学习shell脚本之余,编写了一个自认为比较全面的服务器安装配置脚本,在此与大家分享。
该脚本集合了网卡设置、安全设置、防火墙设置(包括DHCP/HTTP/FTP)、yum源配置、DHCP/HTTP/FTP/DNS服务器安装及配置文件设置等功能。同时兼容CentOS6与CentOS7版本。
脚本中全部通过功能选择进行配置,可让完全不懂服务器配置的人员也能进行简单的服务器搭建!注意:脚本需以 root 运行;DHCP 安装前的环境检测会按提示直接关闭防火墙和 selinux,本地 yum 源默认写入 gpgcheck=0,部分账号/终端选项会修改 /etc/passwd、/etc/securetty、sshd_config 等关键文件,生产环境使用前请逐项评估。
本脚本包括主脚本auto.sh,分脚本dnsset.sh、ftpset.sh、iptableset.sh、firewall.sh共五个脚本,分脚本用于主脚本部分功能的调用,也可单独使用。
主脚本(auto.sh)
#!/bin/bash
#This shell can help you to set the IP/selinux/iptables/hostname/DHCP/HTTP/FTP/DNS
#This shell is write by Robin
#全局变量:
#sys:0为7版本,1为6版本
# Start-up banner: bold green frame, red title, one green line per feature.
# Output is byte-identical to the original run of echo -e statements.
echo -e "\033[1;32m##########################\033[31m欢迎使用自动配置脚本\033[32m##########################\033[0m"
for banner_line in \
  "# 该脚本由罗斌编写,用于帮助配置新装服务器 #" \
  "# 功能包括:网卡设置 #" \
  "# 安全防护、防火墙及selinux配置 #" \
  "# yum源配置 #" \
  "# DHCP服务安装及配置 #" \
  "# HTTP服务安装及配置 #" \
  "# FTP服务安装及配置 #" \
  "# dns服务安装及配置 #"
do
  echo -e "\033[1;32m${banner_line}\033[0m"
done
unset banner_line
echo -e "\033[1;32m########################################################################\033[0m"
echo ""
#主菜单(Main menu)
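main(){
  # Main menu (re-entered by recursion from the sub-menus).
  # Every numbered option needs root: root() is called first and falls back to
  # this menu when the caller is unprivileged; syscheck() then sets the globals
  # $sys (0 = CentOS 7, 1 = CentOS 6) and $netfile. Any input outside 1-9 exits.
  local script_dir
  # Sub-scripts are resolved relative to this script, not $PWD, so a stray
  # iptableset.sh/firewall.sh in the working directory is never run as root.
  script_dir="$(cd "$(dirname "$0")" 2>/dev/null && pwd)"
  : "${script_dir:=.}"
  echo -e "\033[1;32m#################################\033[31m主菜单\033[32m#################################\033[0m"
  echo -e "\033[1;32m1、网卡设置\033[0m"
  echo -e "\033[1;32m2、安全防护\033[0m"
  echo -e "\033[1;30m3、selinux设置\033[0m"
  echo -e "\033[1;32m4、防火墙设置\033[0m"
  echo -e "\033[1;32m5、yum源配置\033[0m"
  echo -e "\033[1;32m6、DHCP服务安装及配置\033[0m"
  echo -e "\033[1;32m7、HTTP服务安装及配置\033[0m"
  echo -e "\033[1;32m8、FTP服务安装及配置\033[0m"
  echo -e "\033[1;32m9、DNS服务安装及配置\033[0m"
  echo -e "\033[1;31m10、按任意键退出程序\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  if echo "$choose" | grep -q '[1-9]'
  then
    root
  fi
  syscheck
  case "$choose" in
    1)
      echo -e "\033[1;32m################################\033[31m网卡设置\033[32m################################\033[0m"
      network
      ;;
    2)
      echo -e "\033[1;32m################################\033[31m安全设置\033[32m################################\033[0m"
      security
      ;;
    3)
      echo -e "\033[1;31m尚未编写\033[0m"
      main
      ;;
    4)
      echo -e "\033[1;32m###############################\033[31m防火墙设置\033[32m###############################\033[0m"
      if [ "$sys" -ne 0 ]
      then
        sh "$script_dir/iptableset.sh" "$sys"
      else
        sh "$script_dir/firewall.sh"
      fi
      main
      ;;
    5)
      echo -e "\033[1;32m###############################\033[31myum源配置\033[32m################################\033[0m"
      yumset
      main
      ;;
    6)
      echo -e "\033[1;32m####################\033[0m\033[1;31m欢迎使用DHCP自动安装配置脚本\033[0m\033[1;32m########################\033[0m"
      check
      ;;
    7)
      echo -e "\033[1;32m##########################\033[31mHTTP服务安装及配置\033[32m############################\033[0m"
      html
      ;;
    8)
      echo -e "\033[1;32m###########################\033[31mFTP服务安装及配置\033[32m############################\033[0m"
      softset "vsftpd-*"
      ;;
    9)
      echo -e "\033[1;32m###########################\033[31mDNS服务安装及配置\033[32m############################\033[0m"
      softset "bind-9*" "bind-libs-*" "bind-utils-*" "bind-chroot-*"
      ;;
    *)
      echo -e "\033[1;31m退出程序……\033[0m"
      exit
      ;;
  esac
}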
#DNS/FTP install menu (shared by main-menu items 8 and 9; the arguments are the rpm package name patterns)
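softset(){
  # Install/configure menu shared by the FTP (vsftpd-*) and DNS (bind-*) items.
  # Arguments: one or more rpm package name patterns. They are passed quoted so
  # the shell never globs them against the current directory (the original
  # expanded "$name" unquoted before rpminstall saw it); rpminstall() appends
  # "*" and globs under /media/Packages itself.
  # 1: rpm from DVD, 2: yum, 3: run dnsset.sh when any argument contains "bind",
  # else ftpset.sh (both resolved next to this script, not in $PWD).
  local script_dir name
  script_dir="$(cd "$(dirname "$0")" 2>/dev/null && pwd)"
  : "${script_dir:=.}"
  echo -e "\033[1;32m1、rpm包安装\033[0m"
  echo -e "\033[1;32m2、yum安装\033[0m"
  echo -e "\033[1;32m3、一键配置\033[0m"
  echo -e "\033[1;31m4、按任意键返回主菜单\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1)
      for name in "$@"
      do
        if [ $# -gt 1 ]
        then
          echo -e "\033[1;32m开始安装$name\033[0m"
        fi
        if rpm -q "$name" &> /dev/null
        then
          echo -e "\033[1;31m该软件已安装!"
          echo ""
          softset "$@"
          return
        fi
        # stop at the first package that fails to install
        rpminstall "$name" || break
      done
      echo ""
      softset "$@"
      ;;
    2)
      if rpm -q "$@" &> /dev/null
      then
        echo -e "\033[1;31m该软件已安装!"
        echo ""
        softset "$@"
        return
      fi
      yuminstall "$@"
      echo ""
      softset "$@"
      ;;
    3)
      if echo "$*" | grep -q "bind"
      then
        sh "$script_dir/dnsset.sh" "$sys"
      else
        sh "$script_dir/ftpset.sh" "$sys"
      fi
      echo -e "\033[1;31m配置完成\033[0m"
      echo ""
      softset "$@"
      ;;
    *)
      main
      echo ""
      ;;
  esac
}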
#http自动安装配置
html(){
  # HTTP (httpd) install menu.
  # 1: rpm from DVD (httpd-2*), 2: yum; both refuse when httpd is already
  # installed. 3 ("one-click configuration") is not implemented and only
  # redraws the menu; anything else returns to the main menu.
  echo -e "\033[1;32m1、rpm包安装\033[0m"
  echo -e "\033[1;32m2、yum安装\033[0m"
  echo -e "\033[1;30m3、一键配置\033[0m"
  echo -e "\033[1;31m4、按任意键返回主菜单\033[0m"
  read -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1|2)
      if rpm -q httpd &> /dev/null
      then
        echo -e "\033[1;31m该软件已安装!"
        echo ""
        html
      elif [ "$choose" = 1 ]
      then
        rpminstall "httpd-2"
      else
        yuminstall "httpd"
      fi
      echo ""
      html
      ;;
    3)
      html
      ;;
    *)
      main
      echo ""
      ;;
  esac
}
#yum安装:$1=安装包名称
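yuminstall(){
  # yum install of every package name given as an argument.
  # Connectivity is probed with 4 pings to mirrors.aliyun.com; yum is not
  # attempted when that fails. Returns 0 on success, 1 when offline or when
  # yum fails (the original always returned 0). Package verification relies
  # on the gpgcheck setting of the active .repo files.
  echo -e "\033[1;32m正在检测是否联网,请稍后……\033[0m"
  if ! ping -c 4 mirrors.aliyun.com &> /dev/null
  then
    echo -e "\033[1;31m网络异常\033[0m"
    return 1
  fi
  echo -e "\033[1;32m网络正常\033[0m"
  if yum install -y "$@"
  then
    echo -e "\033[1;32m安装成功\033[0m"
    return 0
  fi
  echo -e "\033[1;31m安装失败\033[0m"
  return 1
}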
#rpm安装:参数$1=安装包名称(非全称可在名称末尾加*,但有可能导致安装多余软件包)
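rpminstall(){
  # Install "$1" (a package name prefix, globbed as /media/Packages/$1*) from
  # the CentOS DVD mounted at /media, retrying once with the dependencies rpm
  # reports as missing ("needed by" / "需要"). Returns 0 on success, 1 otherwise.
  # rpm's stderr goes to a mktemp file whose path is printed on failure, not
  # to ./err: a root process must not blindly overwrite a name in an arbitrary
  # (possibly world-writable) working directory. Also fixes the broken
  # "\033[1;32" colour escape in the mount-failure message.
  local errfile pkg deps pn name
  while true
  do
    read -r -p "$(echo -e "\033[1;32m安装前请先放入光盘(按任意键继续)\033[0m")"
    umount /dev/cdrom &> /dev/null
    if ! mount /dev/cdrom /media/ &> /dev/null
    then
      echo -e "\033[1;31m挂载光盘失败,请检查是否放入光盘!\033[0m"
      continue
    fi
    break
  done
  errfile="$(mktemp)" || return 1
  pkg="/media/Packages/$1*"
  # $pkg / $pn are deliberately unquoted: the prefix must glob on the DVD.
  if rpm -ivh $pkg 2> "$errfile"
  then
    echo -e "\033[1;32m安装成功!\033[0m"
    rm -f "$errfile"
    return 0
  fi
  deps="$(awk '/ 需要/||/needed by/{print $1}' "$errfile" | sed 's/(.*)//g')"
  if [ -z "$deps" ]
  then
    echo -e "\033[1;31m安装失败!失败原因请查看文件 $errfile\033[0m"
    return 1
  fi
  echo -e "\033[1;31m有依赖软件未安装,尝试打包安装\033[0m"
  pn="$pkg"
  for name in $deps
  do
    pn="$pn /media/Packages/$name*"
  done
  echo -e "\033[1;31m$(echo $pn | sed 's/\/media\/Packages\///g')\033[0m"
  if rpm -ivh $pn 2> "$errfile"
  then
    echo -e "\033[1;32m安装成功!\033[0m"
    rm -f "$errfile"
    return 0
  fi
  echo -e "\033[1;31m安装失败!失败原因请查看文件 $errfile\033[0m"
  return 1
}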
#防火墙设置
iptableset(){
  # SNAT/DNAT sub-menu. Neither option is implemented: 1 and 2 simply redraw
  # this menu, anything else returns to the main menu.
  echo -e "\033[1;32m1、SNAT设置\033[0m"
  echo -e "\033[1;32m2、DNAT设置\033[0m"
  echo -e "\033[1;31m3、按任意键返回主菜单\033[0m"
  read -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  if [ "$choose" = 1 ] || [ "$choose" = 2 ]
  then
    iptableset
  else
    main
  fi
}
#yum源设置
yumset(){
  # yum repository menu: 1 = Aliyun mirror (aliyum), 2 = DVD (localyum);
  # both come back to this menu, anything else returns to the main menu.
  echo -e "\033[1;32m1、阿里云yum源\033[0m"
  echo -e "\033[1;32m2、本地yum源\033[0m"
  echo -e "\033[1;31m3、按任意键返回主菜单\033[0m"
  read -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  if [ "$choose" = 1 ]
  then
    aliyum
  elif [ "$choose" = 2 ]
  then
    localyum
  else
    echo -e "\033[1;31m返回上级菜单\033[0m"
    main
    return
  fi
  echo ""
  yumset
}
#本地源
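localyum(){
  # Replace the yum configuration with a single repo pointing at the CentOS
  # DVD mounted on /media (existing entries are moved to /etc/yum.repos.d/bak).
  # Package signatures are verified against the RPM-GPG-KEY-CentOS-* file the
  # DVD carries in its root; the original wrote gpgcheck=0, so yum would have
  # accepted any RPM placed on the medium. gpgcheck is only relaxed, with a
  # warning, when no key file is found on the disc.
  local key entry
  while true
  do
    read -r -p "$(echo -e "\033[1;32m安装前请先放入光盘(按任意键继续)\033[0m")"
    umount /dev/cdrom &> /dev/null
    if ! mount /dev/cdrom /media/ &> /dev/null
    then
      echo -e "\033[1;31m挂载光盘失败,请检查是否放入光盘!\033[0m"
      continue
    fi
    break
  done
  echo -e "\033[1;31m光盘挂载成功,开始配置yum仓库\033[0m"
  mkdir -p /etc/yum.repos.d/bak
  for entry in /etc/yum.repos.d/*
  do
    # skip the backup directory itself and the no-match literal
    [ -e "$entry" ] || continue
    [ "$entry" = /etc/yum.repos.d/bak ] && continue
    mv -f "$entry" /etc/yum.repos.d/bak/ &> /dev/null
  done
  key=""
  for entry in /media/RPM-GPG-KEY-CentOS-7 /media/RPM-GPG-KEY-CentOS-6
  do
    if [ -f "$entry" ]
    then
      key="$entry"
      break
    fi
  done
  {
    echo "[local]"
    echo "name=local"
    echo "baseurl=file:///media/"
    if [ -n "$key" ]
    then
      echo "gpgcheck=1"
      echo "gpgkey=file://$key"
    else
      echo "gpgcheck=0"
    fi
    echo "enabled=1"
  } > /etc/yum.repos.d/CentOS-Base.repo
  if [ -z "$key" ]
  then
    echo -e "\033[1;31m警告:光盘中未找到RPM-GPG-KEY-CentOS文件,已写入gpgcheck=0,将不校验软件包签名\033[0m"
  fi
  echo -e "\033[1;31m配置成功\033[0m"
}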
#aliyun源
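aliyum(){
  # Switch yum to the Aliyun mirror (CentOS-Base + EPEL for the detected $sys),
  # installing wget from the DVD first when it is missing.
  # The .repo files are fetched over HTTPS: the original used plain HTTP, which
  # lets anyone on the path hand back a repo file pointing at their own server.
  # A failed download restores the previous CentOS-Base.repo instead of leaving
  # the empty file that "wget -O" creates. The two duplicated branches of the
  # original are merged. Returns 1 on download failure.
  local base epel
  if ! rpm -q wget &> /dev/null
  then
    echo -e "\033[1;31mwget未安装,自动安装wget\033[0m"
    while true
    do
      read -r -p "$(echo -e "\033[1;32m安装前请先放入光盘(按任意键继续)\033[0m")"
      umount /dev/cdrom &> /dev/null
      if ! mount /dev/cdrom /media/ &> /dev/null
      then
        echo -e "\033[1;31m挂载光盘失败,请检查是否放入光盘!\033[0m"
        continue
      fi
      break
    done
    rpm -ivh /media/Packages/wget*
    echo -e "\033[1;32m安装完成,开始更新yum源\033[0m"
  fi
  base="Centos-7.repo"
  epel="epel-7.repo"
  if [ "$sys" -ne 0 ]
  then
    base="Centos-6.repo"
    epel="epel-6.repo"
  fi
  mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
  if wget -O /etc/yum.repos.d/CentOS-Base.repo "https://mirrors.aliyun.com/repo/$base" &&
     wget -O /etc/yum.repos.d/CentOS-Epel.repo "https://mirrors.aliyun.com/repo/$epel"
  then
    echo -e "\033[1;32m更新完成\033[0m"
    return 0
  fi
  # On an old install with an expired CA bundle, update ca-certificates from
  # the DVD rather than falling back to HTTP.
  echo -e "\033[1;31m下载yum源失败,已恢复原CentOS-Base.repo\033[0m"
  rm -f /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Epel.repo
  mv /etc/yum.repos.d/CentOS-Base.repo.bak /etc/yum.repos.d/CentOS-Base.repo
  return 1
}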
#账号检测(root check)
root(){
  # Refuse the selected action when the effective user is not root: print a
  # notice and fall back to the main menu (the script does not exit).
  user="$(whoami)"
  if [ "$user" != "root" ]
  then
    echo -e "\033[1;31m登录用户并非管理用户,无法进行后续配置,请更换账号后重试……\\033[0m"
    echo ""
    main
  fi
}
#系统版本检测(system check)
# Defaults until syscheck() runs: assume CentOS 7 (sys=0) with ifcfg-ens33.
# sys: 0 = CentOS 7, 1 = CentOS 6. netfile: interface configuration file name.
netfile="ifcfg-ens33"
sys=0
syscheck(){
  # Detect the CentOS major version from the kernel release: a 3.10 kernel is
  # taken as CentOS 7 (sys=0, ifcfg-ens33), anything else as CentOS 6
  # (sys=1, ifcfg-eth0). NOTE(review): the interface file name is assumed,
  # not discovered; a NIC that is not ens33/eth0 needs $netfile adjusted.
  case "$(uname -r)" in
    3?10*)
      sys=0
      netfile="ifcfg-ens33"
      ;;
    *)
      sys=1
      netfile="ifcfg-eth0"
      ;;
  esac
}
############################################################安全设置##############################################
#2、安全设置(security settings)
security(){
  # Security sub-menu: 1 accounts (userset), 2 privileges (authorization),
  # 3 boot-loader password (grub), 4 consoles (ttyset). 5 is a placeholder
  # that redraws the menu; anything else returns to the main menu.
  echo -e "\033[1;32m1、账号管理\033[0m"
  echo -e "\033[1;32m2、权限管理\033[0m"
  echo -e "\033[1;32m3、grub加密\033[0m"
  echo -e "\033[1;32m4、终端设置\033[0m"
  echo -e "\033[1;30m5、端口及弱密码扫描\033[0m"
  echo -e "\033[1;31m6、按任意键返回主菜单\033[0m"
  read -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1) userset ;;
    2) authorization ;;
    3) grub ;;
    4) ttyset ;;
    5)
      echo ""
      security
      ;;
    *)
      echo -e "\033[1;31m返回上级菜单\033[0m"
      main
      ;;
  esac
}
#4)终端设置
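ttyset(){
  # Console restrictions.
  # 1: limit the virtual consoles getty starts (CentOS 6 only, ACTIVE_CONSOLES
  #    in /etc/sysconfig/init). The answer is spliced into a bracket expression
  #    and written as a shell assignment, so it is restricted to digits, '-'
  #    and ',' (the original wrote arbitrary input into the file).
  # 2: let root log in only on tty1-tty4 by commenting the other tty entries of
  #    /etc/securetty. The re-enable patterns are anchored (^#tty1$ ...): the
  #    original "s/#tty1/tty1/" also matched #tty10-#tty19 and re-enabled them.
  #    NOTE(review): vc/N, serial and hvc entries are left untouched.
  local consoles
  echo -e "\033[1;32m--------------------------------\033[31m终端设置\033[32m--------------------------------\033[0m"
  echo -e "\033[1;32m1、终端数量限制\033[0m"
  echo -e "\033[1;32m2、一键设置root登录终端(保留1-4)\033[0m"
  echo -e "\033[1;31m3、按任意键返回上级菜单\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1)
      if [ "$sys" -ne 0 ]
      then
        read -r -p "$(echo -e "\033[1;31m请输入开放终端(如1-3或123):\033[1;31m")" consoles
        echo -e "\033[0m"
        if ! echo "$consoles" | grep -Eq '^[0-9,-]+$'
        then
          echo -e "\033[1;31m输入格式错误,只能包含数字、-或,\033[0m"
          echo ""
          ttyset
          return
        fi
        sed -i "/ACTIVE_CONSOLES=\/dev\/tty/d" /etc/sysconfig/init
        echo "ACTIVE_CONSOLES=/dev/tty[$consoles]" >> /etc/sysconfig/init
        echo -e "\033[1;31m修改成功\033[0m"
      else
        echo "Centos7版本尚未支持"
      fi
      echo ""
      ttyset
      ;;
    2)
      sed -i 's/#//' /etc/securetty
      sed -i 's/tty/#&/' /etc/securetty
      sed -i -E 's/^#(tty[1-4])$/\1/' /etc/securetty
      echo -e "\033[1;31m修改成功\033[0m"
      echo ""
      ttyset
      ;;
    *)
      security
      ;;
  esac
}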
#3)grub加密
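grub(){
  # Password-protect the boot loader so its edit/single-user mode needs a password.
  # CentOS 7: grub2-setpassword (prompts twice, writes /boot/grub2/user.cfg).
  # CentOS 6: grub-md5-crypt prompts twice; its hash is written to
  #   /boot/grub/grub.conf as one "password --md5" line before the first
  #   "title" entry (the original inserted a copy before every entry and kept
  #   the hash in ./pss in the current directory; a mktemp file is used here).
  #   Legacy GRUB offers only --md5 or plaintext, so MD5 is what this loader
  #   supports; grub.conf must stay root-readable only.
  local tmp psd
  if [ "$sys" -eq 0 ]
  then
    echo -e "\033[1;32m请设置密码:\033[0m"
    if grub2-setpassword
    then
      echo -e "\033[1;31m设置成功\033[0m"
    else
      echo -e "\033[1;31m设置失败\033[0m"
    fi
  else
    echo -e "\033[1;31m请输入密码(连续两次,每次以回车结束):\033[0m"
    tmp="$(mktemp)" || return 1
    if ! grub-md5-crypt > "$tmp"
    then
      rm -f "$tmp"
      echo -e "\033[1;31m设置失败,请确保两次输入密码相同,且每次以回车结束\033[0m"
      grub
      return
    fi
    psd="$(tail -1 "$tmp")"
    sed -i "/password/d" /boot/grub/grub.conf
    # awk instead of sed: the MD5-crypt hash contains "/" and "$", which would
    # break a sed s/// expression. Write through cat so the symlink/mode of
    # grub.conf are preserved.
    awk -v pw="password --md5 $psd" '!done && /title/ {print pw; done=1} {print}' /boot/grub/grub.conf > "$tmp"
    cat "$tmp" > /boot/grub/grub.conf
    rm -f "$tmp"
    echo -e "\033[1;31m设置成功\033[0m"
  fi
  echo ""
  security
}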
#2)权限管理
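authorization(){
  # Privilege menu: 1 sshd hardening (sshset), 2 su restriction (suset),
  # 3 sudo rules. Option 3 goes through visudo, which locks /etc/sudoers and
  # refuses to save a syntactically broken file; the original opened it in vim
  # directly, where one bad line disables sudo for everyone until repaired
  # from a root shell.
  echo -e "\033[1;32m--------------------------------\033[31m权限管理\033[32m--------------------------------\033[0m"
  echo -e "\033[1;32m1、ssh一键设置\033[0m"
  echo -e "\033[1;32m2、su限制\033[0m"
  echo -e "\033[1;32m3、sudo授权\033[0m"
  echo -e "\033[1;31m4、按任意键返回上级菜单\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1)
      sshset
      authorization
      ;;
    2)
      suset
      authorization
      ;;
    3)
      visudo
      authorization
      ;;
    *)
      security
      ;;
  esac
}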
#su设置
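suset(){
  # "su" restriction through pam_wheel.
  # 1: require wheel membership for su (appends "auth required pam_wheel.so
  #    use_uid" to /etc/pam.d/su after removing any previous copy).
  # 2/3: add to / remove from the wheel group. The account must exist exactly
  #    (getent passwd); the original "grep $uname /etc/passwd" matched any
  #    substring of any field, e.g. "oo" matched root. The menu label for the
  #    return option was a duplicate "3"; the delete branch reported "added".
  echo -e "\033[1;32m1、启用pam_wheel认证模块\033[0m"
  echo -e "\033[1;32m2、添加认证用户\033[0m"
  echo -e "\033[1;32m3、删除认证用户\033[0m"
  echo -e "\033[1;31m4、按任意键返回上级菜单\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1)
      sed -i '/required.*pam_wheel/d' /etc/pam.d/su &> /dev/null
      sed -i '$aauth required pam_wheel.so use_uid' /etc/pam.d/su &> /dev/null
      echo -e "\033[1;31m修改成功\033[0m"
      echo ""
      suset
      ;;
    2)
      read -r -p "$(echo -e "\033[1;32m请输入需要添加的用户名:\033[1;31m")" uname
      echo -e "\033[0m"
      if [ -n "$uname" ] && getent passwd "$uname" &> /dev/null
      then
        gpasswd -a "$uname" wheel
        echo -e "\033[1;31m添加成功\033[0m"
      else
        echo -e "\033[1;31m没有该用户\033[0m"
      fi
      echo ""
      suset
      ;;
    3)
      read -r -p "$(echo -e "\033[1;32m请输入需要删除的用户名:\033[1;31m")" uname
      echo -e "\033[0m"
      if [ -n "$uname" ] && getent passwd "$uname" &> /dev/null
      then
        gpasswd -d "$uname" wheel
        echo -e "\033[1;31m删除成功\033[0m"
      else
        echo -e "\033[1;31m没有该用户\033[0m"
      fi
      echo ""
      suset
      ;;
    *)
      authorization
      ;;
  esac
}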
#ssh一键设置
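sshset(){
  # sshd hardening menu (sshd must be restarted by hand afterwards).
  # Every option deletes the existing directive (commented or not) and inserts
  # the new one at line 1 of sshd_config. Appending at the end, as before,
  # places the directive inside a trailing "Match" block when one exists, where
  # it applies only to that block. "sshd -t" validates the file afterwards.
  # 1: PermitRootLogin no.
  # 2: PasswordAuthentication no -- refused while ~/.ssh/authorized_keys is
  #    missing or empty, because that would leave no way to log in remotely.
  # 3: PubkeyAuthentication yes plus a key pair for the current user. The
  #    passphrase is entered interactively (the original hard-coded "111111"),
  #    an existing id_rsa is kept, and the public key is appended to
  #    authorized_keys instead of replacing it. The private key remains on this
  #    server: copy it to the client over a trusted channel and delete it here.
  local cfg=/etc/ssh/sshd_config
  echo -e "\033[1;32m1、禁止root用户登录\033[0m"
  echo -e "\033[1;32m2、禁止密码登录\033[0m"
  echo -e "\033[1;32m3、开启秘钥验证\033[0m"
  echo -e "\033[1;31m4、按任意键返回上级菜单\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1)
      sed -i '/PermitRootLogin/d' "$cfg" &> /dev/null
      sed -i '1iPermitRootLogin no' "$cfg" &> /dev/null
      if sshd -t &> /dev/null
      then
        echo -e "\033[1;31m修改成功,请手动重启服务\033[0m"
      else
        echo -e "\033[1;31msshd配置检查失败(sshd -t),请检查$cfg后再重启\033[0m"
      fi
      sshset
      ;;
    2)
      if [ ! -s ~/.ssh/authorized_keys ]
      then
        echo -e "\033[1;31m未找到~/.ssh/authorized_keys,请先执行选项3或导入公钥,否则禁止密码登录将无法远程登录\033[0m"
        sshset
        return
      fi
      sed -i '/PasswordAuthentication/d' "$cfg" &> /dev/null
      sed -i '1iPasswordAuthentication no' "$cfg" &> /dev/null
      if sshd -t &> /dev/null
      then
        echo -e "\033[1;31m修改成功,请手动重启服务\033[0m"
      else
        echo -e "\033[1;31msshd配置检查失败(sshd -t),请检查$cfg后再重启\033[0m"
      fi
      sshset
      ;;
    3)
      sed -i '/PubkeyAuthentication/d' "$cfg" &> /dev/null
      sed -i '1iPubkeyAuthentication yes' "$cfg" &> /dev/null
      mkdir -p ~/.ssh
      chmod 700 ~/.ssh
      if [ ! -f ~/.ssh/id_rsa ]
      then
        ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
      fi
      if [ -f ~/.ssh/id_rsa.pub ]
      then
        cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
        chmod 600 ~/.ssh/authorized_keys
        echo -e "\033[1;31m修改成功,并以生成pubkey文件(.ssh目录内),请手动重启服务\033[0m"
      else
        echo -e "\033[1;31m未生成密钥对,authorized_keys未修改\033[0m"
      fi
      sshset
      ;;
    *)
      authorization
      ;;
  esac
}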
#1)账号设置
userset(){
  # Account menu: dispatches to nologin, userlock, filelock, userd (deletes,
  # destructive), pass, hist and lout; anything else returns to security().
  echo -e "\033[1;32m--------------------------------\033[31m账号设置\033[32m--------------------------------\033[0m"
  echo -e "\033[1;32m1、禁止登陆(nologin)\033[0m"
  echo -e "\033[1;32m2、账号锁定\033[0m"
  echo -e "\033[1;32m3、文件锁定\033[0m"
  echo -e "\033[1;32m4、账号删除\033[31m(慎用)\033[0m"
  echo -e "\033[1;32m5、密码安全\033[0m"
  echo -e "\033[1;32m6、历史命令设置\033[0m"
  echo -e "\033[1;32m7、自动注销设置(300秒)\033[0m"
  echo -e "\033[1;31m8、按任意键返回上级菜单\033[0m"
  read -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1) nologin ;;
    2) userlock ;;
    3) filelock ;;
    4) userd ;;
    5) pass ;;
    6) hist ;;
    7) lout ;;
    *) security ;;
  esac
}
#自动注销
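lout(){
  # Idle auto-logout: export TMOUT=300 from /etc/profile and mark it readonly
  # so a user shell cannot simply "unset TMOUT" (the original left it
  # changeable). Earlier TMOUT lines are removed first so re-running does not
  # duplicate them. Returns to the account menu (the original jumped to the
  # unrelated history menu).
  sed -i '/TMOUT=/d;/^readonly TMOUT$/d' /etc/profile
  sed -i '$aexport TMOUT=300' /etc/profile
  sed -i '$areadonly TMOUT' /etc/profile
  echo -e "\033[1;31m修改成功\033[0m"
  echo ""
  userset
}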
#历史命令设置
hist(){
  # Shell history settings: 1 caps HISTSIZE at 100 in /etc/profile, 2 adds
  # "history -c" to ~/.bash_logout (root's only). Anything else returns to
  # the account menu.
  # NOTE(review): both options shrink the audit trail available during an
  # incident -- a 100-entry limit and clearing history on logout remove exactly
  # what an investigator looks for first. Shipping history/auditd records to a
  # central log is the safer way to keep it out of a local attacker's hands.
  echo -e "\033[1;32m1、设置默认记录条数(100)\033[0m"
  echo -e "\033[1;32m2、设置注销删除记录\033[0m"
  echo -e "\033[1;31m3、按任意键返回上级菜单\033[0m"
  read -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  if [ "$choose" = 1 ]
  then
    sed -i '/HISTSIZE=/d' /etc/profile
    sed -i '$aHISTSIZE=100' /etc/profile
  elif [ "$choose" = 2 ]
  then
    sed -i '/history -c/d' ~/.bash_logout
    sed -i '$ahistory -c' ~/.bash_logout
  else
    userset
    return
  fi
  echo -e "\033[1;31m修改成功\033[0m"
  echo ""
  hist
}
#密码安全
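pass(){
  # Password policy.
  # 1: PASS_MAX_DAYS 30 for new accounts (/etc/login.defs).
  # 2: chage -M 30 for an existing account.
  # 3: reset an account's password and expire it (chage -d 0) so the user must
  #    change it at next login. The temporary password is 12 random characters
  #    printed once, instead of the fixed "111111" anyone who has read this
  #    script could use before the owner logs in.
  # Account names are checked with getent (exact match); the original grep
  # matched substrings of any passwd field. The return option label was a
  # duplicate "3".
  local tmppw
  echo -e "\033[1;32m1、设置新建密码默认有效期(30天)\033[0m"
  echo -e "\033[1;32m2、修改已有用户密码有效期(30天)\033[0m"
  echo -e "\033[1;32m3、密码重置及强制登录改密\033[0m"
  echo -e "\033[1;31m4、按任意键返回上级菜单\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1)
      sed -i '/PASS_MAX_DAYS/d' /etc/login.defs
      sed -i '$aPASS_MAX_DAYS 30' /etc/login.defs
      echo -e "\033[1;31m修改成功\033[0m"
      echo ""
      pass
      ;;
    2)
      read -r -p "$(echo -e "\033[1;32m请输入需要修改的用户名:\033[1;31m")" uname
      echo -e "\033[0m"
      if [ -n "$uname" ] && getent passwd "$uname" &> /dev/null
      then
        chage -M 30 "$uname"
        echo -e "\033[1;31m修改成功\033[0m"
      else
        echo -e "\033[1;31m没有该用户\033[0m"
      fi
      echo ""
      pass
      ;;
    3)
      read -r -p "$(echo -e "\033[1;32m请输入需要修改的用户名:\033[1;31m")" uname
      echo -e "\033[0m"
      if [ -n "$uname" ] && getent passwd "$uname" &> /dev/null
      then
        tmppw="$(tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 12)"
        if echo "$tmppw" | passwd --stdin "$uname" &> /dev/null
        then
          chage -d 0 "$uname"
          echo -e "\033[1;31m修改成功,初始密码$tmppw(首次登录须修改)\033[0m"
        else
          echo -e "\033[1;31m密码重置失败\033[0m"
        fi
      else
        echo -e "\033[1;31m没有该用户\033[0m"
      fi
      echo ""
      pass
      ;;
    *)
      userset
      ;;
  esac
}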
#用户删除
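userd(){
  # Delete non-root accounts whose login shell is /bin/bash.
  # 1: delete all of them after one y/n confirmation; 2: ask per account.
  # Both use "userdel -r" (home directory and mail spool removed). The original
  # option 2 only set /sbin/nologin while printing "deleted" -- use nologin()
  # for that. The account list is printed one per line (the original grouped
  # awk output with a double-incremented counter and then showed an empty
  # $xname in the confirmation prompt).
  # NOTE(review): accounts with another interactive shell (/bin/sh, /bin/zsh
  # ...) are not listed.
  local names name answer
  names="$(awk -F: '($7=="/bin/bash")&&($1!="root"){print $1}' /etc/passwd)"
  if [ -n "$names" ]
  then
    echo -e "\033[1;32m可登陆普通用户列表:\033[0m"
    awk -F: '($7=="/bin/bash")&&($1!="root"){print "\033[1;32m账号名:"$1,"uid:"$3,"宿主目录:"$6"\033[0m"}' /etc/passwd
  else
    echo -e "\033[1;31m当前无可登陆的普通用户\033[0m"
  fi
  echo -e "\033[1;32m1、自动删除(直接删除)\033[0m"
  echo -e "\033[1;32m2、手动删除(选择删除)\033[0m"
  echo -e "\033[1;31m3、按任意键返回上级菜单\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1)
      read -r -p "$(echo -e "\033[1;31m是否全部删除\033[32m$(echo $names)账号\033[31m(y/n)\033[1;31m")" answer
      echo -e "\033[0m"
      yn "$answer"
      if [ "$ynn" -eq 0 ]
      then
        for name in $names
        do
          userdel -r "$name" &> /dev/null
        done
        echo -e "\033[1;31m删除完成,返回菜单\033[0m"
      else
        echo -e "\033[1;31m取消返回\033[0m"
      fi
      echo ""
      userd
      ;;
    2)
      for name in $names
      do
        read -r -p "$(echo -e "\033[1;31m是否删除\033[32m$name账号\033[31m(y/n)\033[1;31m")" answer
        echo -e "\033[0m"
        yn "$answer"
        if [ "$ynn" -eq 0 ]
        then
          userdel -r "$name" &> /dev/null
          echo -e "\033[1;31m已删除$name账号\033[0m"
        else
          echo -e "\033[1;31m取消成功\033[0m"
        fi
      done
      echo -e "\033[1;31m删除完成,返回菜单\033[0m"
      echo ""
      userd
      ;;
    *)
      userset
      ;;
  esac
}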
#文件锁定
filelock(){
  # Toggle ext attributes on /etc/passwd and /etc/shadow:
  #   i = immutable, a = append-only, n = clear both; anything else (including
  # an empty line) returns to the account menu.
  # NOTE: while +i/+a is set, useradd/usermod/passwd/chage fail, so clear the
  # attributes (n) before using the other account options of this script.
  read -p "$(echo -e "\033[1;32m输入\033[31mi\033[32m或\033[31ma\033[32m给passwd及shadow文件加锁\033[31m(n解锁)\033[32m,直接\033[31m回车返回菜单:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    i)
      chattr +i /etc/passwd
      chattr +i /etc/shadow
      ;;
    a)
      chattr +a /etc/passwd
      chattr +a /etc/shadow
      ;;
    n)
      chattr -ai /etc/passwd
      chattr -ai /etc/shadow
      ;;
    *)
      echo -e "\033[1;31m取消返回\033[0m"
      echo ""
      userset
      return
      ;;
  esac
  echo -e "\033[1;31m修改成功,返回菜单\033[0m"
  echo ""
  userset
}
#账号锁定
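userlock(){
  # Lock the password of non-root accounts (passwd -l).
  # An account is listed as unlocked unless its /etc/shadow password field
  # starts with "!" or "*": "passwd -l" prefixes a single "!", so the original
  # "!!"-only test kept showing already-locked accounts as unlocked, and "*"
  # entries (system accounts) never accept a password anyway.
  # 1: lock every listed account after one y/n -- the original ran "passwd -u"
  #    right after "passwd -l", i.e. unlocked them again; 2: ask per account.
  local ulock x answer
  ulock="$(awk -F: '($1!="root")&&($2!~/^[!*]/){print $1}' /etc/shadow)"
  if [ -n "$ulock" ]
  then
    echo -e "\033[1;32m未锁定账号列表:\033[0m"
    for x in $ulock
    do
      echo -e "\033[1;32m$x\033[0m"
    done
  else
    echo -e "\033[1;31m没有未锁定的账号\033[0m"
  fi
  echo -e "\033[1;32m1、一键锁定(全部锁定)\033[0m"
  echo -e "\033[1;32m2、手动锁定(选择锁定)\033[0m"
  echo -e "\033[1;31m3、按任意键返回上级菜单\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1)
      read -r -p "$(echo -e "\033[1;31m是否全部锁定\033[32m$(echo $ulock)账号\033[31m(y/n)\033[1;31m")" answer
      echo -e "\033[0m"
      yn "$answer"
      if [ "$ynn" -eq 0 ]
      then
        for x in $ulock
        do
          passwd -l "$x" &> /dev/null
        done
        echo -e "\033[1;31m锁定完成,返回菜单\033[0m"
      else
        echo -e "\033[1;31m取消锁定,返回菜单\033[0m"
      fi
      echo ""
      userlock
      ;;
    2)
      for x in $ulock
      do
        read -r -p "$(echo -e "\033[1;31m是否锁定\033[32m$x账号\033[31m(y/n)\033[1;31m")" answer
        echo -e "\033[0m"
        yn "$answer"
        if [ "$ynn" -eq 0 ]
        then
          passwd -l "$x" &> /dev/null
          echo -e "\033[1;31m已锁定$x账号\033[0m"
        else
          echo -e "\033[1;31m取消成功\033[0m"
        fi
      done
      echo -e "\033[1;31m锁定完成,返回菜单\033[0m"
      echo ""
      userlock
      ;;
    *)
      userset
      ;;
  esac
}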
#修改非登录用户登录shell
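nologin(){
  # Set the login shell of non-root /bin/bash accounts to /sbin/nologin.
  # 1: all of them after one y/n confirmation; 2: ask per account.
  # The account list is printed one per line (the original grouped awk output
  # with a double-incremented counter and then showed an empty $xname in the
  # confirmation prompt). NOTE(review): accounts with another interactive
  # shell (/bin/sh, /bin/zsh ...) are not listed.
  local names name answer
  names="$(awk -F: '($7=="/bin/bash")&&($1!="root"){print $1}' /etc/passwd)"
  if [ -n "$names" ]
  then
    echo -e "\033[1;32m可登陆普通用户列表:\033[0m"
    awk -F: '($7=="/bin/bash")&&($1!="root"){print "\033[1;32m账号名:"$1,"uid:"$3,"宿主目录:"$6"\033[0m"}' /etc/passwd
  else
    echo -e "\033[1;31m当前无可登陆的普通用户\033[0m"
  fi
  echo -e "\033[1;32m1、自动禁止(直接禁止)\033[0m"
  echo -e "\033[1;32m2、手动禁止(选择禁止)\033[0m"
  echo -e "\033[1;31m3、按任意键返回上级菜单\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  case "$choose" in
    1)
      read -r -p "$(echo -e "\033[1;31m是否全部锁定\033[32m$(echo $names)账号\033[31m(y/n)\033[1;31m")" answer
      echo -e "\033[0m"
      yn "$answer"
      if [ "$ynn" -eq 0 ]
      then
        for name in $names
        do
          usermod -s /sbin/nologin "$name"
        done
        echo -e "\033[1;31m禁止完成,返回菜单\033[0m"
      else
        echo -e "\033[1;31m取消返回\033[0m"
      fi
      echo ""
      nologin
      ;;
    2)
      for name in $names
      do
        read -r -p "$(echo -e "\033[1;31m是否禁止\033[32m$name账号\033[31m(y/n)\033[1;31m")" answer
        echo -e "\033[0m"
        yn "$answer"
        if [ "$ynn" -eq 0 ]
        then
          usermod -s /sbin/nologin "$name"
          echo -e "\033[1;31m已禁止$name账号登录\033[0m"
        else
          echo -e "\033[1;31m取消成功\033[0m"
        fi
      done
      echo -e "\033[1;31m禁止完成,返回菜单\033[0m"
      echo ""
      nologin
      ;;
    *)
      userset
      ;;
  esac
}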
#############################################网卡设置###########################################################
#1、网卡设置(Network settings)
network(){
  # Interface menu: 1 = DHCP (auto), 2 = fixed address (ipset); anything else
  # returns to the main menu.
  echo -e "\033[1;32m1、自动获取IP\033[0m"
  echo -e "\033[1;32m2、手动设置IP\033[0m"
  echo -e "\033[1;31m3、任意键返回主菜单\033[0m"
  read -p "$(echo -e "\033[1;32m请选择功能:\033[1;31m")" choose
  echo -e "\033[0m"
  if [ "$choose" = 1 ]
  then
    auto
  elif [ "$choose" = 2 ]
  then
    ipset
  else
    echo -e "\033[1;31m返回上级菜单\033[0m"
    echo ""
    main
  fi
}
#自动获取
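auto(){
  # Switch one interface configuration file to DHCP and restart networking.
  # The candidates are /etc/sysconfig/network-scripts/ifcfg-e* (eth*, ens*,
  # enp* ...), picked by number. BOOTPROTO is rewritten whatever its current
  # value -- the original only replaced the literal "static", leaving "none"
  # or a quoted value in place -- and the fixed-address lines are removed.
  # An out-of-range or non-numeric choice returns to the interface menu.
  local ifcfgs=() x n fname file
  for x in /etc/sysconfig/network-scripts/ifcfg-e*
  do
    [ -e "$x" ] && ifcfgs+=("${x##*/}")
  done
  echo -e "\033[1;32m本机网卡文件:\033[0m"
  n=1
  for x in "${ifcfgs[@]}"
  do
    echo -e "\033[1;32m$n、$x\033[0m"
    n=$((n + 1))
  done
  echo -e "\033[1;31m$n、任意键返上级菜单\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择需要修改的网卡:\033[1;31m")" choose
  echo -e "\033[0m"
  if ! echo "$choose" | grep -Eq '^[1-9][0-9]*$' || [ "$choose" -gt "${#ifcfgs[@]}" ]
  then
    network
    return
  fi
  fname="${ifcfgs[$((choose - 1))]}"
  file="/etc/sysconfig/network-scripts/$fname"
  sed -i 's/ONBOOT=no/ONBOOT=yes/g' "$file" &> /dev/null
  sed -i '/BOOTPROTO/d;/IPADDR/d;/NETMASK/d;/GATEWAY/d;/DNS/d' "$file" &> /dev/null
  echo "BOOTPROTO=dhcp" >> "$file"
  echo -e "\033[1;32m配置文件修改完成,准备重启服务!\033[0m"
  service network restart
  echo -e "\033[1;31m配置完成返回上级菜单\033[0m"
  echo ""
  network
}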
#手动设置
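ipset(){
  # Give one interface a fixed address (IP, netmask, gateway, DNS1) and
  # restart networking.
  # Fixes vs. the original: the gateway answer was read into a misspelled
  # variable ("gatway") and ignored, so the computed default was always
  # written; octets may now be 0-255 (the old pattern rejected any zero octet,
  # e.g. 192.168.0.10); the netmask is validated as a dotted quad instead of
  # only "255.255.255.x"; the interface number is range-checked.
  local ipre='^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
  local ifcfgs=() x n fname file ip mask gateway dns
  for x in /etc/sysconfig/network-scripts/ifcfg-e*
  do
    [ -e "$x" ] && ifcfgs+=("${x##*/}")
  done
  echo -e "\033[1;32m本机网卡文件:\033[0m"
  n=1
  for x in "${ifcfgs[@]}"
  do
    echo -e "\033[1;32m$n、$x\033[0m"
    n=$((n + 1))
  done
  echo -e "\033[1;31m$n、任意键返回主菜单\033[0m"
  read -r -p "$(echo -e "\033[1;32m请选择需要修改的网卡:\033[1;31m")" choose
  echo -e "\033[0m"
  if ! echo "$choose" | grep -Eq '^[1-9][0-9]*$' || [ "$choose" -gt "${#ifcfgs[@]}" ]
  then
    network
    return
  fi
  fname="${ifcfgs[$((choose - 1))]}"
  file="/etc/sysconfig/network-scripts/$fname"
  while true
  do
    read -r -p "$(echo -e "\033[1;32m请输入IP:\033[1;31m")" ip
    echo -e "\033[0m"
    if echo "$ip" | grep -Eq "$ipre"
    then
      break
    fi
    echo -e "\033[1;31mIP格式错误,请重新输入!\033[0m"
  done
  while true
  do
    read -r -p "$(echo -e "\033[1;32m请输入掩码(直接回车输入默认值255.255.255.0):\033[1;31m")" mask
    echo -e "\033[0m"
    if [ -z "$mask" ]
    then
      mask="255.255.255.0"
      break
    fi
    if echo "$mask" | grep -Eq "$ipre"
    then
      break
    fi
    echo -e "\033[1;31m掩码格式错误,请重新输入!\033[0m"
  done
  while true
  do
    read -r -p "$(echo -e "\033[1;32m请输入网关(回车输入默认值${ip%.*}.1):\033[1;31m")" gateway
    echo -e "\033[0m"
    if [ -z "$gateway" ]
    then
      gateway="${ip%.*}.1"
      break
    fi
    if echo "$gateway" | grep -Eq "$ipre"
    then
      break
    fi
    echo -e "\033[1;31m网关格式错误,请重新输入!\033[0m"
  done
  while true
  do
    read -r -p "$(echo -e "\033[1;32m请输入DNS1(回车输入默认值$gateway):\033[1;31m")" dns
    echo -e "\033[0m"
    if [ -z "$dns" ]
    then
      dns="$gateway"
      break
    fi
    if echo "$dns" | grep -Eq "$ipre"
    then
      break
    fi
    echo -e "\033[1;31mDNS格式错误,请重新输入!\033[0m"
  done
  sed -i 's/ONBOOT=no/ONBOOT=yes/g' "$file" &> /dev/null
  sed -i '/BOOTPROTO/d;/IPADDR/d;/NETMASK/d;/GATEWAY/d;/DNS/d' "$file" &> /dev/null
  {
    echo "BOOTPROTO=static"
    echo "IPADDR=$ip"
    echo "NETMASK=$mask"
    echo "GATEWAY=$gateway"
    echo "DNS1=$dns"
  } >> "$file"
  echo -e "\033[1;32m配置文件修改完成,准备重启服务!\033[0m"
  service network restart
  echo -e "\033[1;31m配置完成返回上级菜单\033[0m"
  echo ""
  network
}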
#####################################################################6DHCP开始#######################################################################
########################全局变量########################
# Globals of the DHCP section; refreshed by run() through is76()/isroot()/
# isstatic()/iptable()/selinux() before they are consulted.
# Throughout, 0 means "yes / condition satisfied" and 1 means "no".
ynn=0              # last yn() answer
installn=0         # number of failed install attempts in install()
isrootn=0          # running as root?
isstaticn=0        # interface uses a fixed address?
iptablen=0         # packet filter stopped?
selinuxn=0         # SELinux disabled?
is76n="$sys"       # 0 = CentOS 7, 1 = CentOS 6 (copied from $sys)
wk="$netfile"      # interface file name (ifcfg-ens33 / ifcfg-eth0)
########################################################
##########################函数#########################
#判断系统版本为7或6
is76(){
  # CentOS version for the DHCP section (same test as syscheck()): a 3.10
  # kernel means CentOS 7 (is76n=0, ifcfg-ens33), anything else CentOS 6
  # (is76n=1, ifcfg-eth0).
  case "$(uname -r)" in
    3?10*)
      wk="ifcfg-ens33"
      is76n=0
      ;;
    *)
      wk="ifcfg-eth0"
      is76n=1
      ;;
  esac
}
#判断用户是否为root
isroot(){
  # isrootn=0 when the effective user is root, else 1.
  who="$(whoami)"
  isrootn=1
  [ "$who" = "root" ] && isrootn=0
}
#判断IP获取方式是否为static
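isstatic(){
  # isstaticn=0 when the interface file $wk uses a fixed address, else 1.
  # BOOTPROTO=static and BOOTPROTO=none both mean a fixed address in ifcfg
  # files (the original classified "none" as not static); a missing BOOTPROTO
  # line counts as fixed, as before.
  local proto
  proto="$(awk -F "=" '/^BOOTPROTO/{print $2}' "/etc/sysconfig/network-scripts/$wk" 2> /dev/null | tr -d '"')"
  case "$proto" in
    ""|static|none) isstaticn=0 ;;
    *) isstaticn=1 ;;
  esac
}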
#判断防火墙是否关闭
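iptable(){
  # iptablen=0 when the packet filter service is stopped, else 1.
  # Decided from exit codes ("systemctl is-active", and "service iptables
  # status", which returns non-zero when stopped) instead of grepping status
  # text: the original matched the English "Active: inactive" or the Chinese
  # "未运行", so under any other locale the firewall was reported as running.
  if [ "$is76n" -eq 0 ]
  then
    if systemctl is-active --quiet firewalld
    then
      iptablen=1
    else
      iptablen=0
    fi
  else
    if service iptables status &> /dev/null
    then
      iptablen=1
    else
      iptablen=0
    fi
  fi
}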
#判断seliunx是否关闭
selinux(){
  # selinuxn=0 only when getenforce reports "Disabled"; Enforcing and
  # Permissive (and a missing getenforce) both count as "not closed".
  se="$(getenforce)"
  case "$se" in
    Disabled) selinuxn=0 ;;
    *) selinuxn=1 ;;
  esac
}
#判断输入的是y或n
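yn(){
  # Set ynn=0 when "$1" is an affirmative answer (y, Y, yes, Yes, YES),
  # otherwise ynn=1. The match covers the whole word: the original unanchored
  # egrep treated any input containing a "y" -- "any", "nay", "no way" -- as
  # yes, which for the callers here means deleting or locking accounts.
  case "$1" in
    y|Y|yes|Yes|YES) ynn=0 ;;
    *) ynn=1 ;;
  esac
}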
#修改IP
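setip(){
  # Give the interface $wk a fixed address (IP, netmask, gateway, DNS1) and
  # restart networking. Used by run() when the host is on DHCP.
  # Octets may be 0-255 (the original pattern rejected any zero octet, e.g.
  # 192.168.0.10) and the netmask is validated as a dotted quad rather than
  # only "255.255.255.x".
  local ipre='^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
  local add ip mask gateway dns
  while true
  do
    read -r -p "$(echo -e "\033[1;32m请输入IP:\033[1;31m")" ip
    echo -e "\033[0m"
    if echo "$ip" | grep -Eq "$ipre"
    then
      break
    fi
    echo -e "\033[1;31mIP格式错误,请重新输入!\033[0m"
  done
  while true
  do
    read -r -p "$(echo -e "\033[1;32m请输入掩码(直接回车输入默认值255.255.255.0):\033[1;31m")" mask
    echo -e "\033[0m"
    if [ -z "$mask" ]
    then
      mask="255.255.255.0"
      break
    fi
    if echo "$mask" | grep -Eq "$ipre"
    then
      break
    fi
    echo -e "\033[1;31m掩码格式错误,请重新输入!\033[0m"
  done
  while true
  do
    read -r -p "$(echo -e "\033[1;32m请输入网关(直接回车输入默认值${ip%.*}.1):\033[1;31m")" gateway
    echo -e "\033[0m"
    if [ -z "$gateway" ]
    then
      gateway="${ip%.*}.1"
      break
    fi
    if echo "$gateway" | grep -Eq "$ipre"
    then
      break
    fi
    echo -e "\033[1;31m网关格式错误,请重新输入!\033[0m"
  done
  while true
  do
    read -r -p "$(echo -e "\033[1;32m请输入DNS1(回车输入默认值$gateway):\033[1;31m")" dns
    echo -e "\033[0m"
    if [ -z "$dns" ]
    then
      dns="$gateway"
      break
    fi
    if echo "$dns" | grep -Eq "$ipre"
    then
      break
    fi
    echo -e "\033[1;31mDNS格式错误,请重新输入!\033[0m"
  done
  add="/etc/sysconfig/network-scripts/$wk"
  sed -i '/BOOTPROTO/d;/IPADDR/d;/NETMASK/d;/GATEWAY/d;/DNS/d' "$add"
  {
    echo "BOOTPROTO=static"
    echo "IPADDR=$ip"
    echo "NETMASK=$mask"
    echo "GATEWAY=$gateway"
    echo "DNS1=$dns"
  } >> "$add"
  echo -e "\033[1;32m配置文件修改完成,准备重启服务!\033[0m"
  service network restart
}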
#关闭防火墙
setiptable(){
  # Stop and disable the packet filter: firewalld on CentOS 7, the iptables
  # service on CentOS 6. Called from run() when the user agrees.
  # NOTE(review): this removes the host firewall entirely rather than opening
  # udp/67 for dhcpd; outside a lab network add a rule for the DHCP port and
  # keep the service enabled.
  if [ "$is76n" -ne 0 ]
  then
    service iptables stop &> /dev/null
    chkconfig iptables off &> /dev/null
  else
    systemctl disable firewalld &> /dev/null
    systemctl stop firewalld &> /dev/null
  fi
}
#关闭selinux
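setse(){
  # Put SELinux in permissive mode now and set SELINUX=disabled for the next
  # boot. The config rewrite matches any current value: the original only
  # replaced "enforcing", so a host already at "permissive" kept it, and
  # run()'s check ("Disabled" required) never passed after the reboot.
  # NOTE(review): disabling SELinux for dhcpd is heavier than needed; the
  # stock policy already allows dhcpd, so consider leaving it enforcing.
  setenforce 0 &> /dev/null
  sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config &> /dev/null
}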
###########################环境检测################################
run(){
# Environment check before the DHCP install. Refreshes the section globals
# through is76/isroot/isstatic/iptable/selinux, prints each finding and, for
# every unmet condition, offers the matching fix (setip / setiptable / setse)
# and then re-runs itself. A non-root caller exits the script; declining a
# fix returns to the main menu; the SELinux fix needs a reboot.
# NOTE(review): the firewall and SELinux "fixes" disable both services
# outright rather than allowing dhcpd through them.
echo -e "\033[1;32m##########################\033[0m\033[1;31m开始检测安装环境\033[0m\033[1;32m##############################\033[0m"
is76
isroot
isstatic
iptable
selinux
if [ $is76n -eq 0 ]
then
echo -e "\033[1;32m系统版本:CentOS7\033[0m"
else
echo -e "\033[1;32m系统版本:CentOS6\033[0m"
fi
hostname=`hostname`
echo -e "\033[1;32m计算机名称:$hostname\033[0m"
if [ $isrootn -eq 0 ]
then
echo -e "\033[1;32m当前登录用户:root(符合)\033[0m"
else
echo -e "\033[1;31m当前登录用户为非root用户,请切换账户后重试!\033[0m"
exit
fi
# A DHCP server needs a fixed address on the serving interface.
if [ $isstaticn -eq 0 ]
then
echo -e "\033[1;32m当前为固定IP(符合)\033[0m"
else
read -p `echo -e "\033[1;31m当前为自动获取IP,请问是否尝试自动修改?(y/n)\033[1;31m"` x
echo -e "\033[0m"
yn $x
if [ $ynn -eq 0 ]
then
setip
echo -e "\033[1;32m修改成功!重新检测状态\033[0m"
# re-check from the top; the exit below is only reached if run() returns
run
exit
else
echo -e "\033[1;31m返回主菜单\033[0m"
echo ""
main
fi
fi
if [ $iptablen -eq 0 ]
then
echo -e "\033[1;32m防火墙已关闭(符合)\033[0m"
else
read -p `echo -e "\033[1;31m防火墙未关闭,是否尝试自动关闭?(y/n)\033[1;31m"` x
echo -e "\033[0m"
yn $x
if [ $ynn -eq 0 ]
then
setiptable
echo -e "\033[1;32m修改成功!重新检测状态\033[0m"
run
exit
else
echo -e "\033[1;31m返回主菜单\033[0m"
echo ""
main
fi
fi
if [ $selinuxn -eq 0 ]
then
echo -e "\033[1;32mselinux已关闭(符合)\033[0m"
else
read -p `echo -e "\033[1;31mselinux未关闭,是否尝试自动关闭?(y/n)\033[1;31m"` x
echo -e "\033[0m"
yn $x
if [ $ynn -eq 0 ]
then
setse
# SELINUX=disabled only takes effect after a reboot, so the check cannot
# be repeated in this run.
read -p `echo -e "\033[1;32m修改成功!需重启生效。是否现在重启(y/n)\033[1;31m"` y
echo -e "\033[0m"
yn $y
if [ $ynn -eq 0 ]
then
reboot
echo -e "\033[1;31m重启\033[0m"
else
echo -e "\033[1;31m返回主菜单,请手动重启后重新运行本脚本!\033[0m"
main
fi
exit
else
echo -e "\033[1;31m返回主菜单\033[0m"
echo ""
main
fi
fi
}
##############################安装相关函数############################
#rpm安装
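rpmin(){
  # Install the dhcp package (dhcp-4*) from the DVD mounted at /media, retrying
  # once with the dependencies rpm reports as missing ("needed by" / "需要").
  # Returns 0 on success, 1 on failure. rpm's stderr goes to a mktemp file
  # whose path is printed on failure, not to ./err in the current directory,
  # which a root process should not blindly overwrite. Also fixes the broken
  # "\033[1;32" colour escape in the mount-failure message.
  local errfile deps pn name
  while true
  do
    read -r -p "$(echo -e "\033[1;32m安装前请先放入光盘(按任意键继续)\033[0m")"
    umount /dev/cdrom &> /dev/null
    if ! mount /dev/cdrom /media/ &> /dev/null
    then
      echo -e "\033[1;31m挂载光盘失败,请检查是否放入光盘!\033[0m"
      continue
    fi
    break
  done
  errfile="$(mktemp)" || return 1
  if rpm -ivh /media/Packages/dhcp-4* 2> "$errfile"
  then
    echo -e "\033[1;32m安装成功!\033[0m"
    rm -f "$errfile"
    return 0
  fi
  deps="$(awk '/ 需要/||/needed by/{print $1}' "$errfile" | sed 's/(.*)//g')"
  if [ -z "$deps" ]
  then
    echo -e "\033[1;31m安装失败!失败原因请查看文件 $errfile\033[0m"
    return 1
  fi
  echo -e "\033[1;31m有依赖软件未安装,尝试打包安装\033[0m"
  # $pn is deliberately unquoted below so the patterns glob on the DVD.
  pn='/media/Packages/dhcp-4*'
  for name in $deps
  do
    pn="$pn /media/Packages/$name*"
  done
  echo -e "\033[1;31m$(echo $pn | sed 's/\/media\/Packages\///g')\033[0m"
  if rpm -ivh $pn 2> "$errfile"
  then
    echo -e "\033[1;32m安装成功!\033[0m"
    rm -f "$errfile"
    return 0
  fi
  echo -e "\033[1;31m安装失败!失败原因请查看文件 $errfile\033[0m"
  return 1
}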
#yum安装
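yumin(){
  # Install dhcp with yum after a connectivity probe (4 pings to
  # mirrors.aliyun.com). Optionally switches CentOS-Base.repo to the Aliyun
  # mirror first, installing wget from the DVD when it is missing. The repo
  # file is fetched over HTTPS (the original used plain HTTP, open to an
  # on-path swap of the repo definition) and a failed download restores the
  # previous CentOS-Base.repo. The two duplicated branches are merged.
  # Returns 1 when offline or when the download fails, else yum's status.
  local cc
  echo -e "\033[1;32m正在检测是否联网,请稍后……\033[0m"
  if ! ping -c 4 mirrors.aliyun.com &> /dev/null
  then
    echo -e "\033[1;31m网络异常,退出安装\033[0m"
    return 1
  fi
  echo -e "\033[1;32m网络正常\033[0m"
  read -r -p "$(echo -e "\033[1;32m是否更新yum源(y/n)\033[1;31m")" x
  echo -e "\033[0m"
  yn "$x"
  if [ "$ynn" -eq 0 ]
  then
    if ! rpm -q wget &> /dev/null
    then
      echo -e "\033[1;31mwget未安装,自动安装wget\033[0m"
      while true
      do
        read -r -p "$(echo -e "\033[1;32m安装前请先放入光盘(按任意键继续)\033[0m")"
        umount /dev/cdrom &> /dev/null
        if ! mount /dev/cdrom /media/ &> /dev/null
        then
          echo -e "\033[1;31m挂载光盘失败,请检查是否放入光盘!\033[0m"
          continue
        fi
        break
      done
      rpm -ivh /media/Packages/wget*
      echo -e "\033[1;32m安装完成,开始更新yum源\033[0m"
    fi
    cc="Centos-7.repo"
    if [ "$is76n" -ne 0 ]
    then
      cc="Centos-6.repo"
    fi
    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
    if ! wget -O /etc/yum.repos.d/CentOS-Base.repo "https://mirrors.aliyun.com/repo/$cc"
    then
      echo -e "\033[1;31m下载yum源失败,已恢复原CentOS-Base.repo\033[0m"
      rm -f /etc/yum.repos.d/CentOS-Base.repo
      mv /etc/yum.repos.d/CentOS-Base.repo.bak /etc/yum.repos.d/CentOS-Base.repo
      return 1
    fi
    echo -e "\033[1;32m更新完成,开始安装dhcp\033[0m"
  else
    echo -e "\033[1;32m开始安装dhcp\033[0m"
  fi
  yum install -y dhcp
}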
#开始安装
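install(){
  # Interactive dhcp installer: 1 = rpm from the install DVD, 2 = yum,
  # anything else returns to the main menu. After the first failed attempt
  # the user is told to try the other method; a second failure goes back
  # to the main menu.
  # Globals: installn (read/written: 0 = first attempt, 1 = retry);
  #          calls rpmin, yumin, main
  # Returns: 0 once an install method succeeded
  local choose rc
  printf '\033[1;32m##########################\033[0m\033[1;31m开始自动安装程序\033[0m\033[1;32m##############################\033[0m\n'
  while true; do
    printf '\033[1;31m安装方式:\033[0m\n'
    printf '\033[1;31m1、rpm安装\033[0m\n'
    printf '\033[1;31m2、yum安装\033[0m\n'
    printf '\033[1;31m3、按任意键返回主菜单\033[0m\n'
    read -r -p $'\033[1;32m请选择(1/2):\033[1;31m' choose
    printf '\033[0m\n'
    # exact match: the old `grep [1-2]` accepted any input containing a 1 or 2
    case "$choose" in
      1) rpmin; rc=$? ;;
      2) yumin; rc=$? ;;
      *)
        printf '\033[1;31m退出程序\033[0m\n'
        echo ""
        main
        return
        ;;
    esac
    if [ "$rc" -eq 0 ]; then
      break
    fi
    if [ "${installn:-0}" -eq 0 ]; then
      if [ "$choose" = 1 ]; then
        printf '\033[1;31m请尝试yum安装\033[0m\n'
      else
        printf '\033[1;31m安装失败!\033[0m\n'
        printf '\033[1;31m请尝试rpm安装\033[0m\n'
      fi
      echo ""
      installn=1
      continue
    fi
    printf '\033[1;31m安装失败,返回主菜单\033[0m\n'
    echo ""
    main
    return
  done
}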
######################自动配置相关函数#######################
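_dhcp_ask(){
  # Prompt until the answer is empty (the default is taken) or matches the
  # regex as a whole; store the result in the global named by $1.
  # Arguments: $1 variable name, $2 prompt, $3 default, $4 extended regex
  # Returns: 1 when stdin is exhausted
  local ans
  while true; do
    read -r -p "$2" ans || return 1
    if [ -z "$ans" ]; then
      printf -v "$1" '%s' "$3"
      return 0
    fi
    if [[ $ans =~ $4 ]]; then
      printf -v "$1" '%s' "$ans"
      return 0
    fi
    printf '\033[1;31m格式错误,请重新输入!\033[0m\n'
  done
}
_dhcp_ip2int(){
  # Print the dotted quad $1 as one integer so two addresses compare with -gt.
  local IFS=.
  # shellcheck disable=SC2086 -- splitting on IFS=. is the point
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
setdhcp(){
  # Interactive dhcpd.conf writer: ask for every value (Enter keeps the
  # shown default), strip the directives this script manages from the
  # current file, append the new global options and subnet block, show what
  # was written and restart dhcpd.
  # Globals written: name servers default max subip submask range1 range2
  #                  route broad (the collected answers)
  # Globals read:    is76n (0 = systemd host, otherwise SysV)
  # Exits with status 1 when dhcpd fails to restart.
  local conf=/etc/dhcp/dhcpd.conf
  # Octet patterns as in the original checks: first octet 1-254, the others
  # 0-254; only the broadcast address may end in 255. The mask accepts
  # 0-255 everywhere (the old pattern rejected a typed "255.255.255.0").
  local oct='([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-4])'
  local first='([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-4])'
  local full='([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])'
  local ip="^$first\\.$oct\\.$oct\\.$oct\$"
  local net="^$first\\.$oct\\.$oct\\.0\$"
  local mask="^$full\\.$full\\.$full\\.$full\$"
  local bcast="^$first\\.$oct\\.$oct\\.$full\$"
  local num='^[1-9][0-9]*$'
  # The domain is written between double quotes in dhcpd.conf, so quotes,
  # semicolons and spaces are rejected here; labels separated by dots only.
  local domain='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
  local cfg rc
  printf '\033[1;32m###########################\033[0m\033[1;31m开始自动配置程序\033[0m\033[1;32m#############################\033[0m\n'
  _dhcp_ask name $'\033[1;32m请输入搜索域(默认luoxinli.top):\033[1;31m' luoxinli.top "$domain" || return 1
  _dhcp_ask servers $'\033[1;32m请输入DNS服务器(默认192.168.11.1):\033[1;31m' 192.168.11.1 "$ip" || return 1
  _dhcp_ask default $'\033[1;32m请输入默认租约时间(默认600):\033[1;31m' 600 "$num" || return 1
  while true; do
    _dhcp_ask max $'\033[1;32m请输入最大租约时间(默认7200):\033[1;31m' 7200 "$num" || return 1
    if [ "$max" -ge "$default" ]; then
      break
    fi
    printf '\033[1;31m格式错误或小于默认租约时间,请重新输入!\033[0m\n'
  done
  _dhcp_ask subip $'\033[1;32m请输入网段(默认192.168.11.0):\033[1;31m' 192.168.11.0 "$net" || return 1
  _dhcp_ask submask $'\033[1;32m请输入掩码(默认255.255.255.0):\033[1;31m' 255.255.255.0 "$mask" || return 1
  _dhcp_ask range1 $'\033[1;32m请输入地址池最小IP(默认192.168.11.100):\033[1;31m' 192.168.11.100 "$ip" || return 1
  while true; do
    _dhcp_ask range2 $'\033[1;32m请输入地址池最大IP(默认192.168.11.200):\033[1;31m' 192.168.11.200 "$ip" || return 1
    # compare the whole address; the old code looked at the last octet only
    # and tested $? of the awk assignment instead of the format check
    if [ "$(_dhcp_ip2int "$range2")" -gt "$(_dhcp_ip2int "$range1")" ]; then
      break
    fi
    printf '\033[1;31m格式错误或最大IP小于最小IP,请重新输入!\033[0m\n'
  done
  _dhcp_ask route $'\033[1;32m请输入网关地址(默认192.168.11.1):\033[1;31m' 192.168.11.1 "$ip" || return 1
  _dhcp_ask broad $'\033[1;32m请输入广播地址(默认192.168.11.255):\033[1;31m' 192.168.11.255 "$bcast" || return 1
  printf '\033[0m\n'
  ####写入配置文件####
  printf '\033[1;32m开始自动配置\033[0m\n'
  # The cleanup below removes every subnet block and the global directives
  # this script writes, so keep a timestamped copy of the current file.
  if [ -f "$conf" ]; then
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
  fi
  # Subnet blocks are removed as whole ranges. The former per-line deletes
  # (`/}/d`, `/subnet/d`, `/range/d`, ...) also stripped closing braces and
  # lines from unrelated host/group blocks and from comments.
  sed -i \
    -e '/^[[:space:]]*subnet[[:space:]]/,/^[[:space:]]*}/d' \
    -e '/^[[:space:]]*option domain-name/d' \
    -e '/^[[:space:]]*default-lease-time/d' \
    -e '/^[[:space:]]*max-lease-time/d' \
    -e '/^[[:space:]]*range[[:space:]]/d' \
    -e '/^[[:space:]]*option routers/d' \
    -e '/^[[:space:]]*option broadcast-address/d' \
    -e '/^[[:space:]]*$/d' \
    "$conf"
  printf -v cfg '%s\n' \
    "option domain-name \"$name\";" \
    "option domain-name-servers $servers;" \
    "default-lease-time $default;" \
    "max-lease-time $max;" \
    "" \
    "subnet $subip netmask $submask {" \
    " range $range1 $range2;" \
    " option domain-name \"$name\";" \
    " option domain-name-servers $servers;" \
    " option routers $route;" \
    " option broadcast-address $broad;" \
    " default-lease-time $default;" \
    " max-lease-time $max;" \
    "}"
  printf '\n%s' "$cfg" >> "$conf"
  printf '\033[1;32m写入配置文件\033[0m\033[1;31m%s\033[0m\n' "$conf"
  echo " "
  printf '\033[1;32m%s\033[0m\n' "${cfg%$'\n'}"
  echo " "
  printf '\033[1;32m配置完成,准备重启服务!\033[0m\n'
  if [ "$is76n" -eq 0 ]; then
    systemctl enable dhcpd
    systemctl restart dhcpd
    rc=$?
  else
    chkconfig dhcpd on
    service dhcpd restart
    rc=$?
  fi
  if [ "$rc" -eq 0 ]; then
    printf '\033[1;32m服务启动成功!\033[0m\n'
  else
    printf '\033[1;31m服务启动失败!请手动进行配置!\033[0m\n'
    exit 1
  fi
}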
#######################查询是否安装#######################
check(){
  # Entry point for the DHCP menu item: when dhcp is already installed ask
  # whether to configure it, otherwise install it first; always return to
  # the main menu afterwards.
  # Globals: x (written), ynn (read, set by yn); calls is76, yn, setdhcp,
  #          run, install, main
  echo ""
  echo ""
  is76
  if rpm -q dhcp &> /dev/null; then
    read -p $'\033[1;32mDHCP已安装,是否需要自动配置?(y/n)\033[1;31m' x
    printf '\033[0m\n'
    echo " "
    yn $x
    if [ "$ynn" -eq 0 ]; then
      setdhcp
    else
      printf '\033[1;31m返回主菜单\033[0m\n'
      echo ""
      main
    fi
  else
    printf ' \033[1;31m检测到DHCP未安装,进入自动安装配置程序\033[0m\n'
    echo ""
    echo ""
    run
    install
    setdhcp
  fi
  printf '\033[1;32m####################\033[0m\033[1;31mDHCP服务安装配置完成,返回主菜单\033[0m\033[1;32m######################\033[0m\n'
  echo ""
  main
}
#check
#setdhcp
#rpmin
#####################################################################DHCP开始#######################################################################
############# run #############
# Script entry: show the main menu (defined earlier in auto.sh).
main
#root
DNS配置子脚本(dnsset.sh)
#!/bin/bash
#set dns
# Defaults for dnsset.sh; getnum overwrites yname, dnsip and wwwip with the
# operator's answers.
file=/etc/named.conf     # BIND main configuration rewritten by confset
yname=luoxinli.top       # zone name
dnsname=$(uname -n)      # this host's name, used for the NS record
dnsip=192.168.11.158     # address recorded for the NS host
wwwip=192.168.11.151     # address for www and for the zone apex
#主函数
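run(){
  # Ask for the zone parameters, rewrite named.conf and the zone file, then
  # restart named.
  # Arguments: $1 - non-zero selects the SysV `service` path (CentOS 6);
  #            empty or 0 uses systemctl (CentOS 7). The script calls run
  #            without an argument, which used to make the numeric test
  #            error out and fall into the systemctl branch; 0 is now the
  #            explicit default.
  # Returns: the status of getnum or of the restart command
  local sysv=${1:-0}
  getnum || return 1
  confset
  zoneset
  if [ "$sysv" -ne 0 ]; then
    service named restart
  else
    systemctl restart named
  fi
}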
#变量赋值
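_dns_ask(){
  # Prompt for the global named $1: an empty answer keeps its current value,
  # otherwise the answer must match regex $3 as a whole or it is re-asked.
  # Arguments: $1 variable name, $2 prompt, $3 extended regex
  # Returns: 1 when stdin is exhausted
  local ans
  while true; do
    read -r -p "$2" ans || return 1
    if [ -z "$ans" ]; then
      ans=${!1}
    fi
    if [[ $ans =~ $3 ]]; then
      printf -v "$1" '%s' "$ans"
      return 0
    fi
    printf '\033[1;31m格式错误,请重新输入!\033[0m\n'
  done
}
getnum(){
  # Collect the zone name, the DNS server address and the web server
  # address. Enter keeps the default assigned at the top of the script;
  # the values go straight into named.conf and the zone file, so they are
  # checked for shape first.
  # Globals: yname, dnsip, wwwip (written)
  # Returns: 1 when stdin is exhausted
  local ipre='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  local namere='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
  _dns_ask yname $'\033[1;32m请输入域名:\033[1;31m' "$namere" || return 1
  _dns_ask dnsip $'\033[1;32m请输入DNS服务器IP:\033[1;31m' "$ipre" || return 1
  _dns_ask wwwip $'\033[1;32m请输入WEB服务器IP:\033[1;31m' "$ipre" || return 1
  printf '\033[0m\n'
}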
#主配置文件
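confset(){
  # Rewrite $file so it keeps only its // comment lines, followed by a
  # minimal options block and a master zone for $yname. Every other line
  # of the existing named.conf is discarded, so a timestamped copy is
  # taken first.
  # Globals: file, yname (read)
  # NOTE(review): the generated options block sets no listen-on,
  # allow-query or recursion, so BIND's defaults apply — confirm that is
  # intended for the network this server is exposed to.
  if [ -f "$file" ]; then
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
  fi
  sed -i '/\/\//!d' "$file"
  # an empty file used to receive nothing from the old `$a` sed calls
  cat >> "$file" <<EOF

options {
 directory "/var/named";
};

zone "$yname" IN {
 type master;
 file "$yname.zone";
};

EOF
}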
#区域配置文件
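zoneset(){
  # Create /var/named/$yname.zone: copy named.empty to inherit its owner and
  # mode, then replace the content with a $TTL line, the SOA (serial from
  # today's date), the NS record and the A records.
  # The old sed sequence kept only the first line of named.empty; the TTL
  # is now written explicitly instead of relying on that line being `$TTL 3H`.
  # Globals: yname, dnsname, dnsip, wwwip (read); f (written: zone path)
  # Returns: 1 when named.empty cannot be copied
  # NOTE(review): the NS target is this host's uname -n; it only gets an
  # in-zone A record below when that name lies inside $yname — confirm.
  local serial host
  f="/var/named/$yname.zone"
  serial=$(date +%Y%m%d)01
  host=${dnsname%%.*}   # first label of the host name, as the awk -F. did
  cp -p /var/named/named.empty "$f" || return 1
  # chown named:named $f
  cat > "$f" <<EOF
\$TTL 3H
@ IN SOA $yname. root.$yname. (
 $serial
 1D
 1H
 1W
 3H )
@ IN NS $dnsname.
$host IN A $dnsip
www IN A $wwwip
@ IN A $wwwip
EOF
}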
# entry point: run is called without an argument (see run for the default)
run
FTP配置子脚本(ftpset.sh)
#!/bin/bash
#ftp set
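# Switch vsftpd to local-user logins only (anonymous access off), then
# restart it.
# Arguments: $1 - non-zero selects the SysV `service` path (CentOS 6); empty
#            or 0 uses systemctl (CentOS 7). Running the script with no
#            argument previously made the numeric test error out and land
#            in the systemctl branch; 0 is now the explicit default.
# Exits 1 when the config file is missing or the restart fails.
conf=/etc/vsftpd/vsftpd.conf
sysv=${1:-0}
if [ ! -f "$conf" ]; then
  printf '\033[1;31m未找到%s\033[0m\n' "$conf" >&2
  exit 1
fi
# errors were silenced with &> /dev/null before; let sed report them
sed -i \
  -e 's/^anonymous_enable=YES/anonymous_enable=NO/' \
  -e 's/^local_enable=NO/local_enable=YES/' \
  "$conf"
if [ "$sysv" -ne 0 ]; then
  service vsftpd restart
else
  systemctl restart vsftpd
fi
rc=$?
if [ "$rc" -ne 0 ]; then
  printf '\033[1;31mvsftpd重启失败\033[0m\n' >&2
  exit 1
fi
printf '\033[1;32m已开启本地用户验证登录\033[0m\n'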
iptables设置子脚本(iptableset.sh)
#!/bin/bash
#iptables/firewalld set
#全局变量及默认值
# Defaults for iptableset.sh; dipset/sipset overwrite the NAT values from
# the operator's answers.
wan=eth0                # external (WAN) interface
lan=eth1                # internal (LAN) interface
wanip=192.168.11.158    # external address
lanip=192.168.1.1       # internal address
lannet=192.168.1.0/24   # internal network
lanwww=192.168.1.101    # internal server address
lanport=80              # internal server port
wanport=80              # port published on the external side
ipt=/sbin/iptables      # iptables binary (CentOS 6 path)
mod=/sbin/modprobe      # modprobe binary (CentOS 6 path)
ctl=/sbin/sysctl        # sysctl binary (CentOS 6 path)
add=0                   # set by isadd: 0 = rebuild base rules first, 1 = keep existing rules
#主函数
iptableset(){
  # Top-level iptables menu. Entries 1-6 run the matching setup and come
  # back to this menu; any other choice exits the script.
  # Globals: choose (written); calls initial, basic, iptdns, iptdhcp,
  #          iptftp, ipthttp, iptnat
  printf '\033[1;32m1、主机型防火墙基础设置\033[0m\n'
  printf '\033[1;32m2、DNS服务器防火墙设置\033[0m\n'
  printf '\033[1;32m3、DHCP服务器防火墙设置\033[0m\n'
  printf '\033[1;32m4、FTP服务器防火墙设置\033[0m\n'
  printf '\033[1;32m5、WEB服务器防火墙设置\033[0m\n'
  printf '\033[1;32m6、NAT服务器防火墙设置\033[0m\n'
  printf '\033[1;31m7、按任意键返回主菜单\033[0m\n'
  read -p $'\033[1;32m请选择功能:\033[1;31m' choose
  printf '\033[0m\n'
  case "$choose" in
    1) initial; basic ;;
    2) iptdns ;;
    3) iptdhcp ;;
    4) iptftp ;;
    5) ipthttp ;;
    6) iptnat ;;
    *) exit ;;
  esac
  printf '\033[1;31m配置完成\033[0m\n'
  echo ""
  iptableset
}
#是否追加
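isadd(){
  # Ask whether the existing rules should be replaced. add=0 means yes
  # (callers then run initial + basic), add=1 means keep what is there.
  # The match used to go through an un-silenced egrep, which printed the
  # matched word to stdout; a bash regex with the same word-boundary
  # semantics is used instead.
  # Globals: add (written)
  local answer
  local yes='(^|[^[:alnum:]_])(y|Y|yes|Yes|YES)($|[^[:alnum:]_])'
  read -r -p $'\033[1;32m是否覆盖原有规则(y/n):\033[1;31m' answer
  printf '\033[0m\n'
  if [[ $answer =~ $yes ]]; then
    add=0
  else
    add=1
  fi
}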
#初始化设置
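initial(){
  # Load the netfilter modules the rules rely on, apply the kernel network
  # settings and wipe every table so the caller starts from an empty rule
  # set. Chain policies are left untouched.
  # Globals: mod, ctl, ipt (read)
  # NOTE(review): ip_conntrack, ip_nat_ftp and ip_conntrack_ftp are the
  # old module names; on current kernels the FTP helper is nf_conntrack_ftp
  # (kept commented out below) and these modprobe calls may fail — confirm
  # on the target release.
  local m s t
  for m in ip_tables ip_conntrack ipt_REJECT ipt_LOG ipt_iprange \
           xt_state xt_multiport xt_mac ip_nat_ftp ip_conntrack_ftp; do
    "$mod" "$m"
  done
  # /sbin/depmod xt_tcpudp
  # "$mod" xt_tcpudp          # TCP/UDP match
  # "$mod" nf_conntrack_ftp   # FTP helper for passive mode
  local -a sysctls=(
    net.ipv4.ip_forward=1                 # routing between interfaces
    net.ipv4.ip_default_ttl=128
    net.ipv4.icmp_echo_ignore_broadcasts=1
    net.ipv4.tcp_syncookies=1
    net.ipv4.tcp_syn_retries=3
    net.ipv4.tcp_synack_retries=3
    net.ipv4.tcp_fin_timeout=60
    net.ipv4.tcp_max_syn_backlog=3200
  )
  # net.ipv4.icmp_echo_ignore_all=1 would silence ping entirely; left off.
  for s in "${sysctls[@]}"; do
    "$ctl" -w "$s" &> /dev/null
  done
  # Flush before deleting chains: -X only removes user chains that are
  # empty and unreferenced, so running it first left them in place.
  for t in filter nat mangle raw; do
    "$ipt" -t "$t" -F
    "$ipt" -t "$t" -X
  done
}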
#主机防火墙基本设置
basic(){
  # Baseline host firewall: accept reply traffic, SSH, ping replies and
  # loopback, then default-deny INPUT/FORWARD and allow OUTPUT.
  # Globals: ipt (read)
  local rule
  local -a accept=(
    "-m state --state RELATED,ESTABLISHED"
    "-p tcp --dport 22"
    "-p icmp --icmp-type 0"
    "-i lo"
  )
  for rule in "${accept[@]}"; do
    # shellcheck disable=SC2086 -- each entry is a fixed, space-separated match list
    "$ipt" -A INPUT $rule -j ACCEPT
  done
  "$ipt" -P INPUT DROP
  "$ipt" -P FORWARD DROP
  "$ipt" -P OUTPUT ACCEPT
}
#NAT服务器防火墙设置
iptnat(){
  # NAT submenu: 1 = SNAT, 2 = DNAT; anything else goes back to the main
  # menu. Both entries ask whether to rebuild the base rules first, make
  # sure forwarding is on, run the helper and return to this menu.
  # Globals: choose (written), add (read, set by isadd), ctl (read);
  #          calls isadd, initial, basic, snat, dnat, iptableset
  local action
  printf '\033[1;32m1、SNAT\033[0m\n'
  printf '\033[1;32m2、DNAT\033[0m\n'
  printf '\033[1;31m3、按任意键返回主菜单\033[0m\n'
  read -p $'\033[1;32m请选择功能:\033[1;31m' choose
  printf '\033[0m\n'
  case "$choose" in
    1) action=snat ;;
    2) action=dnat ;;
    *)
      iptableset
      echo ""
      return
      ;;
  esac
  isadd
  if [ "$add" -eq 0 ]; then
    initial
    basic
  fi
  "$ctl" -w net.ipv4.ip_forward=1 &> /dev/null
  "$action"
  printf '\033[1;31m配置完成\033[0m\n'
  echo ""
  iptnat
}
dnat(){
  # Port forward: TCP traffic to $wanip:$wanport arriving on $wan is sent
  # to $lanwww:$lanport. dipset collects those values first.
  # Globals: wan, wanip, wanport, lanwww, lanport, ipt (read); calls dipset
  dipset
  local -a match=(-t nat -A PREROUTING -i "$wan" -d "$wanip" -p tcp --dport "$wanport")
  "$ipt" "${match[@]}" -j DNAT --to-destination "$lanwww:$lanport"
}
#NAT相关变量设置
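_dip_ask(){
  # Prompt until the answer matches regex $3 as a whole; store it in the
  # global named by $1.
  # Arguments: $1 variable name, $2 prompt, $3 extended regex
  # Returns: 1 when stdin is exhausted
  local ans
  while true; do
    read -r -p "$2" ans || return 1
    if [[ $ans =~ $3 ]]; then
      printf -v "$1" '%s' "$ans"
      return 0
    fi
    printf '\033[1;31m格式错误,请重新输入!\033[0m\n'
  done
}
dipset(){
  # Collect the DNAT parameters, show them back and continue only once the
  # operator confirms; a "no" asks everything again. Then allow forwarding
  # for the internal network.
  # Previously a "no" re-ran dipset recursively and then `exit`ed, so the
  # caller never added its DNAT rule on the second pass.
  # Globals: wan, wanip, lannet, lanwww, lanport, wanport (written), ipt (read)
  # Returns: 1 when stdin is exhausted
  local ipre='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  local netre='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
  local portre='^[1-9][0-9]{0,4}$'
  local ifre='^[[:alnum:]._:-]+$'
  local confirm
  while true; do
    _dip_ask wan $'\033[1;32m请输入外网接口:\033[1;31m' "$ifre" || return 1
    _dip_ask wanip $'\033[1;32m请输入外网接口IP:\033[1;31m' "$ipre" || return 1
    _dip_ask lannet $'\033[1;32m请输入内网网段:\033[1;31m' "$netre" || return 1
    _dip_ask lanwww $'\033[1;32m请输入内网服务器IP:\033[1;31m' "$ipre" || return 1
    _dip_ask lanport $'\033[1;32m请输入内网服务器端口:\033[1;31m' "$portre" || return 1
    _dip_ask wanport $'\033[1;32m请输入外网映射端口:\033[1;31m' "$portre" || return 1
    if [ "$lanport" -gt 65535 ] || [ "$wanport" -gt 65535 ]; then
      printf '\033[1;31m端口超出范围,请重新输入!\033[0m\n'
      continue
    fi
    printf '\033[1;32m外网接口:\033[31m%s\033[0m\n' "$wan"
    printf '\033[1;32m外网接口IP:\033[31m%s\033[0m\n' "$wanip"
    printf '\033[1;32m内网网段:\033[31m%s\033[0m\n' "$lannet"
    printf '\033[1;32m内网服务器IP:\033[31m%s\033[0m\n' "$lanwww"
    printf '\033[1;32m内网服务器端口:\033[31m%s\033[0m\n' "$lanport"
    printf '\033[1;32m外网映射端口:\033[31m%s\033[0m\n' "$wanport"
    read -r -p $'\033[1;32m请核对参数是否正确(y/n):\033[1;31m' confirm || return 1
    printf '\033[0m\n'
    if [[ $confirm =~ ^([yY]|yes|Yes|YES)$ ]]; then
      break
    fi
    printf '\033[1;31m开始重新录入参数\033[0m\n'
  done
  "$ipt" -A FORWARD -s "$lannet" -j ACCEPT
  "$ipt" -A FORWARD -d "$lannet" -j ACCEPT
}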
#snat设置
snat(){
  # Source NAT: traffic from $lannet leaving through $wan is rewritten to
  # come from $wanip. sipset collects those values first.
  # Globals: wan, lannet, wanip, ipt (read); calls sipset
  sipset
  local -a match=(-t nat -A POSTROUTING -o "$wan" -s "$lannet")
  "$ipt" "${match[@]}" -j SNAT --to-source "$wanip"
}
#NAT相关变量设置
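_sip_ask(){
  # Prompt until the answer matches regex $3 as a whole; store it in the
  # global named by $1.
  # Arguments: $1 variable name, $2 prompt, $3 extended regex
  # Returns: 1 when stdin is exhausted
  local ans
  while true; do
    read -r -p "$2" ans || return 1
    if [[ $ans =~ $3 ]]; then
      printf -v "$1" '%s' "$ans"
      return 0
    fi
    printf '\033[1;31m格式错误,请重新输入!\033[0m\n'
  done
}
sipset(){
  # Collect the SNAT parameters, show them back and continue only once the
  # operator confirms; a "no" asks everything again. Then allow forwarding
  # for the internal network.
  # Two fixes against the old version: the external address used by
  # `--to-source` was never asked (its prompt was commented out, so the
  # default stayed in effect while the unused internal address was asked
  # instead), and a "no" answer re-ran sipset recursively and then `exit`ed,
  # so the caller never added its SNAT rule.
  # Globals: wan, wanip, lannet (written), ipt (read)
  # Returns: 1 when stdin is exhausted
  local ipre='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
  local netre='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
  local ifre='^[[:alnum:]._:-]+$'
  local confirm
  while true; do
    _sip_ask wan $'\033[1;32m请输入外网接口:\033[1;31m' "$ifre" || return 1
    _sip_ask wanip $'\033[1;32m请输入外网接口IP:\033[1;31m' "$ipre" || return 1
    _sip_ask lannet $'\033[1;32m请输入内网网段:\033[1;31m' "$netre" || return 1
    printf '\033[1;32m外网接口:\033[31m%s\033[0m\n' "$wan"
    printf '\033[1;32m外网接口IP:\033[31m%s\033[0m\n' "$wanip"
    printf '\033[1;32m内网网段:\033[31m%s\033[0m\n' "$lannet"
    read -r -p $'\033[1;32m请核对参数是否正确(y/n):\033[1;31m' confirm || return 1
    printf '\033[0m\n'
    if [[ $confirm =~ ^([yY]|yes|Yes|YES)$ ]]; then
      break
    fi
    printf '\033[1;31m开始重新录入参数\033[0m\n'
  done
  "$ipt" -A FORWARD -s "$lannet" -j ACCEPT
  "$ipt" -A FORWARD -d "$lannet" -j ACCEPT
}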
#WEB服务器防火墙配置
ipthttp(){
  # Web server: optionally rebuild the base rules, then accept tcp/80.
  # Globals: add (read, set by isadd), ipt (read); calls isadd, initial, basic
  isadd
  if [ "$add" -eq 0 ]; then
    initial
    basic
  fi
  "$ipt" -A INPUT -p tcp --dport 80 -j ACCEPT
}
#FTP服务器防火墙配置
iptftp(){
  # FTP server: optionally rebuild the base rules, then accept new SSH and
  # FTP control connections.
  # Data connections are expected to be matched as RELATED by basic(),
  # which only works when the kernel FTP conntrack helper is loaded —
  # initial() probes ip_conntrack_ftp and leaves nf_conntrack_ftp commented out.
  # Globals: add (read, set by isadd), ipt (read); calls isadd, initial, basic
  local port
  isadd
  if [ "$add" -eq 0 ]; then
    initial
    basic
  fi
  for port in 22 21; do
    "$ipt" -A INPUT -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
  done
}
#DHCP服务器防火墙设置
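iptdhcp(){
  # DHCP server: optionally rebuild the base rules, then accept the server
  # port (udp/67) and the client port (udp/68). DHCP is UDP only, so the
  # tcp/67 and tcp/68 rules that used to be added opened ports nothing
  # listens on and are no longer written.
  # Globals: add (read, set by isadd), ipt (read); calls isadd, initial, basic
  local port
  isadd
  if [ "$add" -eq 0 ]; then
    initial
    basic
  fi
  for port in 67 68; do
    "$ipt" -A INPUT -p udp --dport "$port" -j ACCEPT
  done
}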
#DNS服务器防火墙设置
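iptdns(){
  # DNS server: optionally rebuild the base rules, then accept queries on
  # tcp/53 and udp/53.
  # The former `--sport 53` ACCEPT rules are not re-added: they let any
  # remote host reach any local port simply by sending from source port 53,
  # and replies to this server's own lookups are already matched by the
  # RELATED,ESTABLISHED rule that basic() installs.
  # NOTE(review): when the operator keeps existing rules (add=1), confirm
  # an ESTABLISHED rule is present, otherwise outbound lookups get no replies.
  # Globals: add (read, set by isadd), ipt (read); calls isadd, initial, basic
  local proto
  isadd
  if [ "$add" -eq 0 ]; then
    initial
    basic
  fi
  for proto in tcp udp; do
    "$ipt" -A INPUT -p "$proto" --dport 53 -j ACCEPT
  done
}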
# entry point: show the iptables menu
iptableset
firewall设置子脚本(firewall.sh)
#!/bin/bash
#firewall set
main(){
  # firewalld menu: entries 1-4 open one predefined service in the default
  # zone, 5/6 run the SNAT/DNAT helpers. Every entry offers a reset first
  # and returns to this menu; any other choice exits.
  # Globals: choose (written); calls reset, snat, dnat
  local svc= fn=
  printf '\033[1;32m1、DNS服务器防火墙设置\033[0m\n'
  printf '\033[1;32m2、DHCP服务器防火墙设置\033[0m\n'
  printf '\033[1;32m3、FTP服务器防火墙设置\033[0m\n'
  printf '\033[1;32m4、WEB服务器防火墙设置\033[0m\n'
  printf '\033[1;32m5、SNAT\033[0m\n'
  printf '\033[1;32m6、DNAT\033[0m\n'
  printf '\033[1;31m7、按任意键返回主菜单\033[0m\n'
  read -p $'\033[1;32m请选择功能:\033[1;31m' choose
  printf '\033[0m\n'
  systemctl start firewalld
  case "$choose" in
    1) svc=dns ;;
    2) svc=dhcp ;;
    3) svc=ftp ;;
    4) svc=http ;;
    5) fn=snat ;;
    6) fn=dnat ;;
    *) exit ;;
  esac
  reset
  if [ -n "$svc" ]; then
    firewall-cmd --add-service="$svc" --permanent &> /dev/null
    firewall-cmd --reload &> /dev/null
  else
    "$fn"
  fi
  printf '\033[1;31m配置完成\033[0m\n'
  echo ""
  main
}
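dnat(){
  # Forward TCP/80 arriving in the default zone to an internal web server
  # and put the chosen interface in the internal zone.
  # The interface list comes from the ifcfg-e* files (names containing a
  # dot are skipped, as the old `grep -v "\."` did). The menu choice and
  # the address are validated before they reach firewall-cmd, and each
  # firewall-cmd failure is reported instead of being silenced.
  # Globals: x, webip, jk (written, as before)
  # Returns: 1 when no interface file exists, stdin is exhausted or a
  #          firewall-cmd call failed
  # NOTE(review): the dns service is opened in both zones although only
  # port 80 is forwarded — confirm that exposure is wanted.
  local -a ifaces=()
  local f n i step rc=0
  for f in /etc/sysconfig/network-scripts/ifcfg-e*; do
    [ -e "$f" ] || continue
    n=${f##*/}
    [[ $n == *.* ]] && continue
    n=${n#ifcfg-}
    ifaces+=("${n%%-*}")   # text after the first dash, as awk -F- '{print $2}' did
  done
  if [ "${#ifaces[@]}" -eq 0 ]; then
    printf '\033[1;31m未找到网卡配置文件\033[0m\n' >&2
    return 1
  fi
  for i in "${!ifaces[@]}"; do
    printf '\033[1;32m%d、 %s\033[0m\n' "$((i + 1))" "${ifaces[i]}"
  done
  while true; do
    read -r -p $'\033[1;32m请选择内接口:\033[31m' x || return 1
    if [[ $x =~ ^[1-9][0-9]*$ ]] && [ "$x" -le "${#ifaces[@]}" ]; then
      break
    fi
    printf '\033[1;31m格式错误,请重新输入!\033[0m\n'
  done
  while true; do
    read -r -p $'\033[1;32m请输入内网服务器IP:\033[31m' webip || return 1
    if [[ $webip =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
      break
    fi
    printf '\033[1;31m格式错误,请重新输入!\033[0m\n'
  done
  printf '\033[0m\n'
  jk=${ifaces[x - 1]}
  local -a steps=(
    "--add-service=dns --permanent"
    "--add-service=dns --zone=internal --permanent"
    "--add-service=http --permanent"
    "--add-service=http --zone=internal --permanent"
    "--add-interface=$jk --zone=internal --permanent"
    "--add-forward-port=port=80:proto=tcp:toport=80:toaddr=$webip --permanent"
    "--reload"
  )
  for step in "${steps[@]}"; do
    # shellcheck disable=SC2086 -- fixed option lists; $jk/$webip were validated above
    if ! firewall-cmd $step &> /dev/null; then
      printf '\033[1;31mfirewall-cmd %s 失败\033[0m\n' "$step" >&2
      rc=1
    fi
  done
  return "$rc"
}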
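snat(){
  # Masquerade traffic leaving through the chosen external interface and
  # open http/dns in the default zone.
  # The interface list comes from the ifcfg-e* files (names containing a
  # dot are skipped, as the old `grep -v "\."` did). The menu choice is
  # validated before it reaches firewall-cmd, and each firewall-cmd
  # failure is reported instead of being silenced.
  # Globals: x, jk (written, as before)
  # Returns: 1 when no interface file exists, stdin is exhausted or a
  #          firewall-cmd call failed
  # NOTE(review): http and dns are opened in the default (external) zone of
  # the gateway itself — confirm the gateway is meant to serve them.
  local -a ifaces=()
  local f n i step rc=0
  for f in /etc/sysconfig/network-scripts/ifcfg-e*; do
    [ -e "$f" ] || continue
    n=${f##*/}
    [[ $n == *.* ]] && continue
    n=${n#ifcfg-}
    ifaces+=("${n%%-*}")   # text after the first dash, as awk -F- '{print $2}' did
  done
  if [ "${#ifaces[@]}" -eq 0 ]; then
    printf '\033[1;31m未找到网卡配置文件\033[0m\n' >&2
    return 1
  fi
  for i in "${!ifaces[@]}"; do
    printf '\033[1;32m%d、 %s\033[0m\n' "$((i + 1))" "${ifaces[i]}"
  done
  while true; do
    read -r -p $'\033[1;32m请选择外网接口:\033[31m' x || return 1
    if [[ $x =~ ^[1-9][0-9]*$ ]] && [ "$x" -le "${#ifaces[@]}" ]; then
      break
    fi
    printf '\033[1;31m格式错误,请重新输入!\033[0m\n'
  done
  printf '\033[0m\n'
  jk=${ifaces[x - 1]}
  local -a steps=(
    "--add-interface=$jk --permanent"
    "--add-service=http --permanent"
    "--add-service=dns --permanent"
    "--add-masquerade --permanent"
    "--reload"
  )
  for step in "${steps[@]}"; do
    # shellcheck disable=SC2086 -- fixed option lists; $jk was validated above
    if ! firewall-cmd $step &> /dev/null; then
      printf '\033[1;31mfirewall-cmd %s 失败\033[0m\n' "$step" >&2
      rc=1
    fi
  done
  return "$rc"
}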
reset(){
  # After a yes: make public the default zone, move every ifcfg-e*
  # interface into it, restore the stock zone files over /etc/firewalld/zones
  # and reload. Any other answer leaves firewalld untouched.
  # Globals: yn (written)
  local f name
  read -p $'\033[1;32m是否重置防火墙?(y/n)\033[31m' yn
  printf '\033[0m\n'
  if printf '%s\n' "$yn" | grep -E '\by\b|\bY\b|\byes\b|\bYes\b|\bYES\b' &> /dev/null; then
    firewall-cmd --set-default-zone=public &> /dev/null
    for f in /etc/sysconfig/network-scripts/ifcfg-e*; do
      [ -e "$f" ] || continue
      name=${f##*/}
      [[ $name == *.* ]] && continue   # same filter as the old grep -v "\."
      name=${name#ifcfg-}
      firewall-cmd --change-interface="${name%%-*}" &> /dev/null
    done
    \cp /usr/lib/firewalld/zones/* /etc/firewalld/zones/
    firewall-cmd --reload &> /dev/null
  fi
}
# entry point: show the firewalld menu
main