CentOS/RHEL: Install the ipset administration tool for IP sets and iptables
Date: 2020-01-09 10:34:16 Source: igfitidea
How do I install the ipset extension for Netfilter/iptables on Red Hat Enterprise Linux / CentOS Linux 6.x?
IP sets are a framework inside the Linux 2.4.x and 2.6.x kernels that is administered with the ipset utility.
Depending on its type, an IP set stores IP addresses, (TCP/UDP) port numbers, or IP addresses paired with MAC addresses in a structure (a hash or a bitmap) that makes matching a packet against the whole set take a constant, very small amount of time regardless of how many entries it holds.
If you want to
- store many IP addresses or port numbers and match against the whole collection with a single iptables rule;
- update the addresses or ports that a firewall rule applies to dynamically, without reloading iptables and without a performance penalty;
- express complex rulesets based on IP addresses and ports in one iptables rule and benefit from the lookup speed of IP sets, then ipset may be the proper tool for you.
Installation
First enable the EPEL repository (the ipset package itself ships in the RHEL channel, but its libmnl dependency comes from EPEL, as the sample output shows), then run the following yum command:
# yum install ipset
Sample output:
Loaded plugins: auto-update-debuginfo, protectbase, rhnplugin
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ipset.x86_64 0:6.11-1.el6 will be installed
--> Processing Dependency: libmnl.so.0(LIBMNL_1.0)(64bit) for package: ipset-6.11-1.el6.x86_64
--> Processing Dependency: libmnl.so.0()(64bit) for package: ipset-6.11-1.el6.x86_64
--> Running transaction check
---> Package libmnl.x86_64 0:1.0.3-4.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================
 Package          Arch          Version             Repository                 Size
===================================================================================
Installing:
 ipset            x86_64        6.11-1.el6          rhel-x86_64-server-6       61 k
Installing for dependencies:
 libmnl           x86_64        1.0.3-4.el6         epel                       22 k

Transaction Summary
===================================================================================
Install       2 Package(s)

Total download size: 82 k
Installed size: 46 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): ipset-6.11-1.el6.x86_64.rpm                           |  61 kB     00:00
(2/2): libmnl-1.0.3-4.el6.x86_64.rpm                         |  22 kB     00:00
----------------------------------------------------------------------------------
Total                                               172 kB/s |  82 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libmnl-1.0.3-4.el6.x86_64                                     1/2
  Installing : ipset-6.11-1.el6.x86_64                                       2/2
  Verifying  : libmnl-1.0.3-4.el6.x86_64                                     1/2
  Verifying  : ipset-6.11-1.el6.x86_64                                       2/2

Installed:
  ipset.x86_64 0:6.11-1.el6

Dependency Installed:
  libmnl.x86_64 0:1.0.3-4.el6

Complete!
Examples
Type the following commands (this is the older short-option command style):

## create an IP set called badips (-N) ##
## Uses a hash to store IP host addresses or network ##
## addresses. A zero-valued IP address cannot be stored ##
## in an iphash type of set. ##
ipset -N badips iphash

## add IP addresses to the set ##
ipset -A badips 192.54.1.2
ipset -A badips 203.54.1.2

## drop all packets whose source address is stored in the ipset called badips ##
iptables -A INPUT -m set --set badips src -j DROP
The recommended syntax (the ipset 6 command style) is as follows. Note that iptables now calls the option --match-set; the older --set spelling is still accepted but prints a deprecation warning:

# ipset create myblacklist hash:ip hashsize 4096
# iptables -A INPUT -m set --match-set myblacklist src -j DROP
Now you can add IP addresses to the set as follows, without touching the iptables rule:

# ipset add myblacklist 192.168.1.2
# ipset add myblacklist 192.54.1.1
# ipset add myblacklist 192.54.1.3
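The two examples above (the badips set and the myblacklist set) add entries by hand, one command at a time. The following script, added here as an illustration and not part of the original article, generalises that procedure: it validates a plain-text blocklist, emits an ipset restore script that loads hosts into a hash:ip set and ranges into a hash:net set, swaps the freshly built sets in atomically so the live sets are never half-filled while iptables is matching against them, and installs the DROP rules with --match-set only if they are not already present. The set name myblacklist is borrowed from the article; the _nets and _tmp suffixes, the blocklist contents and the file name blocklist.sh are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: turn a plain-text blocklist
# into an `ipset restore` script that refreshes live sets atomically, and hook
# the sets into iptables with --match-set. Assumptions: the set names are
# hypothetical, the blocklist is constructed inline, and the output is meant
# for ipset 6.x with the iptables "set" match (as installed above).
set -u
set -f   # a blocklist line such as "*" must never expand to file names

# Constructed sample blocklist (not real threat data): one entry per line,
# '#' starts a comment. The comments say what build_restore does with the line.
SAMPLE_BLOCKLIST='# constructed sample list
192.54.1.1
192.54.1.3
198.51.100.7/32       # a /32 is a host: stored in the hash:ip set without the prefix
203.0.113.0/24        # a real range goes into the hash:net set
0.0.0.0               # rejected: the zero address cannot be stored in hash:ip
10.0.0.256            # rejected: octet out of range
not-an-address        # rejected'

# is_ipv4 ADDR[/PREFIX]: succeed if ADDR is a dotted quad and PREFIX is 0-32.
# Variables are global because POSIX sh has no "local".
is_ipv4() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no '/' at all: a plain host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_restore SET: read a blocklist on stdin, write an `ipset restore`
# script on stdout. Hosts go to SET (hash:ip), ranges to SET_nets (hash:net).
# Entries are loaded into temporary sets which are then swapped with the live
# ones, so iptables never matches against a half-populated set.
# Caveat: `create ... -exist` only tolerates an existing set with identical
# parameters; a live set created with another hashsize makes restore fail.
build_restore() {
    name=$1
    for suffix in '' _tmp; do
        printf 'create %s%s hash:ip family inet hashsize 4096 -exist\n' "$name" "$suffix"
        printf 'create %s_nets%s hash:net family inet hashsize 1024 -exist\n' "$name" "$suffix"
    done
    printf 'flush %s_tmp\nflush %s_nets_tmp\n' "$name" "$name"
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}                     # drop the comment, keep the first word
        entry=${1:-}
        [ -n "$entry" ] || continue
        if ! is_ipv4 "$entry" || [ "${entry%%/*}" = 0.0.0.0 ]; then
            printf 'skipping invalid entry: %s\n' "$entry" >&2
            continue
        fi
        case "$entry" in
            */32) printf 'add %s_tmp %s\n' "$name" "${entry%/32}" ;;
            */*)  printf 'add %s_nets_tmp %s\n' "$name" "$entry" ;;
            *)    printf 'add %s_tmp %s\n' "$name" "$entry" ;;
        esac
    done
    printf 'swap %s_tmp %s\nswap %s_nets_tmp %s_nets\n' "$name" "$name" "$name" "$name"
    printf 'destroy %s_tmp\ndestroy %s_nets_tmp\n' "$name" "$name"
}

# apply_blocklist SET: load the script built from stdin into the kernel, then
# make sure INPUT drops packets whose source is in either set. `iptables -C`
# only exists from iptables 1.4.11, so the rule list is grepped instead to
# stay idempotent on older releases such as the one in the article.
apply_blocklist() {
    name=$1
    build_restore "$name" | ipset restore
    for s in "$name" "${name}_nets"; do
        iptables -S INPUT | grep -qF -- "--match-set $s src" \
            || iptables -I INPUT -m set --match-set "$s" src -j DROP
    done
}

# Hypothetical usage: `sh blocklist.sh show` prints the restore script for
# review; `sh blocklist.sh apply` needs root and a kernel with the ip_set modules.
case "${1:-}" in
    show)  printf '%s\n' "$SAMPLE_BLOCKLIST" | build_restore myblacklist ;;
    apply) printf '%s\n' "$SAMPLE_BLOCKLIST" | apply_blocklist myblacklist ;;
esac
```

Run it with the show argument first and read the generated restore script before applying anything. The script uses only POSIX sh so it runs on the stock shell of an EL6 host; in production the printf of the embedded sample would be replaced by reading the real blocklist file. Because -exist only tolerates a pre-existing set with identical parameters, change the hashsize values only when no live set of that name exists (or destroy it first).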
The ipset command has many more subcommands and options, for example list to show a set's contents, test to check whether an address is a member, and save/restore, which matter because sets live only in kernel memory and must be reloaded before the iptables rules that reference them.
See the man page for more details:
# man ipset