ipset

[root@iii~]# ip
ip ip6tables-restore ipcmk ipmicmd iptables-1.4.7 iptables-save
ip6tables ip6tables-restore-1.4.7 ipcrm ipmilan iptables-multi iptables-save-1.4.7
ip6tables-1.4.7 ip6tables-save ipcs ipmish iptables-multi-1.4.7 iptables-xml
ip6tables-multi ip6tables-save-1.4.7 iperf ipmi_ui iptables-restore iptables-xml-1.4.7
ip6tables-multi-1.4.7 ipcalc ipmaddr iptables iptables-restore-1.4.7 iptunnel
[root@iii~]# yum search ipset
Loaded plugins: security
base | 3.7 kB 00:00
epel | 4.4 kB 00:00
epel/primary_db | 6.5 MB 00:01
extras | 3.4 kB 00:00
rpmforge | 1.9 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 2.7 MB 00:00
epel/pkgtags | 1.4 MB 00:00
====================================================================== N/S Matched: ipset =======================================================================
ipset-devel.i686 : Development files for ipset
ipset-devel.x86_64 : Development files for ipset
ipset.i686 : Manage Linux IP sets
ipset.x86_64 : Manage Linux IP sets
xorg-x11-drv-nouveau.x86_64 : Xorg X11 nouveau video driver for NVIDIA graphics chipsets
zd1211-firmware.noarch : Firmware for wireless devices based on zd1211 chipset

Name and summary matches only, use "search all" for everything.
[root@iii~]# yum install -y ipset
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ipset.x86_64 0:6.11-3.el6 will be installed
--> Processing Dependency: libmnl.so.0(LIBMNL_1.0)(64bit) for package: ipset-6.11-3.el6.x86_64
--> Processing Dependency: libmnl.so.0()(64bit) for package: ipset-6.11-3.el6.x86_64
--> Running transaction check
---> Package libmnl.x86_64 0:1.0.2-3.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================================================================================
Package Arch Version Repository Size
=================================================================================================================================================================
Installing:
ipset x86_64 6.11-3.el6 base 63 k
Installing for dependencies:
libmnl x86_64 1.0.2-3.el6 base 21 k

Transaction Summary
=================================================================================================================================================================
Install 2 Package(s)

Total download size: 84 k
Installed size: 210 k
Downloading Packages:
(1/2): ipset-6.11-3.el6.x86_64.rpm | 63 kB 00:00
(2/2): libmnl-1.0.2-3.el6.x86_64.rpm | 21 kB 00:00
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 538 kB/s | 84 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : libmnl-1.0.2-3.el6.x86_64 1/2
Installing : ipset-6.11-3.el6.x86_64 2/2
Verifying : ipset-6.11-3.el6.x86_64 1/2
Verifying : libmnl-1.0.2-3.el6.x86_64 2/2

Installed:
ipset.x86_64 0:6.11-3.el6

Dependency Installed:
libmnl.x86_64 0:1.0.2-3.el6

Complete!

 ================

 

[root@confluence ~]# ipset --help
ipset v6.11

Usage: ipset [options] COMMAND

Commands:
create SETNAME TYPENAME [type-specific-options]
Create a new set
add SETNAME ENTRY
Add entry to the named set
del SETNAME ENTRY
Delete entry from the named set
test SETNAME ENTRY
Test entry in the named set
destroy [SETNAME]
Destroy a named set or all sets
list [SETNAME]
List the entries of a named set or all sets
save [SETNAME]
Save the named set or all sets to stdout
restore
Restore a saved state
flush [SETNAME]
Flush a named set or all sets
rename FROM-SETNAME TO-SETNAME
Rename two sets
swap FROM-SETNAME TO-SETNAME
Swap the contect of two existing sets
help [TYPENAME]
Print help, and settype specific help
version
Print version information
quit
Quit interactive mode

Options:
-o plain|save|xml
Specify output mode for listing sets.
Default value for "list" command is mode "plain"
and for "save" command is mode "save".
-s
Print elements sorted (if supported by the set type).
-q
Suppress any notice or warning message.
-r
Try to resolve IP addresses in the output (slow!)
-!
Ignore errors when creating already created sets,
when adding already existing elements
or when deleting non-existing elements.
-n
When listing, list just setnames from kernel.

-t
When listing, list setnames and set headers
from kernel only.

Supported set types:
list:set
hash:ip,port,net
hash:ip,port,net
hash:ip,port,net
hash:ip,port,ip
hash:ip,port
hash:net,iface
hash:net,iface
hash:net,port
hash:net,port
hash:net,port
hash:net
hash:net
hash:net
hash:ip
bitmap:port
bitmap:ip,mac
bitmap:ip
[root@confluence ~]#

========================================

http://ipset.netfilter.org/install.html

Download and Install

In order to use IP sets, you need the following sources

  • For the new branch
  • For the old branch
You can download the source of ipset from git as well: git://git.netfilter.org/ipset.git

 

Please note, the ipset source supports kernels released by kernel.org. It may or may not work on distribution-specific kernel sources.

Read the ipset and iptables man pages before exploring the world of IP sets.

 

 

 

http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset

Advanced Firewall Configurations with ipset

Mar 19, 2012  By Henry Van Styn
 in

iptables is the user-space tool for configuring firewall rules in the Linux kernel. It is actually a part of the larger netfilter framework. Perhaps because iptables is the most visible part of the netfilter framework, the framework is commonly referred to collectively as iptables. iptables has been the Linux firewall solution since the 2.4 kernel.

ipset is an extension to iptables that allows you to create firewall rules that match entire "sets" of addresses at once. Unlike normal iptables chains, which are stored and traversed linearly, IP sets are stored in indexed data structures, making lookups very efficient, even when dealing with large sets.

Besides the obvious situations where you might imagine this would be useful, such as blocking long lists of "bad" hosts without worry of killing system resources or causing network congestion, IP sets also open up new ways of approaching certain aspects of firewall design and simplify many configuration scenarios.

In this article, after quickly discussing ipset's installation requirements, I spend a bit of time on iptables' core fundamentals and concepts. Then, I cover ipset usage and syntax and show how it integrates with iptables to accomplish various configurations. Finally, I provide some detailed and fairly advanced real-world examples of how ipsets can be used to solve all sorts of problems.

With significant performance gains and powerful extra features—like the ability to apply single firewall rules to entire groups of hosts and networks at once—ipset may be iptables' perfect match.

Because ipset is just an extension to iptables, this article is as much about iptables as it is about ipset, although the focus is those features relevant to understanding and using ipset.

Getting ipset

ipset is a simple package option in many distributions, and since plenty of other installation resources are available, I don't spend a whole lot of time on that here.

The important thing to understand is that like iptables, ipset consists of both a user-space tool and a kernel module, so you need both for it to work properly. You also need an "ipset-aware" iptables binary to be able to add rules that match against sets.

Start by simply doing a search for "ipset" in your distribution's package management tool. There is a good chance you'll be able to find an easy procedure to install ipset in a turn-key way. In Ubuntu (and probably Debian), install the ipset and xtables-addons-source packages. Then, run module-assistant auto-install xtables-addons, and ipset is ready to go in less than 30 seconds.

If your distro doesn't have built-in support, follow the manual installation procedure listed on the ipset home page (see Resources) to build from source and patch your kernel and iptables.

The versions used in this article are ipset v4.3 and iptables v1.4.9.

iptables Overview

In a nutshell, an iptables firewall configuration consists of a set of built-in "chains" (grouped into four "tables") that each comprise a list of "rules". For every packet, and at each stage of processing, the kernel consults the appropriate chain to determine the fate of the packet.

Chains are consulted in order, based on the "direction" of the packet (remote-to-local, remote-to-remote or local-to-remote) and its current "stage" of processing (before or after "routing"). See Figure 1.

Figure 1. iptables Built-in Chains Traversal Order

When consulting a chain, the packet is compared to each and every one of the chain's rules, in order, until it matches a rule. Once the first match is found, the action specified in the rule's target is taken. If the end of the chain is reached without finding a match, the action of the chain's default target, or policy, is taken.

A chain is nothing more than an ordered list of rules, and a rule is nothing more than a match/target combination. A simple example of a match is "TCP destination port 80". A simple example of a target is "accept the packet". Targets also can redirect to other user-defined chains, which provide a mechanism for the grouping and subdividing of rules, and cascading through multiple matches and chains to arrive finally at an action to be taken on the packet.

Every iptables command for defining rules, from the very short to the very long, is composed of three basic parts that specify the table/chain (and order), the match and the target (Figure 2).

Figure 2. Anatomy of an iptables Command

To configure all these options and create a complete firewall configuration, you run a series of iptables commands in a specific order.

iptables is incredibly powerful and extensible. Besides its many built-in features, iptables also provides an API for custom "match extensions" (modules for classifying packets) and "target extensions" (modules for what actions to take when packets match).

Enter ipset

ipset is a "match extension" for iptables. To use it, you create and populate uniquely named "sets" using the ipset command-line tool, and then separately reference those sets in the match specification of one or more iptables rules.

A set is simply a list of addresses stored efficiently for fast lookup.

Take the following normal iptables commands that would block inbound traffic from 1.1.1.1 and 2.2.2.2:


iptables -A INPUT -s 1.1.1.1 -j DROP
iptables -A INPUT -s 2.2.2.2 -j DROP

 

The match specification syntax -s 1.1.1.1 above means "match packets whose source address is 1.1.1.1". To block both 1.1.1.1 and 2.2.2.2, two separate iptables rules with two separate match specifications (one for 1.1.1.1 and one for 2.2.2.2) are defined above.

Alternatively, the following ipset/iptables commands achieve the same result:


ipset -N myset iphash
ipset -A myset 1.1.1.1
ipset -A myset 2.2.2.2
iptables -A INPUT -m set --set myset src -j DROP

 

The ipset commands above create a new set (myset of type iphash) with two addresses (1.1.1.1 and 2.2.2.2).

The iptables command then references the set with the match specification -m set --set myset src, which means "match packets whose source header matches (that is, is contained within) the set named myset".

The flag src means match on "source". The flag dst would match on "destination", and the flag src,dst would match on both source and destination.

In the second version above, only one iptables command is required, regardless of how many additional IP addresses are contained within the set. Although this example uses only two addresses, you could just as easily define 1,000 addresses, and the ipset-based config still would require only a single iptables rule, while the previous approach, without the benefit of ipset, would require 1,000 iptables rules.

Set Types

Each set is of a specific type, which defines what kind of values can be stored in it (IP addresses, networks, ports and so on) as well as how packets are matched (that is, what part of the packet should be checked and how it's compared to the set). Besides the most common set types, which check the IP address, additional set types are available that check the port, the IP address and port together, MAC address and IP address together and so on.

Each set type has its own rules for the type, range and distribution of values it can contain. Different set types also use different types of indexes and are optimized for different scenarios. The best/most efficient set type depends on the situation.

The most flexible set types are iphash, which stores lists of arbitrary IP addresses, and nethash, which stores lists of arbitrary networks (IP/mask) of varied sizes. Refer to the ipset man page for a listing and description of all the set types (there are 11 in total at the time of this writing).

The special set type setlist also is available, which allows grouping several sets together into one. This is required if you want to have a single set that contains both single IP addresses and networks, for example.

Advantages of ipset

Besides the performance gains, ipset also allows for more straightforward configurations in many scenarios.

If you want to define a firewall condition that would match everything but packets from 1.1.1.1 or 2.2.2.2 and continue processing in mychain, notice that the following does not work:


iptables -A INPUT -s ! 1.1.1.1 -g mychain
iptables -A INPUT -s ! 2.2.2.2 -g mychain

 

If a packet came in from 1.1.1.1, it would not match the first rule (because the source address is 1.1.1.1), but it would match the second rule (because the source address is not 2.2.2.2). If a packet came in from 2.2.2.2, it would match the first rule (because the source address is not 1.1.1.1). The rules cancel each other out—all packets will match, including 1.1.1.1 and 2.2.2.2.

Although there are other ways to construct the rules properly and achieve the desired result without ipset, none are as intuitive or straightforward:


ipset -N myset iphash
ipset -A myset 1.1.1.1
ipset -A myset 2.2.2.2
iptables -A INPUT -m set ! --set myset src -g mychain

 

In the above, if a packet came in from 1.1.1.1, it would not match the rule (because the source address 1.1.1.1 does match the set myset). If a packet came in from 2.2.2.2, it would not match the rule (because the source address 2.2.2.2 does match the set myset).

Although this is a simplistic example, it illustrates the fundamental benefit associated with fitting a complete condition in a single rule. In many ways, separate iptables rules are autonomous from each other, and it's not always straightforward, intuitive or optimal to get separate rules to coalesce into a single logical condition, especially when it involves mixing normal and inverted tests. ipset just makes life easier in these situations.

Another benefit of ipset is that sets can be manipulated independently of active iptables rules. Adding/changing/removing entries is a trivial matter because the information is simple and order is irrelevant. Editing a flat list doesn't require a whole lot of thought. In iptables, on the other hand, besides the fact that each rule is a significantly more complex object, the order of rules is of fundamental importance, so in-place rule modifications are much heavier and potentially error-prone operations.

Excluding WAN, VPN and Other Routed Networks from the NAT—the Right Way

Outbound NAT (SNAT or IP masquerade) allows hosts within a private LAN to access the Internet. An appropriate iptables NAT rule matches Internet-bound packets originating from the private LAN and replaces the source address with the address of the gateway itself (making the gateway appear to be the source host and hiding the private "real" hosts behind it).

NAT automatically tracks the active connections so it can forward return packets back to the correct internal host (by changing the destination from the address of the gateway back to the address of the original internal host).

Here is an example of a simple outbound NAT rule that does this, where 10.0.0.0/24 is the internal LAN:


iptables -t nat -A POSTROUTING \
         -s 10.0.0.0/24 -j MASQUERADE

 

This rule matches all packets coming from the internal LAN and masquerades them (that is, it applies "NAT" processing). This might be sufficient if the only route is to the Internet, where all through traffic is Internet traffic. If, however, there are routes to other private networks, such as with VPN or physical WAN links, you probably don't want that traffic masqueraded.

One simple way (partially) to overcome this limitation is to base the NAT rule on physical interfaces instead of network numbers (this is one of the most popular NAT rules given in on-line examples and tutorials):


iptables -t nat -A POSTROUTING \
         -o eth0 -j MASQUERADE

 

This rule assumes that eth0 is the external interface and matches all packets that leave on it. Unlike the previous rule, packets bound for other networks that route out through different interfaces won't match this rule (like with OpenVPN links).

Although many network connections may route through separate interfaces, it is not safe to assume that all will. A good example is KAME-based IPsec VPN connections (such as Openswan) that don't use virtual interfaces like other user-space VPNs (such as OpenVPN).

Another situation where the above interface match technique wouldn't work is if the outward facing ("external") interface is connected to an intermediate network with routes to other private networks in addition to a route to the Internet. It is entirely plausible for there to be routes to private networks that are several hops away and on the same path as the route to the Internet.

Designing firewall rules that rely on matching of physical interfaces can place artificial limits and dependencies on network topology, which makes a strong case for it to be avoided if it's not actually necessary.

As it turns out, this is another great application for ipset. Let's say that besides acting as the Internet gateway for the local private LAN (10.0.0.0/24), your box routes directly to four other private networks (10.30.30.0/24, 10.40.40.0/24, 192.168.4.0/23 and 172.22.0.0/22). Run the following commands:


ipset -N routed_nets nethash
ipset -A routed_nets 10.30.30.0/24
ipset -A routed_nets 10.40.40.0/24
ipset -A routed_nets 192.168.4.0/23
ipset -A routed_nets 172.22.0.0/22
iptables -t nat -A POSTROUTING \
         -s 10.0.0.0/24 \
         -m set ! --set routed_nets dst \
         -j MASQUERADE

 

As you can see, ipset makes it easy to zero in on exactly what you want matched and what you don't. This rule would masquerade all traffic passing through the box from your internal LAN (10.0.0.0/24) except those packets bound for any of the networks in your routed_nets set, preserving normal direct IP routing to those networks. Because this configuration is based purely on network addresses, you don't have to worry about the types of connections in place (type of VPNs, number of hops and so on), nor do you have to worry about physical interfaces and topologies.

This is how it should be. Because this is a pure layer-3 (network layer) implementation, the underlying classifications required to achieve it should be pure layer-3 as well.

Limiting Certain PCs to Have Access Only to Certain Public Hosts

Let's say the boss is concerned about certain employees playing on the Internet instead of working and asks you to limit their PCs' access to a specific set of sites they need to be able to get to for their work, but he doesn't want this to affect all PCs (such as his).

To limit three PCs (10.0.0.5, 10.0.0.6 and 10.0.0.7) to have outside access only to worksite1.com, worksite2.com and worksite3.com, run the following commands:


ipset -N limited_hosts iphash
ipset -A limited_hosts 10.0.0.5
ipset -A limited_hosts 10.0.0.6
ipset -A limited_hosts 10.0.0.7
ipset -N allowed_sites iphash
ipset -A allowed_sites worksite1.com
ipset -A allowed_sites worksite2.com
ipset -A allowed_sites worksite3.com
iptables -I FORWARD \
         -m set --set limited_hosts src \
         -m set ! --set allowed_sites dst \
         -j DROP

 

This example matches against two sets in a single rule. If the source matches limited_hosts and the destination does not match allowed_sites, the packet is dropped (because limited_hosts are allowed to communicate only with allowed_sites).

Note that because this rule is in the FORWARD chain, it won't affect communication to and from the firewall itself, nor will it affect internal traffic (because that traffic wouldn't even involve the firewall).

 

Blocking Access to Hosts for All but Certain PCs (Inverse Scenario)

Let's say the boss wants to block access to a set of sites across all hosts on the LAN except his PC and his assistant's PC. For variety, in this example, let's match the boss and assistant PCs by MAC address instead of IP. Let's say the MACs are 11:11:11:11:11:11 and 22:22:22:22:22:22, and the sites to be blocked for everyone else are badsite1.com, badsite2.com and badsite3.com.

In lieu of using a second ipset to match the MACs, let's utilize multiple iptables commands with the MARK target to mark packets for processing in subsequent rules in the same chain:


ipset -N blocked_sites iphash
ipset -A blocked_sites badsite1.com
ipset -A blocked_sites badsite2.com
ipset -A blocked_sites badsite3.com
iptables -I FORWARD -m mark --mark 0x187 -j DROP
iptables -I FORWARD \
         -m mark --mark 0x187 \
         -m mac --mac-source 11:11:11:11:11:11 \
         -j MARK --set-mark 0x0
iptables -I FORWARD \
         -m mark --mark 0x187 \
         -m mac --mac-source 22:22:22:22:22:22 \
         -j MARK --set-mark 0x0
iptables -I FORWARD \
         -m set --set blocked_sites dst \
         -j MARK --set-mark 0x187

 

As you can see, because you're not using ipset to do all the matching work as in the previous example, the commands are quite a bit more involved and complex. Because there are multiple iptables commands, it's necessary to recognize that their order is vitally important.

Notice that these rules are being added with the -I option (insert) instead of -A (append). When a rule is inserted, it is added to the top of the chain, pushing all the existing rules down. Because each of these rules is being inserted, the effective order is reversed, because as each rule is added, it is inserted above the previous one.

The last iptables command above actually becomes the first rule in the FORWARD chain. This rule matches all packets with a destination matching the blocked_sites ipset, and then marks those packets with 0x187 (an arbitrarily chosen hex number). The next two rules match only packets from the hosts to be excluded and that are already marked with 0x187. These two rules then set the marks on those packets to 0x0, which "clears" the 0x187 mark.

Finally, the last iptables rule (which is represented by the first iptables command above) drops all packets with the 0x187 mark. This should match all packets with destinations in the blocked_sites set except those packets coming from either of the excluded MACs, because the mark on those packets is cleared before the DROP rule is reached.

This is just one way to approach the problem. Other than using a second ipset, another way would be to utilize user-defined chains.

If you wanted to use a second ipset instead of the mark technique, you wouldn't be able to achieve the exact outcome as above, because ipset does not have a machash set type. There is a macipmap set type, however, but this requires matching on IP and MACs together, not on MAC alone as above.

Cautionary note: in most practical cases, this solution would not actually work for Web sites, because many of the hosts that might be candidates for the blocked_sites set (like Facebook, MySpace and so on) may have multiple IP addresses, and those IPs may change frequently. A general limitation of iptables/ipset is that hostnames should be specified only if they resolve to a single IP.

Also, hostname lookups happen only at the time the command is run, so if the IP address changes, the firewall rule will not be aware of the change and still will reference the old IP. For this reason, a better way to accomplish these types of Web access policies is with an HTTP proxy solution, such as Squid. That topic is obviously beyond the scope of this article.

Automatically Ban Hosts That Attempt to Access Invalid Services

ipset also provides a "target extension" to iptables that provides a mechanism for dynamically adding and removing set entries based on any iptables rule. Instead of having to add entries manually with the ipset command, you can have iptables add them for you on the fly.

For example, if a remote host tries to connect to port 25, but you aren't running an SMTP server, it probably is up to no good. To deny that host the opportunity to try anything else proactively, use the following rules:


ipset -N banned_hosts iphash
iptables -A INPUT \
         -p tcp --dport 25 \
         -j SET --add-set banned_hosts src
iptables -A INPUT \
         -m set --set banned_hosts src \
         -j DROP

 

If a packet arrives on port 25, say with source address 1.1.1.1, it instantly is added to banned_hosts, just as if this command were run:


ipset -A banned_hosts 1.1.1.1

 

All traffic from 1.1.1.1 is blocked from that moment forward because of the DROP rule.

Note that this also will ban hosts that try to run a port scan unless they somehow know to avoid port 25.

Clearing the Running Config

If you want to clear the ipset and iptables config (sets, rules, entries) and reset to a fresh open firewall state (useful at the top of a firewall script), run the following commands:


iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t filter -F
iptables -t raw -F
iptables -t nat -F
iptables -t mangle -F
ipset -F
ipset -X

 

Sets that are "in use", which means referenced by one or more iptables rules, cannot be destroyed (with ipset -X). So, in order to ensure a complete "reset" from any state, the iptables chains have to be flushed first (as illustrated above).

Conclusion

ipset adds many useful features and capabilities to the already very powerful netfilter/iptables suite. As described in this article, ipset not only provides new firewall configuration possibilities, but it also simplifies many setups that are difficult, awkward or less efficient to construct with iptables alone.

Any time you want to apply firewall rules to groups of hosts or addresses at once, you should be using ipset. As I showed in a few examples, you also can combine ipset with some of the more exotic iptables features, such as packet marking, to accomplish all sorts of designs and network policies.

The next time you're working on your firewall setup, consider adding ipset to the mix. I think you will be surprised at just how useful and flexible it can be.

Resources

Netfilter/iptables Project Home Page: http://www.netfilter.org

ipset Home Page: http://ipset.netfilter.org

 

 

http://blog.chinaunix.net/uid-21706718-id-3561951.html

 

iptables是在linux内核里配置防火墙规则的用户空间工具,它实际上是netfilter框架的一部分.可能因为iptables是netfilter框架里最常见的部分,所以这个框架通常被称为iptables,iptables是linux从2.4版本引入的防火墙解决方案.

ipset是iptables的扩展,它允许你创建 匹配整个地址sets(地址集合) 的规则。而不像普通的iptables链是线性的存储和过滤,ip集合存储在带索引的数据结构中,这种结构即时集合比较大也可以进行高效的查找.

除了一些常用的情况,比如阻止一些危险主机访问本机,从而减少系统资源占用或网络拥塞,IPsets也具备一些新防火墙设计方法,并简化了配置.

在本文中,在快速的讨论ipsets的安装要求后,我会花一点时间来介绍iptables的核心机制和基本概念.然后我会介绍ipset的使用方法和语法,并且演示ipset如何与iptables结合来完成各种不同的配置。最后,我会提供一些细节和较高级的例子来演示如何解决现实中的问题。

ipset比传统的iptables拥有显著的性能提升和扩展特性,比如将单个防火墙规则通过一次配置应用到整个主机所在的组和网络。

由于ipset只是iptables的扩展,所以也会对iptables进行描述。

在许多的linux发布中ipset是一个简单的安装包,大家可以通过自己的linux发行版提供的包管理工具进行安装。

需要理解的重点时,同iptables一样,ipset是由用户空间的工具和内核空间的模块两部分组成,所以你需要将这两部分都准备好。你也需要"ipset-aware"这个iptables 模块,这个模块用来增加 rules that match against sets。(……)

首先我们使用自己的linux发行版的包管理工具对ipset进行搜索。在ubuntu上安装需要安装ipset 和 xtables-addons-source 包,然后,运行module-assistant auto-install xtables-addons,等待大约30秒后ipset就可以使用了。

如果你的linux发行版没有被支持,那就需要根据ipset 首页中的安装步骤构建源码并对内核打补丁。

这篇文章中使用ipset v4.3 和 iptables v1.4.9。

iptables概述

简单来讲,iptables防火墙配置由规则链的集合组成,每一个链包含一个规则。一个数据包,在各个处理阶段,内核商量合适的规则来决定数据报的命运。

规则链按照顺序进行匹配,基于数据包的流向 (remote-to-local, remote-to-remote or local-to-remote)和当前所处的处理阶段(before or after "routing")。参考图1。

当需要匹配规则链时,数据包需要与链中的每个规则按照顺序进行比对,直道找到匹配的规则。一旦找到了匹配的规则,目标规则就会被调用。如果最后一个规则与数据包也不匹配,就会使用默认规则。
一个规则链就是许多规则按顺序排列组成,一个规则就是match/target 的组合。一个简单的match例子是“TCP 目标端口为80”。target的例子是“接受这个包”。target同样可以将数据包重定向到其他的用户自定义的链,用户自定义链提供了一些机制,包括组合和细分规则,将多个链级联来完成一个功能。
每一个用来定义规则的iptables命令,不管是用于简单的规则还是复杂的规则,都有三个基本的部分组成,包括指定table/chain (and order), match 和 target。

Figure 2. 解析iptables 命令
配置所有的这些选项,创建一个完整得防火墙,你需要按照特定的顺序运行一系列的iptables命令。
iptables非常强大并且可扩展。除了许多内部特性,iptables提供了扩展match和target的API。
ipset
ipset是iptables的match扩展。如果要使用它,需要使用ipset命令行工具创建一个集合并指定一个唯一的集和名,然后在iptables规则的match部分分别索引这些集合。
一个集合是一个方便有效快速查询的地址列表。
下面有两个常见的iptables命令,这两个命令阻止从1.1.1.1和2.2.2.2进入主机的数据包:
iptables -A INPUT -s 1.1.1.1 -j DROP
iptables -A INPUT -s 2.2.2.2 -j DROP
match 部分语法 -s 1.1.1.1 表示“匹配源地址是1.1.1.1的数据包”。
下面的ipset/iptables命令同样可以达到上面的目的:
ipset -N myset iphash
ipset -A myset 1.1.1.1
ipset -A myset 2.2.2.2
iptables -A INPUT -m set --set myset src -j DROP
上面的ipset命令创建了一个包含两个地址(1.1.1.1 and 2.2.2.2)的集合(myset of type iphash)。
然后iptables命令通过-m set --set myset src这个match选项使用这个集合,这个匹配规则的意思是“匹配源地址包含在集合myset中的数据包”
src 表示源地址,dst表示目标地址。如果同时使用 src 和 dst 表示既要匹配源地址又要匹配目的地址。
在第二个例子里,只需要一个iptables命令,不管集合里有多少ip地址需要添加。虽然这个例子里只使用了两个地址,但是你可以依据这个例子简单的定义1000个地址,并且仍然只需要一条iptables语句。而如果使用第一个例子的方法,不使用ipset,就需要1000条iptables规则。
Set Types
每一个集合都是特定类型的,它不但定义了什么类型的值可以储存在里面(IP addresses, networks, ports and so on),而且定义了如何匹配数据包(换言之,数据包的那一部分需要被检查和如何检查)。除了一些最通用的集合类型,比如检查ip地址,也提供了一些其他的集合类型,比如检查端口,地址和端口同时检查,mac地址和ip地址同时检查等。
每一种集合类型都有自己的规则,这些规则表示集合的类型,范围,它包含的值得分布。不同的集合类型使用不同的类型索引,并且在不同的情况下被优化。需要根据不同的现实情况选择集合类型。
最灵活的集合类型是iphash,它可以存储任意的ip地址和nethash(IP/mask)。请参考ipset的man手册来了解所有的集合类型。
setlist是一个特别的集合类型,它允许组织多个集合到一个集合里面。比如你需要一个单独的集合既包含ip地址又包含网络信息。
Advantages of ipset
除了性能优势,一些情况下ipset允许更直接的配置方法。
如果你想定义一个防火墙环境,该环境不会处理来自1.1.1.1和2.2.2.2的包,并且处理过程包含在mychain中,注意下面的方法是无效的:
iptables -A INPUT -s ! 1.1.1.1 -g mychain
iptables -A INPUT -s ! 2.2.2.2 -g mychain
如果数据包来自1.1.1.1,它匹配第一条规则失败,但是匹配第二条规则时会成功。如果数据包来自2.2.2.2,匹配第一个规则就会成功。
虽然有有一些其它的方法可以不适用ipset就能达到指定的要求,但是ipset是最直接了当的。
ipset -N myset iphash
ipset -A myset 1.1.1.1
ipset -A myset 2.2.2.2
iptables -A INPUT -m set ! --set myset src -g mychain
用上面的方法,如果数据包来自1.1.1.1,它不会匹配规则(because the source address 1.1.1.1 does match the set myset)。如果数据包来自2.2.2.2,它也不会匹配规则。
这只是一个简单的例子,它说明在一个规则里匹配完整条件的基本优点。其他方面,每个iptables规则与其它规则是独立的,并且将规则逻辑的连接起来是比较难的,特别当它包含混合了正常和反向测试时。ipset只是在这些情况下使配置变简单。
ipset的另一个优势是集合可以动态的修改,即使iptables的规则正在使用这个集合。添加/修改/删除接口使用很简单并且是顺序无关的。另一方面,在iptables里每一条规则都比较复杂,并且规则的顺序也是很重要的元素,所以修改内部规则很困难并且会存在潜在问题。

Excluding WAN, VPN and Other Routed Networks from the NAT—the Right Way

Outbound NAT (SNAT 或 IP 伪装)允许私有局域网内的主机访问internet.iptables NAT规则匹配私网内访问internat的包,并用网关地址替换包的源地址(使数据包看起来像是从网关发送的,从而隐藏网关后面的主机)。

NAT自动跟踪活动的连接,所以它能将返回的包发送给正确的内网主机(通过将数据包的目的地址修改为内部主机地址)。

下面是一个简单的outbound NAT规则,10.0.0.0/24是内部局域网:

iptables -t nat -A POSTROUTING \
         -s 10.0.0.0/24 -j MASQUERADE

该规则匹配所有来自内网的包,并对他们进行伪装。如果只有一个路由连接到internat这种方法是非常有效率的,通过该路有的所有流量都是公网的流量。然而,如果有连接到其它私有网络的路由存在,比如VPN或无力WAN连接,你可能就不会使用地址伪装。

克服这个限制的一个简单方法是基于物理接口建立NAT规则,而不是使用基于网络地址的方式。

iptables -t nat -A POSTROUTING \
         -o eth0 -j MASQUERADE

该规则假设eth0是外部接口,该规则会匹配所有离开这个接口的包。与前面的规则不同的是,其他内网的数据包通过其它接口访问公网时不会匹配这条规则(比如OpenVPN的连接)。

虽然许多连接是通过不同的接口路由,但并不能假设所有的链接都是这样。一个例子是基于KAME的IPsec VPN连接(比如 Openswan)就不是使用虚拟接口。

不适用上面的接口匹配技术的另一种情况是如果向外的接口(连接到Internet的接口)连接 路由到其他私有网络的中间网络,而不是连接到Internet。

通过匹配物理接口来设计的防火墙规则可以使用在一些人为限制方面,并且依赖网络拓扑。

后来发现,ipset还有另一个应用。假设有一个本地LAN (10.0.0.0/24)需要连接到internet,除此之外还有三个本地网络(10.30.30.0/24, 10.40.40.0/24, 192.168.4.0/23 和 172.22.0.0/22),执行下面的命令:


ipset -N routed_nets nethash
ipset -A routed_nets 10.30.30.0/24
ipset -A routed_nets 10.40.40.0/24
ipset -A routed_nets 192.168.4.0/23
ipset -A routed_nets 172.22.0.0/22
iptables -t nat -A POSTROUTING \
         -s 10.0.0.0/24 \
         -m set ! --set routed_nets dst \
         -j MASQUERADE

如我们所见,ipset 简单的实现了精确匹配。该规则伪装所有来自(10.0.0.0/24)的数据包,而不处理其他在routed_nets集合中的网络的包。由于该配置完全基于网络地址,所以你完全不用担心其他特殊的网络连接(比如VPN),也不用担心物理接口和网络拓扑。

Limiting Certain PCs to Have Access Only to Certain Public Hosts

假设老板较关心员工上班时间上网问题,请你限制员工的PC只能访问指定的几个网站,但是不想所有的内部PC都受到限制。

限制3台PC (10.0.0.5, 10.0.0.6 and 10.0.0.7)只能访问worksite1.com,worksite2.com 和 worksite3.com。执行下面的命令:
ipset -N limited_hosts iphash
ipset -A limited_hosts 10.0.0.5
ipset -A limited_hosts 10.0.0.6
ipset -A limited_hosts 10.0.0.7
ipset -N allowed_sites iphash
ipset -A allowed_sites worksite1.com
ipset -A allowed_sites worksite2.com
ipset -A allowed_sites worksite3.com
iptables -I FORWARD \
         -m set --set limited_hosts src \
         -m set ! --set allowed_sites dst \
         -j DROP

该例子在一条规则里使用了两个集合。如果源地址匹配limited_hosts 目的地址不匹配allowed_sites,数据包就被丢弃。

注意该规则被添加到了FORWARD链,它不会影响防火墙主机自己的通信。

 Blocking Access to Hosts for All but Certain PCs (Inverse Scenario)

假设老板想阻止员工访问几个特定的网站,但是不阻止他自己的PC和他助理的PC。在这个例子里,我们可以匹配老板和助理的PC的MAC地址,而不是匹配IP地址。假设他们的MAC是11:11:11:11:11:11 和 22:22:22:22:22:22,需要组织员工访问的站点是badsite1.com, badsite2.com 和 badsite3.com.

这次我们不使用第二个集合匹配MAC地址,而是使用多个iptables命令,利用MARK target标记数据包,而利用后面的规则处理被标记的数据包。

ipset -N blocked_sites iphash
ipset -A blocked_sites badsite1.com
ipset -A blocked_sites badsite2.com
ipset -A blocked_sites badsite3.com
iptables -I FORWARD -m mark --mark 0x187 -j DROP
iptables -I FORWARD \
         -m mark --mark 0x187 \
         -m mac --mac-source 11:11:11:11:11:11 \
         -j MARK --set-mark 0x0
iptables -I FORWARD \
         -m mark --mark 0x187 \
         -m mac --mac-source 22:22:22:22:22:22 \
         -j MARK --set-mark 0x0
iptables -I FORWARD \
         -m set --set blocked_sites dst \
         -j MARK --set-mark 0x187

上面的例子,由于没有使用ipset完成所有的匹配工作,所以使用的命令比较多,而且比较复杂。由于用到了多个iptables命令,所以各个命令的顺序是非常重要的。

注意这些规则是使用—I (insert)选项而不是使用-A (append)选项。当一个规则被插入,他会被添加的链的顶端,而以前的规则自动下移。因为每一格规则都是被插入德,所以实际的有效顺序是相反的。

最后一个iptables命令实际在FORWARD链的顶端。该规则匹配所有目的地址与blocked_sites集合相匹配的数据包,然后将这些数据标记为0x187.下面的两个规则匹配来自特定MAC地址并且已经标记为0x187的数据包,然后将他们标记为0。

最后,最后的iptables规则丢弃所有的被标记为0x187的数据包。除了来源是两个特定MAC地址的数据包,他将会匹配所有的目标地址在blocked_sites集合里的数据包。

这是解决问题的一种方法。还有一些其他方法,除了使用第二个ipset集合的方法,还可以使用用户自定义链等。

使用第二个ipset集合代替标记的方法是不可能完成上面的要求的,因为ipset没有machash集合类型,只有集合类型,但是他要求同时匹配IP和MAC,而不是只匹配MAC地址。

警告:在大多数实际环境里,这个方法可能不可行,应为大部分你需要屏蔽的网站他们的主机都有多个ip地址(比如 Facebook, MySpace 等等),而且这些ip会频繁的更换。iptables/ipset的一个限制是主机名只有被解析为单个ip地址时才能使用。

而且,主机名lookup只有在命令执行时发生,所以如果ip地址改变了,防火墙是不会意识到的,而是仍然使用以前的ip地址。基于这个原因,一个完成Web访问限制的更好的方法是使用HTTP代理,比如Squid。

Automatically Ban Hosts That Attempt to Access Invalid Services

ipset为iptables提供了目标扩展功能,它提供了一种向集合动态添加和删除目标的机制。不必手动使用ipset命令添加目标,而是在运行时通过iptables自动添加。

比如,如果远程主机尝试连接端口25,但是你并没有运行SMTP服务,我们怀疑对方不怀好意,所以我们在对方还没有干什么坏事前就组织他的其他尝试,使用下面的规则:

ipset -N banned_hosts iphash
iptables -A INPUT \
         -p tcp --dport 25 \
         -j SET --add-set banned_hosts src
iptables -A INPUT \
         -m set --set banned_hosts src \
         -j DROP

如果从端口25接收到数据包,假设来源地址是1.1.1.1,那么该地址马上就被添加到banned_hosts集合,和下面的例子等效:

ipset -A banned_hosts 1.1.1.1

所有的1.1.1.1的连接都会被阻塞。

他同样会阻止其他主机对本设备进行端口扫描,除非他不扫描25号端口。
Clearing the Running Config

如果你想清除ipset和iptables的配置,将防火墙reset,运行下面的命令:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t filter -F
iptables -t raw -F
iptables -t nat -F
iptables -t mangle -F
ipset -F
ipset -X

如果集合正在被使用,意味着其它的iptables规则正在引用该集合,就不能对集合进行销毁(ipset -X),所以为了在任何状态下都完成reset,iptables链必须首先清除。

Conclusion

ipset为netfilter/iptables在增加了很多有用的特性和功能,正如本篇文章描述的 ,ipset不仅提供了新的防火墙配制的可能性,而且他减少了之前只使用iptables来配置防火墙的困难。

任何时候,如果你想将防火墙规则应用到一个组,你应该使用ipset。正如前面的例子,你可以通过将ipset与iptables的其它特性相结合,来完成各种各样的网络配置和策略。

下一次你再进行防火墙配置时,考虑使用ipset。我相信你会被他的可用性和灵活性震惊。
Resources

Netfilter/iptables Project Home Page: http://www.netfilter.org

ipset Home Page: http://ipset.netfilter.org 

原文地址:http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset?page=0,0

初次翻译,可能有不太通顺的地方,同学们可以参考原文。

 
 
https://wiki.archlinux.org/index.php/Ipset

ipset is a companion application for the iptables Linux firewall. It allows you to setup rules to quickly and easily block a set of IP addresses, among other things.

Installation

Install ipset from the official repositories.

Configuration

Blocking a list of addresses

Start by creating a new "set" of network addresses. This creates a new "hash" set of "net" network addresses named "myset".

# ipset create myset hash:net

Add any IP address that you'd like to block to the set.

# ipset add myset 14.144.0.0/12
# ipset add myset 27.8.0.0/13
# ipset add myset 58.16.0.0/15

Finally, configure iptables to block any address in that set. This command will add a rule to the top of the "INPUT" chain to "-m" match the set named "myset" from ipset (--match-set) when it's a "src" packet and "DROP", or block, it.

# iptables -I INPUT -m set --match-set myset src -j DROP

Making ipset persistent

ipset you have created is stored in memory and will be gone after reboot. To make the ipset persistent you have to do the followings:

First save the ipset to /etc/ipset.conf:

# ipset save > /etc/ipset.conf

Then enable ipset.service.

Blocking With PeerGuardian and Other Blocklists

The pg2ipset tool by the author of maeyanie.com, coupled with the ipset-update.sh script can be used with cron to automatically update various blocklists. Currently, by default country blocking, tor exit node blocking, and pg2 list blocking from Bluetack are implemented. Currently these tools aren't available in the AUR, but are easy enough to setup in a location of your choice.

These tools can be found at github: https://github.com/ilikenwf/pg2ipset

Other Commands

To view the sets:

# ipset list

To delete a set named "myset":

# ipset destroy myset

To delete all sets:

# ipset destroy

Please see the man page for ipset for further information.

 

posted @ 2015-04-13 10:24  陳聽溪  阅读(2399)  评论(0编辑  收藏  举报