Detailed usage of the ipset command in Linux

  • 2020-06-19 12:33:49
  • OfStack

ipset introduction

iptables is the user-space tool for configuring the packet-filtering rules of the Linux kernel; the kernel side is the netfilter framework. Because iptables is the part of netfilter that administrators see most, the whole framework is often called "iptables". iptables has been the standard Linux firewall since kernel 2.4.

ipset is a companion to iptables that lets one rule match against an entire set of addresses (or networks, ports, MAC addresses, interfaces) instead of one value per rule. Where an ordinary iptables chain is stored and evaluated linearly, so that a block list of ten thousand hosts costs ten thousand rule checks per packet, an IP set is stored in an indexed data structure (hash or bitmap) that is searched efficiently even when the set is large.

Beyond the obvious use, keeping known-bad hosts away from the machine without burning CPU or adding latency, ipset also enables firewall designs that are awkward with plain iptables: one rule whose membership is updated at run time, sets of flows rather than single addresses, and configurations that stay short no matter how many entries they cover.

Official site: http://ipset.netfilter.org/

Installation


rpm -ivh libmnl-devel-1.0.2-3.el6.x86_64.rpm libmnl-1.0.2-3.el6.x86_64.rpm
tar xvf ipset-6.24.tar.bz2
cd ipset-6.24
./configure
make
make install

# note:

On CentOS 6.6 (and similar systems) ./configure may fail with the following error:


configure: error: Invalid kernel source directory /lib/modules/2.6.32-358.el6.x86_64/source

Solution: install the kernel development package matching the running kernel (here kernel-devel-2.6.32-358.el6.x86_64.rpm), which provides the kernel build tree that configure looks for under /lib/modules/<version>/. The version must match the output of uname -r exactly.

Create ipset

A set is created with ipset create (abbreviated n):


n, create SETNAME TYPENAME [ CREATE-OPTIONS ]

SETNAME is the name of the set being created and TYPENAME is its type:


 TYPENAME := method:datatype[,datatype[,datatype]]

method specifies how the entries of the set are stored, and the following one to three datatypes specify the format of each entry.

Available methods:


bitmap, hash, list

Available datatypes:


ip, net, mac, port, iface

For example, hash:ip holds single addresses, hash:net holds address prefixes (a plain address is stored as a /32), and hash:ip,port,ip holds (address, port, address) triples, so one entry can describe a flow.

Add records

ipset add adds entries to a set:


add SETNAME ADD-ENTRY [ ADD-OPTIONS ]

When adding an entry, its format must match the datatypes given when the set was created; the fields of the entry are separated by commas, and a port may be prefixed with its protocol (tcp is the default).


$ ipset create foo hash:ip,port,ip
$ ipset add foo 192.168.1.2,tcp:80,192.168.1.3   # ipaddr,portnum,ipaddr

$ ipset list foo
Name: foo
Type: hash:ip,port,ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16584
References: 0
Members:
192.168.1.2,tcp:80,192.168.1.3

Delete records

ipset del deletes entries from a set:


del SETNAME DEL-ENTRY [ DEL-OPTIONS ]

Query

ipset test checks whether an entry is in a set (exit status 0 if it is, 1 if not, so it can be used directly in shell conditions):


test SETNAME TEST-ENTRY [ TEST-OPTIONS ]

ipset list shows the header and members of one set, or of every set when no name is given:


list [ SETNAME ] [ LIST-OPTIONS ]

Export and import

ipset save exports one set, or all sets when no name is given, as a list of create and add commands:


save [ SETNAME ]

ipset restore reads such a list from standard input and replays it; it accepts any ipset command (create, add, del, flush, swap, destroy, ...) one per line, so a whole update can be sent to the kernel in one session instead of one ipset process per entry.
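The create, add, save and restore sections above are usually combined in practice to refresh a large block list without a gap in coverage. The script below is an example added for this article, not code from the ipset project: it cleans a feed, writes a single ipset restore script that fills a scratch set and then swaps it with the live set referenced by iptables, so the rules always see either the complete old list or the complete new list. The set name blocklist, the feed format and the sample feed are assumptions.

```shell
#!/bin/sh
# Refresh a block list atomically: fill a scratch set, `swap` it with the live
# set that the iptables rules reference, then destroy the scratch set. All of
# it is emitted as one `ipset restore` script (one netlink session).
# Example added for this article, not code from the ipset project; the set
# name, the feed format and the sizing are assumptions.

# Constructed sample feed (not a real threat list): one IPv4 address or
# prefix per line, with comments, blank lines, junk and a duplicate.
SAMPLE_FEED='# constructed sample feed
203.0.113.7
198.51.100.0/24
203.0.113.7
bogus-line

192.0.2.9   # trailing comment
999.1.1.1
'

# clean_feed: read the feed on stdin, drop comments and whitespace, keep only
# well-formed IPv4 addresses or prefixes (octets <= 255, prefix <= 32) and
# remove duplicates. Bad lines are dropped here rather than handed to ipset,
# where a single malformed entry would abort the whole restore.
clean_feed() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' \
  | awk -F'[./]' '
      NF != 4 && NF != 5 { next }
      { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) next
        if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) next
        print }' \
  | sort -u
}

# restore_script LIVE: print the `ipset restore` input for the feed on stdin.
# hash:net stores both single addresses (as /32) and prefixes. The live set
# is assumed to exist already (apply_blocklist creates it if needed) and the
# scratch set must not exist, so a fresh create cannot fail with "exists".
restore_script() {
  live=$1 tmp=${1}_tmp
  printf 'create %s hash:net family inet\n' "$tmp"
  clean_feed | while IFS= read -r entry; do
    printf 'add %s %s\n' "$tmp" "$entry"
  done
  printf 'swap %s %s\n' "$tmp" "$live"   # atomic: rules see old or new list
  printf 'destroy %s\n' "$tmp"           # now holds the old list, unreferenced
}

# apply_blocklist FEEDFILE: send the script to the kernel (needs root).
# `ipset -n list NAME` fails when the set does not exist, which is used to
# create the live set on first run and to clear a scratch set left behind
# by an interrupted earlier run.
apply_blocklist() {
  ipset -n list blocklist >/dev/null 2>&1 || ipset create blocklist hash:net family inet
  ipset -n list blocklist_tmp >/dev/null 2>&1 && ipset destroy blocklist_tmp
  restore_script blocklist < "$1" | ipset restore
}

# Show what would be sent to the kernel for the sample feed.
printf '%s' "$SAMPLE_FEED" | restore_script blocklist
```

swap exchanges the contents of the two sets in one operation while keeping their names, so a rule such as `-m set --match-set blocklist src -j DROP` never has to be touched; the only requirement is that both sets have the same type. Sorting the cleaned feed also makes two consecutive restore scripts directly diffable, which is useful when a feed changes unexpectedly.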

Other commands

The remaining commands manage whole sets rather than entries: flush empties a set, destroy removes it (only when no iptables rule references it), rename changes its name, and swap exchanges the contents of two sets of the same type in one atomic operation, which is how a set referenced by live rules is replaced without a gap.


flush [ SETNAME ]
destroy [ SETNAME ]
rename FROM-SETNAME TO-SETNAME
swap FROM-SETNAME TO-SETNAME

Using ipset in iptables

In iptables, -m set loads the set match, which compares a packet against a set instead of a single address. For example (from a Calico node, where the sets hold the IP pools of the cluster):


-A POSTROUTING -m set --match-set felix-masq-ipam-pools src -m set ! --match-set felix-all-ipam-pools dst -j MASQUERADE

The set match of iptables:


-m set --match-set SETNAME FLAGS

FLAGS is a comma-separated list of src and dst, one per datatype of the set, telling the match which part of the packet to compare with each field of an entry; the rule is rejected if the number of flags does not equal the number of datatypes. For the hash:ip,port,ip set foo created above, --match-set foo src,dst,dst matches packets from the first address to the given port on the second address, and ! --match-set negates the match.

A set can also be modified by a rule through the SET target, which adds (or deletes) the selected parts of the packet as an entry, optionally with a per-entry timeout:


-j SET --add-set SETNAME FLAGS [ --timeout seconds ] [ --exist ]
-j SET --del-set SETNAME FLAGS

All options of the set match and the SET target are documented in man iptables-extensions.
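The following is an example added for this article, not a configuration from ipset, iptables or any project the page cites, showing the three ways the section above describes: a static block list matched with -m set, a three-datatype set matched with one flag per datatype, and a dynamic ban set that the SET target fills with a timeout when a host touches a port nobody should use. The set names, the port numbers and the 600-second timeout are assumptions; the commands are printed rather than executed so the rule set can be reviewed and checked without root.

```shell
#!/bin/sh
# Wiring ipset into iptables: a feed-driven block list, a flow set matched
# with per-datatype flags, and an auto-ban set fed by the SET target.
# Example added for this article, not from ipset or iptables; set names,
# ports and the timeout are assumptions.

# set_flags_ok TYPENAME FLAGS
# `--match-set SET FLAGS` needs exactly one src/dst flag per datatype in the
# set type (hash:ip,port,ip needs three, e.g. src,dst,dst); iptables rejects
# the rule otherwise. Returns 0 when FLAGS fits TYPENAME.
set_flags_ok() {
  ntypes=$(printf '%s\n' "${1#*:}" | tr ',' '\n' | grep -c . || true)
  nflags=$(printf '%s\n' "$2" | tr ',' '\n' | grep -c -x -e src -e dst || true)
  nbad=$(printf '%s\n' "$2" | tr ',' '\n' | grep -c -v -x -e src -e dst || true)
  [ "$nbad" -eq 0 ] && [ "$ntypes" -eq "$nflags" ]
}

# firewall_rules [BLOCKLIST] [BANNED]: print the commands instead of running
# them. Every --match-set is checked against its set type first.
firewall_rules() {
  blocklist=${1:-blocklist} banned=${2:-banned}
  set_flags_ok hash:net src || return 1
  set_flags_ok hash:ip src || return 1
  set_flags_ok hash:ip,port,ip src,dst,dst || return 1
  cat <<EOF
ipset -exist create $blocklist hash:net family inet
ipset -exist create $banned hash:ip family inet timeout 600
ipset -exist create foo hash:ip,port,ip family inet
# 1. anything on the feed-driven block list or currently banned is dropped
iptables -A INPUT -m set --match-set $blocklist src -j DROP
iptables -A INPUT -m set --match-set $banned src -j DROP
# 2. a forwarded TCP flow (client, dport, server) passes only if foo lists it:
#    src for the first ip, dst for the port, dst for the second ip
iptables -A FORWARD -p tcp -m set --match-set foo src,dst,dst -j ACCEPT
# 3. nobody legitimately talks to port 23 here: a new connection adds the
#    source to $banned for 600 s (--exist restarts the timer on repeats)
iptables -A INPUT -p tcp --dport 23 -m conntrack --ctstate NEW -j SET --add-set $banned src --timeout 600 --exist
iptables -A INPUT -p tcp --dport 23 -j DROP
EOF
}

# apply_rules: run the generated commands; refuses to run unprivileged.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: root required" >&2; return 1; }
  firewall_rules "$@" | sh -e
}

firewall_rules
```

Rule order matters: the DROP on the banned set comes before the rule that populates it, so a host that was just added is dropped from its next packet on, and the ban expires on its own because the set was created with a timeout. ipset list banned shows the remaining seconds of every entry.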
