脚本方式更新iptables和轻量云安全组

iptables -A INPUT -s 123.45.67.89/32 -p tcp -m tcp --sport 80 -j ACCEPT

#!/bin/sh
#从nginx日志查询需要屏蔽的ip并写入临时文件
tail -10 var/log/nginx/error.log|egrep 'svn|php|cgi|txt|robot|text|Gpon|shell'|awk -F'client: ' '{print $2}'|awk -F, '{print $1}'|uniq|sort >/tmp/blockip.txt
tail -10 var/log/nginx/access.log|grep -v i314|awk -F- '{print $1}'|uniq|sort >>/tmp/blockip.txt
#生成查询需要新生成策略ip的语句
echo delete  from t_new\;>/tmp/newip.sql
while read newip
do
echo insert into t_new values\(datetime\(\),\'$newip\'\)\;>>/tmp/newip.sql
done </tmp/blockip.txt
echo .output tmp/iptest.txt>>/tmp/newip.sql
echo select ip from t_new where ip not in \(select ip from t_block\) group by ip\;>>/tmp/newip.sql
#使用sqlite3执行刚生成的sql
sqlite3 -init tmp/newip.sql db/bip.db <<EOF
.quit
EOF
#添加策略
while read blockip
do
iptables -I INPUT -s $blockip -i DENY
done </tmp/iptest.txt
#保存策略
iptables-save>/root/iptables_bak.txt
#使用sqlite3保存新添加的ip
echo insert into t_block select \* from t_new where ip not in \(select ip from t_block\)\;>/tmp/newip.sql
echo delete from t_new\;>>/tmp/newip.sql
sqlite3 -init /tmp/newip.sql /db/bip.db <<EOF
.quit
EOF


#从nginx日志获取ip 添加轻量云策略
#获取temp ip 
for myoff in  cjd-temp wn-temp
do
nsxip=`tail -100 /var/log/nginx/access.log|grep $myoff |awk -F- '{print $1}'|uniq|sort`
if [ ! -z "$nsxip" ]; then
osxip=`tail -1 /root/$myoff.log|awk -F' ' '{print $2}'`


if [ -z "$osxip" ]; then 
osxip='192.168.1.123'
fi


if [ $nsxip != $osxip ] ; then
mytime=`date  +%Y%m%d%H%M`
#将新ip写入策略
echo $mytime $nsxip >> /root/$myoff.log
tccli lighthouse DeleteFirewallRules --cli-unfold-argument  --InstanceId lhins-63xfb9mm --FirewallRules.0.Protocol ALL  --FirewallRules.0.CidrBlock $osxip
tccli lighthouse CreateFirewallRules --cli-unfold-argument --InstanceId lhins-63xfb9mm --FirewallRules.0.Action ACCEPT  --FirewallRules.0.Protocol ALL  --FirewallRules.0.Port ALL  --FirewallRules.0.FirewallRuleDescription $myoff --FirewallRules.0.CidrBlock $nsxip
fi


fi
done
#查询策略 
#tccli lighthouse DescribeFirewallRules --InstanceId lhins-63xfb9mm