使用expect

脚本

将下面内容写入exp文件,给执行权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#!/usr/bin/expect

# 设置超时时间
set timeout 30

# 启动 Telnet 会话
spawn telnet 192.168.1.1 23

# 等待登录提示
expect "Login:"
send "root\r"

# 等待密码提示
expect "Password:"
send "Zte521\r"

# 等待命令提示符
expect "#"
send "ip6tables -L FORWARD --line-numbers\r"

expect {
    "DROP" {
        # 如果输出包含特定字符串,则退出
        send "exit\r"
    }
    timeout {
        # 如果没有匹配到,发送其他命令
        send "ip6tables -A FORWARD -i br0 -o ppp0 -j ACCEPT\r"
        expect "#"
        send "ip6tables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT\r"
        expect "#"
        send "ip6tables -I FORWARD -p tcp --dport 443 -d ::be24:11ff:fe16:ceb1/::ffff:ffff:ffff:ffff -j ACCEPT\r"
        expect "#"
        send "ip6tables -I FORWARD -p udp --dport 8090 -d ::86a9:3eff:fe70:7209/::ffff:ffff:ffff:ffff -j ACCEPT\r"
        expect "#"
        send "ip6tables -A FORWARD -j DROP\r"
        expect "#"
        send "ip6tables -L FORWARD --line-numbers\r"
        expect "#"
        send "exit\r"
    }
}

定时

可以借助青龙

docker部署示例:

1
2
3
docker exec -it qinglong bash
apk update
apk add expect busybox-extras

使用python

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
#!/usr/bin/env python3
import telnetlib
import time
import sys
import logging

# --- 配置区 ---
ROUTER_IP = "192.168.1.1"
TELNET_PORT = 23
USERNAME = "root"          # <-- 修改为您的用户名
PASSWORD = "Zte521"        # <-- 修改为您的密码
PROMPT = b"#"              # 路由器的命令提示符,通常是 '#' 或 '$'
LOG_FILE = "/var/log/apply_iptables_rules.log" # 日志文件

# 需要添加的 ip6tables 命令列表
# 脚本将按顺序执行这些命令
IP6TABLES_COMMANDS = [
    "ip6tables -A FORWARD -i br0 -o ppp0 -j ACCEPT",
    "ip6tables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "ip6tables -I FORWARD -p tcp --dport 443 -d ::be24:11ff:fe16:ceb1/::ffff:ffff:ffff:ffff -j ACCEPT",
    "ip6tables -I FORWARD -p udp --dport 8090 -d ::86a9:3eff:fe70:7209/::ffff:ffff:ffff:ffff -j ACCEPT",
    "ip6tables -A FORWARD -j DROP" # 最后的默认拒绝规则
]

# --- 脚本主逻辑 ---

# 配置日志
logging.basicConfig(filename=LOG_FILE,
                    level=logging.INFO,
                    format='%(asctime)s - %(levelname)s - %(message)s',
                    datefmt='%Y-%m-%d %H:%M:%S')

def log_and_print(message, level=logging.INFO):
    """打印到控制台并记录日志"""
    print(message)
    if level == logging.INFO:
        logging.info(message)
    elif level == logging.ERROR:
        logging.error(message)

def run_telnet_session():
    """主函数,执行 Telnet 会话和命令"""
    try:
        log_and_print(f"正在连接到路由器 {ROUTER_IP}:{TELNET_PORT}...")
        tn = telnetlib.Telnet(ROUTER_IP, TELNET_PORT, timeout=15)

        # 1. 登录
        tn.read_until(b"Login:", timeout=5)
        tn.write(USERNAME.encode('ascii') + b"\n")
        
        tn.read_until(b"Password:", timeout=5)
        tn.write(PASSWORD.encode('ascii') + b"\n")
        
        # 等待登录成功后的命令提示符
        tn.read_until(PROMPT, timeout=5)
        log_and_print("登录成功。")

        # 2. 检查规则是否存在
        log_and_print("正在检查现有的 ip6tables FORWARD 规则...")
        check_command = "ip6tables -L FORWARD\n"
        tn.write(check_command.encode('ascii'))
        
        # 读取检查命令的输出
        output = tn.read_until(PROMPT, timeout=10).decode('ascii', errors='ignore')
        
        if "DROP" in output:
            # 如果输出中包含 "DROP",说明规则可能已存在
            log_and_print("检测到 'DROP' 规则,假定防火墙已配置。脚本将退出。")
        else:
            # 3. 如果规则不存在,则添加规则
            log_and_print("'DROP' 规则未找到,开始添加防火墙规则...")
            for cmd in IP6TABLES_COMMANDS:
                log_and_print(f"执行命令: {cmd}")
                tn.write(cmd.encode('ascii') + b"\n")
                # 等待命令执行完毕后返回的提示符
                tn.read_until(PROMPT, timeout=5)
                time.sleep(0.2) # 短暂等待,确保命令执行完成
            log_and_print("所有防火墙规则已添加。")
            
            # 4. 验证 (可选,但推荐)
            log_and_print("验证已添加的规则...")
            tn.write(b"ip6tables -L FORWARD --line-numbers\n")
            final_output = tn.read_until(PROMPT, timeout=10).decode('ascii', errors='ignore')
            log_and_print("--- 当前 FORWARD 链规则 ---\n" + final_output)
            log_and_print("----------------------------")

        # 5. 退出
        log_and_print("操作完成,正在退出 Telnet 会话。")
        tn.write(b"exit\n")
        tn.close()

    except Exception as e:
        log_and_print(f"发生错误: {e}", level=logging.ERROR)
        sys.exit(1) # 退出并返回错误码

if __name__ == "__main__":
    run_telnet_session()

注意警告:

1
2
apply_firewall_rules.py:2: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
  import telnetlib