1.禁用firewalld
systemctl stop firewalld
systemctl disable firewalld
2.安装ipset
yum -y install ipset
3. 创建ipset规则
ipset create blocklist hash:ip
ipset create whitelist hash:ip
4.控制ip
ipset add blocklist 172.16.200.143 //禁止的ip
ipset add whitelist 172.16.200.109 //允许的ip
5.保存ipset 规则
ipset save -f Script/ipset.txt
6.关联ipset 和iptables
iptables -I INPUT -i lo -j ACCEPT -m comment --comment "Allow Loopback traffi"
iptables -I INPUT 2 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow inbound traffic for established and related connections"
iptables -A INPUT -m set --match-set blocklist src -j DROP -m comment --comment "Reject from blocklist"
iptables -A INPUT -m set --match-set whitelist src -j ACCEPT -m comment --comment "Allow from whitelist"
iptables -P INPUT DROP
7.保存iptables信息
如果服务器重启了,上面的规则会清空
iptables-save > Script/iptables
8.设置开机启动重新应用上述规则
cd Script
vim use_ipset.sh
#!/bin/bash
# Defined Color
Red='�33[31m�33[1m'
Green='�33[32m�33[1m'
Null='�33[0m'
# <----------------------------Configure Start--------------------------->
BasePath=$(cd `dirname ${BASH_SOURCE}` ; pwd)
iptconf=${BasePath}/iptables
useipset=1
ipsetlist=blocklist
ipsetconf=${BasePath}/blocklist.txt
# <----------------------------Configure End---------------------------->
if [ ${useipset} -eq 1 ];then
ipset restore -f ${ipsetconf}
fi
iptables-restore ${iptconf}
echo -e "${Green}Done${Null}"
注: iptables-restore -f 将保存的规则生效
vim /etc/rc.loacl
/root/Script/use_ipset.sh