利用ip_conntrack表实现封ip的shell脚本,并有简单的web发布

作者:凯旋网络 来源:凯旋网络

#!/bin/bash
#
#---------------------------------------------------------------------------------------
# Script name: killip, based on ip_conntrack, written by wwy.
#---------------------------------------------------------------------------------------

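# One CPU sample taken at startup: field 7 of the last line printed by
# `sar -u 1 1`.  Nothing in the visible part of the script reads $cpu.
cpu=$(sar -u 1 1 | awk '{print $7}' | tail -1)
#
# Single-instance guard.  It looks for *any* process named "sleep", not for
# another copy of this script, so an unrelated sleep anywhere on the host also
# makes this run exit.
# NOTE(review): a lock taken with flock(1) would tie the guard to this script
# only -- confirm how the script is scheduled before changing it.
if [ -n "$(pidof sleep)" ]; then
  echo "she is running,sorry"
  exit 1
fi
# Load the connection-tracking module when lsmod does not list it; presumably
# this is what makes /proc/net/ip_conntrack available to the later steps.
if ! lsmod | grep -q ip_conntrack; then
  # A failed load is reported instead of passing silently; the run continues
  # as it did before.
  modprobe ip_conntrack || echo "warning: modprobe ip_conntrack failed" >&2
fi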

####################################
##----------------------functions-----------------------------##
####################################

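#######################################
# Build the per-tier "connections to clear" lists.
# For each address in /tmp/tmp33-<tier>.txt (tiers 3, 2, 1, in that order),
# append that address's connection lines from /tmp/tmp111.txt to
# /tmp/tmp33-<tier>-clr.txt.
#
# An address is matched by exact comparison with the first field of each
# line.  Passing it to grep as an unquoted pattern, as before, also selected
# longer addresses with the same prefix (172.16.0.5 vs 172.16.0.50), lines
# where the address was only the destination, and any character in place of
# each dot.
#
# NOTE(review): every path here is a fixed name in world-writable /tmp and
# the script is evidently run as root (it calls iptables and modprobe).  A
# private directory from `mktemp -d` would be safer, but the same names are
# used by the rest of the script, so it has to be changed everywhere at once.
#
# Arguments: none
# Outputs:   appends to /tmp/tmp33-{3,2,1}-clr.txt
#######################################
function make_clr {
  local tier ip
  for tier in 3 2 1; do
    while read -r ip; do
      # A blank entry would otherwise reach the matcher as an empty pattern.
      [ -n "$ip" ] || continue
      # The "" concatenation forces a string comparison in awk.
      awk -v ip="$ip" '($1 "") == (ip "")' /tmp/tmp111.txt \
        >> "/tmp/tmp33-${tier}-clr.txt"
    done < "/tmp/tmp33-${tier}.txt"
  done
}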
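#######################################
# Ask hping2 to send one RST for a single tracked connection, in the
# background, with all of hping2's output discarded.
#
# The four values come from a list file (see the caller), so they are checked
# before they reach the command line: addresses must be dotted quads and
# ports must be plain digits.  This keeps an empty line, or a field starting
# with "-", from being read by hping2 as options.
#
# Globals:   S_IP, D_IP, S_PORT, D_PORT (written; kept global because the
#            rest of the script is not visible from here)
# Arguments: $1 source IP, $2 destination IP, $3 source port,
#            $4 destination port
# Returns:   1 if an argument is malformed (nothing is sent), else 0
#######################################
function clr_conns {
  local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  local port_re='^[0-9]{1,5}$'
  S_IP=$1
  D_IP=$2
  S_PORT=$3
  D_PORT=$4
  if ! [[ $S_IP =~ $ipv4_re && $D_IP =~ $ipv4_re &&
          $S_PORT =~ $port_re && $D_PORT =~ $port_re ]]; then
    echo "clr_conns: skipping malformed entry" >&2
    return 1
  fi
  hping2 "$D_IP" -R -s "$S_PORT" -p "$D_PORT" -a "$S_IP" -k -c 1 \
    >/dev/null 2>&1 &
}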
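#######################################
# Temporarily drop forwarded traffic from every blacklisted address, clear
# the listed connections while the rules are in place, then remove the rules.
#
# Sequence: insert one DROP rule per address at position 2 of FORWARD (input
# interface eth0), sleep SLEEP_TIME seconds, call clr_conns for each line of
# CLR_LIST, sleep one more second, delete the rules again.
#
# Changes against the printed listing: expansions are quoted, lines are read
# with `read -r`, and entries that are not dotted quads (including blank
# lines) are skipped rather than handed to iptables as "-s /32".  The same
# filter is applied when deleting, so every inserted rule is also removed.
#
# NOTE(review): this function is named `kill`, so inside the script it
# shadows the shell builtin; use `builtin kill` to signal a process.  The
# name is kept because callers outside this view use it.
# NOTE(review): if the script is interrupted during the sleep, the DROP rules
# stay in FORWARD -- consider a trap that runs the delete loop.
#
# Globals:   SLEEP_TIME, CLR_LIST, BLACK_LIST (written)
# Arguments: $1 seconds to keep the rules before clearing connections
#            $2 file of connections, one "src dst sport dport" per line
#            $3 file of addresses to block, one per line
#######################################
function kill() {
  local ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
  local blackip reblackip s_ip d_ip s_port d_port _
  SLEEP_TIME=$1
  CLR_LIST=$2
  BLACK_LIST=$3
  while read -r blackip; do
    [[ $blackip =~ $ipv4_re ]] || continue
    iptables -I FORWARD 2 -i eth0 -s "$blackip/32" -j DROP
  done < "$BLACK_LIST"
  sleep "$SLEEP_TIME"
  #-----------------------------------#
  # read splits the line into the four fields itself, so nothing is left to
  # unquoted word splitting or globbing; any extra words land in $_.
  while read -r s_ip d_ip s_port d_port _; do
    [ -n "$s_ip" ] || continue
    clr_conns "$s_ip" "$d_ip" "$s_port" "$d_port"
  done < "$CLR_LIST"
  #-----------------------------------#
  sleep 1
  while read -r reblackip; do
    [[ $reblackip =~ $ipv4_re ]] || continue
    iptables -D FORWARD -i eth0 -s "$reblackip/32" -j DROP
  done < "$BLACK_LIST"
}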
#####################################
##--------------- To make a "blacklist" ----------------------##
#####################################

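# Start every run with empty scratch lists.
# `: > file` leaves the file truly empty; `echo > file` wrote one blank line,
# and the *-clr.txt lists are only ever appended to, so that blank line would
# later be read back as an entry.
#
# These are fixed names in world-writable /tmp and the script is evidently
# run as root, so a pre-planted symlink would make the truncation hit
# whatever it points at.  The check below refuses that case.
# NOTE(review): the check is not race-free; the robust fix is a private
# directory from `mktemp -d`, which means changing every block that uses
# these names.
for scratch_file in \
  /tmp/tmp11.txt \
  /tmp/tmp111.txt \
  /tmp/ip_conntrack.tmp \
  /tmp/tmp33-3-clr.txt \
  /tmp/tmp33-2-clr.txt \
  /tmp/tmp33-1-clr.txt \
  /tmp/tmp22-3.txt \
  /tmp/tmp22-2.txt \
  /tmp/tmp22-1.txt \
  /tmp/tmp33-3.txt \
  /tmp/tmp33-2.txt \
  /tmp/tmp33-1.txt; do
  if [ -L "$scratch_file" ]; then
    echo "refusing to truncate symlink: $scratch_file" >&2
    exit 1
  fi
  : > "$scratch_file"
done
# When the index page is missing, create the web tree for the published
# report.  `mkdir -p` also succeeds when some of the directories already
# exist.  The stray "5B" token printed inside this block in the listing is
# not a command and has been dropped.
if [ ! -e /var/www/html/wwy/index.html ]; then
  mkdir -p /var/www/html/wwy/all /var/www/html/wwy/drop
  touch /var/www/html/wwy/index.html
fi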
#----------------------------------------------------------------------------#
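# Take a snapshot of the connection-tracking table so that every later step
# works on the same data.
echo -e "cp /proc/net/ip_conntrack /tmp/ip_conntrack.tmp......\c"
if ! cp /proc/net/ip_conntrack /tmp/ip_conntrack.tmp; then
  # Without the snapshot every list below would be empty; stop here instead
  # of reporting "done!".
  echo "cannot read /proc/net/ip_conntrack" >&2
  exit 1
fi
echo -e "done!\n"
sleep 1
#----------------------------------------------------------------------------#
# From the ESTABLISHED entries, keep those whose first address starts with
# "172." and write:
#   /tmp/tmp111.txt  one line per connection, four fields -- assuming the
#                    usual "src=.. dst=.. sport=.. dport=.." layout these are
#                    source, destination, source port, destination port
#   /tmp/tmp11.txt   `uniq -c` output: connection count, then source address
#   $wc              number of lines in /tmp/tmp11.txt (distinct sources)
# The pattern is quoted and the dot escaped; unquoted `^172.` matched any
# character after 172.
# NOTE(review): '^172\.' covers all of 172.0.0.0/8, not only the private
# 172.16.0.0/12 range -- confirm that this matches the internal addressing.
wc=$(grep ESTABLISHED /tmp/ip_conntrack.tmp \
  | awk -F= '{print $2,$3,$4,$5}' \
  | grep '^172\.' \
  | sort \
  | awk '{print $1,$3,$5,$7}' \
  | tee /tmp/tmp111.txt \
  | awk '{print $1}' \
  | uniq -c \
  | tee /tmp/tmp11.txt \
  | wc -l)
# NOTE(review): the listing prints these two formats as " m/dH:M" and " H";
# the "+%" conversions are restored on the assumption that the page
# extraction stripped them -- confirm against the original script.
date=$(date '+%m/%d %H:%M')
# Second CPU sample, read the same way as the one taken at startup.
cpu2=$(sar -u 1 1 | awk '{print $7}' | tail -1)
date2=$(date '+%H')
#----------------------------------------------------------------------------#
sleep 1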
#----------------------------------------------------------------------------#
#if["$wc"-gt2500]&&["$date2"-gt10]
if["$wc"-ge0]
then
#------------------------------
awk''{$1}{if($1>30&&$1<50)print$2}''/tmp/tmp11.txt>/tmp/tmp22-1.txt
awk''{$1}{if($1>=50&&$1<100)print$2}''/tmp/tmp11.txt>/tmp/tmp22-2.txt
awk''{$1}{if($1>=100)print$2}''/tmp/tmp11.txt>/tmp/tmp22-3.txt
cut-c1-15/tmp/tmp22-1.txt>/tmp/tmp33-1.txt
cut-c1-15/t
