CentOS 7 – Firewalld allow all traffic from a Server

I hate the default firewall in CentOS. 😀

It's so needlessly complicated that a simple access rule seems to be as hard as climbing Mount Everest.

So, my problem was that I wanted to configure a CentOS server for our backup system. The backup client was installed, but the CentOS firewall was blocking the traffic.

Our backup system needs several ports (a whole range), and communication comes from multiple servers.

But I didn't want to allow a port range, for security reasons. So opening up traffic for our backup subnet was the way to go.

Here is the command:

firewall-cmd --permanent --zone=public --direct --add-rule ipv4 filter IN_public_allow 0 -s xx.x.xx.x/xx -j ACCEPT

firewall-cmd --reload
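The --direct rule above injects a raw iptables rule into firewalld's IN_public_allow chain. Direct rules sit outside the zone model (they are not shown by --list-all, only by --direct --get-all-rules) and the firewalld documentation describes the direct interface as a last resort. The same effect, expressed as a rich rule in the public zone, is what firewall-cmd is built for. The following is an added example and not part of the original post: a small bash helper that validates the subnet before handing it to firewall-cmd (a slip such as /8 instead of /24 silently admits far more than the backup subnet), adds the rich rule permanently, reloads, and checks that the rule is active. 192.0.2.0/24 is a documentation prefix standing in for the real backup subnet, and firewall-cmd is only invoked when the script is run with an argument on a host that has it.

```bash
#!/bin/bash
# allow-subnet.sh: allow all traffic from one source subnet in firewalld's
# public zone, using a rich rule instead of a --direct iptables rule.
# Usage: allow-subnet.sh 192.0.2.0/24   (192.0.2.0/24 is a stand-in subnet)

ZONE=${ZONE:-public}

# valid_cidr: returns 0 only for a.b.c.d/n with every octet <= 255 and n in 0..32.
# Anything else (missing prefix, extra iptables arguments, junk) is rejected.
valid_cidr() {
    local cidr=$1 prefix octet
    [[ $cidr =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/([0-9]{1,2})$ ]] || return 1
    prefix=${BASH_REMATCH[5]}
    [ "$prefix" -le 32 ] || return 1
    for octet in "${BASH_REMATCH[@]:1:4}"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rich_rule: prints the rich rule text in the form firewall-cmd expects
build_rich_rule() {
    valid_cidr "$1" || return 1
    printf 'rule family="ipv4" source address="%s" accept\n' "$1"
}

# apply_rule: add the rule permanently, reload, then verify it is in the
# runtime rule set of the zone (the --list-rich-rules output is canonical).
apply_rule() {
    local rule
    rule=$(build_rich_rule "$1") || { echo "refusing invalid subnet: $1" >&2; return 1; }
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule" || return 1
    firewall-cmd --reload || return 1
    if firewall-cmd --zone="$ZONE" --list-rich-rules | grep -qxF "$rule"; then
        echo "active in zone $ZONE: $rule"
    else
        echo "rule not active after reload; check 'firewall-cmd --get-active-zones'" >&2
        return 1
    fi
}

# Only touch the firewall when called with a subnet argument.
if [ $# -eq 1 ]; then
    command -v firewall-cmd >/dev/null || { echo "firewall-cmd not installed" >&2; exit 1; }
    apply_rule "$1"
fi
```

The verification step matters on hosts with more than one interface: if the interface facing the backup subnet is not in the public zone, the rule is stored but never hit, and --get-active-zones shows which zone actually owns that interface.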

Have fun 😀

Remote backup of a Linux server via SSH

  • On the server where you want to store the backups of the server in question, create the user "backupid".
  • This user must be able to log in to the servers that are to be backed up via public/private key authentication.
  • Under backupid's home directory, create a folder for the scripts, e.g. bin.

Create a file named backup-dirs.sh with the following content:


#!/bin/bash
# backup-dirs.sh <hostname-or-ip>
# Pulls a gzipped tar of every directory listed in <scriptdir>/<host>.cfg from
# the remote host over SSH and stores it locally with the date in the name.
# The newest copy of each directory is additionally mirrored into
# backupdir.backupsrv/<host>, where the previous copy is replaced.
HOSTNAME=$1
CONFIGDIR=$(dirname "$0")
BACKUPDIR_LOCAL=/home/backupid/backupdir
BACKUPDIR_LATEST=/home/backupid/backupdir.backupsrv
DATE=$(date +%d-%m-%Y)

if [ -z "$HOSTNAME" ]
then
    echo "error: please enter a hostname"
    exit 1
fi

# The host name ends up in file names and in an ssh command line:
# accept only characters that can appear in a hostname or IP address.
case "$HOSTNAME" in
    *[!A-Za-z0-9._-]*) echo "error: invalid hostname $HOSTNAME"; exit 1 ;;
esac

# nmap prints "22/tcp open  ssh" (two spaces before the service name),
# so match on the state only.
PORTACCESSIBLE=$(nmap -p 22 "$HOSTNAME" | grep -c '^22/tcp  *open')
if [ "$PORTACCESSIBLE" -eq 0 ]
then
    echo "error: ssh port not accessible on $HOSTNAME"
    exit 1
fi

CONFIGFILE="$CONFIGDIR/$HOSTNAME.cfg"
if [ ! -e "$CONFIGFILE" ]
then
    echo "error: no config file for $HOSTNAME found"
    exit 1
fi

CONFIGLINES=$(grep -c . "$CONFIGFILE")
if [ "$CONFIGLINES" -eq 0 ]
then
    echo "error: config file is empty for $HOSTNAME"
    exit 1
fi

mkdir -p "$BACKUPDIR_LOCAL/$HOSTNAME" "$BACKUPDIR_LATEST/$HOSTNAME"

# Temporary files with unpredictable names (mktemp, mode 0600) instead of
# fixed, guessable paths in /tmp; both are removed on exit.
SSHSCRIPT=$(mktemp "/tmp/$HOSTNAME-ssh-script.XXXXXX") || exit 1
FILELIST=$(mktemp "/tmp/$HOSTNAME-filelist.XXXXXX") || exit 1
trap 'rm -f "$SSHSCRIPT" "$FILELIST"' EXIT
echo "#!/bin/bash" > "$SSHSCRIPT"

# One "ssh ... tar" line per configured directory. The archive name is
# <host>-<date><dir>, with every / in <dir> replaced by -.
while read -r line
do
    [ -z "$line" ] && continue
    LINE2=${line//\//-}
    ARCHIVE="$BACKUPDIR_LOCAL/$HOSTNAME/$HOSTNAME-$DATE$LINE2.tar.gz"
    echo "ssh root@$HOSTNAME \"tar -cz '$line'\" > '$ARCHIVE'" >> "$SSHSCRIPT"
    echo "$ARCHIVE" >> "$FILELIST"
done < "$CONFIGFILE"

chmod 750 "$SSHSCRIPT"
# stdout is silenced; ssh/tar errors stay on stderr so cron can mail them
"$SSHSCRIPT" >/dev/null

# Verify every archive lists at least one entry, then replace the previous
# copy of that directory in the "latest" tree with the new one.
while read -r line
do
    TARLINECOUNT=$(tar -tzf "$line" 2>/dev/null | wc -l)
    if [ "$TARLINECOUNT" -eq 0 ]
    then
        echo "error: $line seems to be empty"
    else
        # replace the date part with * so the old dated copy is matched by glob
        LINE_TO_DEL=$(echo "$line" | sed 's/..-..-....-/*/' | sed 's/backupdir/backupdir.backupsrv/')
        rm -f $LINE_TO_DEL   # deliberately unquoted: the * has to expand
        cp "$line" "$BACKUPDIR_LATEST/$HOSTNAME"
    fi
done < "$FILELIST"

exit 0

 

  • Then, in the same folder, create a config file whose name is either the hostname or the IP address of the host to be backed up.

e.g. 192.168.1.10.cfg

In it, list the directories to be backed up, one per line.

e.g.

/home
/etc
/var
/root

If you want the script to run automatically once a day, open the crontab of the user backupid:


crontab -e


and add one line per host, passing the hostname (the name of its .cfg file without the extension) as the argument, since the script exits with an error when called without one:


0 5 * * * /home/backupid/bin/backup-dirs.sh 192.168.1.10
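The script logs in as root on every backed-up server, so the private key in /home/backupid/.ssh on the backup host is a root key for all of them. If it is an unrestricted key, whoever compromises the backup host gets an interactive root shell everywhere. A practitioner would restrict that key on each target to exactly the command the backup script sends. The following is an added example and not part of the original post: a forced-command wrapper for the backed-up host that accepts only tar -cz '<dir>' for directories on an allowlist, together with the matching authorized_keys entry. The paths /usr/local/sbin/backup-only and /etc/backup-dirs.allow, the backup server address 192.0.2.10 and the key blob are placeholders chosen for this example; it assumes the backup host sends the remote command as tar -cz '<dir>' with single quotes, one directory per ssh call.

```bash
#!/bin/bash
# backup-only: SSH forced command for the backup key on a backed-up host.
# Placeholder paths for this example: wrapper at /usr/local/sbin/backup-only,
# allowlist of permitted directories at /etc/backup-dirs.allow (one per line).
#
# Matching entry in /root/.ssh/authorized_keys on the backed-up host
# (192.0.2.10 stands for the backup server, AAAA... for the real key):
#   from="192.0.2.10",command="/usr/local/sbin/backup-only",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA... backupid@backupsrv
#
# The backup script sends e.g.:  tar -cz '/home'
# Everything else (a shell, rm, a path not on the allowlist, shell
# metacharacters appended to a valid command) is refused and logged.

ALLOWLIST=${ALLOWLIST:-/etc/backup-dirs.allow}

# parse_backup_command: prints the directory and returns 0 if $1 is exactly
# "tar -cz '<dir>'" with <dir> an absolute path present in the allowlist;
# returns 1 for anything else.
parse_backup_command() {
    local cmd=$1 dir re
    # exact shape, single quotes mandatory, no further arguments
    re="^tar -cz '(/[A-Za-z0-9._/-]*)'\$"
    [[ $cmd =~ $re ]] || return 1
    dir=${BASH_REMATCH[1]}
    # refuse traversal even if the allowlist is sloppy
    [[ $dir == *..* ]] && return 1
    [ -r "$ALLOWLIST" ] || return 1
    grep -qxF -- "$dir" "$ALLOWLIST" || return 1
    printf '%s\n' "$dir"
}

main() {
    local dir client=${SSH_CLIENT%% *}
    if ! dir=$(parse_backup_command "${SSH_ORIGINAL_COMMAND-}"); then
        logger -t backup-only "refused from $client: ${SSH_ORIGINAL_COMMAND-}"
        echo "refused" >&2
        exit 1
    fi
    logger -t backup-only "archiving $dir for $client"
    exec tar -cz "$dir"
}

# Run only when invoked by sshd (SSH_ORIGINAL_COMMAND is set), so the
# function above can be sourced and tested without side effects.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    main
fi
```

The allowlist on the target should mirror the directories in that host's .cfg file on the backup server; a directory added on only one side shows up as a refused command in the target's syslog rather than as a silently missing archive.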