   old_ip=""
   if [ -f "${IPS_ALLOW}" ]; then
     old_ip=$(grep "^${host}:" "${IPS_ALLOW}" | cut -d: -f2)
   fi

   # the last line of dig's short output is the A record (earlier lines may be CNAMEs)
   ip=$(dig +short "$host" | tail -n 1)

   if [ -z "${ip}" ]; then
       # resolution failed: remove the stale rule rather than keep allowing an old address
       if [ -n "${old_ip}" ]; then
           delete_rule "$proto" "$port" "$old_ip"
       fi
       echo "Failed to resolve the ip address of ${host}." 1>&2
       exit 1
   fi

   if [ -n "${old_ip}" ]; then
       if [ "${ip}" != "${old_ip}" ]; then
           delete_rule "$proto" "$port" "$old_ip"
       fi
   fi
   add_rule "$proto" "$port" "$ip"
   # replace the cached entry for this host with the current address
   if [ -f "${IPS_ALLOW}" ]; then
     sed -i.bak "/^${host}:/d" "${IPS_ALLOW}"
   fi
   echo "${host}:${ip}" >> "${IPS_ALLOW}"
done

The contents of /etc/ufw-dynamic-hosts.allow might look like this:

tcp:22:yourpc.no-ip.org

A crontab entry that runs the script every five minutes might look like this:

*/5 * * * * /usr/local/sbin/ufw-dynamic-host-update > /dev/null

Quoted from: https://serverfault.com/questions/539870
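The following dry-run planner is added here as an illustration and is not the script from the answer above: it reproduces the add/delete decision the updater makes for one hosts-file entry, but calls neither ufw nor dig, so the resolver result and cached address are passed in as constructed values (203.0.113.x is documentation address space) and the logic can be checked offline. It also shows the check the answer's script lacks: refusing to put anything that is not an IPv4 address into a firewall rule, since `dig +short` can return a CNAME target or nothing at all.

```shell
#!/bin/sh
# Added dry-run planner for the dynamic-host updater above (not the
# original script). It calls neither ufw nor dig: resolver results and
# cached addresses are passed in, so the decision logic runs offline.

# valid_ipv4 ADDR: succeed only if ADDR is a dotted quad with octets 0..255.
# "dig +short" can return a CNAME target or nothing; neither belongs in a
# firewall rule, so the updater should refuse anything that is not an address.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# plan_host PROTO PORT HOST NEW_IP OLD_IP: print the ufw actions the updater
# would take for one hosts-file entry, one per line, without running them.
# OLD_IP is the cached address from the previous run ("" on the first run).
plan_host() {
    proto=$1; port=$2; host=$3; new_ip=$4; old_ip=$5
    if ! valid_ipv4 "$new_ip"; then
        # resolution failed or returned junk: drop the stale rule so a
        # reassigned dynamic address does not keep access, then report
        if [ -n "$old_ip" ]; then
            echo "delete allow proto $proto from $old_ip to any port $port"
        fi
        echo "Failed to resolve the ip address of $host." 1>&2
        return 1
    fi
    if [ -n "$old_ip" ] && [ "$old_ip" != "$new_ip" ]; then
        echo "delete allow proto $proto from $old_ip to any port $port"
    fi
    if [ "$old_ip" != "$new_ip" ]; then
        echo "allow proto $proto from $new_ip to any port $port"
    else
        echo "rule already exists. nothing to do."
    fi
}

# Constructed scenario: the entry from the answer (tcp:22:yourpc.no-ip.org),
# a cached address from the last run and a freshly resolved, different one.
plan_host tcp 22 yourpc.no-ip.org 203.0.113.8 203.0.113.7
```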