The answer is yes, it can.
ipset added support for saving rules to a file and restoring them from one in version 6.13.
The version shipped with CentOS 7 is newer than that and supports this feature:
[root@test ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@test ~]# ipset -v
ipset v6.19, protocol version: 6
The version shipped with CentOS 6.5 is older than that:
[root@test ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@test ~]# ipset -v
ipset v6.11, protocol version: 6
First, how to do it.
Save the configuration to a file:
[root@test ~]# ipset save blocklist -f blocklist.txt
[root@test ~]# cat blocklist.txt
create blocklist hash:net family inet hashsize 1024 maxelem 65536
add blocklist 2.2.2.0/24
add blocklist 1.1.1.1
Restoring only works when the set does not already exist on the system, and a set cannot be destroyed while an iptables rule still references it:
[root@test ~]# ipset destroy blocklist
ipset v6.19: Set cannot be destroyed: it is in use by a kernel component
[root@test ~]# firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -m set --match-set blocklist src -j DROP
success
[root@test ~]# ipset destroy blocklist
[root@test ~]# ipset restore -f blocklist.txt
[root@test ~]# ipset list
Name: blocklist
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16848
References: 0
Members:
2.2.2.0/24
1.1.1.1
Having walked through the steps above, we can turn them into a script that reloads the system's rules after the set file has been changed:
#!/bin/bash
#Author:Chris
Red='\033[31m\033[1m'
Green='\033[32m\033[1m'
Blue='\033[94m'
Null='\033[0m'
#----Configure Start----
bfile=blocklist.txt
ips=/usr/sbin/ipset
#----Configure End------

echo -e "${Green}This Script Will Reload ipset's Rule From ${bfile}${Null}"

# Install ipset if the binary is missing
if [ ! -x "$ips" ]; then
    echo -e "${Red}Detected ipset is not installed, beginning install...${Null}"
    yum install -y ipset > /dev/null 2>&1
    RETVAL=$?
    if [ $RETVAL != 0 ]; then
        echo -e "${Red}Install failed, please check your network!${Null}"
        exit 1
    fi
fi

if [ ! -f "$bfile" ]; then
    echo -e "${Red}blockfile ${bfile} does not exist.${Null}"
    exit 1
fi

# "ipset -v" prints e.g. "ipset v6.19, protocol version: 6"; take the number after the "v"
ver=$($ips -v | awk -F 'v|,' '{print $2}')
# Compare as version strings (sort -V), not as decimals: 6.9 is older than 6.13
if [ "$(printf '%s\n' "$ver" 6.13 | sort -V | head -1)" != "6.13" ]; then
    echo -e "${Red}ipset version does not support restore from file! At least 6.13 is required, current version is ${ver}${Null}"
    echo -e "${Red}Please visit${Null} ${Blue}http://ipset.netfilter.org/install.html${Null} ${Red}to download & install it.${Null}"
    exit 1
fi

# The set name comes from the "create" line at the top of the save file
Firstfield="$(awk 'NR==1{print $1}' "$bfile")"
if [ "$Firstfield" != "create" ]; then
    echo -e "${Red}File format is wrong.${Null}"
    exit 1
fi
bname=$(head -1 "$bfile" | awk '{print $2}')

# Remove every INPUT rule that references the set. Rule numbers shift after
# each deletion, so delete from the highest number down.
for ipsid in $(iptables -L INPUT -v -n --line-numbers | grep -w -- "match-set $bname" | awk '{print $1}' | sort -rn); do
    echo -e "${Red}Detected iptables rule (num $ipsid), deleting it...${Null}"
    iptables -D INPUT "$ipsid"
done

# Destroy the existing set, because restore refuses to overwrite an existing one
if $ips list "$bname" > /dev/null 2>&1; then
    echo -e "${Red}Detected ipset rule, deleting it...${Null}"
    $ips destroy "$bname"
fi

echo -e "${Green}Importing ipset & adding iptables rule...${Null}"
# Both the restore and the rule insertion must succeed for the operation to count as complete
$ips restore -f "$bfile" && iptables -A INPUT -m set --match-set "$bname" src -j DROP
if [ $? = 0 ]; then
    echo -e "${Green}Operation complete!${Null}"
else
    echo -e "${Red}Operation failed!${Null}"
fi
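The script above removes the iptables rule, destroys the set and recreates it, so for a short moment the DROP rule is absent. An alternative, added here as an example and not taken from the post or its author's script, loads the save file into a temporary set and exchanges it with the live one using `ipset swap`, so the rule that references the set never has to be removed. It assumes the save file starts with a `create <name>` line as shown above, that the name `<name>_tmp` is free, and that the new file declares the same set type and family as the live set (swap refuses otherwise, in which case the temporary set is dropped and the live set is left untouched).

```shell
#!/bin/bash
# Added example (not part of the original post): reload a set from an
# "ipset save" file without deleting the iptables rule that references it.
# Assumptions: first line is "create <name> ...", "<name>_tmp" is unused,
# and the file's set type/family match the live set (required by "ipset swap").

# Print the set name declared on the first "create" line of a save file.
set_name_from_file() {
    awk 'NR==1 && $1=="create" {print $2; exit}' "$1"
}

# Rewrite a save file so that it creates and fills <name>_tmp instead of <name>.
# Only the second field of "create"/"add" lines is changed; parameters and
# members stay exactly as saved.
rewrite_for_temp_set() {
    local name="$1"
    awk -v n="$name" '($1=="create" || $1=="add") && $2==n {$2=n"_tmp"} {print}' "$2"
}

# Return 0 only if every non-empty line is a create/add for the expected set,
# so a file that was edited by hand cannot smuggle in commands for other sets.
validate_save_file() {
    local name="$1" file="$2"
    awk -v n="$name" '
        BEGIN {bad=0}
        NF==0 {next}
        $1=="create" && $2==n {next}
        $1=="add" && $2==n {next}
        {bad=1; exit}
        END {exit bad}' "$file"
}

# Create the temporary set from the rewritten file, swap it with the live set,
# then destroy the temporary set (which now holds the old members).
# Needs root and a live ipset; the offline test does not call this function.
reload_set_atomically() {
    local file="$1" name tmp
    name="$(set_name_from_file "$file")"
    [ -n "$name" ] || { echo "no create line in $file" >&2; return 1; }
    validate_save_file "$name" "$file" || { echo "unexpected lines in $file" >&2; return 1; }
    tmp="${name}_tmp"
    ipset destroy "$tmp" 2>/dev/null || true      # clean up a leftover from a failed run
    rewrite_for_temp_set "$name" "$file" | ipset restore || return 1
    ipset swap "$tmp" "$name" || { ipset destroy "$tmp"; return 1; }
    ipset destroy "$tmp"
}

# Usage: ./reload.sh --apply blocklist.txt
if [ "$#" -eq 2 ] && [ "$1" = "--apply" ]; then
    reload_set_atomically "$2"
fi
```

Because `ipset swap` is a single kernel operation, traffic is matched against either the old members or the new ones at every instant; the swap simply fails if the temporary set has a different type or family, and the function reports that instead of leaving a half-loaded state behind.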
Execution results:
When saving/restoring the configuration to a file is supported:
When it is not supported:
If your version does not support it, you can download the source from the official site linked above and compile and install it (the process is quite simple, so it is not shown here), then just update the command path in the script's configuration section:
Note: although the ipset shipped with RHEL 6.5/CentOS 6.5 does not support saving and restoring the configuration to a file, the distribution's developers have provided a workaround in the form of an init script, which can also be used to save and load the rules:
[root@test ~]# service ipset save
ipset: Saving IP sets to /etc/sysconfig/ipset: [确定]
[root@test ~]# cat /etc/sysconfig/ipset
create blocklist hash:net family inet hashsize 1024 maxelem 65536
add blocklist 2.2.2.0/24
add blocklist 1.1.1.1
As you can see, the format is the same, so when the set changes you can copy the new configuration file over /etc/sysconfig/ipset and load it:
[root@test ~]# service ipset restart
ipset: Current ip*tables configuration requires ipset [警告]
ipset: Current ip*tables configuration requires ipset [警告]
ipset: Loading IP sets: [确定]