Linux
特定主機/動態 dns 的 UFW 規則
如何設置 UFW(簡單防火牆)為特定主機添加規則?例如。我只想允許來自 yourpc.no-ip.org 的 SSH?
我在這個部落格中發現了一個非常有用的腳本,它可以為特定主機動態創建規則。該腳本需要與 cron 一起執行,因此它可以查找主機名並添加/刪除規則以防 IP 更改。
#!/bin/bash HOSTS_ALLOW=/etc/ufw-dynamic-hosts.allow IPS_ALLOW=/var/tmp/ufw-dynamic-ips.allow add_rule() { local proto=$1 local port=$2 local ip=$3 local regex="${port}\/${proto}.*ALLOW.*IN.*${ip}" local rule=$(ufw status numbered | grep $regex) if [ -z "$rule" ]; then ufw allow proto ${proto} from ${ip} to any port ${port} else echo "rule already exists. nothing to do." fi } delete_rule() { local proto=$1 local port=$2 local ip=$3 local regex="${port}\/${proto}.*ALLOW.*IN.*${ip}" local rule=$(ufw status numbered | grep $regex) if [ -n "$rule" ]; then ufw delete allow proto ${proto} from ${ip} to any port ${port} else echo "rule does not exist. nothing to do." fi } sed '/^[[:space:]]*$/d' ${HOSTS_ALLOW} | sed '/^[[:space:]]*#/d' | while read line do proto=$(echo ${line} | cut -d: -f1) port=$(echo ${line} | cut -d: -f2) host=$(echo ${line} | cut -d: -f3) if [ -f ${IPS_ALLOW} ]; then old_ip=$(cat ${IPS_ALLOW} | grep ${host} | cut -d: -f2) fi ip=$(dig +short $host | tail -n 1) if [ -z ${ip} ]; then if [ -n "${old_ip}" ]; then delete_rule $proto $port $old_ip fi echo "Failed to resolve the ip address of ${host}." 1>&2 exit 1 fi if [ -n "${old_ip}" ]; then if [ ${ip} != ${old_ip} ]; then delete_rule $proto $port $old_ip fi fi add_rule $proto $port $ip if [ -f ${IPS_ALLOW} ]; then sed -i.bak /^${host}*/d ${IPS_ALLOW} fi echo "${host}:${ip}" >> ${IPS_ALLOW} done的內容
/etc/ufw-dynamic-hosts.allow可能如下所示:tcp:22:yourpc.no-ip.org每五分鐘執行一次腳本的 crontab 條目可能如下所示:
*/5 * * * * /usr/local/sbin/ufw-dynamic-host-update > /dev/null