Installation:
Official website: http://ipset.netfilter.org/install.html
The simplest method is to install with yum, but the packaged version is relatively old and lacks some of the module parameters used here, so it is not recommended:
yum install ipset -y
Compile and install:
1. Dependencies: yum install libmnl libmnl-devel kernel-devel libtool-devel -y
(Installation method for the new version: git clone git://git.netfilter.org/libmnl.git, then run ./autogen.sh)
=======================================================================================
Note: if you install only libmnl, the following error appears:
checking for libmnl... configure: error: Package requirements (libmnl >= 1) were not met:
No package 'libmnl' found
Consider adjusting the PKG_CONFIG_PATH environment variable if you
installed software in a non-standard prefix.
Alternatively, you may set the environment variables libmnl_CFLAGS
and libmnl_LIBS to avoid the need to call pkg-config.
See the pkg-config man page for more details.
========================================================================================
At compile time, /lib/modules/2.6.32-431.el6.x86_64/source may not be found.
On investigation, the symbolic link /lib/modules/2.6.32-431.el6.x86_64/build --> /usr/src/kernels/2.6.32-431.el6.x86_64 does not exist.
Workaround: recreate the symbolic link
ln -sb /usr/src/kernels/2.6.32-573.3.1.el6.x86_64 /lib/modules/2.6.32-431.el6.x86_64/build
========================================================================================
Error when running ./autogen.sh:
/usr/share/libtool/ cannot be found.
Workaround: install the libtool-devel package: yum install libtool-devel
========================================================================================
2. Compile and install ipset (Linux kernel source code, version >= 2.6.32)
wget -P /usr/local/src http://ipset.netfilter.org/ipset-6.26.tar.bz2
cd /usr/local/src && tar xf ipset-6.26.tar.bz2 && cd ipset-6.26
./autogen.sh
./configure --prefix=/usr/local/ipset
make
make modules
make install
make modules_install
Note: for Linux kernel source code (version >= 2.6.16 or >= 2.4.36)
Compile and install:
wget -P /usr/local/src http://ipset.netfilter.org/ipset-4.5.tar.bz2
cd /usr/local/src && tar xf ipset-4.5.tar.bz2 && cd ipset-4.5
make KERNEL_DIR=/lib/modules/$(uname -r)/build  # $(uname -r) is obtained with a shell command
make KERNEL_DIR=/lib/modules/$(uname -r)/build install
Common commands:
ipset list  # view the IP sets and their contents
ipset create dos hash:ip maxelem 1000000  # create an IP set named dos of type hash:ip holding at most 1000000 entries
ipset add dos x.x.x.x  # add an IP address to the IP set dos
ipset add dos x.x.x.x/24  # add a network segment to the IP set dos
ipset del dos x.x.x.x  # remove the specified IP address from the IP set dos
ipset save dos -f dos.txt  # save the contents of the IP set dos to the file dos.txt in the current directory
ipset destroy dos  # delete the IP set dos
ipset restore -f dos.txt  # import the IP set information saved in dos.txt back into ipset
For other commands, see ipset --help
iptables command reference:
iptables -I INPUT -m set --match-set dos src -p tcp --destination-port 80 -j DROP
# Deny addresses in the IP set dos access to port 80 on the server
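The restore command and the iptables rule above can be combined so that the blocklist is replaced in one step and the rule never matches against a half-loaded set. The shell script below is an added example, not part of the original article; the scratch set name dos-tmp, the MIN_PREFIX limit and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: generate an `ipset restore` file that replaces the contents
# of the set "dos" in one step. Set name, type and maxelem come from the page;
# "dos-tmp", MIN_PREFIX and the sample addresses are assumptions.
MIN_PREFIX=16   # hash:ip stores a CIDR as individual addresses, so cap its size

valid_entry() {   # accept a.b.c.d or a.b.c.d/len, reject everything else
    addr=${1%/*}
    case $1 in */*) len=${1#*/} ;; *) len=32 ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "${#len}" -le 2 ] && [ "$len" -ge "$MIN_PREFIX" ] && [ "$len" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

gen_restore() {   # stdin: one entry per line ('#' starts a comment)
    echo "create dos hash:ip maxelem 1000000 -exist"
    echo "create dos-tmp hash:ip maxelem 1000000 -exist"
    echo "flush dos-tmp"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | sort -u | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if valid_entry "$entry"; then
            echo "add dos-tmp $entry"
        else
            echo "skipped invalid entry: $entry" >&2
        fi
    done
    echo "swap dos-tmp dos"     # the iptables rule keeps matching "dos" throughout
    echo "destroy dos-tmp"      # dos-tmp now holds the previous contents
}

# Constructed sample blocklist (RFC 5737 documentation addresses plus bad lines).
sample_list() {
    printf '%s\n' '198.51.100.7' '203.0.113.0/24   # scanner range' \
        '198.51.100.7' '999.1.1.1' '192.0.2.1 extra' 'not-an-ip' '10.0.0.0/8'
}

# Redirect the output to a file, review it, then load it as root with:
#   ipset restore -f <file>
sample_list | gen_restore
```

Rejected lines are reported on stderr, so the generated file contains only validated add commands.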
This article is from the "Dolphin Watching" blog; please be sure to keep this source: http://swht1278.blog.51cto.com/7138082/1693933
Ipset-linux firewall extensions for restricted access to specified IP