linux使用ipset禁止国外IP访问

一、安装ipset

yum install ipset -y

二、禁止firewalld

systemctl stop firewalld
systemctl disable firewalld

三、设置iptables默认允许规则

iptables -P INPUT ACCEPT

四、清空其他规则

[root@hlcc ~]# iptables -F

五、查看规则

[root@hlcc ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

六、创建cnip规则

ipset -N cnip hash:net

七、下载国内IP地址段文件

mkdir -p /root/cnip
cd /root/cnip/
wget -P . http://www.ipdeny.com/ipblocks/data/countries/cn.zone

八、将IP段添加到cnip规则中

for i in $(cat cn.zone ); do ipset -A cnip $i; done

九、查看数据

ipset list | wc -l

十、允许cnip里的IP段访问

iptables -A INPUT -m set --match-set cnip src -j ACCEPT

十一、允许局域网地址访问

[root@hlcc ipset]# ipset -A cnip 10.0.0.0/8
[root@hlcc ipset]# ipset -A cnip 172.0.0.0/8
[root@hlcc ipset]# ipset -A cnip 192.168.0.0/16

十二、设置默认规则为禁止

iptables -P INPUT DROP

[root@hlcc ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             match-set cnip src

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination       

翻译

搜索

复制