Iptables ipset 使用经验

From 清冽之泉
Revision as of 14:25, 30 April 2026 by Mwroot (talk | contribs) (→‎活着)
Jump to navigation Jump to search

iptables 加上 ipset,对大批量地屏蔽恶意 ip,非常有用,本文总结一些有用的 ipset 命令。

查看靠前的链: iptables -L -n | head

白名单

ipset create mw_white hash:ip family inet hashsize 4096 maxelem 131072 -exist
iptables -I INPUT 1 -m set --match-set mw_white src -j ACCEPT
ipset list mw_white
ipset test mw_white 1.2.3.4
ipset add mw_white 1.2.3.4 -exist
ipset del mw_white 1.2.3.4

黑名单

ipset create mw_ban hash:ip family inet hashsize 4096 maxelem 131072 timeout 86400 -exist
iptables -I INPUT 2 -m set --match-set mw_ban src -j DROP
ipset list mw_ban
ipset test mw_ban 1.2.3.4
ipset add mw_ban 1.2.3.4 -exist
ipset add banhash 1.2.3.0/24
ipset del mw_ban 1.2.3.4

速率

活着

要想 ipset 活着,必须保证以下:

  1. 关机前 ipset 改后的规则已保存 ipset save > /etc/ipset.conf
  2. 关机前 iptables 改后的规则已保存 iptables-save > /etc/iptables/rules.v4
  3. 开机后 ipset 规则已恢复 ipset restore -exist < /etc/ipset.conf
  4. 开机后 iptables 规则已恢复 iptables-restore -exist < /etc/iptables/rules.v4

自动化

以下脚本未经完全测试,暂勿使用。

自动脚本: 因为 iptables-persistent 只管 iptables,不管 ipset,所以要建一个 ipset 的自动恢复脚本。 

# 放进 /etc/systemd/system/ipset-restore.service
[Unit]
Description=Restore IP sets
Before=netfilter-persistent.service

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset restore
StandardInput=file:/etc/ipset.conf
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

最后重启服务: 

systemctl daemon-reload
systemctl enable ipset-restore
Retrieved from "https://qingliezhiquan.com/index.php?title=Iptables_ipset_使用经验&oldid=10885"