1. First the basic iptables configuration rules, then ipset.
The examples below use CentOS 7 x86_64 as the test environment.
The default firewall on CentOS 7 is not iptables but firewalld.
If iptables is not installed yet, first stop and mask firewalld with the following commands:
systemctl stop firewalld
systemctl disable firewalld
systemctl mask firewalld
The above disables the original firewalld; now we install iptables. I won't go into why you would want iptables instead.
yum install iptables iptables-services -y
Set rules
# View the existing iptables rules
iptables -L -n
# First allow everything, or you may lock yourself out of the machine
iptables -P INPUT ACCEPT
# Flush all rules in the built-in chains
iptables -F
# Delete all user-defined chains
iptables -X
# Zero all counters
iptables -Z
# Allow packets from the lo interface (local access)
iptables -A INPUT -i lo -j ACCEPT
# Open port 22
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Open port 21 (FTP)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
# Open port 80 (HTTP)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Open port 443 (HTTPS)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping (ICMP echo request)
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
# Allow the return traffic of connections this host initiated; RELATED is there for FTP's data connection
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop all other inbound traffic
iptables -P INPUT DROP
# Allow all outbound traffic
iptables -P OUTPUT ACCEPT
# Drop all forwarded traffic
iptables -P FORWARD DROP
Other rule settings
# To trust an internal IP (accept all of its TCP requests)
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
# Drop every request not matched by the rules above
iptables -P INPUT DROP
# To block an IP, use this command (x.x.x.x stands for the address):
iptables -I INPUT -s x.x.x.x -j DROP
# To unblock that IP again, delete the same rule:
iptables -D INPUT -s x.x.x.x -j DROP
# Save the rules above
service iptables save
Start the iptables service
# Register the iptables service
# (equivalent to the old chkconfig iptables on)
systemctl enable iptables.service
# Start the service
systemctl start iptables.service
# Check its status
systemctl status iptables.service
2. Now we introduce ipset
ipset is an extension of iptables that lets you write rules matching a whole set of addresses. Unlike an ordinary iptables chain, where each rule matches a single IP, an IP set is stored in an indexed data structure, so lookups stay fast even when the set is large. Besides common uses such as blocking dangerous hosts from reaching the machine, which reduces system resource consumption and network congestion, ipset makes new firewall designs possible and simplifies configuration. Official website: http://ipset.netfilter.org/
Installing ipset
First install the dependencies
yum provides '*/applydeltarpm'
yum install deltarpm -y
yum install ipset -y
Create an ipset
ipset create xxx hash:net (hash:ip also works and holds single IPs; xxx is the set name)
An ipset holds 65,536 elements by default; use maxelem to set a different limit
ipset create blacklist hash:net maxelem 1000000 # blacklist
ipset create whitelist hash:net maxelem 1000000 # whitelist
View the ipsets you have created
ipset list
Add an IP to the blacklist you created
ipset add blacklist 192.168.4.175
Remove an IP from the blacklist
ipset del blacklist 192.168.4.175
Create a firewall rule so that every IP in the set is dropped, or cannot reach port 80 (usable, for example, against a CC attack)
iptables -I INPUT -m set --match-set blacklist src -p tcp -j DROP
iptables -I INPUT -m set --match-set whitelist src -p tcp -j ACCEPT
iptables -I INPUT -m set --match-set setname src -p tcp --destination-port 80 -j DROP
service iptables save
Save ipset rules to a file
ipset save blacklist -f blacklist.txt
ipset save whitelist -f whitelist.txt
Delete an ipset (this fails while an iptables rule still references the set; delete that rule first)
ipset destroy blacklist
ipset destroy whitelist
Import ipset rules
ipset restore -f blacklist.txt
ipset restore -f whitelist.txt
Note: one advantage of ipset is that a set can be modified dynamically: even while an iptables rule referencing the set is active, an IP newly added to the set takes effect immediately.
3. Application scenario
Example: a server is under a CC attack. After capturing packets, or by other means, you find a number of IPs that are the attack sources, so you need to block these IPs; adding them one at a time with iptables is tedious.
# Count the external IPs in TIME_WAIT and sort them by number of occurrences
netstat -ptan | grep TIME_WAIT | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -n -r
# Capture 100 packets with tcpdump, sort the IPs hitting local port 80 by count and show only the top 20; IPs with a large count may well be attack sources that we need to block
tcpdump -tnn dst port 80 -c 100 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n -r | head -20
# Create a setname.txt file and add these IPs in the following format (one line per IP; start the file with a "create setname hash:net" line if the set does not exist yet)
vim setname.txt
add setname xxx.xxx.xxx.xxx
# Import setname.txt into an ipset set
ipset restore -f setname.txt
# Check that the import succeeded (you should see a new ipset named setname whose members are those attacking IPs)
ipset list
# Create an iptables rule that blocks these IPs from reaching port 80 on the server, or simply block all access from them
iptables -I INPUT -m set --match-set setname src -p tcp --destination-port 80 -j DROP
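As an added example (not part of the original post), the shell function below generates setname.txt from the address list that the tcpdump/awk pipeline above prints, keeping only sources seen at least a threshold number of times; the set name, threshold and sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: turns a list of source addresses
# (as produced by the tcpdump/awk pipeline above) into a setname.txt that
# "ipset restore -f" accepts, keeping only addresses seen at least N times.
# Set name, threshold and every address below are hypothetical.

# Constructed sample input: one source per line, as the awk stage above prints
# it ("IP 203.0.113.7"); the leading "IP" token is tolerated and dropped.
SAMPLE_IPS='IP 203.0.113.7
IP 203.0.113.7
IP 203.0.113.7
IP 198.51.100.23
IP 203.0.113.7
IP 198.51.100.23
IP 192.0.2.44
IP 198.51.100.23
IP 203.0.113.7
IP 192.0.2.44'

# build_restore SETNAME THRESHOLD  (reads the address list on stdin)
# The create line comes first: without it, restore fails on a set that does
# not exist yet. If the set already exists, run "ipset -exist restore -f file".
build_restore() {
    setname="$1"
    threshold="$2"
    printf 'create %s hash:ip maxelem 1000000\n' "$setname"
    # keep only the address field, count hits per address, highest first,
    # then emit one "add" line per address that reached the threshold
    awk '{ print $NF }' | sort | uniq -c | sort -rn |
        awk -v set="$setname" -v min="$threshold" '
            $1 >= min && $2 ~ /^[0-9.]+$/ { printf "add %s %s\n", set, $2 }'
}

# Usage: write the file, show it, and print the two commands from the post
# that consume it (they need root and are deliberately not executed here).
OUT="${TMPDIR:-/tmp}/setname.txt"
printf '%s\n' "$SAMPLE_IPS" | build_restore setname 3 > "$OUT"
cat "$OUT"
echo "# then, as root:  ipset restore -f $OUT"
echo "# and:  iptables -I INPUT -m set --match-set setname src -p tcp --dport 80 -j DROP"
```

With the sample above and a threshold of 3, only 203.0.113.7 (5 hits) and 198.51.100.23 (3 hits) end up in the file; 192.0.2.44 (2 hits) is left out.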
Linux: setting up black and white lists with iptables and the ipset tool