#!/bin/bash
# Two environment variables must be exported before the script is started:
#
#   $ export SSHUSER=netzwerk_admin_username
#   $ export SSHPASS=netzwerk_admin_passwort
#
# NOTE(review): the password is later passed to clogin as a command-line
# argument, where other local users can read it from ps; rancid's .cloginrc
# is the usual place for it — confirm before changing the workflow.

# Run counter for today's ACL version string. Normally stays at 1; bump it
# when more than one push is needed on the same day.
LFDNR=2

# Networks that go into each ACL, one space-separated list per ACL.
# Every entry is written in CIDR notation; it is converted to the
# "address wildcard" form by cidr2wildcard where the platform needs it.
# The devices themselves are taken from the rancid config files.

# ACL for SNMP read-only access
ROACL="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 195.20.133.0/24 149.13.94.0/24 92.50.110.208/29"

# ACL for SNMP read-write access
RWACL="10.0.0.0/8"

# ACL for SSH access
SSHACL="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Version marker yy.mm.dd.<run>. generate_acl writes it as a pseudo host
# entry into the ansible__acl_v_nr ACL, presumably so the deployed version
# can be read back from the device.
DATUM=$(date '+%y.%m.%d')
ACLV="${DATUM}.${LFDNR}"
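#######################################
# Convert one IPv4 prefix in CIDR notation into the "address wildcard" form
# that IOS access lists expect, e.g. 10.0.0.0/8 -> "10.0.0.0 0.255.255.255".
# Arguments: $1 - prefix as a.b.c.d/len, len 0..32
# Outputs:   "<address> <wildcard>" on stdout
# Returns:   0 on success; 1 (message on stderr, nothing on stdout) when the
#            argument has no "/", an out-of-range prefix length or a bad
#            address. The old lookup table had no default arm and kept WC
#            as a global, so a malformed entry silently reused the wildcard
#            of the previous entry — a wrong, possibly much wider, permit
#            would have been pushed to the device. Malformed entries are now
#            refused instead.
#######################################
cidr2wildcard () {
  local cidr="$1" ip mask octet hostbits wildcard

  if [[ $cidr != */* ]]; then
    printf 'cidr2wildcard: "%s" is not in CIDR notation (a.b.c.d/len)\n' "$cidr" >&2
    return 1
  fi
  ip=${cidr%%/*}
  mask=${cidr#*/}

  # Prefix length: one or two digits, 0..32. "10#" forces decimal so that
  # "08" is not rejected as an invalid octal literal.
  if [[ ! $mask =~ ^[0-9]{1,2}$ ]] || (( 10#$mask > 32 )); then
    printf 'cidr2wildcard: bad prefix length in "%s"\n' "$cidr" >&2
    return 1
  fi
  mask=$(( 10#$mask ))

  # Address: four dotted octets, each 0..255.
  if [[ ! $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    printf 'cidr2wildcard: bad address in "%s"\n' "$cidr" >&2
    return 1
  fi
  for octet in ${ip//./ }; do
    if (( 10#$octet > 255 )); then
      printf 'cidr2wildcard: bad address in "%s"\n' "$cidr" >&2
      return 1
    fi
  done

  # The wildcard has exactly the host bits set: 2^(32-len) - 1, then split
  # into four octets. Replaces the 33-entry case table with the same values.
  hostbits=$(( 32 - mask ))
  wildcard=$(( (1 << hostbits) - 1 ))
  printf '%s %d.%d.%d.%d\n' "$ip" \
    $(( (wildcard >> 24) & 255 )) $(( (wildcard >> 16) & 255 )) \
    $(( (wildcard >> 8) & 255 )) $(( wildcard & 255 ))
}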
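#######################################
# Print the configuration commands that rebuild one ACL on one device.
# Two ACLs are emitted: ansible__acl_v_nr, a one-entry marker ACL that
# carries the version string as a pseudo host address, and the requested ACL
# with one permit per network followed by a logging deny.
# Arguments: $1 - version string (yy.mm.dd.n) written into ansible__acl_v_nr
#            $2 - device flavour: "default" (IOS standard ACL, wildcard form),
#                 "fibre" (one-line "ip access-list ... permit ip" syntax,
#                 wildcard form, $5 is ignored) or "nexus" (networks are
#                 emitted as-is in CIDR form)
#            $3 - name of the ACL to (re)create
#            $4 - space-separated networks in CIDR notation
#            $5 - optional; "log" appends logging to each permit (default none)
# Outputs:   configuration commands on stdout
# Returns:   0 on success; 1 with a message on stderr for an unknown flavour,
#            an empty network list, or a network that cidr2wildcard rejects.
#            On failure the caller must not push the partial output: an ACL
#            consisting only of the final deny blocks everything it guards.
#######################################
generate_acl () {
  local aclv="$1" typ="$2" acl="$3" ace="$4" log="${5-}"
  local entry wildcard

  # An empty list would produce an ACL with nothing but "deny ... log";
  # for ansible__system_acl that means losing management access.
  if [[ -z ${ace// } ]]; then
    printf 'generate_acl: empty network list for %s, refusing to emit a deny-only ACL\n' "$acl" >&2
    return 1
  fi

  case "$typ" in
    default)
      echo "conf t"
      echo "no ip access-list standard ansible__acl_v_nr"
      echo "ip access-list standard ansible__acl_v_nr"
      echo " permit host $aclv"
      echo " exit"
      echo
      echo "no ip access-list standard $acl"
      echo "ip access-list standard $acl"
      # $ace is deliberately unquoted: one loop iteration per network.
      for entry in $ace; do
        # A conversion failure must abort, not become an empty permit line.
        wildcard=$(cidr2wildcard "$entry") || return 1
        echo " permit $wildcard $log"
      done
      echo " deny any log"
      echo " end"
      echo
      ;;
    fibre)
      echo "conf t"
      echo "no ip access-list ansible__acl_v_nr"
      echo " ip access-list ansible__acl_v_nr permit ip $aclv 0.0.0.0 any"
      echo
      echo "no ip access-list $acl"
      for entry in $ace; do
        wildcard=$(cidr2wildcard "$entry") || return 1
        echo " ip access-list $acl permit ip $wildcard any"
      done
      echo " ip access-list $acl deny ip any any log-deny"
      echo " end"
      echo
      ;;
    nexus)
      echo "conf t"
      echo "no ip access-list ansible__acl_v_nr"
      echo "ip access-list ansible__acl_v_nr"
      echo " permit ip host $aclv any"
      echo " exit"
      echo
      echo "no ip access-list $acl"
      echo "ip access-list $acl"
      for entry in $ace; do
        echo " permit ip $entry any $log"
      done
      echo " deny ip any any log"
      echo " end"
      echo
      ;;
    *)
      # Previously an unknown flavour produced no output and status 0.
      printf 'generate_acl: unknown device type "%s"\n' "$typ" >&2
      return 1
      ;;
  esac
}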
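#######################################
# Main loop: walk the rancid config directory, decide which ACL syntax each
# switch/router speaks, generate the three ACLs and push them with clogin.
# Each device is preceded by an interactive <ENTER> prompt.
# Globals:   SSHUSER, SSHPASS (read; must be exported beforehand)
#            ACLV, ROACL, RWACL, SSHACL (read)
#            DEV, TYP, ACLFILE (written)
#######################################

# Fail before any device is touched when the credentials are missing;
# clogin would otherwise be started with an empty user name or password.
: "${SSHUSER:?export SSHUSER=<network admin user> before running}"
: "${SSHPASS:?export SSHPASS=<network admin password> before running}"

CONFIGDIR=/home/rancid/var/rancid/network/configs
# A failed cd must not fall through to listing whatever directory we are in.
cd "$CONFIGDIR" || { echo "cannot cd to $CONFIGDIR" >&2; exit 1; }

# The command file is executed on every device with the admin credentials.
# A fixed, predictable path such as /tmp/acls.txt could be pre-created or
# swapped by another local user between generation and push, so use a
# private temp file and remove it on any exit.
ACLFILE=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$ACLFILE"' EXIT

for DEV in *; do
  # Same selection as the former "ls | egrep switch|router": plain files
  # whose name contains switch or router.
  [[ -f $DEV ]] || continue
  [[ $DEV == *switch* || $DEV == *router* ]] || continue

  echo
  echo
  echo "Press <ENTER> to continue with $DEV"
  read -r _

  # Device flavour, judged from the syntax of the ansible ACL already present
  # in the saved config. Order matters: the last pattern also matches the
  # first two, so it is only tried when neither of them hit.
  TYP=""
  if grep -qE -- "ip access-list standard.*ansible" "$DEV"; then
    TYP=default
  elif grep -qE -- "ip access-list.*ansible.*permit" "$DEV"; then
    TYP=fibre
  elif grep -qE -- "ip access-list.*ansible" "$DEV"; then
    TYP=nexus
  fi
  [[ -n $TYP ]] || continue

  echo "~~~~~~~~~~~ $DEV ~~~~~~~~~~~"

  # All three ACLs go into one command file. If any generator fails the file
  # may hold a truncated ACL, so it must not be pushed to the device.
  {
    generate_acl "$ACLV" "$TYP" ansible__snmp_ro_acl "$ROACL" &&
      generate_acl "$ACLV" "$TYP" ansible__snmp_rw_acl "$RWACL" &&
      generate_acl "$ACLV" "$TYP" ansible__system_acl "$SSHACL" log
  } > "$ACLFILE" || { echo "ACL generation failed for $DEV, skipping" >&2; continue; }

  # NOTE(review): -p puts the password on clogin's command line, where any
  # local user can read it from ps; rancid's .cloginrc (mode 0600) avoids
  # that. Kept as-is so the documented SSHUSER/SSHPASS workflow still works.
  clogin -u "$SSHUSER" -p "$SSHPASS" -x "$ACLFILE" "$DEV"

  echo
  echo
  echo
  echo "Test with"
  echo " clogin -u \$SSHUSER -p \$SSHPASS -c exit $DEV"
  echo
done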