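#!/usr/bin/env bash
# Route inbound TCP through a custom NET_DEFEND chain and either DROP
# sources listed in an ipset blacklist (block_list_IPv4) or ACCEPT sources
# listed in an ipset whitelist (allow_list_IPv4). A companion hash:ip set
# with a 60 s entry timeout (Eblock_list_IPv4 / Eallow_list_IPv4) makes
# each source produce at most one LOG line per minute.
#
# Usage: net_defend.sh [blacklist|whitelist]   (default: blacklist)
#
# The two modes are alternatives: both populate the same NET_DEFEND chain,
# so do not apply them one after the other on the same host.
#
# Precondition not handled here: the ipset admin_ip_IPv4 referenced by the
# INPUT hook must already exist — iptables rejects a rule whose
# --match-set target set is missing.
set -euo pipefail

readonly CHAIN=NET_DEFEND
readonly ADMIN_SET=admin_ip_IPv4
readonly SEED_IP=10.20.192.90   # address seeded into the list, as in the source snippet

#######################################
# Create the NET_DEFEND chain (unless it already exists) and hook it into
# INPUT. The original snippet ran a bare `-N`, which fails on a second run.
# Globals:   CHAIN, ADMIN_SET (read)
# Arguments: none
# Returns:   non-zero if iptables refuses a rule (e.g. ADMIN_SET missing)
#######################################
ensure_chain() {
  if ! iptables -t filter -n -L "$CHAIN" >/dev/null 2>&1; then
    iptables -t filter -N "$CHAIN"
  fi
  # Port-80 traffic is always inspected by the custom chain.
  iptables -t filter -I INPUT -p tcp --dport 80 -j "$CHAIN"
  # Every other non-loopback TCP packet is inspected unless its destination
  # address is in the admin set. NOTE: re-running the script appends these
  # two INPUT rules again; they are not deduplicated.
  iptables -A INPUT ! -i lo -p tcp -m set ! --match-set "$ADMIN_SET" dst -j "$CHAIN"
}

#######################################
# Create the persistent match set (hash:net; `timeout 0` = entries do not
# expire unless given one) and seed it, then create the expiring hash:ip
# set used to rate-limit logging. `-exist` keeps re-runs idempotent.
# Arguments: $1 - persistent set name
#            $2 - expiring set name (60 s entry timeout)
#            $3.. - addresses to add to the persistent set
#######################################
create_sets() {
  local list=$1 seen=$2
  shift 2
  ipset -exist create "$list" hash:net timeout 0
  local addr
  for addr in "$@"; do
    ipset -exist add "$list" "$addr"
  done
  ipset -exist create "$seen" hash:ip timeout 60
}

#######################################
# Append the verdict rules to NET_DEFEND: LOG a listed source only if it is
# not yet in the expiring set, record it there (SET --add-set), then apply
# the verdict. Rule order matters: the LOG rule must precede the SET rule
# or the first packet of every window would be logged anyway.
# Globals:   CHAIN (read)
# Arguments: $1 - persistent set   $2 - expiring set
#            $3 - LOG prefix       $4 - verdict target (DROP or ACCEPT)
#######################################
add_rules() {
  local list=$1 seen=$2 prefix=$3 verdict=$4
  iptables -A "$CHAIN" -m set --match-set "$list" src \
    -m set ! --match-set "$seen" src -j LOG --log-prefix "$prefix"
  iptables -A "$CHAIN" -m set --match-set "$list" src -j SET --add-set "$seen" src
  iptables -A "$CHAIN" -m set --match-set "$list" src -j "$verdict"
}

main() {
  local mode=${1:-blacklist}
  case "$mode" in
    blacklist)
      ensure_chain
      create_sets block_list_IPv4 Eblock_list_IPv4 "$SEED_IP"
      add_rules block_list_IPv4 Eblock_list_IPv4 "iptables: black: " DROP
      ;;
    whitelist)
      ensure_chain
      create_sets allow_list_IPv4 Eallow_list_IPv4 "$SEED_IP"
      add_rules allow_list_IPv4 Eallow_list_IPv4 "iptables: white: " ACCEPT
      # NOTE(review): nothing in NET_DEFEND drops sources outside
      # allow_list_IPv4; unmatched packets return to INPUT and get whatever
      # the remaining INPUT rules / chain policy decide. Confirm the INPUT
      # policy is DROP if a true whitelist is intended.
      ;;
    *)
      printf 'usage: %s [blacklist|whitelist]\n' "${0##*/}" >&2
      exit 2
      ;;
  esac
}

main "$@"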