
nc结合iptables

#!/bin/bash

#############################################################

#
#  nc.sh — regenerate SNAT rules for the NC service from its Derby map table.
#
#  Purpose (as far as this listing shows): poll the NC service's Derby
#  database, derive destination IP/port lists from the NCMAPTABLE dump, and
#  rebuild nat-table SNAT rules so traffic from the NC client subnet (read
#  from NcServ.config) is source-NATed to the next-hop address tracepath
#  reports for each destination. Runs forever, polling every 5 seconds.
#  Requires root (writes /proc/sys, /etc/rc.local and iptables).
#
#  NOTE(review): as pasted, this script does not parse. The `if` checks on
#  START, derby.sql, DIFFFILE, DIRFC and NCSTAT have no visible `fi`, and the
#  `for` loops over IPADDLINE2, IPADDLINE3, the first AWKFILELINE loop and
#  ICMPFILELINE (plus their inner `for ... in` loops) have no `do`/`done`.
#  The blog rendering may have dropped those lines — confirm against the
#  original file before running it.
#
#  NOTE(review): the rules are assembled by awk from strings taken out of the
#  database dump, NcServ.config, nslookup and tracepath output, then executed
#  via ./.nc/iptables.sh with no check that each field is a well-formed
#  address, protocol or port. Anything able to change NCMAPTABLE or
#  NcServ.config, or to answer DNS for those names, therefore influences what
#  this root script executes. Validating each field before emitting a rule,
#  and not making the generated script world-executable (`chmod a+x`), would
#  narrow that.
#
#  NOTE(review): `iptables -t nat -F` / `-X` flush the entire nat table, not
#  only rules created here; ip_forward is enabled and never restored; the
#  `cd /ssl/bin` is unchecked, and `rm -rf .nc/Server.Box.Derby2` is relative
#  to it. Expansions are unquoted throughout (`$i1`, `$i2`, `$NCSTAT`, ...),
#  so an empty value turns `[ ... -eq 0 ]` into a syntax error.
#
#  NOTE(review): .nc/while (started in the background with `sh -x`) is not
#  defined anywhere in this listing.
#
#  Global setup section

# Working directory; every relative path below is under /ssl/bin.

cd /ssl/bin

# Shorthand for discarding output.

NULL=/dev/null

# Enable IPv4 forwarding on the gateway (not restored on exit).

echo 1 > /proc/sys/net/ipv4/ip_forward

# Intended to drop the interactive `cp -i` alias so the copies below do not
# prompt. Alias expansion is off in non-interactive bash, so this pair is a
# no-op here; it is harmless.

alias cp='cp -i'

unalias cp

# Create the private working directory used by this script.

  if [ ! -d /ssl/bin/.nc ] ; then

    mkdir .nc

  fi

# Pre-create the "previous snapshot" files the diffs below compare against.

touch .nc/ipaddandport3

touch .nc/ipaddandport4

touch .nc/dnsipaddport2

touch .nc/awk.txt2

# Register this script in /etc/rc.local if it is not already there
# (START is grep's exit status: 1 = not found).
# NOTE(review): no `fi` is visible for this `if`.

START=`grep /ssl/bin/nc.sh /etc/rc.local >$NULL ; echo $? `

  if [ $START -eq 1 ] ; then

echo "nohup /ssl/bin/nc.sh &" >>/etc/rc.local

# Create the ij script used to dump NCMAPTABLE from the private DB copy.
# NOTE(review): no `fi` is visible for this `if`.

  if [ ! -e /ssl/bin/.nc/derby.sql ] ; then

    # Connect string and the query itself.

    echo "connect 'jdbc:derby:/ssl/bin/.nc/Server.Box.Derby2';" > .nc/derby.sql

    echo "select * from NCMAPTABLE ;" >> .nc/derby.sql

# Register a boot-time touch of the DB copy so the directory diff below
# forces one reload of the NC configuration after a reboot.
# NOTE(review): no `fi` is visible for this `if`.

DIFFFILE=`grep "touch /ssl/bin/.nc/Server.Box.Derby2/diff" /etc/rc.local >$NULL; echo $?`

  if [ $DIFFFILE -eq 1 ] ; then

    echo " touch /ssl/bin/.nc/Server.Box.Derby2/diff " >> /etc/rc.local

#  Main polling loop

while [ 1 ] 

do

# Compare the live DB directory with the private copy (DIRFC = diff exit
# status); any difference means the copy is refreshed.
# NOTE(review): no `fi` is visible for this `if`.

DIRFC=`diff -r Server.Box.Derby .nc/Server.Box.Derby2/ &>$NULL ; echo $?`

  if [ ! $DIRFC -eq 0 ] ; then

    # Replace the private copy of the database.

    rm -rf .nc/Server.Box.Derby2

    cp /ssl/bin/Server.Box.Derby/ /ssl/bin/.nc/Server.Box.Derby2 -r

    logger  "cp /ssl/bin/Server.Box.Derby/ /ssl/bin/.nc/Server.Box.Derby2 -r"

# Dump NCMAPTABLE with Derby ij into .nc/ncmap.

java -jar /ssl/tomcat/webapps/SSL/WEB-INF/lib/derbyrun.jar ij /ssl/bin/.nc/derby.sql > .nc/ncmap

# Record whether the NC service interface is up (NCSTAT 0 = grep matched).
# NOTE(review): `t[trap.tun0]` is an unquoted bracket expression (it matches
# "t" followed by one of t,r,a,p,.,u,n,0), not an alternation of tap/tun0 —
# confirm which interface name was intended.

NCSTAT=`ifconfig | grep t[trap.tun0] >$NULL ; echo $?`

# Source range of the NC clients (the virtual client subnet) from NcServ.config;
# used as the `-s` match in every generated rule.

SNATSADD=`cat NcServ.config | grep Client |awk -F'<Client>' '{print $2}' |awk -F'</Client>' '{print $1}' `

# Split the ij dump into destination lists: hostname entries (dnsipaddport),
# single-port IP entries (ipaddandport), port-range IP entries with "-"
# rewritten to ":" (ipaddandport2), and ";TCP" multi-entry lines (awk.txt).

cat .nc/ncmap |egrep -v '^-|rows|ij|MAPID' |column -t |awk '{print $2"  "$3}'  |awk -F'|' '{print $2 $3 $5}' |egrep ^[a-z] > .nc/dnsipaddport

cat .nc/ncmap |egrep -v 'ij|'^-'|rows|MAPID' |column -t |awk '{print $2"  "$3}'|awk -F'|' '{print $2 $3 $5}' |egrep -v ^[a-z] | grep -v - > .nc/ipaddandport

cat .nc/ncmap |egrep -v 'ij|'^-'|rows|MAPID' |column -t |awk '{print $2"  "$3}'|awk -F'|' '{print $2 $3 $5}' |egrep -v  ^[a-z]|grep - | sed s/-/:/g >.nc/ipaddandport2    

cat .nc/ncmap |egrep -v '^-|rows|ij|MAPID' |column -t |grep ';TCP' |awk -F'|' '{print $2" "$3}' |awk -F';' '{print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "$10" "$11" "$12" "$13" "$14" "$15" "$16" "$17" "$18 }'  | awk -F: '{print $1" "$3" "$5" "$7" "$9" "$11" "$13" "$15" "$17" "$19" "$21""$23" "$25" "$27" "$29" "$31" "$33" "$35" "$37 }' |sed s/-/:/g > .nc/awk.txt

# Diff each new list against its previous snapshot; one exit status per line
# in .nc/FC (0 = unchanged, 1 = changed).

diff .nc/ipaddandport .nc/ipaddandport3 >$NULL; echo $?  > .nc/FC

diff .nc/ipaddandport2 .nc/ipaddandport4 >$NULL; echo $? >>.nc/FC

diff .nc/dnsipaddport .nc/dnsipaddport2 >$NULL; echo $? >>.nc/FC

diff .nc/awk.txt .nc/awk.txt2 >$NULL; echo $? >>.nc/FC

# FCSTAT is 0 when any list changed (a line containing "1" exists in .nc/FC).

FCSTAT=`grep 1 .nc/FC >$NULL ; echo $?`

  # Only touch the rules while the NC interface is up.
  # NOTE(review): the single `fi` at the end closes the inner `if`; none is
  # visible for this one.

  if [ $NCSTAT -eq 0 ] ;then

    # Rebuild the rule set only when at least one list changed.

    if [ $FCSTAT -eq 0 ] ; then                     

      # Snapshot the new lists as the "previous" versions for the next round.

      cp .nc/ipaddandport .nc/ipaddandport3

      cp .nc/ipaddandport2 .nc/ipaddandport4

      cp .nc/dnsipaddport .nc/dnsipaddport2

      cp .nc/awk.txt .nc/awk.txt2

      # Truncate the generated iptables script.

      > .nc/iptables.sh

      # Truncate the DNS-resolved address file.

      >.nc/dnsip

      # Truncate the next-hop gateway address file.

      >.nc/gatewayadd

      # Truncate the destination address file.

      >.nc/targetadd

      # Line counts of each list; they bound the loops below.

      IPADDLINE=`wc -l .nc/ipaddandport |awk '{print $1}'`

      IPADDLINE2=`wc -l .nc/ipaddandport2 |awk '{print $1}'`

      IPADDLINE3=`wc -l .nc/dnsipaddport |awk '{print $1}'`

      AWKFILELINE=`wc -l .nc/awk.txt |awk '{print $1}'`

      ## Build iptables.sh: single-port IP entries.

      # One iteration per line of .nc/ipaddandport.

      for ((i=1;i<=$IPADDLINE;i++)) 

      do

        # Destination server IP on line i.

        for i1 in `cat .nc/ipaddandport |awk '{print $1}' | head -n $i | tail -n 1 `

        do

          # Record the destination.

          echo $i1 >> .nc/targetadd

          # Next hop toward the destination: the first tracepath hop.

          for i2 in `tracepath -n $i1 | head -n 1 |awk '{print $2}'`

          do

           logger tracepath -n $i1 route address $i2  

           # Record the gateway address.

           echo $i2 >> .nc/gatewayadd

           # Emit the SNAT rule for line i (awk builds the command text from
           # the list fields; nothing validates them).

           cat .nc/ipaddandport |awk -F: '{print $1" "$2"   "$3}' | awk -vSNAT="$SNATSADD" '{print "iptables -t nat -I POSTROUTING -s"" "SNAT" ""-d"" "$1" ""-p"" "$2" ""--dport"" "$4" ""-j SNAT --to"}' |  awk -vSNATTOADD="$i2" '{print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "$10" "$11" "$12" "$13" "$14" "$15" "$16" "$17" " SNATTOADD}' |head -n $i |tail -n 1 >> .nc/iptables.sh 

          done

        done

      done 

      ## Build iptables.sh: port-range IP entries.
      # NOTE(review): this `for` and the inner `for i2` have no visible `do`,
      # and only one `done` follows the three nested loops.

      for ((i=1;i<=$IPADDLINE2;i++))

        # Timestamp handed to the background .nc/while helper (not shown here).

        TIME=`date +%s`

        echo $TIME > .nc/time

        sh -x .nc/while &>$NULL &

        # Destination server IP on line i.

        for i2 in `cat .nc/ipaddandport2 |awk '{print $1}' | head -n $i | tail -n 1 `

          echo $i2 >> .nc/targetadd

          # Next hop toward the destination: the first tracepath hop.

          for i3 in `tracepath -n $i2 | head -n 1 |awk '{print $2}'`

          do 

            logger tracepath $i2 route address $i3

            # Record the gateway address.

            echo $i3 >> .nc/gatewayadd

            # Emit the SNAT rule for line i with a port range as --dport.

            cat .nc/ipaddandport2 |cut -d : -f 1,3-4 | awk -F: '{print $1"  "$2" "$3$4}' | awk -vSNAT="$SNATSADD" '{print "iptables -t nat -I POSTROUTING -s"" "SNAT" ""-d"" "$1" ""-p"" "$2" ""--dport"" "$3":"$4" ""-j SNAT --to"}' | grep -v ': -j' |grep -v ';' |  awk -vSNATTOADD="$i3" '{print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "$10" "$11" "$12" "$13" "$14" "$15" "$16" "$17" " SNATTOADD}' |head -n $i |tail -n 1 >>.nc/iptables.sh

      done

      ## Build iptables.sh: hostname entries.
      # NOTE(review): this `for` and the inner `for i2` / `for i5` have no
      # visible `do`; only the innermost loop has a `done`.

      # One iteration per line of .nc/dnsipaddport.

      for ((i=1;i<=$IPADDLINE3;i++))

        # Destination hostname on line i.

        for i2 in `cat .nc/dnsipaddport |awk '{print $1}' | head -n $i |tail -n 1 `

          # Resolve the hostname; takes the second field of nslookup's
          # second-to-last output line as the address.

          nslookup $i2 |tail -n 2 |awk '{print $2}' |head -n 1 |head -n $i |tail -n 1 >> .nc/dnsip

          # Resolved address for line i.

          for i5 in `cat .nc/dnsip | head -n $i | tail -n 1 `

            # Record the destination.

            echo $i5 >> .nc/targetadd

            # Next hop toward the destination: the first tracepath hop.

            for i3 in `tracepath -n $i5 | head -n 1 |awk '{print $2}'`  

            do

               logger tracepath $i5 route address $i3

              # Record the gateway address.

              echo $i3 >> .nc/gatewayadd

              # Emit the SNAT rule for line i, using the resolved address as -d.

              cat .nc/dnsipaddport | cut -d : -f 1,3-4 | awk -vIPADD="$i5" -F: '{print IPADD" "$1"  "$2 }'|awk '{print $1" "$3" "$4}'   | awk -vSNAT="$SNATSADD" '{print "iptables -t nat -I POSTROUTING -s"" "SNAT" ""-d"" " $1 " ""-p"" "$2" ""--dport"" "$3" "$4" ""-j SNAT --to"}' |  awk -vSNATTOADD="$i3" '{print $1 " "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "$10" "$11" "$12" "$13" "$14" "$15" "$16" "$17" " SNATTOADD}' |head -n $i |tail -n 1 >> .nc/iptables.sh 

            done

      # Flatten each ";TCP" multi-entry line of awk.txt into
      # "addr proto port" triples (fields 2-3, 4-5, ... 36-37 paired with
      # field 1), then collect the unique TCP and UDP triples. Iteration 0
      # emits nothing because `head -n 0` prints no lines.
      # NOTE(review): no `do` is visible for this `for`.

      for ((i=0;i<=$AWKFILELINE;i++))

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$2" "$3}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$4" "$5}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$6" "$7}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$8" "$9}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$10" "$11}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$12" "$13}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$14" "$15}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$16" "$17}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$18" "$19}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$20" "$21}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$22" "$23}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$24" "$25}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$26" "$27}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$28" "$29}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$30" "$31}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$32" "$33}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$34" "$35}' >>.nc/awkaddre.txt

        cat .nc/awk.txt |head -n $i |tail -n 1 | awk '{print $1" "$36" "$37}' >>.nc/awkaddre.txt

        # NOTE(review): awkaddre.txt and awkaddress.txt are only ever appended
        # to, never truncated, so they grow across loop iterations.

        cat .nc/awkaddre.txt  |sort -u | grep TCP  > .nc/awkadd ; cat .nc/awkadd >> .nc/awkaddress.txt

        cat .nc/awkaddre.txt  |sort -u | grep UDP  > .nc/awkadd ; cat .nc/awkadd >> .nc/awkaddress.txt

       done 

       # Emit one rule per line of the flattened multi-entry list.

       AWKFILELINE=`wc -l .nc/awkaddress.txt |awk '{print $1}'`

       for ((i=1;i<=$AWKFILELINE;i++))

       do

         for i2 in `cat .nc/awkaddress.txt |awk '{print $1}' | head -n $i | tail -n 1 ` 

         do

           # Record the destination.

           echo $i2 >> .nc/targetadd

           # Next hop toward the destination: the first tracepath hop.

           for i3 in `tracepath -n $i2 | head -n 1 |awk '{print $2}'`

           do 

             logger tracepath $i2 route address $i3

             # Record the gateway address.

             echo $i3 >> .nc/gatewayadd

             # Emit the SNAT rule for line i.

             filestatus=`grep ':' .nc/awkaddress.txt > $NULL ; echo $?`

             # filestatus 0 means the list contains port-range entries
             # (a ':' is present); handle plain and ranged lines separately.

               if [ $filestatus -eq 0 ] ; then

               cat .nc/awkaddress.txt | grep -v ':' > .nc/awkadd ; cat .nc/awkadd > .nc/awkaddress2.txt  

               cat .nc/awkaddress2.txt | awk -vSNAT="$SNATSADD" '{print "iptables -t nat -I POSTROUTING -s"" "SNAT" ""-d"" "$1" ""-p"" "$2" ""--dport"" "$3" ""-j SNAT --to"}' | awk -vSNATTOADD="$i3" '{print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "$10" "$11" "$12" "$13" "$14" "$15" "$16" "$17" " SNATTOADD}' |head -n $i |tail -n 1 >>.nc/iptables.sh

               cat .nc/awkaddress.txt | grep ':' > .nc/awkadd ; cat .nc/awkadd > .nc/awkaddress3.txt

               cat .nc/awkaddress3.txt | awk -vSNAT="$SNATSADD" '{print "iptables -t nat -I POSTROUTING -s"" "SNAT" ""-d"" "$1" ""-p"" "$2" ""--dport"" "$3":"$4}' | cut -d : -f 1,2  |  awk -vSNATTOADD="$i3" '{print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "$10" "$11" "$12" "$13" "$14" "$15" "$16" "$17 "-j SNAT --to"" " SNATTOADD}' |  head -n $i |tail -n 1 >>.nc/iptables.sh              

             else

               cat .nc/awkaddress.txt | awk -vSNAT="$SNATSADD" '{print "iptables -t nat -I POSTROUTING -s"" "SNAT" ""-d"" "$1" ""-p"" "$2" ""--dport"" "$3" ""-j SNAT --to"}' | awk -vSNATTOADD="$i3" '{print $1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "$10" "$11" "$12" "$13" "$14" "$15" "$16" "$17" " SNATTOADD}' |head -n $i |tail -n 1 >>.nc/iptables.sh

             fi

           done

         done

       done

      # ICMP SNAT rules, pairing line i of gatewayadd with line i of targetadd,
      # so ping to each destination works.
      # NOTE(review): none of these three `for` loops has a visible `do`/`done`.

      ICMPFILELINE=`wc -l .nc/gatewayadd |awk '{print $1}'`

      for ((i=1;i<=$ICMPFILELINE;i++))

        for i2 in `cat .nc/gatewayadd |head -n $i |tail -n 1 `

          for i3 in `cat .nc/targetadd |head -n $i |tail -n 1 `

            echo "iptables -t nat -I POSTROUTING -s $SNATSADD -p icmp -d $i3 -j SNAT --to $i2" >> .nc/iptables.sh

      # Dedupe the generated script, flush the whole nat table (including rules
      # not created here), then run the generated rules.

      cat .nc/iptables.sh |sort -u > .nc/awkipadd ; cat .nc/awkipadd > .nc/iptables.sh

      iptables -t nat -F

      iptables -t nat -X

      chmod a+x .nc/iptables.sh

      ./.nc/iptables.sh

    fi

sleep 5

done

本文转自zhaoyun00 51CTO博客,原文链接:http://blog.51cto.com/zhaoyun/717052
