Ipsets Operation

ipset is a tool for managing iptables rules in bulk: instead of one iptables rule per address, a rule matches against a named set. When large numbers of iptables rules have to be refreshed they become very hard to maintain; ipset avoids that problem.

ipset official site

Implement your own Ipset manager utility class

Ipsets Install

# centos
sudo yum install ipset

# ubuntu
sudo apt-get install ipset

Create Ipset Sets

ipset create SETNAME TYPENAME(method:datatype[,datatype[,datatype]])

  • SETNAME is the name of the set being created
  • TYPENAME is the type of the set
    • method specifies how the entries of the set are stored (bitmap, hash, list)
    • datatype defines the format of each entry (ip, net, mac, port, iface)
sudo ipset create ipwhitelist hash:ip
sudo ipset create ipwhitelist01 hash:ip,port

sudo ipset --list

Name: ipwhitelist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 128
References: 0
Members:

Name: ipwhitelist01
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 128
References: 0
Members:
Supported set types:
list:set 3 skbinfo support
list:set 2 comment support
list:set 1 counters support
list:set 0 Initial revision
hash:mac 0 Initial revision
hash:net,iface 6 skbinfo support
hash:net,iface 5 forceadd support
hash:net,iface 4 comment support
hash:net,iface 3 counters support
hash:net,iface 2 /0 network support
hash:net,iface 1 nomatch flag support
hash:net,iface 0 Initial revision
hash:net,port 7 skbinfo support
hash:net,port 6 forceadd support
hash:net,port 5 comment support
hash:net,port 4 counters support
hash:net,port 3 nomatch flag support
hash:net,port 2 Add/del range support
hash:net,port 1 SCTP and UDPLITE support
hash:net,port,net 2 skbinfo support
hash:net,port,net 1 forceadd support
hash:net,port,net 0 initial revision
hash:net,net 2 skbinfo support
hash:net,net 1 forceadd support
hash:net,net 0 initial revision
hash:net 6 skbinfo support
hash:net 5 forceadd support
hash:net 4 comment support
hash:net 3 counters support
hash:net 2 nomatch flag support
hash:net 1 Add/del range support
hash:net 0 Initial revision
hash:ip,port,net 7 skbinfo support
hash:ip,port,net 6 forceadd support
hash:ip,port,net 5 comment support
hash:ip,port,net 4 counters support
hash:ip,port,net 3 nomatch flag support
hash:ip,port,net 2 Add/del range support
hash:ip,port,net 1 SCTP and UDPLITE support
hash:ip,port,ip 5 skbinfo support
hash:ip,port,ip 4 forceadd support
hash:ip,port,ip 3 comment support
hash:ip,port,ip 2 counters support
hash:ip,port,ip 1 SCTP and UDPLITE support
hash:ip,mark 2 sbkinfo support
hash:ip,mark 1 forceadd support
hash:ip,mark 0 initial revision
hash:ip,port 5 skbinfo support
hash:ip,port 4 forceadd support
hash:ip,port 3 comment support
hash:ip,port 2 counters support
hash:ip,port 1 SCTP and UDPLITE support
hash:ip 4 skbinfo support
hash:ip 3 forceadd support
hash:ip 2 comment support
hash:ip 1 counters support
hash:ip 0 Initial revision
bitmap:port 3 skbinfo support
bitmap:port 2 comment support
bitmap:port 1 counters support
bitmap:port 0 Initial revision
bitmap:ip,mac 3 skbinfo support
bitmap:ip,mac 2 comment support
bitmap:ip,mac 1 counters support
bitmap:ip,mac 0 Initial revision
bitmap:ip 3 skbinfo support
bitmap:ip 2 comment support
bitmap:ip 1 counters support
bitmap:ip 0 Initial revision

Create Options

1. timeout, the entry lifetime (applies to all set types)

A value of 0 means entries never expire; the timeout of an existing entry can be changed by re-adding it with -exist.

sudo ipset create ipwhitelist_timeout hash:ip timeout 5000

Name: ipwhitelist_timeout
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 5000
Size in memory: 128
References: 0
Members:

sudo ipset create ipwhitelist_timeout01 hash:ip timeout 0

Name: ipwhitelist_timeout01
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 0
Size in memory: 128
References: 0
Members:

2. comment, a note on an entry (applies to all set types)

The kernel and ipset itself ignore this string completely; it exists purely for annotation.

sudo ipset create ipwhitelist_comment hash:ip comment
sudo ipset add ipwhitelist_comment 10.1.8.145 comment "测试"

Name: ipwhitelist_comment
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 224
References: 0
Members:
10.1.8.145 comment "测试"

3. hashsize (initial hash size) and maxelem (maximum number of elements in the set)

hashsize defines the initial hash size of the set; the default is 1024. The hash size must be a power of two; the kernel automatically rounds a hash size that is not a power of two up to the next valid value.

maxelem defines the maximum number of elements that can be stored in the set; the default is 65536.

sudo ipset create ipwhitelist_size hash:ip hashsize 2408  maxelem 500

Name: ipwhitelist_size
Type: hash:ip
Revision: 4
Header: family inet hashsize 4096 maxelem 500
Size in memory: 128
References: 0
Members:

Set Types

1. Method (storage method)

bitmap and list: use fixed-size storage

hash: stores elements in a hash table. To avoid key collisions, once the hash table's keys are used up and new entries keep arriving, ipset automatically grows the hash table.

Note that once a set is configured as hash:ip or hash:ip,port and the number of IPs is very large, the situation below may occur (in the end it was solved by replacing hash:ip with hash:net).

2. Datatype

The supported datatypes are: ip, net, mac, port, iface

  • hash:ip
    1. Stores IP host addresses (the default) or network addresses in a hash. The zero IP address cannot be stored in the hash.
    2. Accepts a single IP, e.g. 10.1.1.1, and an IP range, e.g. 10.1.1.1-10.1.1.100
  • hash:net
    1. Stores IP network addresses of different sizes in a set. Network addresses with a zero prefix size cannot be stored in this type of set.
  • hash:ip,port
    1. Stores IP address and port number pairs in a hash. The port number is paired with a protocol (TCP by default); protocol number zero cannot be used.
  • hash:ip,port,net
    1. Stores IP address, port number and IP network address triples in a hash. The port number is paired with a protocol (TCP by default); protocol number zero cannot be used. Network addresses with a zero prefix size cannot be stored either.
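The create grammar, the hashsize rounding and the timeout/comment options described above, as an added example that is not part of the original post: the script validates a method:datatype[,datatype] type name against the methods and datatypes the post lists (plus set and mark, which appear in the supported-types listing), rounds hashsize up to a power of two the way the post reports the kernel doing (2408 became 4096), and renders the create line in the form `ipset save` writes it. The function names and the conservative set-name pattern are this example's own assumptions; it covers hash:* sets only, since bitmap and list sets take range/size options the post does not describe.

```python
"""Render the `create` command for a hash-type ipset (added example, not the post's code)."""
import re

METHODS = {"bitmap", "hash", "list"}
# datatypes named in the post, plus "set" and "mark" from the supported-types listing
DATATYPES = {"ip", "net", "mac", "port", "iface", "set", "mark"}
# assumption of this example: a conservative naming policy for set names
SET_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,31}")


def round_hashsize(hashsize: int) -> int:
    """Round a hash size up to a power of two, as the kernel does
    (the post shows hashsize 2408 reported back as 4096)."""
    if hashsize < 1:
        raise ValueError("hashsize must be positive")
    return 1 << (hashsize - 1).bit_length()


def parse_typename(typename: str):
    """Split 'hash:ip,port' into ('hash', ['ip', 'port']) and validate both parts."""
    method, sep, datatypes = typename.partition(":")
    types = datatypes.split(",") if sep else []
    if method not in METHODS or not types or any(t not in DATATYPES for t in types):
        raise ValueError(f"unsupported set type: {typename!r}")
    return method, types


def render_create(name, typename, *, hashsize=1024, maxelem=65536,
                  timeout=None, comment=False):
    """Return the create line as `ipset save` writes it, e.g.
    'create ipwhitelist01 hash:ip,port family inet hashsize 1024 maxelem 65536'."""
    if not SET_NAME_RE.fullmatch(name):
        raise ValueError(f"bad set name: {name!r}")
    method, _ = parse_typename(typename)
    if method != "hash":
        # bitmap:* and list:* take range/size options this example does not render
        raise ValueError("this example renders hash:* sets only")
    if maxelem < 1:
        raise ValueError("maxelem must be positive")
    parts = ["create", name, typename, "family", "inet",
             "hashsize", str(round_hashsize(hashsize)), "maxelem", str(maxelem)]
    if timeout is not None:
        if timeout < 0:
            raise ValueError("timeout must be >= 0 (0 means entries never expire)")
        parts += ["timeout", str(timeout)]
    if comment:
        parts.append("comment")
    return " ".join(parts)


if __name__ == "__main__":
    # reproduces the header the post shows for ipwhitelist_size
    print(render_create("ipwhitelist_size", "hash:ip", hashsize=2408, maxelem=500))
```

The rendered line can be fed to `ipset restore` or split into arguments for `ipset create`; validating the type name before calling ipset gives a clearer error than the kernel's.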

Add Rules To Sets

ipset add SETNAME ENTRY

  • ENTRY must match the type the set was created with
sudo ipset add ipwhitelist 10.1.8.140
sudo ipset add ipwhitelist01 10.1.8.141,5240

sudo ipset -list
Name: ipwhitelist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 224
References: 0
Members:
10.1.8.140

Name: ipwhitelist01
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 192
References: 0
Members:
10.1.8.141,tcp:5240

Specifying the protocol when adding

  • ip,protocol:port
sudo ipset add ipwhitelist01 10.1.8.141,udp:5340

Name: ipwhitelist01
Type: hash:ip,port
Revision: 5
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 256
References: 0
Members:
10.1.8.141,tcp:5240
10.1.8.141,udp:5340

Append -exist to ignore an entry that already exists; otherwise ipset reports an "already exists" error.

Check Ipset Entry

ipset test SETNAME ENTRY

sudo ipset test ipwhitelist 10.1.8.140
10.1.8.140 is in set ipwhitelist.

sudo ipset test ipwhitelist01 10.1.8.141,5240
10.1.8.141,tcp:5240 is in set ipwhitelist01.

sudo ipset test ipwhitelist01 10.1.8.141,5241
10.1.8.141,tcp:5241 is NOT in set ipwhitelist01.

Del, Flush, Destroy Sets

ipset del SETNAME ENTRY
ipset flush SETNAME
ipset destroy SETNAME

# delete a single entry
sudo ipset del ipwhitelist 10.1.8.140
# empty a set
sudo ipset flush ipwhitelist
# delete the whole set
sudo ipset destroy ipwhitelist

Append -exist to ignore an entry that does not exist; otherwise ipset reports a "does not exist" error.

Import and Export ipsets

sudo ipset save SETNAME -f FILE_PATH

sudo ipset restore -f FILE_PATH

# back up a set to a file
sudo ipset save ipwhitelist01 -f /home/wxmimperio/bigdata/ipwhitelist01.txt

vim /home/wxmimperio/bigdata/ipwhitelist01.txt
create ipwhitelist01 hash:ip,port family inet hashsize 1024 maxelem 65536
add ipwhitelist01 10.1.8.141,tcp:5240
add ipwhitelist01 10.1.8.141,udp:5340

# delete the set
sudo ipset destroy ipwhitelist01
# restore it from the file
sudo ipset restore -f /home/wxmimperio/bigdata/ipwhitelist01.txt
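The save/restore format above, as an added example that is not part of the original post: rather than destroying a set and restoring it (during which iptables rules that reference the set match nothing), the script builds a restore file that loads the new membership into a temporary set and then exchanges it with the live set using ipset's swap command, which the post does not cover. The saved text is the post's own ipwhitelist01.txt, embedded as constructed input; the _tmp suffix, the function names and the policy of accepting only entries in the canonical form ipset prints (explicit protocol on ip,port entries) are this example's own choices.

```python
"""Build an `ipset restore` file that replaces a set's contents atomically (added example)."""
import ipaddress
import re

# constructed input: the file the post obtained from `ipset save ipwhitelist01 -f ...`
SAVED_FILE = """\
create ipwhitelist01 hash:ip,port family inet hashsize 1024 maxelem 65536
add ipwhitelist01 10.1.8.141,tcp:5240
add ipwhitelist01 10.1.8.141,udp:5340
"""

# canonical ip,port form as ipset prints it: protocol is mandatory here by policy
IP_PORT_RE = re.compile(r"^(?P<ip>[0-9.]+),(?P<proto>tcp|udp|sctp|udplite):(?P<port>\d{1,5})$")


def validate_entry(set_type: str, entry: str) -> str:
    """Reject anything that is not in the exact form ipset would print for set_type,
    so the restore file is unambiguous and free of surprises."""
    if set_type == "hash:ip":
        ipaddress.IPv4Address(entry)                      # raises ValueError on garbage
    elif set_type == "hash:net":
        net = ipaddress.IPv4Network(entry, strict=False)
        if net.prefixlen == 0:                            # the post: /0 cannot be stored
            raise ValueError(f"zero prefix not allowed: {entry!r}")
    elif set_type == "hash:ip,port":
        m = IP_PORT_RE.match(entry)
        if not m or int(m["port"]) > 65535:
            raise ValueError(f"expected ip,proto:port, got {entry!r}")
        ipaddress.IPv4Address(m["ip"])
    else:
        raise ValueError(f"set type not handled by this example: {set_type}")
    return entry


def build_atomic_reload(saved_text: str, new_entries, keep_existing: bool = False) -> str:
    """Return restore-file text: create <name>_tmp with the saved set's options,
    add the wanted entries, swap it with the live set, destroy the old contents."""
    lines_in = saved_text.splitlines()
    create_line = next((l for l in lines_in if l.startswith("create ")), None)
    if create_line is None:
        raise ValueError("saved text has no create line")
    _, name, set_type, *options = create_line.split()
    tmp = f"{name}_tmp"
    if len(tmp) > 31:                                     # ipset set names are at most 31 chars
        raise ValueError(f"temporary set name too long: {tmp}")

    wanted = []
    if keep_existing:
        # entries already in the saved file come first; a trailing comment/timeout is dropped
        wanted += [l.split()[2] for l in lines_in if l.startswith(f"add {name} ")]
    wanted += list(new_entries)

    out = [" ".join(["create", tmp, set_type, *options])]
    seen = set()
    for entry in wanted:
        validate_entry(set_type, entry)
        if entry not in seen:                             # a duplicate add would make restore fail
            seen.add(entry)
            out.append(f"add {tmp} {entry}")
    out += [f"swap {tmp} {name}", f"destroy {tmp}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_atomic_reload(SAVED_FILE, ["10.1.8.142,tcp:5240"], keep_existing=True), end="")
```

Apply the result with `sudo ipset restore -f reload.txt`; because the live set keeps its name, the iptables rules that reference it stay valid throughout, and the contents change in one step instead of passing through an empty set. If a previous run was interrupted and left the _tmp set behind, destroy it first, since the create line in the file would otherwise fail.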

Use of ipset and iptables

To use an ipset in iptables, just add -m set --match-set to the rule

1. Match the destination IP against an ipset (set bbb)

iptables -I INPUT -s 192.168.100.36 -m set --match-set bbb dst -j DROP

2. Match the source IP against an ipset (set aaa)

iptables -I INPUT -m set --match-set aaa src -d 192.168.100.36 -j DROP

3. Match both source and destination against ipsets (source set aaa, destination set bbb)

iptables -I INPUT -m set --match-set aaa src -m set --match-set bbb dst -j DROP

4. Set up a whitelist (source set ipwhitelist)

iptables -A INPUT -p tcp -m set --match-set ipwhitelist src -j ACCEPT

5. Open specific ports for the ipset list

iptables -A INPUT -p tcp -m multiport --destination-port 21,22 -m set --match-set ipwhitelist src -j ACCEPT

6. With a hash:ip,port set, specify which packet fields the set's elements match

iptables -I INPUT -p tcp -m set --match-set ipwhitelist src,dst -j REJECT
Meaning: src is matched against the source IP, dst against the destination port

Please credit the source when reposting: https://github.com/imperio-wxm
