Blocking access from a large number of IPs on Linux

The answer is yes.

ipset added support for exporting rules to a file and importing them from one in version 6.13:

[image: ipset_changelog]

The version shipped with CentOS 7 is newer than that and supports this feature:

[root@test ~]# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 
[root@test ~]# ipset -v
ipset v6.19, protocol version: 6

The version shipped with CentOS 6.5 is older than that:

[root@test ~]# cat /etc/redhat-release                                   
CentOS release 6.5 (Final)
[root@test ~]# ipset -v
ipset v6.11, protocol version: 6

Let's go through the procedure first.

Export the configuration to a file:

[root@test ~]# ipset save blocklist -f blocklist.txt
[root@test ~]# cat blocklist.txt 
create blocklist hash:net family inet hashsize 1024 maxelem 65536
add blocklist 2.2.2.0/24
add blocklist 1.1.1.1

The import only works when the set does not already exist on the system. A set that is still referenced by a firewall rule cannot be destroyed, so that rule has to be removed first:

[root@test ~]# ipset destroy blocklist
ipset v6.19: Set cannot be destroyed: it is in use by a kernel component
[root@test ~]# firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -m set --match-set blocklist src -j DROP 
success
[root@test ~]# ipset destroy blocklist
[root@test ~]# ipset restore -f blocklist.txt
[root@test ~]# ipset list
Name: blocklist
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16848
References: 0
Members:
2.2.2.0/24
1.1.1.1

Having gone through the steps above, we can turn them into a script that updates the system's rules whenever the set file changes:

#!/bin/bash
#Author:Chris

Red='\033[31m\033[1m'
Green='\033[32m\033[1m'
Blue='\033[94m'
Null='\033[0m'
#----Configure Start----
bfile=blocklist.txt
ips=/usr/sbin/ipset
#----Configure End------
echo -e "${Green}This script will reload the ipset rule from ${bfile}${Null}"
if [ ! -x "$ips" ];then
	echo -e "${Red}ipset is not installed, installing...${Null}"
	yum install -y ipset > /dev/null 2>&1
	RETVAL=$?
	if [ $RETVAL != 0 ];then
		echo -e "${Red}Install failed, please check your network!${Null}"
		exit 1
	fi
fi
if [ ! -f "$bfile" ];then
	echo -e "${Red}Block file ${bfile} does not exist.${Null}"
	exit 1
fi
# "ipset v6.19, protocol version: 6" -> "6.19"; restore -f needs 6.13 or newer.
# sort -V compares version strings properly (bc would treat 6.9 as newer than 6.13).
ver=$("$ips" -v | awk -F 'v|,' '{print $2}')
if [ "$(printf '%s\n' 6.13 "$ver" | sort -V | head -n 1)" != "6.13" ];then
	echo -e "${Red}This ipset version does not support restore from file! At least 6.13 is required, current version is ${ver}${Null}"
	echo -e "${Red}Please visit${Null} ${Blue}http://ipset.netfilter.org/install.html${Null} ${Red}to download & install it.${Null}"
	exit 1
fi

# The set name is the second field of the "create" line. The format check is
# done here rather than inside a $(...) call, because "exit" inside a command
# substitution only leaves the subshell and would not stop the script.
Firstfield="$(awk 'NR==1{print $1}' "${bfile}")"
if [ "${Firstfield}" != "create" ];then
	echo -e "${Red}File format is wrong.${Null}"
	exit 1
fi
bname=$(head -1 "${bfile}" | awk '{print $2}')

# Print the numbers of the INPUT rules that reference the set, highest first,
# so that deleting them one by one does not shift the remaining numbers.
checkipt (){
	iptables -L INPUT -v -n --line-numbers | grep -w "match-set ${bname}" | awk '{print $1}' | sort -rn
}

for ipsid in $(checkipt);do
	echo -e "${Red}Detected iptables rule (num $ipsid), deleting it...${Null}"
	iptables -D INPUT "$ipsid"
done
if "$ips" list "$bname" > /dev/null 2>&1;then
	echo -e "${Red}Detected existing ipset, deleting it...${Null}"
	"$ips" destroy "$bname"
fi
echo -e "${Green}Importing ipset & adding iptables rule...${Null}"
# On CentOS 7 with firewalld, add the rule with firewall-cmd --direct instead (as
# shown above); a rule added with iptables directly is lost when firewalld reloads.
"$ips" restore -f "$bfile" && iptables -A INPUT -m set --match-set "$bname" src -j DROP
if [ $? = 0 ];then
	echo -e "${Green}Operation complete!${Null}"
else
	echo -e "${Red}Operation failed!${Null}"
fi

Result of running it:

When export/import is supported:

[image: ipset_run_cos7]

When it is not supported:

[image: ipset_run_cos6]

If it is not supported, you can download the source from the official site linked above and compile and install it; the process is quite simple, so it is not shown here. Then just change the path of the command in the script:

[image: ipset_run_cos6_ok]

Note: although the ipset shipped with RHEL 6.5/CentOS 6.5 does not support exporting and importing the configuration as a file, the OS developers have provided a workaround: an init script, through which the rules can also be exported and imported:

[root@test ~]# service ipset save
ipset: Saving IP sets to /etc/sysconfig/ipset:             [确定]
[root@test ~]# cat /etc/sysconfig/ipset
create blocklist hash:net family inet hashsize 1024 maxelem 65536
add blocklist 2.2.2.0/24
add blocklist 1.1.1.1

As you can see, the format is the same, so when there are changes you can overwrite this file with the new configuration and import it:

[root@test ~]# service ipset restart
ipset: Current ip*tables configuration requires ipset      [警告]
ipset: Current ip*tables configuration requires ipset      [警告]
ipset: Loading IP sets:                                    [确定]
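Both the script above and the init script have to get the set out of use before it can be destroyed and re-imported (the script deletes the iptables rule first; the init script warns that the current ip*tables configuration still requires the set), which leaves a short window with no blocking at all. As an added example that is not part of the original post, the following script instead loads the saved file into a temporary set and replaces the live set atomically with `ipset swap`, so the firewall rule stays in place throughout; the `_new` suffix, the set name and the sample file are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original post: replace a live ipset from a
# saved file via a temporary set and `ipset swap`, so the iptables/firewalld
# rule that references the set never has to be removed (no unprotected gap).
# Assumes ipset >= 6.13 (restore of save-format input) and awk; the names
# blocklist / blocklist_new and the sample file below are placeholders.

# Print the set name from a saved set file after validating its format:
# line 1 is "create <name> <type> ...", every other non-empty line is
# "add <name> <entry>" for that same name. Returns 1 if the file is malformed.
setfile_name() {
    awk 'NR == 1 { if ($1 != "create" || NF < 3) { bad = 1; exit }; name = $2; next }
         NF == 0 { next }
         $1 != "add" || $2 != name || NF < 3 { bad = 1; exit }
         END { if (bad || name == "") exit 1; print name }' "$1"
}

# Rewrite the create/add lines for set $1 so they target set $2 instead. Prints
# the rewritten file; everything else (type, hashsize, entries) is unchanged.
rename_setfile() {
    awk -v live="$1" -v tmp="$2" \
        '($1 == "create" || $1 == "add") && $2 == live { $2 = tmp } { print }' "$3"
}

# Load file $1 into a temporary set, then swap it with the live set atomically.
# Needs root and the ip_set kernel module; never touches the iptables rule.
reload_set() {
    file="$1"
    live=$(setfile_name "$file") || { echo "bad set file: $file" >&2; return 1; }
    tmp="${live}_new"
    ipset destroy "$tmp" 2>/dev/null               # leftover from an aborted run
    rename_setfile "$live" "$tmp" "$file" | ipset restore || return 1
    if ipset list "$live" >/dev/null 2>&1; then
        ipset swap "$tmp" "$live" || return 1      # atomic replacement of contents
        ipset destroy "$tmp"                       # now holds the old entries
    else
        ipset rename "$tmp" "$live"                # first load: nothing to swap
    fi
}

# Constructed sample in the save format shown on this page (not a real system).
SAMPLE_FILE=$(mktemp)
printf '%s\n' 'create blocklist hash:net family inet hashsize 1024 maxelem 65536' \
    'add blocklist 2.2.2.0/24' 'add blocklist 1.1.1.1' > "$SAMPLE_FILE"
```

Call `reload_set blocklist.txt` as root after each change to the file; a mismatched set type makes the swap fail and leaves the live set untouched.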
