Introduction to Using Linux ipset

Series articles
  1. Introduction to Linux Netfilter
  2. Linux iptables rules
  3. Introduction to using Linux ipset (current)
  4. Introduction to using Linux nftables

ipset is an extension of iptables: it lets the user create rules that match an entire set of addresses at once, and is normally used together with iptables. iptables, ebtables, arptables and similar tools are the user-space utilities for controlling Netfilter.

Installation

yum install ipset -y

Help

$ ipset --help
ipset v7.1

Usage: ipset [options] COMMAND

Commands:
create SETNAME TYPENAME [type-specific-options]
        Create a new set
add SETNAME ENTRY
        Add entry to the named set
del SETNAME ENTRY
        Delete entry from the named set
test SETNAME ENTRY
        Test entry in the named set
destroy [SETNAME]
        Destroy a named set or all sets
list [SETNAME]
        List the entries of a named set or all sets
save [SETNAME]
        Save the named set or all sets to stdout
restore
        Restore a saved state
flush [SETNAME]
        Flush a named set or all sets
rename FROM-SETNAME TO-SETNAME
        Rename two sets
swap FROM-SETNAME TO-SETNAME
        Swap the contect of two existing sets
help [TYPENAME]
        Print help, and settype specific help
version
        Print version information
quit
        Quit interactive mode

Usage

Create a set

ipset create <SETNAME> <TYPENAME> [<OPTIONS>]
  • SETNAME is the name of the set being created
  • TYPENAME is the set type, TYPENAME := method:datatype[,datatype[,datatype]]
    • method specifies how the entries of the set are stored; the supported methods are bitmap, hash, list
    • datatype specifies the format of each entry; the supported formats are ip, net, mac, port, iface

Add an entry

ipset add <SETNAME> <ADD-ENTRY> [<OPTIONS>]
  • The format of ADD-ENTRY must match the format given when the set was created

View

  • View the contents of a set
ipset list [<SETNAME>] [<OPTIONS>]
  • Check whether an entry is present in the given set
ipset test <SETNAME> <TEST-ENTRY> [<OPTIONS>]

Delete an entry

ipset del <SETNAME> <DEL-ENTRY> [<OPTIONS>]

Delete a set

ipset destroy <SETNAME>

Export

ipset save [<SETNAME>] > file

Import

ipset restore < file

Demo

$ ipset create bar hash:ip,port
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 88
References: 0
Number of entries: 0
Members:
$ ipset add bar 192.168.0.2,tcp:22
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 152
References: 0
Number of entries: 1
Members:
192.168.0.2,tcp:22
$ ipset list bar
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 152
References: 0
Number of entries: 1
Members:
192.168.0.2,tcp:22
$ ipset save > file
$ cat file
create bar hash:ip,port family inet hashsize 1024 maxelem 65536
add bar 192.168.0.2,tcp:22
$ ipset del bar 192.168.0.2,tcp:22
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 88
References: 0
Number of entries: 0
Members:
$ ipset destroy bar
$ ipset restore < file
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 152
References: 0
Number of entries: 1
Members:
192.168.0.2,tcp:22

Combining with iptables

Block a group of addresses

iptables -I INPUT -m set --match-set bar src -j DROP
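The rule above only keeps working if the set it references is refreshed without ever being emptied. As an added example (not from the original post), the script below builds an ipset restore stream into a temporary set, swaps it into the live set and installs the DROP rule once; the set names blocklist and blocklist_tmp and the sample networks are constructed for this example.

```shell
#!/bin/sh
# Added example: refresh a hash:net blocklist atomically with create/restore/
# swap/destroy, then hook it into INPUT with the match-set rule from the post.
SET_NAME="blocklist"            # assumed live set name
TMP_SET="${SET_NAME}_tmp"       # assumed staging set name

# Constructed sample input (documentation ranges): one network per line,
# '#' starts a comment, blank lines are ignored.
SAMPLE_NETS='
# placeholder networks, not real indicators
192.0.2.0/24
198.51.100.7
203.0.113.0/24   # trailing comment
'

# Emit the commands that "ipset restore" reads from stdin. The staging set is
# (re)created and flushed first so a leftover from a failed run cannot leak
# stale entries into the new list.
build_restore_script() {
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$TMP_SET"
    printf 'flush %s\n' "$TMP_SET"
    printf '%s\n' "$SAMPLE_NETS" | sed 's/#.*//; s/[[:space:]]//g' | grep -v '^$' \
        | while read -r net; do
            printf 'add %s %s\n' "$TMP_SET" "$net"
        done
}

# Load the staging set, then swap it with the live set. The live set is never
# empty during the update, so the DROP rule keeps matching throughout.
# "-exist" makes create/add tolerate a set or entry that is already there.
apply_blocklist() {
    ipset -exist create "$SET_NAME" hash:net family inet
    build_restore_script | ipset -exist restore
    ipset swap "$TMP_SET" "$SET_NAME"
    ipset destroy "$TMP_SET"
    # Add the DROP rule only if it is not already present (-C checks).
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Only touch the kernel when run as "sh script.sh apply" (needs root);
# without the argument the script just defines the functions above.
if [ "${1:-}" = "apply" ]; then
    apply_blocklist
fi
```

Run build_restore_script on its own to inspect the generated restore stream before applying it.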

OpenStack Neutron security groups

$ sudo iptables -nvL neutron-openvswi-i52241a87-c
Chain neutron-openvswi-i52241a87-c (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   168 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set NIPv46e28e3c1-6959-4dfb-99b1- src

This example shows the rule iptables gains when allowed_address_pairs are added to a port: traffic from source 0.0.0.0/0 to destination 0.0.0.0/0 whose source matches the ipset NIPv46e28e3c1-6959-4dfb-99b1- is let through (target: RETURN).
