zhangguanzhang's Blog

Linux 上 iptables ipset 白名单

ipset
字数统计: 493阅读时长: 2 min
2017/08/03

关于

Linux 上 ipset 和 iptables 配合做 ip 白名单

安装

1
2
3
4
5
6
7
8
9
# rpm 系列 os
yum install ipset ipset-service -y
sed -ri '/^IPSET_SAVE_ON_STOP=/s#no#yes#' /etc/sysconfig/ipset-config
systemctl enable --now ipset


# apt 系列 os
apt update && apt install -y ipset-persistent iptables-persistent

配置

1
2
3
# 黑白名单
ipset create blackiplist hash:net maxelem 1000000 
ipset create whiteiplist hash:net maxelem 1000000

rpm 系统

注意下面链的默认规则和接口,自行更改成实际情况

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.change.bak

cat > /etc/sysconfig/iptables << 'EOF'
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:BASE-RULE - [0:0]
-A INPUT -p icmp -j ACCEPT
# 防止本机访问外部的回包被 drop 掉
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 2222 -j ACCEPT
-A INPUT -j BASE-RULE
-A BASE-RULE -i ens160 -m set ! --match-set whiteiplist src  -j DROP
-A BASE-RULE -j RETURN
COMMIT
EOF

apt 系统

工作原理

apt 系统的规则都是存在 /etc/iptables/

1
2
3
4
5
$ ls -l /etc/iptables/
总用量 12
-rw-r----- 1 root root  236  8月 28 14:48 ipsets
-rw-r----- 1 root root 1760  8月 28 14:48 rules.v4
-rw-r----- 1 root root  378  8月 28 14:48 rules.v6

如果手动持久化,执行(有 docker 之类的机器上不推荐执行,直接写下一章节文件即可)

1
2
3
4
5
$ netfilter-persistent save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/10-ipset save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/15-ip4tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/25-ip6tables save
run-parts: executing /usr/share/netfilter-persistent/plugins.d/40-ipset save

添加白名单规则:

注意下面链的默认规则和接口,自行更改成实际情况

1
2
3
4
5
6
7
8
9
10
11
12
13
cat > /etc/iptables/rules.v4 << 'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BASE-RULE - [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j BASE-RULE
-A BASE-RULE -i vmbr0 -m set ! --match-set whiteiplist src -j DROP
-A BASE-RULE -j RETURN
COMMIT
EOF

测试

1
2
3
4
5
6
7
8
9
# rpm
systemctl enable iptables
# apt
systemctl enable netfilter-persistent.service

# 测试添加
ipset add whiteiplist xxx

reboot

原文作者:Zhangguanzhang

原文链接:http://zhangguanzhang.github.io/2017/08/03/iptables-whitelist/

发表日期:August 3rd 2017, 6:29:08 pm

更新日期:August 3rd 2017, 6:29:08 pm

版权声明:本文采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可

CATALOG
  1. 1. 关于
  2. 2. 安装
  3. 3. 配置
    1. 3.1. rpm 系统
    2. 3.2. apt 系统
      1. 3.2.1. 工作原理
      2. 3.2.2. 添加白名单规则:
  4. 4. 测试
Total : 188
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
linux 微信 diy 8266 总结 ipmi CLP k8s Mismatch Altium Designer ansible consul docker lnmp 安卓 Linux kernel prometheus exporter boot grub cad tcp golang centos6 chromedp chrony kubernetes cni-plugins mips64le kubeconfig swap dlv adguardhome dns Dockerfile e2fsck fsck keepavlied ecs xmrig etcd fio flannel ftp go mod go gobot esp8266 hello world host-gw mqtt 原创 jira confluence kube-controller-manager java springboot vip keepalived ConfigMap PodAffinity kylin arm64 Kylin audit fs nginx microsoft graph onedrive nodeport usb-net overlay kernal preseed Prometheus openstack cloud-init python containerd keepalive shell bash skopeo ssh kubelet systemd dockerhub gcr.io api ubuntu18 initrd tftp uos x86 openwrt zabbix zombie 正则 awk EmuELEC ingress N1 cobra hang cifs http lvs ipvsadm kube-proxy 63s timeout lamp nfc pm3 coredns openshift ocp squashfs timezone rpm rpmbuild segfault suse wireguard raid kubeadm operator exsi redhat8.4 vxlan veth panic supervisor pyinstaller ttf woff hostname qemu binfmt_misc loongarch64 externalIP cgo nfs ipset proxmox non-root containers vmware hung apparmor serviceAccountToken gpu nvidia cri-dockerd pprof trivy redis /etc/resolv.conf hostPort hotplug android headscale derper iptables inotifywait confd net
日志 心得 闲搞 ipmi kubernetes ansible kubelet Linux 心得 prometheus boot Auto cad boot golang kubeconfig grub linux centos6 容器 docker docker 容器 openstack boot vsftp go version panic gobot 闲聊 iptables admission kube-controller-manager keepalived k8s Prometheus Job k8s lua microsoft openwrt preseed Prometheus proxmox 总结 CI Kylin ubuntu18 pxe uos graph 运维 zombie 技巧 travis docker onedrive kickstart consul fstab http vxlan coredns node-cache golang kmem suse wireguard raid kubeadm LVM kickstart prometheus raid