1.监控虚拟机跟外部的tcp连接,如果连接数超过阈值,就在FORWARD把ip DROP ,并且发送邮件
root@InternetGateway:~# cat /root/scripts/check_conntrack.sh
#!/bin/bash
script_home=`dirname $0`
script_home=`cd $script_home;pwd`
file_dir=/var/scripts/file
conntrack_source=/proc/net/nf_conntrack
ct_file=`date +%F-%T`
cmd=/usr/sbin/conntrack
num=`$cmd -C`
conntrack_total (){
[ ! -d $file_dir ] && mkdir -p $file_dir
cd $file_dir
cat $conntrack_source > $ct_file && gzip $ct_file
gzip -cd $ct_file.gz|awk '{S[$6" "$7" "$8" "$10]++} END {for(s in S) print S[s],s}'|sort -rn|head > $ct_file.out
}
mail (){
local sendEmail=$script_home/sendEmail
local subject="InternetGateway conntrack State abnormality"
local content="$file_dir/$ct_file.out"
$sendEmail -f nagios@onecloud.cn -t gs@abccloud.cn -s 172.16.0.99 -u "$subject" -xu nagios@abccloud.cn -xp engine@nagios2 -o tls=no -o message-content-type=text -o message-file="$content" -o message-charset=utf8
}
ip_drop (){
local ip=`awk -F '[ =]' 'NR==1 {print $4}' $ct_file.out`
/sbin/iptables -I FORWARD -s $ip -j DROP
}
main (){
if [ "$num" -gt "40000" ]
then
echo "conntrack State abnormality"
conntrack_total
mail
ip_drop
else
echo "conntrack State ok"
fi
}
main