What is ipset? ipset is an extension of iptables that lets you write rules matching an entire set of addresses. Whereas an ordinary iptables rule can only match a single IP, an ipset stores the collection of IPs in an indexed data structure, so lookups stay efficient even when the set is large. Besides common uses such as blocking dangerous hosts from reaching the machine (which reduces system resource consumption and network congestion), ipset makes new firewall designs possible and simplifies configuration. Official website: http://ipset.netfilter.org/
1. ipset installation
Yum installation:
yum install ipset
Source installation: download ipset-6.30.tar.bz2 from the official website, then:
yum -y install libmnl-devel libmnl
tar -jxvf ipset-6.30.tar.bz2 && cd ipset-6.30 && ./configure --prefix=/usr/local/ipset && make && make install
This completes the installation.
2. Create an ipset
ipset create allset hash:net
(hash:ip can be used instead; that type holds single IPs rather than networks.)
2.1 View the created ipsets:
ipset list
2.2 By default an ipset can store 65,536 elements; use maxelem to specify a different limit:
ipset create openapi hash:net maxelem 1000000
ipset list
3. Add a blacklisted IP
ipset add allset 145.201.56.109
4. Create the firewall rule; from this point on, the IPs in the allset set can no longer reach port 80 (useful, for example, against CC attacks)
iptables -I INPUT -m set --match-set allset src -p tcp --destination-port 80 -j DROP
service iptables save
5. Remove an IP from the blacklist; it can then access port 80 again
ipset del allset 145.201.56.109
6. Save the ipset rules to a file
ipset save allset -f allset.txt
7. Delete the ipset
ipset destroy allset
8. Import the ipset rules
ipset restore -f allset.txt
Note: 1. An advantage of ipset is that the set can be modified dynamically: even while the iptables rule that references the set is active, IPs newly added to the ipset take effect immediately.
Example explanation: a server is under a CC attack. After capturing packets, or by some other means, you find that a number of IPs are the attack sources and need to block them. Adding them one at a time with iptables is rather tedious.
# Count the foreign IPs of TIME_WAIT connections and sort them by how often each appears
netstat -ptan | grep TIME_WAIT | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -n -r
# tcpdump captures 100 packets, then the IPs accessing local port 80 are counted and only the top 20 are shown; these are the attack source IPs we want to block
tcpdump -tnn dst port 80 -c 100 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n -r | head -20
# Create a setname.txt file and add the IPs in the following format (one line per IP)
vim setname.txt
add setname xxx.xxx.xxx.xxx
# Import setname.txt into an ipset
ipset restore -f setname.txt
# Check that the import succeeded (on success you will see a new ipset named setname whose members are the attack IPs)
ipset list
# Create an iptables rule that stops these attack IPs from reaching port 80 on the server; alternatively, block all access from these IPs outright
iptables -I INPUT -m set --match-set setname src -p tcp --destination-port 80 -j DROP
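The procedure above (count the noisiest source IPs, write them to a restore file, import the set, add one DROP rule) as a small POSIX shell script. This is an added example, not code from the original post: the set name blocklist, the threshold of two connections, the temporary file and the netstat sample lines are all constructed. It also covers one detail the steps gloss over: ipset restore rejects add lines for a set that does not exist yet, so the generated file starts with a create line, and -exist on every line makes re-imports idempotent.

```shell
#!/bin/sh
# Added example (not from the original post): build an ipset restore file from
# the busiest TIME_WAIT peers and apply it with a single iptables rule.
# The set name, threshold, sample data and file name below are constructed.

# Print "count ip" for the foreign side of TIME_WAIT sockets, busiest first.
# Reads `netstat -ptan`-style lines on stdin; column 5 is the foreign address.
top_foreign_ips() {
    grep TIME_WAIT | awk '{print $5}' | awk -F: '{print $1}' \
        | sort | uniq -c | sort -n -r | awk '{print $1, $2}'
}

# Write an ipset restore file for SETNAME from IPv4 addresses on stdin.
# The leading `create` line matters: `ipset restore` fails on `add` lines for
# a set that does not exist; `-exist` keeps create and add idempotent on re-import.
build_restore_file() {
    setname=$1
    echo "create $setname hash:ip maxelem 1000000 -exist"
    grep -E '^[0-9]+(\.[0-9]+){3}$' | sort -u | while read -r ip; do
        echo "add $setname $ip -exist"
    done
}

# Import the restore file and insert the DROP rule only if it is not already
# present (`iptables -C` checks for the rule without changing anything).
apply_blocklist() {
    setname=$1
    file=$2
    ipset restore -f "$file" || return 1
    iptables -C INPUT -m set --match-set "$setname" src -p tcp --dport 80 -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$setname" src -p tcp --dport 80 -j DROP
}

# Constructed `netstat -ptan` excerpt (sample data, not from a real host).
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80     203.0.113.7:51234   TIME_WAIT   -
tcp        0      0 10.0.0.5:80     203.0.113.7:51235   TIME_WAIT   -
tcp        0      0 10.0.0.5:80     198.51.100.9:40001  TIME_WAIT   -
tcp        0      0 10.0.0.5:22     192.0.2.44:55000    ESTABLISHED 1234/sshd'

main_demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | top_foreign_ips
    restore_file=$(mktemp)
    # Only peers seen at least twice go into the set (constructed threshold).
    printf '%s\n' "$SAMPLE_NETSTAT" | top_foreign_ips | awk '$1 >= 2 {print $2}' \
        | build_restore_file blocklist > "$restore_file"
    cat "$restore_file"
    if command -v ipset >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        apply_blocklist blocklist "$restore_file"
    else
        echo "not applied: needs root and the ipset/iptables tools installed"
    fi
    rm -f "$restore_file"
}

main_demo
```

Because the rule references the set by name, re-running the script after the attacker's IPs change only rewrites the set; the iptables rule stays as it is, which is the dynamic-update property the note above describes.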
Blocking multiple IPs at once with iptables using the ipset tool