linux中ipset命令的使用方法详解
<p><span><strong>ipset介绍</strong></span></p>
<p>
iptables是在linux内核里配置防火墙规则的用户空间工具,它实际上是netfilter框架的一部分.可能因为iptables是netfilter框架里最常见的部分,所以这个框架通常被称为iptables,iptables是linux从2.4版本引入的防火墙解决方案.</p>
<p>
ipset是iptables的扩展,它允许你创建 匹配整个地址sets(地址集合) 的规则。而不像普通的iptables链是线性的存储和过滤,ip集合存储在带索引的数据结构中,这种结构即时集合比较大也可以进行高效的查找.</p>
<p>
除了一些常用的情况,比如阻止一些危险主机访问本机,从而减少系统资源占用或网络拥塞,IPsets也具备一些新防火墙设计方法,并简化了配置.</p>
<p>
官网:http://ipset.netfilter.org/</p>
<p>
<span><strong>安装</strong></span></p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_895912">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">rpm -ivh libmnl-devel-1.0.2-3.el6.x86_64.rpm libmnl-1.0.2-3.el6.x86_64.rpm</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash functions">tar</code> <code class="bash plain">xvf ipset-6.24.</code><code class="bash functions">tar</code><code class="bash plain">.bz2</code>
</div>
<div class="line number3 index2 alt2">
<code class="bash functions">cd</code> <code class="bash plain">ipset-6.24</code>
</div>
<div class="line number4 index3 alt1">
<code class="bash plain">.</code><code class="bash plain">/configure</code>
</div>
<div class="line number5 index4 alt2">
<code class="bash functions">make</code>
</div>
<div class="line number6 index5 alt1">
<code class="bash functions">make</code> <code class="bash functions">install</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>#注意:</strong></span></p>
<p>
如果在centos6.6或其他情况下安装时候,configure报错如下</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterxhtml" id="highlighter_481258">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="xhtml plain">configure: error: Invalid kernel source directory /lib/modules/2.6.32-358.el6.x86_64/source</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
解决:需要安装内核源码包kernel-devel-2.6.32-358.el6.x86_64.rpm</p>
<p>
<span><strong>创建ipset</strong></span></p>
<p>
ipset -n或者ipset create:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_531741">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">n, create SETNAME TYPENAME [ CREATE-OPTIONS ]</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
SETNAME是创建的ipset的名称,TYPENAME是ipset的类型:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_532920">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">TYPENAME := method:datatype[,datatype[,datatype]]</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
method指定ipset中的entry存放的方式,随后的datatype约定了每个entry的格式。</p>
<p>
可以使用的method:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_554669">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">bitmap, </code><code class="bash functions">hash</code><code class="bash plain">, list</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
可以使用的datatype:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_616382">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">ip, net, mac, port, iface</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>添加记录</strong></span></p>
<p>
ipset add用于在ipset中添加记录:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_776486">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">add SETNAME ADD-ENTRY [ ADD-OPTIONS ]</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
向ipset中添加entry的时候,加入的entry的格式必须与创建ipset是指定的格式匹配。</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_644674">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
<div class="line number12 index11 alt1">
12</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">$ipset creat foo </code><code class="bash functions">hash</code><code class="bash plain">:ip,port,ip</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash plain">$ipset add foo ipaddr,portnum,ipaddr</code>
</div>
<div class="line number3 index2 alt2">
</div>
<div class="line number4 index3 alt1">
<code class="bash plain">$ipset list foo</code>
</div>
<div class="line number5 index4 alt2">
<code class="bash plain">Name: foo</code>
</div>
<div class="line number6 index5 alt1">
<code class="bash plain">Type: </code><code class="bash functions">hash</code><code class="bash plain">:ip,port,ip</code>
</div>
<div class="line number7 index6 alt2">
<code class="bash plain">Revision: 2</code>
</div>
<div class="line number8 index7 alt1">
<code class="bash plain">Header: family inet hashsize 1024 maxelem 65536</code>
</div>
<div class="line number9 index8 alt2">
<code class="bash plain">Size </code><code class="bash keyword">in</code> <code class="bash plain">memory: 16584</code>
</div>
<div class="line number10 index9 alt1">
<code class="bash plain">References: 0</code>
</div>
<div class="line number11 index10 alt2">
<code class="bash plain">Members:</code>
</div>
<div class="line number12 index11 alt1">
<code class="bash plain">192.168.1.2,tcp:80,192.168.1.3</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>删除记录</strong></span></p>
<p>
ipset del用于从ipset中删除记录:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_775389">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">del SETNAME DEL-ENTRY [ DEL-OPTIONS ]</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>查询记录</strong></span></p>
<p>
ipset test可以检查目标entry是否在ipset中:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_450662">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash functions">test</code> <code class="bash plain">SETNAME TEST-ENTRY [ TEST-OPTIONS ]</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
ipset list可以查看ipset的所有内容:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_614332">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">list [ SETNAME ] [ OPTIONS ]</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>导出导入</strong></span></p>
<p>
ipset save可以导出所有的ipset:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_596904">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">save [ SETNAME ]</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
ipset restore则用于将导出的内容导入。</p>
<p>
<span><strong>其它</strong></span></p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_453277">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
<div class="line number12 index11 alt1">
12</div>
<div class="line number13 index12 alt2">
13</div>
<div class="line number14 index13 alt1">
14</div>
<div class="line number15 index14 alt2">
15</div>
<div class="line number16 index15 alt1">
16</div>
<div class="line number17 index16 alt2">
17</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">flush [ SETNAME ]</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash spaces"> </code><code class="bash plain">Flush all entries from the specified </code><code class="bash functions">set</code> <code class="bash plain">or flush all sets </code><code class="bash keyword">if</code> <code class="bash plain">none is given.</code>
</div>
<div class="line number3 index2 alt2">
</div>
<div class="line number4 index3 alt1">
<code class="bash plain">e, rename SETNAME-FROM SETNAME-TO</code>
</div>
<div class="line number5 index4 alt2">
<code class="bash spaces"> </code><code class="bash plain">Rename a </code><code class="bash functions">set</code><code class="bash plain">. Set identified by SETNAME-TO must not exist.</code>
</div>
<div class="line number6 index5 alt1">
</div>
<div class="line number7 index6 alt2">
<code class="bash plain">w, swap SETNAME-FROM SETNAME-TO</code>
</div>
<div class="line number8 index7 alt1">
<code class="bash spaces"> </code><code class="bash plain">Swap the content of two sets, or </code><code class="bash keyword">in</code> <code class="bash plain">another words, exchange the name of two sets. The referred sets must exist and identical </code><code class="bash functions">type</code> <code class="bash plain">of sets can be swapped only.</code>
</div>
<div class="line number9 index8 alt2">
</div>
<div class="line number10 index9 alt1">
<code class="bash plain">help [ TYPENAME ]</code>
</div>
<div class="line number11 index10 alt2">
<code class="bash spaces"> </code><code class="bash plain">Print help and </code><code class="bash functions">set</code> <code class="bash functions">type</code> <code class="bash plain">specific help </code><code class="bash keyword">if</code> <code class="bash plain">TYPENAME is specified.</code>
</div>
<div class="line number12 index11 alt1">
</div>
<div class="line number13 index12 alt2">
<code class="bash plain">version</code>
</div>
<div class="line number14 index13 alt1">
<code class="bash spaces"> </code><code class="bash plain">Print program version.</code>
</div>
<div class="line number15 index14 alt2">
</div>
<div class="line number16 index15 alt1">
<code class="bash plain">- If a dash is specified as </code><code class="bash functions">command</code><code class="bash plain">, </code><code class="bash keyword">then</code> <code class="bash plain">ipset enters a simple interactive mode and the commands are </code><code class="bash functions">read</code> <code class="bash plain">from the standard input. The interactive mode can be finished by entering the</code>
</div>
<div class="line number17 index16 alt2">
<code class="bash spaces"> </code><code class="bash plain">pseudo-</code><code class="bash functions">command</code> <code class="bash plain">quit.</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>在iptables中使用ipset</strong></span></p>
<p>
在iptables中可以使用<code>-m set</code>启用ipset模块,例如。</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterplain" id="highlighter_198911">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="plain plain">-A POSTROUTING -m set --match-set felix-masq-ipam-pools src -m set ! --match-set felix-all-ipam-pools dst -j MASQUERADE</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
iptables的set模块:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_302939">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash functions">set</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash plain">This module matches IP sets </code><code class="bash functions">which</code> <code class="bash plain">can be defined by ipset(8).</code>
</div>
<div class="line number3 index2 alt2">
</div>
<div class="line number4 index3 alt1">
<code class="bash plain">[!] --match-</code><code class="bash functions">set</code> <code class="bash plain">setname flag[,flag]...</code>
</div>
<div class="line number5 index4 alt2">
<code class="bash spaces"> </code><code class="bash plain">where flags are the comma separated list of src and</code><code class="bash plain">/or</code> <code class="bash plain">dst specifications and there can be no </code><code class="bash functions">more</code> <code class="bash plain">than six of them. Hence the </code><code class="bash functions">command</code>
</div>
<div class="line number6 index5 alt1">
</div>
<div class="line number7 index6 alt2">
<code class="bash spaces"> </code><code class="bash plain">iptables -A FORWARD -m </code><code class="bash functions">set</code> <code class="bash plain">--match-</code><code class="bash functions">set</code> <code class="bash functions">test</code> <code class="bash plain">src,dst</code>
</div>
<div class="line number8 index7 alt1">
<code class="bash plain">...</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
在TARGET中也可以操作ipset:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterbash" id="highlighter_314571">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="bash plain">SET</code>
</div>
<div class="line number2 index1 alt1">
<code class="bash plain">This module adds and</code><code class="bash plain">/or</code> <code class="bash plain">deletes entries from IP sets </code><code class="bash functions">which</code> <code class="bash plain">can be defined by ipset(8).</code>
</div>
<div class="line number3 index2 alt2">
</div>
<div class="line number4 index3 alt1">
<code class="bash plain">--add-</code><code class="bash functions">set</code> <code class="bash plain">setname flag[,flag...]</code>
</div>
<div class="line number5 index4 alt2">
<code class="bash spaces"> </code><code class="bash plain">add the address(es)</code><code class="bash plain">/port</code><code class="bash plain">(s) of the packet to the </code><code class="bash functions">set</code>
</div>
<div class="line number6 index5 alt1">
</div>
<div class="line number7 index6 alt2">
<code class="bash plain">--del-</code><code class="bash functions">set</code> <code class="bash plain">setname flag[,flag...]</code>
</div>
<div class="line number8 index7 alt1">
<code class="bash spaces"> </code><code class="bash plain">delete the address(es)</code><code class="bash plain">/port</code><code class="bash plain">(s) of the packet from the </code><code class="bash functions">set</code>
</div>
<div class="line number9 index8 alt2">
</div>
<div class="line number10 index9 alt1">
<code class="bash spaces"> </code><code class="bash plain">where flag(s) are src and</code><code class="bash plain">/or</code> <code class="bash plain">dst specifications and there can be no </code><code class="bash functions">more</code> <code class="bash plain">than six of them.</code>
</div>
<div class="line number11 index10 alt2">
<code class="bash plain">...</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
在<code>man iptables-extensions</code>中可以找到<code>set module</code>和<code>SET TARGET</code>的所有选项。</p>
<p>
<span><strong>总结</strong></span></p>
<p>
以上就是这篇文章的全部内容了,希望本文的内容对大家的学习或者工作具有一定的参考学习价值,如果有疑问大家可以留言交流,谢谢大家对的支持。</p>
<p>
原文链接:http://www.lijiaocn.com/%E6%8A%80%E5%B7%A7/2017/08/06/linux-net-ipset.html</p>
頁:
[1]