ipset is an extension to iptables that lets you write rules matching whole sets of addresses; it is normally used together with iptables. iptables, ebtables and arptables are the user-space tools for controlling Netfilter.
Installation

```shell
yum install ipset -y
```

Help

```shell
$ ipset --help
ipset v7.1
Usage: ipset [options] COMMAND
Commands:
create SETNAME TYPENAME [type-specific-options]
        Create a new set
add SETNAME ENTRY
        Add entry to the named set
del SETNAME ENTRY
        Delete entry from the named set
test SETNAME ENTRY
        Test entry in the named set
destroy [SETNAME]
        Destroy a named set or all sets
list [SETNAME]
        List the entries of a named set or all sets
save [SETNAME]
        Save the named set or all sets to stdout
restore
        Restore a saved state
flush [SETNAME]
        Flush a named set or all sets
rename FROM-SETNAME TO-SETNAME
        Rename two sets
swap FROM-SETNAME TO-SETNAME
        Swap the contect of two existing sets
help [TYPENAME]
        Print help, and settype specific help
version
        Print version information
quit
        Quit interactive mode
```
Usage

Create a set

```shell
ipset create <SETNAME> <TYPENAME> [<OPTIONS>]
```

SETNAME is the name of the new set. TYPENAME is the set type:

TYPENAME := method:datatype[,datatype[,datatype]]

method specifies how the entries of the set are stored; the supported methods are bitmap, hash and list. datatype specifies the format of each entry; the supported data types are ip, net, mac, port and iface.

Add an entry

```shell
ipset add <SETNAME> <ADD-ENTRY> [<OPTIONS>]
```

ADD-ENTRY must use the format given by the type the set was created with.

Inspect

- List the contents of a set

```shell
ipset list [<SETNAME>] [<OPTIONS>]
```

- Test whether an entry is in a set

```shell
ipset test <SETNAME> <TEST-ENTRY> [<OPTIONS>]
```

Delete an entry

```shell
ipset del <SETNAME> <DEL-ENTRY> [<OPTIONS>]
```

Delete a set

```shell
ipset destroy <SETNAME>
```

Export

```shell
ipset save [<SETNAME>] > file
```
Import

```shell
ipset restore < file
```

Demo

```shell
$ ipset creat bar hash:ip,port
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 88
References: 0
Number of entries: 0
Members:
$ ipset add bar 192.168.0.2,tcp:22
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 152
References: 0
Number of entries: 1
Members:
192.168.0.2,tcp:22
$ ipset list bar
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 152
References: 0
Number of entries: 1
Members:
192.168.0.2,tcp:22
$ ipset save > file
$ cat file
create bar hash:ip,port family inet hashsize 1024 maxelem 65536
add bar 192.168.0.2,tcp:22
$ ipset del bar 192.168.0.2,tcp:22
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 88
References: 0
Number of entries: 0
Members:
$ ipset destroy bar
$ ipset restore < file
$ ipset list
Name: bar
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 152
References: 0
Number of entries: 1
Members:
192.168.0.2,tcp:22
```

Combined with iptables
Blocking a group of addresses

```shell
iptables -I INPUT -m set --match-set bar src -j DROP
```

OpenStack Neutron security groups
```shell
$ sudo iptables -nvL neutron-openvswi-i52241a87-c
Chain neutron-openvswi-i52241a87-c (1 references)
pkts bytes target prot opt in out source destination
2 168 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 match-set NIPv46e28e3c1-6959-4dfb-99b1- src
```

This is the rule iptables gains after allowed_address_pairs is added to a port: traffic from source 0.0.0.0/0 to destination 0.0.0.0/0 that matches the ipset NIPv46e28e3c1-6959-4dfb-99b1- is let through (target: RETURN).
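Putting the save/restore format and the --match-set DROP rule above together, here is an added example (not from the original post) of a small POSIX sh script: it validates a list of IPv4 CIDRs, writes them in the format ipset restore reads, loads them into a temporary set and swaps that set with the live one (so the DROP rule never sees a half-loaded set) before hooking the set into iptables. The set names (blocklist, blocklist_tmp), the helper names and the sample list are assumptions.

```shell
# Added example (not from the original post): maintain an IPv4 blocklist with
# ipset and hook it into iptables. The set names, helper names and sample
# CIDR list are assumptions made for this example.

# Accept "a.b.c.d" or "a.b.c.d/n" (IPv4 only); anything else is rejected so a
# bad line cannot abort "ipset restore" part-way through loading the set.
valid_cidr() {
    addr="${1%%/*}"; pfx="${1#*/}"
    [ "$pfx" = "$1" ] && pfx=32                      # no "/": single host
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Read CIDRs from stdin and print an "ipset restore" script in the same
# format "ipset save" produces; blank lines and "#" comments are skipped.
gen_restore() {
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$1"
    while IFS= read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac
        if valid_cidr "$entry"; then
            printf 'add %s %s\n' "$1" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
}

# Load the list into a temporary set and swap it with the live one, so the
# DROP rule never matches against a half-filled set (needs root and ipset).
apply_blocklist() {
    live="$1"; tmp="${1}_tmp"
    ipset create "$live" hash:net family inet -exist
    ipset destroy "$tmp" 2>/dev/null || true
    gen_restore "$tmp" | ipset restore
    ipset swap "$tmp" "$live"
    ipset destroy "$tmp"
    # -C only checks for the rule, so re-running does not duplicate it.
    iptables -C INPUT -m set --match-set "$live" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$live" src -j DROP
}
```

Run it as root with a constructed list, e.g. `printf '10.0.0.0/8\n999.1.1.1\n192.168.0.2\n' | apply_blocklist blocklist`; the malformed line is reported on stderr and skipped rather than aborting the restore.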