Syntax:
ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]
COMMANDS := { create | add | del | test | destroy | list | save | restore | flush | rename | swap | help | version | - }
OPTIONS := { -exist | -output { plain | save | xml } | -quiet | -resolve | -sorted | -name | -terse | -file filename }
ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]
ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
ipset destroy [ SETNAME ]
ipset list [ SETNAME ]
ipset save [ SETNAME ]
ipset restore
ipset flush [ SETNAME ]
ipset rename SETNAME-FROM SETNAME-TO
ipset swap SETNAME-FROM SETNAME-TO
ipset help [ TYPENAME ]
ipset version
TYPENAME := method:datatype[,datatype[,datatype]]
The methods currently used are bitmap and hash (list is the third method, used by list:set); the datatypes are ip, net, mac, port and iface. The bitmap and list types use fixed-size storage. The hash types use a hash to store the elements. In order to avoid clashes in the hash, a limited amount of chaining is used, and if that is exhausted, the hash size is doubled when entries are added by the ipset command. When entries are added by the SET target of iptables/ip6tables, the hash size is fixed and the set won't be doubled, even if the new entry cannot be added to the set.
General create and add operations:
timeout sets the lifetime of an entry; a value of 0 means the entry never expires. The timeout of an existing entry can be changed by re-adding it with -exist:
ipset create test hash:ip timeout 300
ipset add test 192.168.0.1 timeout 60
ipset -exist add test 192.168.0.1 timeout 600
counters, packets, bytes:
If packets and bytes are not given, the counters are initialized to 0 when the entry is added; otherwise the specified values are used:
ipset create foo hash:ip counters
ipset add foo 192.168.1.1 packets 42 bytes 1024
comment (extension):
All set types support comments; the comment is a free-text annotation attached to an entry, much like -m in git:
ipset create foo hash:ip comment
ipset add foo 192.168.1.1/24 comment "allow access to SMB share on \\fileserv\"
the above would appear as: "allow access to SMB share on \fileserv"
hashsize:
This create-time option (valid for all hash sets) sets the initial hash size; the default is 1024. The value must be a power of two; if it is not, the kernel rounds it up to the next power of two:
ipset create test hash:ip hashsize 1536
maxelem:
This create-time option (valid for all hash type sets) sets the maximum number of elements the set can hold; the default is 65535:
ipset create test hash:ip maxelem 2048
family (inet|inet6):
Used when creating any hash type set except hash:mac. It defines the protocol family of the IP addresses stored in the set. For the inet family, several entries can be added or deleted at once by giving a range or an IPv4 network in the IP address part of the entry:
ipaddr := { ip | fromaddr-toaddr | ip/cidr }
netaddr := { fromaddr-toaddr | ip/cidr }
Example:
ipset create test hash:ip family inet6
hash:ip:
This set type uses a hash to store IP host addresses (or network addresses, see netmask below); the zero address cannot be stored in a hash:ip set:
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ netmask cidr ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr (the IP address to add)
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ipaddr (the IP address to delete)
TEST-ENTRY := ipaddr
netmask cidr:
When the optional netmask parameter is given, network addresses are stored in the set instead of IP host addresses; cidr is 1-32 for IPv4 and 1-128 for IPv6. An IP address is in the set if the network address obtained by masking it with the netmask can be found in the set. Examples:
ipset create foo hash:ip netmask 30
ipset add foo 192.168.1.0/24
ipset test foo 192.168.1.2
nomatch:
The hash set types which can store net type of data (i.e. hash:net) support the optional nomatch option when adding entries. When matching elements in the set, entries marked as nomatch are skipped as if those were not added to the set, which makes possible to build up sets with exceptions. See the example at hash type hash:net below.
When elements are tested by ipset, the nomatch flags are taken into account. If one wants to test the existence of an element marked with nomatch in a set, then the flag must be specified too.
In short, nomatch is normally used together with hash:net to carve an exception out of a broader network entry: addresses covered by the nomatch entry are treated as not being in the set.
hash:net:
This type uses a hash to store IP network addresses of different sizes; a network address with zero prefix size cannot be stored in the set:
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr
TEST-ENTRY := netaddr
where netaddr := ip[/cidr]
Example:
ipset create foo hash:net
ipset add foo 192.168.0.0/24
ipset add foo 10.1.0.0/16
ipset add foo 192.168.0/24
ipset add foo 192.168.0/30 nomatch
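As an added illustration (not ipset's own code and not from the original notes), a small shell model of how "ipset test" answers for a hash:net set holding nomatch entries: the address is looked up under each prefix length stored in the set, most specific first, the first hit decides, and a hit on a nomatch entry counts as "not in set". The set contents are constructed from the hash:net example above, and the masking helper is the same operation the netmask create option applies.

```shell
#!/bin/sh
# Added illustration, not ipset's own code. The set below is constructed from the
# hash:net example in the notes (192.168.0/24 written out in full); 64-bit shell
# arithmetic is assumed. Each entry is "network/cidr" plus "match" or "nomatch".
FOO='192.168.0.0/24 match
10.1.0.0/16 match
192.168.0.0/30 nomatch'

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# Network part of address $1 under prefix length $2, as an integer. This is the
# same masking that the "netmask" create option applies before storing/looking up.
netaddr() {
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    echo $(( $(ip2int "$1") & mask ))
}

# Model of "ipset test foo $1": exit 0 when the address is in the set, 1 otherwise.
net_test() {
    addr=$1
    cidr=32
    while [ "$cidr" -ge 0 ]; do
        want=$(netaddr "$addr" "$cidr")
        # Look for an entry with exactly this prefix length and this network.
        hit=$(printf '%s\n' "$FOO" | while read -r net flag; do
            [ "${net#*/}" -eq "$cidr" ] || continue
            [ "$(netaddr "${net%/*}" "$cidr")" -eq "$want" ] || continue
            echo "$flag"; break
        done)
        case "$hit" in
            match)   return 0 ;;   # ordinary entry: address is in the set
            nomatch) return 1 ;;   # exception entry: treated as absent
        esac
        cidr=$((cidr - 1))
    done
    return 1
}

# 192.168.0.2 is reported "not in set" because 192.168.0.0/30 nomatch is more
# specific than 192.168.0.0/24, while 192.168.0.5 is still in the set.
for a in 192.168.0.2 192.168.0.5 10.1.7.7 172.16.0.1; do
    if net_test "$a"; then echo "$a in set"; else echo "$a not in set"; fi
done
```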
hash:net,net
The hash:net,net set type uses a hash to store pairs of IP network addresses of different sizes. Bear in mind that the first parameter takes precedence over the second: if a more specific first parameter exists with a suitable second parameter, a nomatch entry may well not take effect. Addresses with zero prefix size cannot be stored either.
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr,netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr,netaddr
TEST-ENTRY := netaddr,netaddr
where netaddr := ip[/cidr]
Example:
ipset create foo hash:net,net
ipset add foo 192.168.0.0/24,10.0.1.0/24
ipset add foo 10.1.0.0/16,10.255.0.0/24
ipset add foo 192.168.0/24,192.168.54.0-192.168.54.255
ipset add foo 192.168.0/30,192.168.64/30 nomatch
hash:ip,port
The hash:ip,port set type uses a hash to store IP address and port number pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used.
Examples:
ipset create foo hash:ip,port
ipset add foo 192.168.1.0/24,80-82
ipset add foo 192.168.1.1,udp:53
ipset add foo 192.168.1.1,vrrp:0
ipset test foo 192.168.1.1,80
Create a set
ipset create vader hash:ip
This command creates a set named vader, stored as a hash, whose members are IP addresses.
Add an iptables rule
iptables -I INPUT -m set --match-set vader src -j DROP
If the source address (src) belongs to the vader set, the packet is DROPped. Here vader works as a blacklist; to use a set as a whitelist instead, add a '!' in front of the match:
iptables -I INPUT -m set ! --match-set vader src -j DROP
hash:net,port
The hash:net,port set type uses a hash to store different sized IP network address and port pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size is not accepted either.
Examples:
ipset create foo hash:net,port
ipset add foo 192.168.0/24,25
ipset add foo 10.1.0.0/16,80
ipset test foo 192.168.0/24,25
hash:ip,port,ip
The hash:ip,port,ip set type uses a hash to store IP address, port number and a second IP address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used.
Examples:
ipset create foo hash:ip,port,ip
ipset add foo 192.168.1.1,80,10.0.0.1
ipset test foo 192.168.1.1,udp:53,10.0.0.1
hash:ip,port,net
The hash:ip,port,net set type uses a hash to store IP address, port number and IP network address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size cannot be stored either.
Examples:
ipset create foo hash:ip,port,net
ipset add foo 192.168.1,80,10.0.0/24
ipset add foo 192.168.2,25,10.1.0.0/16
ipset test foo 192.168.1,80,10.0.0/24
hash:ip,mark
The hash:ip,mark set type uses a hash to store IP address and packet mark pairs.
Examples:
ipset create foo hash:ip,mark
ipset add foo 192.168.1.0/24,555
ipset add foo 192.168.1.1,0x63
ipset add foo 192.168.1.1,111236
hash:net,port,net
The hash:net,port,net set type behaves similarly to hash:ip,port,net but accepts a cidr value for both the first and last parameter. Either subnet is permitted to be a /0 should you wish to match port between all destinations.
Examples:
ipset create foo hash:net,port,net
ipset add foo 192.168.1.0/24,0,10.0.0/24
ipset add foo 192.168.2.0/24,25,10.1.0.0/16
ipset test foo 192.168.1.1,80,10.0.0.1
hash:net,iface
The hash:net,iface set type uses a hash to store different sized IP network address and interface name pairs.
Examples:
ipset create foo hash:net,iface
ipset add foo 192.168.0/24,eth0
ipset add foo 10.1.0.0/16,eth1
ipset test foo 192.168.0/24,eth0
list:set
The list:set type uses a simple list in which you can store set names.
By the set match or SET target of netfilter you can test, add or delete entries in the sets added to the list:set type of set. The match will try to find a matching entry in the sets and the target will try to add an entry to the first set to which it can be added. The number of direction options of the match and target are important: sets which require more parameters than specified are skipped, while sets with equal or less parameters are checked, elements added/deleted. For example if a and b are list:set type of sets then in the command
iptables -m set --match-set a src,dst -j SET --add-set b src,dst
Open port 9200 to everyone with iptables:
[root@centos2 ~]# iptables -A INPUT -p tcp --dport 9200 -j ACCEPT
[root@centos2 ~]# iptables -A OUTPUT -p tcp --sport 9200 -j ACCEPT
Whitelist form: packets whose source address is not in the yoda set are dropped:
iptables -I INPUT -m set ! --match-set yoda src -j DROP
Create a new ipset
ipset create openapi hash:net
1. List the ipsets that already exist
ipset list
2. By default an ipset can hold 65536 elements; use maxelem to set a different limit
ipset create openapi hash:net maxelem 1000000
3. Add an IP address to the blacklist
ipset add openapi 180.156.238.246
4. Create the firewall rule; from now on the addresses in the openapi set cannot reach port 22
iptables -I INPUT -m set --match-set openapi src -p tcp --destination-port 22 -j DROP
service iptables save
5. Remove the address from the blacklist; it can reach port 22 again
ipset del openapi 180.156.238.246
6. Save the ipset to a file
ipset save openapi -f openapi.txt
7. Destroy the ipset
ipset destroy openapi
8. Restore the ipset from the saved file
ipset restore -f openapi.txt
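As an added example (not from the original notes), a shell function that turns a list of addresses into a restore script in the same command-per-line format that ipset save writes, and reloads the openapi set through a temporary set plus ipset swap, so the DROP rule from step 4 never matches against an empty set while the list is being replaced. The set name, the create options and the sample addresses are assumptions taken from the steps above or constructed; applying the output requires ipset and root.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumed: the live set is "openapi",
# created as hash:net maxelem 1000000 as in step 2 above, and ipset runs as root.

# Constructed sample input, one host or network per line; blank and '#' lines are ignored.
BLOCKLIST='# constructed sample blocklist
180.156.238.246
10.1.0.0/16
192.168.0.0/24'

# Print an "ipset restore" script: make sure the live set and a temporary set both
# exist ("-exist" keeps repeated runs from failing), fill the temporary one, then
# swap the two and drop the old contents. "swap" exchanges the sets atomically, so
# the iptables rule that references "openapi" keeps matching throughout the reload.
gen_restore() {
    live=$1
    tmp="${live}_tmp"
    printf 'create %s -exist hash:net maxelem 1000000\n' "$live"
    printf 'create %s -exist hash:net maxelem 1000000\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    printf '%s\n' "$BLOCKLIST" | while IFS= read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac
        printf 'add %s %s\n' "$tmp" "$entry"
    done
    printf 'swap %s %s\n' "$tmp" "$live"
    printf 'destroy %s\n' "$tmp"
}

# Number of "add" lines the script will feed to ipset; check it before applying,
# because an empty blocklist would otherwise silently empty the live set.
count_adds() {
    gen_restore "$1" | grep -c '^add '
}

# Apply with:  gen_restore openapi | ipset restore
# or write it to a file and load it like step 8 above:  ipset restore -f FILE
```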