Detailed usage of ipset command in linux
- 2020-06-19 12:33:49
- OfStack
ipset introduction
iptables is a user-space tool for configuring firewall rules in the Linux kernel; it is actually the front end of the netfilter framework. Probably because iptables is the most visible part of netfilter, the whole framework is often referred to as iptables. iptables has been the Linux firewall solution since kernel version 2.4.
ipset is an extension of iptables that allows you to write rules that match against whole sets of addresses. Unlike ordinary iptables chains, which are stored and evaluated linearly, IP sets are stored in indexed data structures that can be searched efficiently even when the set is large.
Besides common uses such as blocking dangerous hosts from reaching the machine in order to reduce resource usage or network congestion, IP sets also enable some new firewall design approaches and simplify configuration.
Official site: http://ipset.netfilter.org/
Installation
rpm -ivh libmnl-devel-1.0.2-3.el6.x86_64.rpm libmnl-1.0.2-3.el6.x86_64.rpm
tar xvf ipset-6.24.tar.bz2
cd ipset-6.24
./configure
make
make install
# Note:
If configure is run under CentOS 6.6 or a similar system, it may report the following error:
configure: error: Invalid kernel source directory /lib/modules/2.6.32-358.el6.x86_64/source
Solution: the kernel source package matching the running kernel (the kernel-devel package for 2.6.32-358.el6.x86_64) needs to be installed.
Create ipset
ipset n or ipset create:
n, create SETNAME TYPENAME [ CREATE-OPTIONS ]
SETNAME is the name of the ipset created and TYPENAME is the type of ipset:
TYPENAME := method:datatype[,datatype[,datatype]]
method specifies how the entries of the set are stored, and the datatype(s) that follow specify the format of each entry.
Available methods:
bitmap, hash, list
Available datatypes:
ip, net, mac, port, iface
Add records
ipset add is used to add records to an ipset:
add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
When adding an entry to an ipset, the format of the entry must match the format specified when the set was created.
$ ipset create foo hash:ip,port,ip
$ ipset add foo 192.168.1.2,tcp:80,192.168.1.3
$ ipset list foo
Name: foo
Type: hash:ip,port,ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16584
References: 0
Members:
192.168.1.2,tcp:80,192.168.1.3
Delete records
ipset del is used to delete records from an ipset:
del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
Query records
ipset test checks whether the given entry is in the ipset:
test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
ipset list shows the contents of all sets, or of a named set.
Export and import
ipset save exports all sets.
ipset restore imports content exported by ipset save.
Other
Use ipset in iptables
In iptables, the ipset module is enabled with -m set, for example:
-A POSTROUTING -m set --match-set felix-masq-ipam-pools src -m set ! --match-set felix-all-ipam-pools dst -j MASQUERADE
The set module of iptables
An ipset can also be modified from a target (the SET target):
All options of the set module and the SET target can be found in man iptables-extensions.
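As an added example (not from the article or the ipset project), the following POSIX shell script ties the save/restore section and the iptables section together: it generates an ipset restore file for a hash:net blocklist, validating each entry before it becomes an ipset command, and prints the iptables rule that references the set with -m set. The set name blocklist, the _tmp suffix and the INPUT chain are assumptions, and the addresses are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): generate an "ipset restore"
# script for an IPv4 blocklist and the iptables rule that uses it.
# "blocklist" and the INPUT chain are assumed names; the entries are constructed.

# Return 0 if $1 is a well-formed IPv4 address or CIDR ("a.b.c.d" or "a.b.c.d/n"),
# 1 otherwise. Feed entries are untrusted text; check them before they become commands.
valid_cidr() {
    addr="${1%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32      # no "/" given: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs="$IFS"; IFS=.
    set -- $addr                            # only digits and dots reach here
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print restore-format lines: the live set, a temporary set filled with the
# entries, then an atomic "swap" so traffic never sees a half-loaded set.
# Usage: make_restore SETNAME CIDR... > blocklist.ipset
#        ipset -exist restore -file blocklist.ipset
make_restore() {
    set_name="$1"; shift
    tmp="${set_name}_tmp"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$set_name"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    for cidr in "$@"; do
        if valid_cidr "$cidr"; then
            printf 'add %s %s\n' "$tmp" "$cidr"
        else
            printf 'skipping malformed entry: %s\n' "$cidr" >&2
        fi
    done
    printf 'swap %s %s\n' "$tmp" "$set_name"
    printf 'destroy %s\n' "$tmp"
}

# The matching iptables rule: drop packets whose source address is in the set.
make_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$1"
}

make_restore blocklist 192.0.2.0/24 198.51.100.7 "300.1.1.1"
make_rule blocklist
```

The malformed entry 300.1.1.1 is reported on stderr and left out of the generated file; the swap/destroy pair replaces the live set in one step.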
Conclusion