  • 批量添加开启防火墙脚本

    vim iptables.sh

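    #!/bin/bash
    #
    # Purpose: install a default-deny iptables ruleset on a host whose iptables
    # service is not currently running, then save the rules and start the service.
    # Must be run as root.
    #
    # The source ranges and ports below are site-specific.
    # NOTE(review): 1.1.0.0/16 is not RFC 1918 private space - confirm it is the
    # intended management range before deploying.

    # Stop at the first failing command so a half-built ruleset is never saved.
    set -e

    # Non-default sshd listening ports. Only lines whose keyword is exactly
    # "Port" are used, so "#Port 22", "GatewayPorts no" and similar lines are
    # ignored, and only the exact value 22 is skipped (2222 or 2200 are kept).
    # An unreadable sshd_config yields an empty list instead of aborting.
    port=$(awk 'tolower($1) == "port" && $2 ~ /^[0-9]+$/ && $2 != 22 { print $2 }' \
      /etc/ssh/sshd_config 2>/dev/null) || port=''

    # Configure only when the iptables service is not already running.
    if ! service iptables status; then
      # Keep INPUT open while the table is rebuilt: a remote session must not be
      # cut off if the script stops before the accept rules are in place.
      iptables -P INPUT ACCEPT
      iptables -P OUTPUT ACCEPT
      iptables -F
      iptables -Z
      iptables -X

      # Malformed TCP flag combinations. These come first so they are evaluated
      # before any ACCEPT rule; appended after the accepts they would only see
      # packets the default DROP policy discards anyway.
      iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
      iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
      iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
      iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
      iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
      iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
      iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
      iptables -A INPUT -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
      iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP

      # Baseline accepts: VRRP, replies to existing connections, ICMP, loopback.
      iptables -A INPUT -p vrrp -j ACCEPT
      iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -p icmp -j ACCEPT
      iptables -A INPUT -i lo -j ACCEPT

      # Source-restricted services: SSH (22), 5901 (presumably VNC - confirm),
      # 10050 (Zabbix agent default port).
      iptables -A INPUT -s 1.1.0.0/16 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
      iptables -A INPUT -s 1.1.0.0/16 -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
      iptables -A INPUT -s 10.0.0.0/8 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
      iptables -A INPUT -s 10.60.0.0/16 -m state --state NEW -m tcp -p tcp --dport 10050 -j ACCEPT

      # Custom sshd ports. The loop adds nothing when the list is empty, so no
      # rule is ever built with a missing --dport value.
      # NOTE(review): unlike port 22 these are reachable from any source address;
      # add -s restrictions if that is not intended.
      # NOTE(review): sshd listens on TCP only; the UDP rule is kept from the
      # original and can be removed unless another service needs it.
      # shellcheck disable=SC2086 # splitting is intended; awk emits digits only
      for p in $port; do
        iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport "$p" -j ACCEPT
        iptables -A INPUT -p udp -m state --state NEW -m udp --dport "$p" -j ACCEPT
      done

      # Switch to default-deny only after every accept rule is loaded.
      iptables -P INPUT DROP
      iptables -P FORWARD DROP

      service iptables save
      service iptables start
    fi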

    然后通过saltstack实现批量运行

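    # '*' targets every minion, and the script flushes and replaces each host's
    # firewall rules; try a single minion first and confirm SSH still works.
    salt-cp '*' /srv/salt/script/iptables.sh /root/bin/iptables.sh

    # Mode 700 keeps the script private to root (the original o+x granted execute
    # to "other" users); && runs the script only when chmod succeeded.
    salt '*' cmd.run "chmod 700 /root/bin/iptables.sh && bash /root/bin/iptables.sh"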

  • 原文地址:https://www.cnblogs.com/otosis/p/9923101.html