Managing IPs in bulk with ipset + iptables

Posted by ZhangShun Blog on November 11, 2018

1. Installation

yum -y install ipset        (RHEL/CentOS)

apt-get -y install ipset    (Debian/Ubuntu)

2. Create an ipset

ipset create whitelist hash:net

3. Add an address to the set

ipset add whitelist 1.1.1.1

ipset list    (shows the sets and their members)

4. Remove an address from the set

ipset del whitelist 1.1.1.1

5. Create firewall rules, used together with the firewall and KVM bridge

Block access to the host (INPUT chain):

iptables -A INPUT -i br1 -p tcp -m state --state NEW,ESTABLISHED --src 1.1.1.0/24 -j DROP

Block access to the virtual machines behind the bridge (FORWARD chain):

iptables -A FORWARD -i br1 -p tcp -m state --state NEW,ESTABLISHED --src 1.1.1.0/24 -j DROP

Allow the addresses in the ipset (inserted with -I so they are evaluated before the DROP rules above):

iptables -I INPUT -i br1 -p tcp -m set --match-set whitelist src -j ACCEPT

iptables -I FORWARD -i br1 -p tcp -m set --match-set whitelist src -j ACCEPT

The same match can also be used to block a whole set in bulk:

iptables -I INPUT -m set --match-set whitelist src -p tcp --destination-port 80 -j DROP
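As an added example (not code from the original post), here are steps 2 to 5 as one idempotent POSIX shell script. It assumes the set name whitelist, the bridge br1 and the sample range 1.1.1.0/24 from the post, an allowlist file with one entry per line, and DRY_RUN=1 to print the commands instead of executing them.

```shell
# Added example, not from the post: the post's ipset/iptables steps as an
# idempotent script. Assumed: set "whitelist", bridge br1, the post's sample
# range 1.1.1.0/24. DRY_RUN=1 prints commands instead of running them (real runs need root).
SET_NAME="${SET_NAME:-whitelist}"; BRIDGE="${BRIDGE:-br1}"
BLOCKED_NET="${BLOCKED_NET:-1.1.1.0/24}"; DRY_RUN="${DRY_RUN:-0}"

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Accept only an IPv4 dotted quad with an optional /0-32 prefix; anything else
# (a typo or stray text in the allowlist file) is rejected before it reaches ipset.
valid_entry() {
  case "$1" in */*) ip="${1%/*}"; prefix="${1#*/}" ;; *) ip="$1"; prefix=32 ;; esac
  printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  printf '%s\n' "$prefix" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$' || return 1
  for octet in $(printf '%s' "$ip" | tr . ' '); do [ "$octet" -le 255 ] || return 1; done
}

# Create the set only when missing (ipset create errors on an existing set), then
# load one entry per line from the file, skipping blanks and '#' comments.
load_set() {
  if [ "$DRY_RUN" = "1" ] || ! ipset list "$SET_NAME" >/dev/null 2>&1; then
    run ipset create "$SET_NAME" hash:net
  fi
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr -d ' \t')
    [ -z "$line" ] && continue
    if valid_entry "$line"; then run ipset -exist add "$SET_NAME" "$line"
    else echo "skipping invalid entry: $line" >&2; fi
  done < "$1"
}

# Add a rule only if iptables -C reports it absent, so re-runs do not stack duplicates.
rule_once() {  # usage: rule_once -A|-I CHAIN RULE...
  op=$1; chain=$2; shift 2
  if [ "$DRY_RUN" = "1" ] || ! iptables -C "$chain" "$@" 2>/dev/null; then
    run iptables "$op" "$chain" "$@"
  fi
}

# The post's policy: drop the blocked range on INPUT (host) and FORWARD (guests
# behind br1), then insert the allowlist ACCEPT above those drops.
apply_rules() {
  for chain in INPUT FORWARD; do
    rule_once -A "$chain" -i "$BRIDGE" -p tcp -m state --state NEW,ESTABLISHED --src "$BLOCKED_NET" -j DROP
    rule_once -I "$chain" -i "$BRIDGE" -p tcp -m set --match-set "$SET_NAME" src -j ACCEPT
  done
}

# usage: sh allowlist.sh apply /etc/ipset-allowlist.txt
if [ "${1:-}" = "apply" ]; then load_set "${2:?allowlist file}"; apply_rules; fi
```

Run it first with DRY_RUN=1 to review the exact ipset and iptables commands before applying them as root.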

6. Save the ipset to a file / restore the ipset from a file

ipset save whitelist -f ipset.conf

ipset restore -f /etc/ipset.conf

Restore the set before loading any iptables rules that reference it: a rule using --match-set fails to load if the named set does not exist yet.

7. Delete the ipset

ipset destroy whitelist