The answer is yes.
ipset gained support for saving rules to a file and restoring them from it in version 6.13:
The version shipped with CentOS 7 is newer than that and supports the feature:
[root@test ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@test ~]# ipset -v
ipset v6.19, protocol version: 6
The version shipped with CentOS 6.5 is older:
[root@test ~]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[root@test ~]# ipset -v
ipset v6.11, protocol version: 6
First, how to do it.
Save the set to a file:
[root@test ~]# ipset save blocklist -f blocklist.txt
[root@test ~]# cat blocklist.txt
create blocklist hash:net family inet hashsize 1024 maxelem 65536
add blocklist 2.2.2.0/24
add blocklist 1.1.1.1
Restoring only works when the set does not already exist on the system; as the output shows, a set that is still referenced by an iptables rule cannot be destroyed until that rule is removed:
[root@test ~]# ipset destroy blocklist
ipset v6.19: Set cannot be destroyed: it is in use by a kernel component
[root@test ~]# firewall-cmd --direct --remove-rule ipv4 filter INPUT 1 -m set --match-set blocklist src -j DROP
success
[root@test ~]# ipset destroy blocklist
[root@test ~]# ipset restore -f blocklist.txt
[root@test ~]# ipset list
Name: blocklist
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16848
References: 0
Members:
2.2.2.0/24
1.1.1.1
With the steps above worked out, we can write a script that reloads the system's rules whenever the set file changes:
#!/bin/bash
#Author:Chris
Red='\033[31m\033[1m'
Green='\033[32m\033[1m'
Blue='\033[94m'
Null='\033[0m'
#----Configure Start----
bfile=blocklist.txt
ips=/usr/sbin/ipset
#----Configure End------
echo -e "${Green}This script will reload ipset's rules from ${bfile}${Null}"
if [ ! -x "$ips" ];then
    echo -e "${Red}ipset is not installed, beginning install...${Null}"
    yum install -y ipset > /dev/null 2>&1
    RETVAL=$?
    if [ $RETVAL != 0 ];then
        echo -e "${Red}Install failed, please check your network!${Null}"
        exit 1
    fi
fi
if [ ! -f "$bfile" ];then
    echo -e "${Red}blockfile ${bfile} does not exist.${Null}"
    exit 1
fi
# "ipset -v" prints e.g. "ipset v6.19, protocol version: 6"; field 2 is the version.
ver=$($ips -v | awk -F 'v|,' '{print $2}')
# Compare as version strings (6.2 is newer than 6.13), not as decimals; save/restore -f needs >= 6.13.
if [ "$(printf '%s\n' 6.13 "$ver" | sort -V | head -n1)" != "6.13" ];then
    echo -e "${Red}This ipset version does not support restore from file! At least 6.13 is needed, current version is ${ver}${Null}"
    echo -e "${Red}Please visit${Null} ${Blue}http://ipset.netfilter.org/install.html${Null} ${Red}to download & install it.${Null}"
    exit 1
fi
# The set name is the second field of the "create" line that heads the dump.
# (Checked here rather than inside a $(...) substitution, where "exit" would only end the subshell.)
bname=$(awk 'NR==1 && $1=="create" {print $2}' "${bfile}")
if [ -z "${bname}" ];then
    echo -e "${Red}File format is wrong: first line must be \"create <name> ...\".${Null}"
    exit 1
fi
# Print the INPUT rule number(s) referencing the set, empty if none.
# Only INPUT is listed so the numbers are valid for "iptables -D INPUT".
checkipt (){
    iptables -L INPUT -v -n --line-numbers | grep -w "match-set ${bname}" | awk '{print $1}'
}
# Delete from the highest number down so the remaining numbers stay valid.
for ipsid in $(checkipt | sort -rn);do
    echo -e "${Red}Detected iptables rule (num $ipsid), deleting it...${Null}"
    iptables -D INPUT "$ipsid"
done
# The set can only be destroyed once no rule references it (see above).
if $ips list "$bname" > /dev/null 2>&1;then
    echo -e "${Red}Detected existing ipset, destroying it...${Null}"
    $ips destroy "$bname"
fi
echo -e "${Green}Importing ipset & adding iptables rule...${Null}"
# Note: on CentOS 7 with firewalld the earlier session used "firewall-cmd --direct";
# a rule added with plain iptables here is not tracked by firewalld.
$ips restore -f "$bfile" && iptables -A INPUT -m set --match-set "$bname" src -j DROP
if [ $? = 0 ];then
    echo -e "${Green}Operation complete!${Null}"
else
    echo -e "${Red}Operation failed!${Null}"
fi
Result of running it:
[screenshot: on a system whose ipset supports save/restore]
[screenshot: on a system whose ipset does not]
If it is not supported, download the source from the official site linked above and compile and install it (the process is simple, so it is not shown here), then change the command path in the script:
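The procedure above leaves a window in which the DROP rule is gone: the rule is deleted and the set destroyed before the new file is loaded. As an added example (not from the original post), the following loads the saved file under a temporary name and exchanges it with the live set using "ipset swap", so the rule keeps matching throughout. It assumes the file was produced by "ipset save <name> -f <file>" as shown above; the function names (rename_set, dump_matches, reload_via_swap) are this example's own.

```bash
#!/bin/bash
# Added example, not from the original post: reload a set from an
# "ipset save" dump without first deleting the iptables rule. The dump is
# loaded under a temporary name and exchanged with the live set by
# "ipset swap", so the DROP rule never stops matching. Function names here
# (rename_set, dump_matches, reload_via_swap) are this example's own.
set -u

# Rewrite a dump on stdin so its "create"/"add" lines target $2 instead of $1.
rename_set() {          # $1 = name in the dump, $2 = replacement name
    awk -v old="$1" -v new="$2" '
        ($1 == "create" || $1 == "add") && $2 == old { $2 = new }
        { print }'
}

# Succeeds only if the dump's first line is "create <name> ...", i.e. the file
# really describes the set we are about to replace.
dump_matches() {        # $1 = dump file, $2 = expected set name
    [ "$(awk 'NR==1 { print $1, $2 }' "$1")" = "create $2" ]
}

reload_via_swap() {     # $1 = dump file, $2 = set name used by the iptables rule
    local dump="$1" name="$2" tmp="${2}_new"
    dump_matches "$dump" "$name" || { echo "unexpected dump: $dump" >&2; return 1; }
    ipset destroy "$tmp" 2>/dev/null || true          # leftover from an aborted run
    # Load the new members under the temporary name. swap requires both sets
    # to have the same type and family, which holds because the dump's
    # "create" line carries the same options as the live set.
    rename_set "$name" "$tmp" < "$dump" | ipset restore || return 1
    if ipset list "$name" >/dev/null 2>&1; then
        ipset swap "$tmp" "$name" && ipset destroy "$tmp"   # old members now in $tmp
    else
        ipset rename "$tmp" "$name"   # no live set yet: the rule still has to be added
    fi
}

# Usage: ./reload.sh blocklist.txt blocklist   (needs root)
if [ $# -eq 2 ]; then
    reload_via_swap "$1" "$2"
fi
```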
Note: although the ipset shipped with RHEL 6.5/CentOS 6.5 does not support saving to and restoring from a file, the distribution developers provide a workaround: an init script through which the sets can also be saved and loaded:
[root@test ~]# service ipset save
ipset: Saving IP sets to /etc/sysconfig/ipset: [确定]
[root@test ~]# cat /etc/sysconfig/ipset
create blocklist hash:net family inet hashsize 1024 maxelem 65536
add blocklist 2.2.2.0/24
add blocklist 1.1.1.1
As you can see, the format is identical, so when there are changes the new configuration file can be copied over this one and loaded:
[root@test ~]# service ipset restart
ipset: Current ip*tables configuration requires ipset [警告]
ipset: Current ip*tables configuration requires ipset [警告]
ipset: Loading IP sets: [确定]