A shell script that bans IPs using the ip_conntrack table

Date: 2011-03-20 22:37  Source: unknown  Author: admin

Basic principle:

Filter the ip_conntrack table to find the IPs that have too many entries in the ESTABLISHED state, ban them with iptables for a period of time, clear their entries from the table with the hping tool at the same time, and finally write the banned IPs and some other information into an HTML page for simple publishing.

About hping:

Download: http://www.hping.org/download.html

Install: ./configure;make;make install

Related link: http://chinaunix.net/jh/4/367999.html

Default behaviour:

1. When an IP has between 30 and 50 ESTABLISHED entries in the ip_conntrack table, it is banned for 10 minutes and its records are cleared from the table; between 50 and 100, it is banned for 15 minutes and its records are cleared; 100 or more, it is banned for 30 minutes and its records are cleared.

2. Then the web pages are generated:

/var/www/html/wwy/drop/index.html --- shows the banned IPs, the CPU status and other information

/var/www/html/wwy/all/index.html --- the connection count of every IP

3. A simple log is written:

/tmp/killip/tmp.log.txt

Usage:

1. hping must be installed.

2. It is recommended to run the script from cron.

3. It is recommended to install and start apache for the simple web publishing; the default page is http://127.0.0.1/l/wwy/drop/index.htm

4. Use with caution if the table is larger than 20 MB.

====================================================

Code:

```bash
#!/bin/bash
#
#---------------------------------------------------------------------------------------
# Script name: killip, based on ip_conntrack, written by wwy.
#---------------------------------------------------------------------------------------
# CPU sample taken before the table is processed. Which column sar prints in $7
# depends on the sysstat version (%idle on older releases), so check it on your system.
cpu=`sar -u 1 1 | awk '{print $7}' | tail -1`%
#
# The ban function sleeps for the whole ban period, so a running "sleep" process means
# a previous instance of this script is still active; do not start a second one.
if [ "`pidof sleep`" ]; then
    echo "she is running, sorry"
    exit 1
fi

if [ ! "`lsmod | grep ip_conntrack`" ]; then
    modprobe ip_conntrack
fi

####################################
##---------------------- functions -----------------------------##
####################################

# For every IP in a tier list, collect its connection tuples (src dst sport dport) from
# /tmp/tmp111.txt into the matching *-clr.txt file. The IP is compared as a whole field
# so that 172.16.1.2 does not also pull in the connections of 172.16.1.20.
function make_clr {
    while read clr33; do
        awk -v ip="$clr33" '$1 == ip' /tmp/tmp111.txt >> /tmp/tmp33-3-clr.txt
    done < /tmp/tmp33-3.txt
    while read clr22; do
        awk -v ip="$clr22" '$1 == ip' /tmp/tmp111.txt >> /tmp/tmp33-2-clr.txt
    done < /tmp/tmp33-2.txt
    while read clr11; do
        awk -v ip="$clr11" '$1 == ip' /tmp/tmp111.txt >> /tmp/tmp33-1-clr.txt
    done < /tmp/tmp33-1.txt
}

# Clear one connection from the conntrack table: hping2 sends a single RST towards the
# destination using the connection's own source address and ports, so the entry ends.
function clr_conns {
    S_IP=$1
    D_IP=$2
    S_PORT=$3
    D_PORT=$4
    [ -z "$D_PORT" ] && return   # skip blank lines in the clear list
    hping2 $D_IP -R -s $S_PORT -p $D_PORT -a $S_IP -k -c 1 >/dev/null 2>/dev/null &
}

# Ban every IP in BLACK_LIST for SLEEP_TIME, then clear their connections and unban.
# (Named ban_ips here; the original called it "kill", which shadows the shell builtin.)
function ban_ips {
    SLEEP_TIME=$1
    CLR_LIST=$2
    BLACK_LIST=$3
    while read blackip; do
        iptables -I FORWARD 2 -i eth0 -s $blackip/32 -j DROP
    done < $BLACK_LIST
    sleep $SLEEP_TIME
    #-----------------------------------#
    while read clr3; do
        clr_conns $clr3
    done < $CLR_LIST
    #-----------------------------------#
    sleep 1
    while read reblackip; do
        iptables -D FORWARD -i eth0 -s $reblackip/32 -j DROP
    done < $BLACK_LIST
}

#####################################
##--------------- To make a "black list" ----------------------##
#####################################

# Truncate the working files. (The original used "echo > file", which left a blank
# first line in the *-clr.txt files that later turned into an empty hping2 call.)
: > /tmp/tmp11.txt
: > /tmp/tmp111.txt
: > /tmp/ip_conntrack.tmp
: > /tmp/tmp33-3-clr.txt
: > /tmp/tmp33-2-clr.txt
: > /tmp/tmp33-1-clr.txt
: > /tmp/tmp22-3.txt
: > /tmp/tmp22-2.txt
: > /tmp/tmp22-1.txt
: > /tmp/tmp33-3.txt
: > /tmp/tmp33-2.txt
: > /tmp/tmp33-1.txt

if [ ! -e /var/www/html/wwy/index.html ]; then
    mkdir -p /var/www/html/wwy/
    mkdir -p /var/www/html/wwy/all
    mkdir -p /var/www/html/wwy/drop
    touch /var/www/html/wwy/index.html
fi

#----------------------------------------------------------------------------#
echo -e "cp /proc/net/ip_conntrack /tmp/ip_conntrack.tmp ......\c"
cp /proc/net/ip_conntrack /tmp/ip_conntrack.tmp
echo -e "done!\n"
sleep 1
#----------------------------------------------------------------------------#
# Keep only ESTABLISHED entries whose source is in 172.*, reduce each to
# "src dst sport dport" (tmp111.txt), count entries per source IP (tmp11.txt, in
# "count ip" form as printed by uniq -c), and keep the number of distinct IPs in $wc.
wc=`cat /tmp/ip_conntrack.tmp|grep ESTABLISHED|awk -F= '{print $2,$3,$4,$5}'|grep ^172. |sort|awk '{print $1,$3,$5,$7}'|tee /tmp/tmp111.txt|awk '{print $1}'|uniq -c|tee /tmp/tmp11.txt|wc -l`
date=`date '+%m/%d %H:%M'`
cpu2=`sar -u 1 1 | awk '{print $7}' | tail -1`%
date2=`date '+%H'`
#----------------------------------------------------------------------------#
sleep 1
#----------------------------------------------------------------------------#
# The original load-based condition is commented out; "$wc -ge 0" is always true, so
# the elif branch below (full clear between 03:00 and 05:00) never runs unless the
# original condition is restored.
#if [ "$wc" -gt 2500 ] && [ "$date2" -gt 10 ]
if [ "$wc" -ge 0 ]
then
    #------------------------------
    # Split the IPs into the three ban tiers by their ESTABLISHED count.
    awk '$1>30 && $1<50 {print $2}' /tmp/tmp11.txt > /tmp/tmp22-1.txt
    awk '$1>=50 && $1<100 {print $2}' /tmp/tmp11.txt > /tmp/tmp22-2.txt
    awk '$1>=100 {print $2}' /tmp/tmp11.txt > /tmp/tmp22-3.txt
    # An IPv4 address is at most 15 characters.
    cut -c1-15 /tmp/tmp22-1.txt > /tmp/tmp33-1.txt
    cut -c1-15 /tmp/tmp22-2.txt > /tmp/tmp33-2.txt
    cut -c1-15 /tmp/tmp22-3.txt > /tmp/tmp33-3.txt
    wcblackip1=`cat /tmp/tmp33-1.txt | wc -l`
    wcblackip2=`cat /tmp/tmp33-2.txt | wc -l`
    wcblackip3=`cat /tmp/tmp33-3.txt | wc -l`

    ######################################
    ##---------------- To make a index.html -----------------------##
    ######################################
    # The HTML tags of the original post were lost when the page was extracted; the
    # markup below is a minimal reconstruction that keeps the same text and layout.
    drop_html=/var/www/html/wwy/drop/index.html
    all_html=/var/www/html/wwy/all/index.html
    echo "<html><body><p>If the total IPs >2500 (total $wc at $date) AND if:</p>" > $drop_html
    echo "<p>you connect \">100\", you ip will be killed in 30min.</p>" >> $drop_html
    echo "<p>you connect \"50-100\", you ip will be killed in 15min.</p>" >> $drop_html
    echo "<p>you connect \"30-50\", you ip will be killed in 10min.</p>" >> $drop_html
    echo "<br>" >> $drop_html
    echo "<p>These IPs (total $wcblackip3 + $wcblackip2 + $wcblackip1) were killed, at $date (<a href=\"../all/index.html\">look-up all IPs</a>)</p>" >> $drop_html
    echo "<table>" >> $drop_html
    awk '$1>=100 {print $1, $2}' /tmp/tmp11.txt | sort -nr | \
        awk '{print "<tr><td>"$1"</td><td>"$2"</td><td>kill 30min</td></tr>"}' >> $drop_html
    awk '$1>=50 && $1<100 {print $1, $2}' /tmp/tmp11.txt | sort -nr | \
        awk '{print "<tr><td>"$1"</td><td>"$2"</td><td>kill 15min</td></tr>"}' >> $drop_html
    awk '$1>30 && $1<50 {print $1, $2}' /tmp/tmp11.txt | sort -nr | \
        awk '{print "<tr><td>"$1"</td><td>"$2"</td><td>kill 10min</td></tr>"}' >> $drop_html
    echo "</table></body></html>" >> $drop_html

    echo "<html><body><p>You can \"ctrl + F\" to find your ip's connects.(total $wc IPs at $date)</p>" > $all_html
    echo "<p><a href=\"../drop/index.html\">&lt;-- back</a></p>" >> $all_html
    echo "<table>" >> $all_html
    cat /tmp/tmp11.txt | sort -nr | \
        awk '{print "<tr><td>"$1"</td><td>"$2"</td></tr>"}' >> $all_html
    echo "</table></body></html>" >> $all_html

    #####################################
    ##----------------- Use iptables to DROP ---------------------##
    #####################################
    make_clr
    if [ -s /tmp/tmp33-3.txt ]; then
        ban_ips 30m /tmp/tmp33-3-clr.txt /tmp/tmp33-3.txt &
        sleep 1s
    fi
    if [ -s /tmp/tmp33-2.txt ]; then
        ban_ips 15m /tmp/tmp33-2-clr.txt /tmp/tmp33-2.txt &
        sleep 1s
    fi
    if [ -s /tmp/tmp33-1.txt ]; then
        ban_ips 10m /tmp/tmp33-1-clr.txt /tmp/tmp33-1.txt &
        sleep 1s
    fi
    #-------------------------------
elif [ "$date2" -lt 5 ] && [ "$date2" -gt 3 ]
then
    # Night-time maintenance: clear every tracked 172.* connection, not only the banned ones.
    while read clrall; do
        clr_conns $clrall
    done < /tmp/tmp111.txt
    mkdir -p /tmp/killip
    echo "clr at $date " >> /tmp/killip/tmp.log.txt
fi

#####################################
##------------------- make system log ------------------------##
#####################################
if [ ! -e /tmp/killip/tmp.log.txt ]; then
    mkdir -p /tmp/killip
    touch /tmp/killip/tmp.log.txt
fi
# distinct IPs, time, CPU before and after, banned IPs per tier (30min + 15min + 10min)
echo "$wc $date $cpu $cpu2 $wcblackip3 + $wcblackip2 + $wcblackip1" >> /tmp/killip/tmp.log.txt
```
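The classification step of the script above (count ESTABLISHED entries per 172.* source IP, then assign the 10/15/30 minute tiers) done in a single awk pass, as an added example rather than the author's code. The `172.` prefix and the tier thresholds are assumptions copied from the script's defaults, the sample dump is constructed here and not captured from a real host, and the counting uses exact IP keys, so 172.16.1.2 and 172.16.1.20 are never conflated the way a substring `grep` would conflate them.

```bash
#!/bin/bash
# classify_conntrack FILE [PREFIX]: one awk pass over an ip_conntrack dump. Counts
# ESTABLISHED entries per original-direction source IP (the first "src=" token on
# the line; the second one is the reply direction) and prints "ip count ban_minutes"
# for every IP that falls into one of the script's tiers, highest count first.
# Thresholds and the default 172. prefix are assumptions taken from the script.
classify_conntrack() {
    local dump="$1" prefix="${2:-172.}"
    awk -v prefix="$prefix" '
        /ESTABLISHED/ {
            src = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { src = substr($i, 5); break }
            # exact keys: 172.16.1.2 and 172.16.1.20 are counted separately
            if (index(src, prefix) == 1) count[src]++
        }
        END {
            for (ip in count) {
                n = count[ip]
                if (n >= 100) m = 30; else if (n >= 50) m = 15; else if (n > 30) m = 10; else continue
                print ip, n, m
            }
        }' "$dump" | sort -k2,2nr
}

# sample_line STATE SRC SPORT: one constructed line in /proc/net/ip_conntrack layout
# (fabricated test data, not a capture from a real host).
sample_line() {
    printf 'tcp      6 431999 %s src=%s dst=10.0.0.1 sport=%d dport=80 src=10.0.0.1 dst=%s sport=80 dport=%d [ASSURED] use=1\n' \
        "$1" "$2" "$3" "$2" "$3"
}

# make_sample_dump FILE: writes a constructed dump covering the cases the tiers must
# handle: a near-duplicate IP, an IP outside the prefix and non-ESTABLISHED states.
make_sample_dump() {
    local out="$1" i
    : > "$out"
    for i in $(seq 1 35);  do sample_line ESTABLISHED 172.16.1.2  $((40000 + i)); done >> "$out"   # 10min tier
    for i in $(seq 1 120); do sample_line ESTABLISHED 172.16.1.20 $((40000 + i)); done >> "$out"   # 30min tier
    for i in $(seq 1 10);  do sample_line ESTABLISHED 172.16.1.3  $((40000 + i)); done >> "$out"   # below threshold
    for i in $(seq 1 60);  do sample_line ESTABLISHED 10.0.0.9    $((40000 + i)); done >> "$out"   # outside prefix
    for i in $(seq 1 70);  do sample_line TIME_WAIT   172.16.1.2  $((50000 + i)); done >> "$out"   # not ESTABLISHED
}

dump=$(mktemp)
make_sample_dump "$dump"
classify_conntrack "$dump"     # prints "172.16.1.20 120 30" then "172.16.1.2 35 10"
rm -f "$dump"
```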
