Linux ipset 使用介绍-谢先斌的博客

Linux ipset 使用介绍

发布时间： 2015-04-19 更新时间： 2024-04-14 总字数：744 阅读时间：2m 作者：谢先斌 IP上海

ipset 是 iptalbes 的扩展，它允许用户创建匹配整个地址 sets 的规则，一般配合 iptables 使用，iptables、ebtables 和 arptables 等是在 用户空间 控制 Netfilter 的工具

安装

yum install ipset -y

help

$ ipset --help
ipset v7.1

Usage: ipset [options] COMMAND

Commands:
create SETNAME TYPENAME [type-specific-options]
        Create a new set
add SETNAME ENTRY
        Add entry to the named set
del SETNAME ENTRY
        Delete entry from the named set
test SETNAME ENTRY
        Test entry in the named set
destroy [SETNAME]
        Destroy a named set or all sets
list [SETNAME]
        List the entries of a named set or all sets
save [SETNAME]
        Save the named set or all sets to stdout
restore
        Restore a saved state
flush [SETNAME]
        Flush a named set or all sets
rename FROM-SETNAME TO-SETNAME
        Rename two sets
swap FROM-SETNAME TO-SETNAME
        Swap the contect of two existing sets
help [TYPENAME]
        Print help, and settype specific help
version
        Print version information
quit
        Quit interactive mode

使用

创建

ipset create <SETNAME> <TYPENAME> [<OPTIONS>]

SETNAME是新创建ipset的名称
TYPENAME是ipset的类型，TYPENAME := method:datatype[,datatype[,datatype]]
- method指定ipset中的entry存放的方式，支持的方式有：bitmap, hash, list
- datatype指定每个entry的格式，支持的格式有：ip, net, mac, port, iface

添加记录

ipset add <SETNAME> <ADD-ENTRY> [<OPTIONS>]

ADD-ENTRY 的格式必须与创建ipset时指定的格式匹配

查看

查看ipset的内容

ipset list [<SETNAME>] [<OPTIONS>]

检查目标entry是否在指定ipset中

ipset test <SETNAME> <TEST-ENTRY> [<OPTIONS>]

删除entry

ipset del <SETNAME> <DEL-ENTRY> [<OPTIONS>]

删除ipset

ipset destroy <SETNAME>

导出

ipset save [<SETNAME>] > file

导入

ipset restore < file

demo

$ ipset creat bar hash:ip,port
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 88
References: 0
Number of entries: 0
Members:
$ ipset add bar 192.168.0.2,tcp:22
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 152
References: 0
Number of entries: 1
Members:
192.168.0.2,tcp:22
$ ipset list bar
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 152
References: 0
Number of entries: 1
Members:
192.168.0.2,tcp:22
$ ipset save > file
$ cat file
create bar hash:ip,port family inet hashsize 1024 maxelem 65536
add bar 192.168.0.2,tcp:22
$ ipset del bar 192.168.0.2,tcp:22
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 88
References: 0
Number of entries: 0
Members:
$ ipset destroy bar
$ ipset restore < file
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 152
References: 0
Number of entries: 1
Members:
192.168.0.2,tcp:22

与 iptables 结合

屏蔽一组地址

iptables -I INPUT -m set --match-set bar src -j DROP

OpenStack Neutron 安全组

$ sudo iptables -nvL neutron-openvswi-i52241a87-c
Chain neutron-openvswi-i52241a87-c (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2   168 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set NIPv46e28e3c1-6959-4dfb-99b1- src

该示例是为 port 添加 allowed_address_pairs 后 iptables新增的规则，表示从 source: 0.0.0.0/0 到 destination: 0.0.0.0/0，并且匹配 ipset: NIPv46e28e3c1-6959-4dfb-99b1- 的流量都会被放行（target: RETURN）