Introduction:
IP sets are a framework inside the Linux kernel, which can be administered by the ipset utility. Depending on the type, an IP set may store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way which ensures lightning speed when matching an entry against a set.
If you want to
- store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
- dynamically update iptables rules against IP addresses or ports without performance penalty;
- express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets
then ipset may be the proper tool for you.
IP sets were written by Jozsef Kadlecsik and are based on ippool by Joakim Axelsson, Patrick Schaaf and Martin Josefsson. Many thanks to them for their wonderful work!
Documentation: https://ipset.netfilter.org/
Installation:
Source install: (download from the official site: http://ipset.netfilter.org/install.html)
Usage:
① Create an ipset set:
② Add / delete an entry
③ Create the firewall rule
④ Back up the set (optional)
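The four steps above as one idempotent script (an added example written for this page, not the ipset project's code or the original post's commands). The set name "blocklist", the backup path and the addresses (RFC 5737 documentation ranges) are constructed for illustration. Steps 1 and 2 are written in "ipset restore" syntax, which is also exactly what "ipset save" emits in step 4, so the backup file and the initial definition are the same format:

```sh
#!/bin/sh
# Added example (not from the original post): create set, add entries,
# install the iptables rule, back the set up. Re-running it is safe.
set -eu

SET_NAME="blocklist"                          # assumed name
BACKUP_FILE="/etc/ipset.${SET_NAME}.conf"     # assumed path

# Steps 1 + 2 in "ipset restore" format: one "create" line, then "add" lines.
blocklist_restore_script() {
  cat <<EOF
create ${SET_NAME} hash:net family inet hashsize 1024 maxelem 65536
add ${SET_NAME} 203.0.113.0/24
add ${SET_NAME} 198.51.100.7
add ${SET_NAME} 192.0.2.10-192.0.2.20
EOF
}

# Step 3: the single iptables rule that matches the whole set.
blocklist_rule() {
  echo "INPUT -m set --match-set ${SET_NAME} src -j DROP"
}

apply_blocklist() {
  # -exist: creating an already existing set or adding an existing entry
  # is not an error, so the script can be re-run to refresh the set.
  blocklist_restore_script | ipset -exist restore
  # The set must exist before a rule references it, and it cannot be
  # destroyed while a rule still references it. "-C" checks for the rule
  # first so re-running does not stack duplicates.
  iptables -C $(blocklist_rule) 2>/dev/null || iptables -I $(blocklist_rule)
}

# Step 4: dump the set in restore format. After a reboot, run
# "ipset restore < file" before re-adding the iptables rule.
backup_blocklist() {
  ipset save "${SET_NAME}" > "${1:-$BACKUP_FILE}"
}

case "${1:-}" in
  apply)  apply_blocklist ;;
  backup) backup_blocklist "${2:-}" ;;
  *)      echo "usage: $0 apply|backup [file]" >&2 ;;
esac
```

Run "sh blocklist.sh apply" as root to create the set and install the rule, and "sh blocklist.sh backup" to write the restore file. Because entries are added to the set rather than to the rule chain, updating the blocklist later is just another "ipset add"/"ipset del" while the single iptables rule stays in place.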
Notes:
1) Adding entries to a hash:ip set
ipset add aa 1.1.1.1
ipset add aa 1.1.1.2-1.1.1.5
2) Adding entries to a hash:net set
ipset add bb 1.1.1.1-1.1.1.10
ipset add bb 10.0.0.0-10.255.255.255
ipset add bb 10.0.0.0/8
ipset add bb 1.1.1.1
3) Adding entries to a hash:ip,port set
ipset add cc 1.1.1.1,80
ipset add cc 1.1.1.2-1.1.1.4,8080 ## the protocol defaults to tcp; write e.g. 1.1.1.1,udp:53 for UDP
4) Adding entries to a hash:ip,port,net set
ipset add dd 1.1.1.1,80,1.1.1.2-1.1.1.4
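What the range syntax in the notes above turns into for each set type, as an added example (helper functions written for this page, not ipset's own code; the addresses are the ones used in the notes). A hash:ip set stores every address of a range as a separate element, so a range must fit under the set's maxelem (default 65536); a hash:ip,port set expands the address and port ranges independently; a hash:net set stores networks and splits a range into the minimal list of aligned CIDR blocks, which is what "ipset list bb" shows after "ipset add bb 1.1.1.1-1.1.1.10":

```sh
#!/bin/sh
# Added example (not from the original post): how ipset expands ranges
# for hash:ip, hash:ip,port and hash:net sets. Illustrative helpers only.

# Pack a dotted-quad IPv4 address into an integer (subshell keeps IFS local).
ip2int() {
  ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# hash:ip: a range of N addresses costs N elements.
range_size() {
  echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}

# hash:ip,port: element count is (addresses) x (ports).
# "$1" is "a-b" or a single address, "$2" is "p-q" or a single port.
ipport_count() {
  ip_lo=${1%-*}; ip_hi=${1#*-}
  port_lo=${2%-*}; port_hi=${2#*-}
  echo $(( $(range_size "$ip_lo" "$ip_hi") * (port_hi - port_lo + 1) ))
}

# hash:net: split a range into the aligned CIDR blocks that cover it.
range_to_cidrs() {
  start=$(ip2int "$1"); end=$(ip2int "$2")
  while [ "$start" -le "$end" ]; do
    prefix=32
    # Widen the block while it stays aligned on "start" and inside the range.
    while [ "$prefix" -gt 0 ]; do
      size=$(( 1 << (33 - prefix) ))      # size of the next wider block
      if [ $(( start & (size - 1) )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
        break
      fi
      prefix=$(( prefix - 1 ))
    done
    echo "$(int2ip "$start")/$prefix"
    start=$(( start + (1 << (32 - prefix)) ))
  done
}

range_to_cidrs 1.1.1.1 1.1.1.10        # 1.1.1.1/32 1.1.1.2/31 1.1.1.4/30 1.1.1.8/31 1.1.1.10/32
range_to_cidrs 10.0.0.0 10.255.255.255 # 10.0.0.0/8
range_size 1.1.1.2 1.1.1.5             # 4 elements in hash:ip
range_size 10.0.0.0 10.255.255.255     # 16777216: over the default maxelem, the hash:ip add fails
ipport_count 1.1.1.2-1.1.1.4 8080      # 3 elements in hash:ip,port
```

The practical consequence: large address ranges belong in a hash:net set (one /8 is a single element there), while hash:ip is for individual hosts; putting 10.0.0.0-10.255.255.255 into a hash:ip set would need 16777216 elements and is refused unless maxelem is raised.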