CentOS 7 中使用 ipset
1.禁用firewalld
# Stop firewalld now and keep it off after reboot, so it does not manage
# (and overwrite) the iptables rules installed in the later steps.
# 'disable --now' is stop + disable in one call.
systemctl disable --now firewalld
2.安装ipset
# Install the ipset userspace tool (non-interactive).
yum install -y ipset
3. 创建 ipset 集合
# Create the two sets the INPUT rules will reference. hash:ip stores single
# IPv4 addresses; both sets are empty until step 4 adds entries.
for set_name in blocklist whitelist; do
  ipset create "$set_name" hash:ip
done
4.控制ip
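# '#' starts a shell comment; a trailing '//...' is not a comment in the shell
# and is passed to ipset as an extra argument, which ipset rejects.
ipset add blocklist 172.16.200.143   # denied ip
# The address you administer from must be in the whitelist before step 6
# sets the DROP policy; otherwise no new session can reach the host.
ipset add whitelist 172.16.200.109   # allowed ip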
5. 保存 ipset 集合
# Dump every set (blocklist and whitelist) in the format 'ipset restore'
# reads back; the boot script in step 8 reloads this file, so its path
# must match the one configured there.
ipset save > Script/ipset.txt
6. 把 ipset 集合关联到 iptables 规则
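# Rule order matters: INPUT is evaluated top-down, first match wins.
#   1. loopback
#   2. packets belonging to connections this host already has -- this is
#      what keeps the current SSH session alive once the policy becomes DROP
#   3. blocklist -> DROP, 4. whitelist -> ACCEPT, then default policy DROP.
# '-I INPUT 2' relies on the loopback rule having just been inserted at 1.
# Before the last line, confirm the address you administer from is in the
# whitelist (step 4): a new connection from any other source is dropped.
# These commands touch IPv4 only; ip6tables is left as it was, so an IPv6
# path to the host (if any) is not covered by this policy.
iptables -I INPUT -i lo -j ACCEPT -m comment --comment "Allow Loopback traffic"
iptables -I INPUT 2 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow inbound traffic for established and related connections"
iptables -A INPUT -m set --match-set blocklist src -j DROP -m comment --comment "Reject from blocklist"
iptables -A INPUT -m set --match-set whitelist src -j ACCEPT -m comment --comment "Allow from whitelist"
iptables -P INPUT DROP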
7. 保存 iptables 规则
如果服务器重启了，上面的规则会被清空，所以要先把它们保存到文件，开机时再重新加载。
# Dump the current rules of all tables in iptables-restore format. The file
# captures whatever is loaded right now, so review 'iptables -S INPUT' first.
# The boot script in step 8 reloads this file.
iptables-save >Script/iptables
8. 设置开机时自动重新应用上述规则
# Create the boot script next to the saved rule files (its contents follow).
cd -- Script
vim -- use_ipset.sh
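#!/bin/bash
# Re-apply the saved ipset sets and iptables rules; meant to run from
# rc.local at boot, when both have been lost.
# Order matters: the sets are restored first because the saved INPUT rules
# reference blocklist/whitelist, and iptables-restore fails when a
# referenced set does not exist.

# Defined Color
Red='\033[31m\033[1m'
Green='\033[32m\033[1m'
Null='\033[0m'

# <----------------------------Configure Start--------------------------->
# Directory holding this script; the saved rule files are expected beside it.
BasePath=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# File written by 'iptables-save'.
iptconf=${BasePath}/iptables
# Set to 0 to skip restoring ipset (only valid if the rules reference no sets).
useipset=1
# File written by 'ipset save'; keep this path in sync with the save step.
ipsetconf=${BasePath}/ipset.txt
# <----------------------------Configure End---------------------------->

# Print an error in red to stderr and exit non-zero.
die() {
  printf '%b%s%b\n' "${Red}" "$*" "${Null}" >&2
  exit 1
}

if [ "${useipset}" -eq 1 ]; then
  [ -r "${ipsetconf}" ] || die "ipset file not found: ${ipsetconf}"
  # -exist lets the script be re-run on a live system without failing on
  # sets and entries that already exist.
  ipset -exist restore -f "${ipsetconf}" || die "ipset restore failed"
fi
[ -r "${iptconf}" ] || die "iptables file not found: ${iptconf}"
iptables-restore "${iptconf}" || die "iptables-restore failed"
# %b expands the escape sequences in the color variables, like echo -e.
printf '%bDone%b\n' "${Green}" "${Null}"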
注: iptables-restore -f 将保存的规则生效
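# Run the script at boot. Editing the file alone is not enough: the script
# must be executable, and on CentOS 7 /etc/rc.local (a link to
# /etc/rc.d/rc.local) is not executable by default, so rc-local.service
# would otherwise skip it silently.
chmod +x /root/Script/use_ipset.sh
# Same effect as opening /etc/rc.local in vim and appending the line.
printf '%s\n' /root/Script/use_ipset.sh >> /etc/rc.local
chmod +x /etc/rc.d/rc.local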