最後更新: 2019-09-03
介紹
IP sets in the Linux kernel
Data an IP set can store (alone or as pairs):
- IP
- (TCP/UDP) port numbers
- MAC address
Usage
ipset version
ipset v6.19, protocol version: 6
create SETNAME TYPENAME [ CREATE-OPTIONS ]
i.e.
ipset create fail2ban-<name> hash:ip timeout <bantime>
hash:ip
TYPENAME := method:datatype[,datatype[,datatype]]
- methods: bitmap, hash, and list
- datatypes: ip, net, mac, port and iface
# 當一個 set 有多個 data 時的 add 法
ipset add foo ipaddr,portnum,ipaddr
timeout
- the default timeout value (in seconds) for new entries.
- specify non-default timeout values when adding entries.
- A zero timeout value means the entry is added to the set permanently.
- The timeout value of already added elements can be changed by re-adding with -exist:
"ipset -exist add test 192.168.0.1 timeout 600"
add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
i.e.
ipset add fail2ban-postfix-sasl n.n.n.n
del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
flush [ SETNAME ]
Flush all entries from the specified set or flush all sets if none is given.
list [ SETNAME ] [ OPTIONS ]
List the header data and the entries for the specified set, or for all sets if none is given.
ipset list fail2ban-postfix-sasl
Name: fail2ban-postfix-sasl
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 16976
References: 1
Members:
x.x.x.x timeout 2044
y.y.y.y timeout 2010
test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
Test whether an entry is in a set or not. The exit status is zero if the tested entry is in the set and nonzero otherwise.
save [ SETNAME ]
Save the given set, or all sets if none is given, to stdout in a format that restore can read.
-file can be used to specify a filename instead of stdout.
restore
Restore a saved session generated by save.
-file can be used to specify a filename instead of stdin.
Ban IP with firewalld
# supported by firewalld
firewall-cmd --get-ipset-types
hash:net hash:ip
# To add a new IP set
firewall-cmd --permanent --new-ipset=BanIP --type=hash:net
# IPSet 有分 runtime 與 permanent：用 --permanent 建立的 set 要 reload 之後才會在 runtime 生效
firewall-cmd --reload
# 查看現有的 Set
firewall-cmd --get-ipsets
# Add IP to Set
firewall-cmd --ipset=BanIP --add-entry=x.x.x.x
firewall-cmd --ipset=BanIP --get-entries
Notes
geoiplookup x.x.x.x
# Import from txt file
firewall-cmd --ipset=BanIP --add-entries-from-file=BanIP.txt
BanIP.txt
x.x.x.x
y.y.y.0/24
Notes:
firewall-cmd --ipset=BanIP --remove-entries-from-file=iplist.txt
# Add to Zone
firewall-cmd --permanent --zone=drop --add-source=ipset:BanIP
fail2ban 應用 ipset
# firewall-cmd --list-all 看不到 direct rule，要用下面的指令查看
firewall-cmd --direct --get-all-rules
ipv4 filter INPUT 0 -p tcp -m multiport --dports ssh
-m set --match-set fail2ban-sshd src -j REJECT --reject-with icmp-port-unreachable
action.d/firewallcmd-ipset.conf
actionstart
ipset create fail2ban-<name> hash:ip timeout <bantime>
firewall-cmd --direct --add-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> \
  -m set --match-set fail2ban-<name> src -j <blocktype>
actionstop
firewall-cmd --direct --remove-rule ipv4 filter <chain> 0 -p <protocol> -m multiport --dports <port> \
  -m set --match-set fail2ban-<name> src -j <blocktype>
ipset flush fail2ban-<name>
ipset destroy fail2ban-<name>
actionban
ipset add fail2ban-<name> <ip> timeout <bantime> -exist
actionunban
ipset del fail2ban-<name> <ip> -exist