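#!/usr/bin/env bash
#
# Pushes the SNMP and SSH management ACLs to every switch and router found
# in the rancid configuration directory. For each device the ACL syntax
# family is detected from its saved rancid config (IOS standard ACL,
# "fibre" one-line ACL or Nexus ACL), a matching configuration snippet is
# generated and applied with rancid's clogin.
#
# Two environment variables must be set before the script is started:
#   $ export SSHUSER=network_admin_username
#   $ export SSHPASS=network_admin_password
#
# NOTE(review): clogin receives the password via -p on its command line, so
# it is visible in process listings (ps) while each login runs; rancid's
# .cloginrc is the usual way to avoid that. Not changed here.

# -u: unset variables are errors; pipefail: a failing pipeline stage is not
# hidden. -e is deliberately not used: one device that rejects the login
# must not abort the run for the remaining devices, so the critical steps
# are checked explicitly below.
set -uo pipefail

# Both credentials are mandatory; abort early with a readable message.
: "${SSHUSER:?SSHUSER must be set (export SSHUSER=...)}"
: "${SSHPASS:?SSHPASS must be set (export SSHPASS=...)}"

# Sequence number; usually stays at 1 but can be incremented when several
# runs on the same day are needed (each run needs a distinct ACL version).
readonly LFDNR=2

# Networks/IPs that go into the ACLs. Every entry is written in CIDR
# notation and converted to the wildcard form the device needs.
# Which hosts get configured is taken from the rancid config files.

# ACL for SNMP read-only access
readonly ROACL="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 195.20.133.0/24 149.13.94.0/24 92.50.110.208/29"
# ACL for SNMP read-write access
readonly RWACL="10.0.0.0/8"
# ACL for SSH access (ends up in ansible__system_acl)
readonly SSHACL="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Directory with the rancid device configs; every regular file whose name
# contains "switch" or "router" is treated as a device.
readonly RANCID_CONFIG_DIR=/home/rancid/var/rancid/network/configs/

# ACL version string, yy.mm.dd.LFDNR (e.g. 24.05.17.2). It is written into
# the ansible__acl_v_nr ACL as a pseudo host address so the version applied
# to a device can be read back from its config.
DATUM=$(date +"%y.%m.%d")
readonly ACLV="${DATUM}.${LFDNR}"

#######################################
# Prints a message to stderr and exits with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Converts a CIDR prefix into the "address wildcard" form used by IOS ACLs.
# Arguments: $1 - network in CIDR notation, e.g. 10.0.0.0/8
# Outputs:   "<address> <wildcard>" on stdout, e.g. "10.0.0.0 0.255.255.255"
# Returns:   0 on success; 1 (with a message on stderr) when $1 is not a
#            dotted quad followed by a /0../32 prefix length. Octet values
#            above 255 are not rejected (the original did not check them
#            either).
#######################################
cidr2wildcard() {
  local cidr=$1
  local -r cidr_re='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
  if [[ ! "$cidr" =~ $cidr_re ]]; then
    printf 'cidr2wildcard: invalid CIDR entry "%s"\n' "$cidr" >&2
    return 1
  fi
  local ip=${cidr%/*}
  local prefix=${cidr#*/}
  # Wildcard = bitwise complement of the netmask, truncated to 32 bits.
  # For /0 the shift by 32 leaves the low 32 bits clear, giving all ones.
  # Relies on 64-bit shell arithmetic (bash uses intmax_t).
  local -i wc=$(( ~(0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  printf '%s %d.%d.%d.%d\n' "$ip" \
    $(( (wc >> 24) & 255 )) $(( (wc >> 16) & 255 )) \
    $(( (wc >> 8) & 255 )) $(( wc & 255 ))
}

#######################################
# Prints the device configuration that replaces one ACL together with the
# ansible__acl_v_nr version-marker ACL.
# Arguments: $1 - ACL version string (host entry of ansible__acl_v_nr)
#            $2 - syntax family: "default" (IOS standard ACL), "fibre"
#                 or "nexus"
#            $3 - name of the ACL to (re)create
#            $4 - whitespace separated list of CIDR entries to permit
#            $5 - optional suffix appended to each permit line (e.g. "log");
#                 ignored by the "fibre" family
# Outputs:   configuration lines on stdout; nothing for an unknown family
# Returns:   0, or the status of a failed cidr2wildcard conversion (output
#            is then incomplete and must not be pushed)
#######################################
generate_acl() {
  local version=$1 family=$2 acl=$3 entries=$4 suffix=${5-}
  local -a nets
  # $4 is a whitespace separated list; split it once into an array.
  read -r -a nets <<<"$entries"
  local net wildcard

  case "$family" in
    default)
      printf '%s\n' "conf t"
      printf '%s\n' "no ip access-list standard ansible__acl_v_nr"
      printf '%s\n' "ip access-list standard ansible__acl_v_nr"
      printf '%s\n' " permit host $version"
      printf '%s\n' " exit"
      echo
      printf '%s\n' "no ip access-list standard $acl"
      printf '%s\n' "ip access-list standard $acl"
      for net in "${nets[@]}"; do
        wildcard=$(cidr2wildcard "$net") || return
        printf '%s\n' " permit $wildcard $suffix"
      done
      printf '%s\n' " deny any log"
      printf '%s\n' " end"
      echo
      ;;
    fibre)
      printf '%s\n' "conf t"
      printf '%s\n' "no ip access-list ansible__acl_v_nr"
      printf '%s\n' " ip access-list ansible__acl_v_nr permit ip $version 0.0.0.0 any"
      echo
      printf '%s\n' "no ip access-list $acl"
      for net in "${nets[@]}"; do
        wildcard=$(cidr2wildcard "$net") || return
        printf '%s\n' " ip access-list $acl permit ip $wildcard any"
      done
      printf '%s\n' " ip access-list $acl deny ip any any log-deny"
      printf '%s\n' " end"
      echo
      ;;
    nexus)
      printf '%s\n' "conf t"
      printf '%s\n' "no ip access-list ansible__acl_v_nr"
      printf '%s\n' "ip access-list ansible__acl_v_nr"
      printf '%s\n' " permit ip host $version any"
      printf '%s\n' " exit"
      echo
      printf '%s\n' "no ip access-list $acl"
      printf '%s\n' "ip access-list $acl"
      # Nexus takes the CIDR prefix directly; no wildcard conversion.
      for net in "${nets[@]}"; do
        printf '%s\n' " permit ip $net any $suffix"
      done
      printf '%s\n' " deny ip any any log"
      printf '%s\n' " end"
      echo
      ;;
    *)
      # Unknown family: emit nothing, like the original.
      ;;
  esac
}

#######################################
# Prompts for every device in the rancid config directory, detects its ACL
# syntax family from the saved config and pushes the three ACLs via clogin.
# Globals:   ACLV, ROACL, RWACL, SSHACL, RANCID_CONFIG_DIR, SSHUSER,
#            SSHPASS (read); ACL_FILE (written: staging file, removed on exit)
# Returns:   exits 1 if the config directory is unusable or an ACL could
#            not be generated; a failed clogin is reported and skipped
#######################################
main() {
  cd "$RANCID_CONFIG_DIR" || die "cannot cd to $RANCID_CONFIG_DIR"

  # The generated commands are staged in a private temp file rather than a
  # fixed name in /tmp, which any local user could replace or edit before
  # clogin pushes it to the device.
  ACL_FILE=$(mktemp) || die "mktemp failed"
  trap 'rm -f -- "$ACL_FILE"' EXIT

  local -r dev_re='switch|router'
  local dev family
  for dev in *; do
    [[ -f "$dev" && "$dev" =~ $dev_re ]] || continue
    echo
    echo
    printf 'Press to continue with %s\n' "$dev"
    read -r

    # The syntax family is inferred from the ansible-managed ACLs already
    # present in the saved config; the most specific pattern wins.
    if grep -Eq "ip access-list standard.*ansible" -- "$dev"; then
      family=default
    elif grep -Eq "ip access-list.*ansible.*permit" -- "$dev"; then
      family=fibre
    elif grep -Eq "ip access-list.*ansible" -- "$dev"; then
      family=nexus
    else
      # No ansible-managed ACL in this config: leave the device alone.
      continue
    fi

    printf '~~~~~~~~~~~ %s ~~~~~~~~~~~\n' "$dev"
    # A bad entry in the ACL constants is a script error: stop before
    # pushing a truncated snippet to any device.
    {
      generate_acl "$ACLV" "$family" ansible__snmp_ro_acl "$ROACL" &&
        generate_acl "$ACLV" "$family" ansible__snmp_rw_acl "$RWACL" &&
        generate_acl "$ACLV" "$family" ansible__system_acl "$SSHACL" log
    } > "$ACL_FILE" || die "ACL generation failed for $dev; nothing was pushed"

    clogin -u "$SSHUSER" -p "$SSHPASS" -x "$ACL_FILE" "$dev" \
      || printf 'warning: clogin to %s failed (status %d)\n' "$dev" "$?" >&2

    # ansible__system_acl carries SSHACL, so a wrong push can cut off
    # management access; hence the reminder to verify the login.
    echo
    echo
    echo
    echo "Test with"
    echo " clogin -u \$SSHUSER -p \$SSHPASS -c exit $dev"
    echo
  done
}

main "$@"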