A detailed guide to using ipset
1. What is ipset?
ipset maintains sets of IP addresses, networks, ports or MAC addresses inside the kernel. iptables can match a packet against a whole set with a single rule (the set match, -m set), so a blocklist of thousands of entries costs one rule and one hash lookup instead of thousands of rules that are walked one by one.
2. Installing ipset
yum install ipset -y
3. ipset commands and options
Commands:
create SETNAME TYPENAME [type-specific-options]
        Create a new set
add SETNAME ENTRY
        Add entry to the named set
del SETNAME ENTRY
        Delete entry from the named set
test SETNAME ENTRY
        Test entry in the named set
destroy [SETNAME]
        Destroy a named set or all sets
list [SETNAME]
        List the entries of a named set or all sets
save [SETNAME]
        Save the named set or all sets to stdout
restore
        Restore a saved state
flush [SETNAME]
        Flush a named set or all sets
rename FROM-SETNAME TO-SETNAME
        Rename a set
swap FROM-SETNAME TO-SETNAME
        Swap the content of two existing sets
help [TYPENAME]
        Print help, and settype specific help
version
        Print version information
quit
        Quit interactive mode

Options:
-o plain|save|xml
        Specify output mode for listing sets.
        Default value for "list" command is mode "plain"
        and for "save" command is mode "save".
-s
        Print elements sorted (if supported by the set type).
-q
        Suppress any notice or warning message.
-r
        Try to resolve IP addresses in the output (slow!)
-! (also written -exist)
        Ignore errors when creating or adding sets or
        elements that do exist or when deleting elements
        that don't exist.
-n
        When listing, just list setnames from the kernel.
-t
        When listing, list setnames and set headers
        from kernel only.
-f
        Read from the given file instead of standard
        input (restore) or write to given file instead
        of standard output (list/save).
4. Set types supported by ipset
The list below is the "Supported set types" part of the ipset help output. Each type is shown with its revisions, and each revision adds the feature named next to it; the revision a set actually gets depends on the kernel's ip_set modules and is shown in the Revision: line of ipset list.
Type               Rev  Feature added
list:set           3    skbinfo support
list:set           2    comment support
list:set           1    counters support
list:set           0    Initial revision
hash:mac           0    Initial revision
hash:net,iface     6    skbinfo support
hash:net,iface     5    forceadd support
hash:net,iface     4    comment support
hash:net,iface     3    counters support
hash:net,iface     2    /0 network support
hash:net,iface     1    nomatch flag support
hash:net,iface     0    Initial revision
hash:net,port      7    skbinfo support
hash:net,port      6    forceadd support
hash:net,port      5    comment support
hash:net,port      4    counters support
hash:net,port      3    nomatch flag support
hash:net,port      2    Add/del range support
hash:net,port      1    SCTP and UDPLITE support
hash:net,port,net  2    skbinfo support
hash:net,port,net  1    forceadd support
hash:net,port,net  0    Initial revision
hash:net,net       2    skbinfo support
hash:net,net       1    forceadd support
hash:net,net       0    Initial revision
hash:net           6    skbinfo support
hash:net           5    forceadd support
hash:net           4    comment support
hash:net           3    counters support
hash:net           2    nomatch flag support
hash:net           1    Add/del range support
hash:net           0    Initial revision
hash:ip,port,net   7    skbinfo support
hash:ip,port,net   6    forceadd support
hash:ip,port,net   5    comment support
hash:ip,port,net   4    counters support
hash:ip,port,net   3    nomatch flag support
hash:ip,port,net   2    Add/del range support
hash:ip,port,net   1    SCTP and UDPLITE support
hash:ip,port,ip    5    skbinfo support
hash:ip,port,ip    4    forceadd support
hash:ip,port,ip    3    comment support
hash:ip,port,ip    2    counters support
hash:ip,port,ip    1    SCTP and UDPLITE support
hash:ip,mark       2    skbinfo support
hash:ip,mark       1    forceadd support
hash:ip,mark       0    Initial revision
hash:ip,port       5    skbinfo support
hash:ip,port       4    forceadd support
hash:ip,port       3    comment support
hash:ip,port       2    counters support
hash:ip,port       1    SCTP and UDPLITE support
hash:ip            4    skbinfo support
hash:ip            3    forceadd support
hash:ip            2    comment support
hash:ip            1    counters support
hash:ip            0    Initial revision
bitmap:port        3    skbinfo support
bitmap:port        2    comment support
bitmap:port        1    counters support
bitmap:port        0    Initial revision
bitmap:ip,mac      3    skbinfo support
bitmap:ip,mac      2    comment support
bitmap:ip,mac      1    counters support
bitmap:ip,mac      0    Initial revision
bitmap:ip          3    skbinfo support
bitmap:ip          2    comment support
bitmap:ip          1    counters support
bitmap:ip          0    Initial revision
net: a network in CIDR notation (a plain address is accepted too and stored as a /32)
ip: a single IP address
mac: a MAC address
port: a port number, optionally prefixed with a protocol as in tcp:22; without a prefix tcp is assumed
bitmap and list: fixed-size storage. A bitmap:* set covers a range fixed at creation time (at most 65536 entries, IPv4 only) and a lookup is a single bit test; list:set holds an ordered list of other sets and a lookup is tried against each of them in turn.
hash: a hash table. hashsize is the initial number of buckets and maxelem the hard limit on entries (defaults 1024 and 65536, both settable at create time); adds fail once maxelem is reached. hash:ip and hash:net are the usual choices for address blocklists.
5. Using ipset
1. Example: blocking an IP range
1. Create a new set (the long and the short form are equivalent)
ipset create myset hash:net
ipset -N myset hash:net
2. Add the addresses to be blocked to the set
ipset add myset 10.0.0.0/24 add a network
ipset add myset 10.0.0.0/24 timeout 3600 add a network that expires after 3600 seconds; this is only accepted if the set was created with the timeout option, otherwise the kernel rejects the entry with "Set cannot have timeout"
ipset -exist add myset 10.0.0.0/24 timeout 4800 update an entry that already exists (without -exist the second add fails with "Element cannot be added to the set: it's already added")
3. Reference the new set from an iptables rule
iptables -I INPUT -m set --match-set myset src -j DROP
src means the packet's source address is looked up in the set; for a hash:net set the lookup matches any network in the set that contains the address.
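The three steps above, worked into a reloadable script as an added example (this is not code from the original post). Instead of adding entries straight into the live set, it loads them into a staging set and swaps it in, so the rule never matches against a half-loaded list; it also shows the timeout, counters and comment options on a create line and the -exist flag that makes the create idempotent. The set names, the sample entries and the 3600 s lifetime are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not taken from the original post: load a blocklist into a
# hash:net set atomically and attach it to INPUT. The set names, the entries
# and the 3600 s lifetime are assumptions chosen for illustration.

SET_NAME="blocklist"       # hypothetical set referenced by the iptables rule
TMP_SET="${SET_NAME}_tmp"  # staging set that is swapped in once fully loaded

# Print an `ipset restore` script to stdout.
# Usage: build_restore NAME TMPNAME TIMEOUT ENTRY [ENTRY...]
# Both sets are created with `timeout`: a per-entry timeout on `add` is only
# accepted by the kernel when the set itself was created with timeout support.
# `swap` requires both sets to be of the same type and family, so they share
# one header; with -exist an existing set must also match this header.
build_restore() {
    name=$1; tmp=$2; ttl=$3; shift 3
    header="hash:net family inet hashsize 1024 maxelem 65536 timeout $ttl counters comment"
    printf 'create %s %s\n' "$name" "$header"
    printf 'create %s %s\n' "$tmp" "$header"
    # a staging set left behind by an interrupted run would keep stale entries
    printf 'flush %s\n' "$tmp"
    for entry in "$@"; do
        printf 'add %s %s timeout %s comment "source:feed"\n' "$tmp" "$entry" "$ttl"
    done
    # swap exchanges the contents of the two sets in one kernel operation, so
    # the rule keeps matching against $name and never sees a partial list
    printf 'swap %s %s\n' "$tmp" "$name"
    printf 'destroy %s\n' "$tmp"
}

# Feed the script to the kernel (needs root and the ip_set modules) and make
# sure exactly one DROP rule references the set. `-exist` lets the `create`
# lines succeed on every run; `iptables -C` checks whether the rule is already
# present so repeated runs do not stack copies of it.
apply_blocklist() {
    build_restore "$SET_NAME" "$TMP_SET" 3600 "$@" | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Example invocation (not executed here; the sample entries are constructed):
# apply_blocklist 10.0.0.0/24 192.0.2.7 198.51.100.0/28
```

Running build_restore on its own (without piping into ipset) is a cheap way to review what would be loaded, and the same script can be saved and fed to ipset restore -f at boot.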
2. Adding an entry to a set
ipset add myset 1.2.3.4
3. Deleting an entry from a set
ipset del myset 1.2.3.4
4. Persisting ipset
Sets live in kernel memory and are gone after a reboot. To keep them, write them to a file with save and read the file back with restore; the saved file is a sequence of create and add lines in the same syntax the command line accepts.
ipset save > /etc/ipset.conf
ipset save myset -f /etc/ipset_myset.txt
Import the saved sets
ipset restore -f /etc/ipset_myset.txt
Two points matter at boot: restore fails on a set that already exists unless -exist (-!) is given, and an iptables rule that references a set cannot be loaded until that set exists, so ipset restore has to run before iptables-restore.
5. Deleting sets
ipset destroy myset delete one set
ipset destroy delete all sets
A set that is still referenced by an iptables rule cannot be destroyed (ipset reports "Set cannot be destroyed: it is in use by a kernel component"); delete the rule first. flush empties a set without destroying it and works while the set is in use.
6. Other ipset options
1. timeout: lifetime of an entry in seconds. Given at create time it enables timeouts for the set and becomes the default for every add (a default of 0 means entries are permanent unless an add says otherwise); given on add it overrides the default for that entry. A set created without timeout cannot hold timed entries.
2. counters, packets, bytes: per-entry packet and byte counters, enabled with counters at create time. The packets and bytes values on an add set the initial counts; from then on the kernel increments them for every packet that matches the entry through an iptables set match.
ipset create myset hash:net counters
ipset add myset 1.2.3.4 packets 10 bytes 20
[root@test-gateway-55 ~]# ipset list
Name: myset
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536 counters
Size in memory: 16880
References: 0
Members:
1.2.3.4 packets 10 bytes 20
References: 0 shows that no iptables rule uses the set yet, which is why the counters still hold the values given on the add.
3. comment: a free-text note stored with each entry (enabled with comment at create time, then given as comment "text" on add). It is shown by ipset list and preserved by save and restore, which makes it the natural place to record the ticket or feed an entry came from.
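With counters and comments enabled, ipset list becomes a source of operational data: which blocklist entries are actually being hit, and why each one was added. The script below, an added example that is not from the original post, parses that listing; the listing it parses is constructed for illustration and on a live system would come from ipset list NAME.

```shell
#!/bin/sh
# Added example, not from the original post: read `ipset list` output for a
# set created with counters and comment, and report which members are
# actually matching traffic. The listing below is constructed for
# illustration; on a live system replace it with `ipset list NAME`.

SAMPLE_LIST='Name: blocklist
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 3600 counters comment
Size in memory: 1376
References: 1
Members:
10.0.0.0/24 timeout 3210 packets 0 bytes 0 comment "feed:scanners"
192.0.2.7 timeout 120 packets 42 bytes 3360 comment "ticket:1234"
198.51.100.0/28 timeout 3599 packets 7 bytes 588 comment "feed:c2"'

# Read a listing on stdin and print "PACKETS ENTRY COMMENT" for every member
# with a non-zero packet counter, busiest first. A member line has the form
# entry [timeout N] [packets N bytes N] [comment "..."]; ipset prints the
# comment after the counters, so parsing stops once the comment is collected
# (a comment may contain spaces, hence the inner loop).
hits_from_list() {
    awk '
        /^Members:/ { inmem = 1; next }
        inmem && NF {
            entry = $1; packets = 0; comment = "-"
            for (i = 2; i <= NF; i++) {
                if ($i == "packets") packets = $(i + 1) + 0
                if ($i == "comment") {
                    comment = $(i + 1)
                    for (j = i + 2; j <= NF; j++) comment = comment " " $j
                    break
                }
            }
            if (packets > 0) print packets, entry, comment
        }' | sort -rn
}

# Print the member with the highest packet count, or nothing if no member
# has matched yet; a quick way to confirm that a new blocklist is effective.
top_hit() {
    hits_from_list | head -n 1
}

# Example: printf '%s\n' "$SAMPLE_LIST" | hits_from_list
# On a live system: ipset list blocklist | top_hit
```

Counters are only updated by packets that reach a set match in an iptables rule, so an entry with packets 0 may simply sit in a set no rule references; check the References: line before concluding the entry is dormant.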
7. Combining ipset with iptables
1. Look up the destination address in a set
iptables -I INPUT -s 192.168.100.36 -m set --match-set bbb dst -j DROP
2. Look up the source address in a set
iptables -I INPUT -m set --match-set aaa src -d 192.168.100.36 -j DROP
3. Look up both source and destination in sets
iptables -I INPUT -m set --match-set aaa src -m set --match-set bbb dst -j DROP
The flag after the set name gives one src or dst per dimension of the set type, in the order of the type name: a hash:ip,port set needs two flags, for example src,dst to match the source address and the destination port. The rule fails to load if the named set does not exist, so sets must be created before the rules that reference them.
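The dependency between the two sections above (rules reference sets by name, and the persisted state from section 5.4 has to be restored in the right order) is easy to get wrong at boot. The following pre-flight check is an added example, not code from the original post: it extracts every --match-set name from an iptables rules file and confirms that the ipset save file creates it. Both files are constructed samples, and the paths in restore_firewall are assumptions for a RHEL/CentOS style host.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-flight check for the boot
# sequence. iptables-restore rejects a rule whose set does not exist yet
# ("Set NAME doesn't exist"), so sets must be restored before rules, and
# every set a rule names must be present in the saved ipset state. Both
# files below are constructed samples; the paths in restore_firewall are
# assumptions.

IPSET_SAVE='create aaa hash:ip family inet hashsize 1024 maxelem 65536
add aaa 10.1.1.5
create bbb hash:net family inet hashsize 1024 maxelem 65536
add bbb 192.168.100.0/24'

IPTABLES_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.100.36 -m set --match-set bbb dst -j DROP
-A INPUT -m set --match-set aaa src -d 192.168.100.36 -j DROP
-A INPUT -m set --match-set ccc src -m set --match-set bbb dst -j DROP
COMMIT'

# Print, one per line, every set name referenced by --match-set in the rules
# but not created in the ipset save file; exit status 1 if any is missing.
# Usage: missing_sets SAVE_TEXT RULES_TEXT
missing_sets() {
    defined=$(printf '%s\n' "$1" | awk '$1 == "create" { print $2 }')
    # a rule may carry several set matches, so -o yields one match per set
    referenced=$(printf '%s\n' "$2" | grep -o -- '--match-set [^ ]*' \
        | awk '{ print $2 }' | sort -u)
    missing=""
    for s in $referenced; do
        printf '%s\n' "$defined" | grep -qxF -- "$s" || missing="$missing $s"
    done
    for s in $missing; do printf '%s\n' "$s"; done
    [ -z "$missing" ]
}

# Boot-time restore in the only order that works: sets first, then rules,
# and only once the check passes. -exist keeps the create lines from failing
# when some sets already exist. File locations are assumptions.
restore_firewall() {
    missing_sets "$(cat /etc/ipset.conf)" "$(cat /etc/sysconfig/iptables)" || return 1
    ipset -exist restore -f /etc/ipset.conf
    iptables-restore < /etc/sysconfig/iptables
}

# Example: missing_sets "$IPSET_SAVE" "$IPTABLES_RULES"   # prints "ccc", exits 1
```

On the constructed samples the check reports ccc, which the third rule references but the save file never creates; that is exactly the rule iptables-restore would reject, and with iptables-restore the whole table fails to load, not just that rule.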