AlmaLinux: blocking access from non-China IPs with iptables
source link: https://apad.pro/almalinux-iptables-chinaip/
Install the ipset extension
dnf -y install ipset
Create an ipset named blockip (type hash:net, so it can hold CIDR ranges)
ipset -N blockip hash:net
Download the list of non-China IP ranges
wget https://mirror.apad.pro/dns/country-ip-blocks-master/nonchina_ip_list.txt
Add the IP ranges to the blockip set (the set name must match the one created above; the original loop wrote "block" here, which would fail with "set does not exist")
for i in $(cat /root/nonchina_ip_list.txt); do ipset -A blockip $i; done
The ranges can also be removed from the set again with
for i in $(cat /root/nonchina_ip_list.txt); do ipset -D blockip $i; done
Block access from non-China IPs
iptables -I INPUT -p tcp -m set --match-set blockip src -j DROP
To remove that rule again
iptables -D INPUT -p tcp -m set --match-set blockip src -j DROP
The two commands above are meant for testing the rules; in production it is better to edit the iptables rules file instead, which allows more flexible rules:
vi /etc/sysconfig/iptables
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
# note: the blockip ipset must already exist when these rules are loaded (also at boot),
# otherwise iptables-restore fails on the --match-set lines and no rules are applied
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -s 172.0.0.0/24 -j ACCEPT
-A INPUT -p icmp -m set --match-set blockip src -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s 172.0.0.1 -j ACCEPT
-A INPUT -p tcp -m set --match-set blockip src -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Here 172.0.0.0/24 and 172.0.0.1 are example exception (whitelisted) addresses; their ACCEPT rules sit before the DROP rules, so they are matched first.
Pay attention to rule order when editing the file. When done, apply the rules with
systemctl reload iptables
This blocks access to the server from non-China IPs.
To keep the block list current, create an update script with vi blockip.sh:
#!/bin/bash
# remove the old ranges, fetch the new list (-f: fail on an HTTP error instead of
# saving the error page as the zone file), then add the new ranges
for i in $(cat /etc/blockip.zone); do ipset -D blockip $i; done && \
curl -fsS https://mirror.apad.pro/dns/country-ip-blocks-master/nonchina_ip_list.txt > /etc/blockip.zone && \
for i in $(cat /etc/blockip.zone); do ipset -A blockip $i; done
Create a cron job with crontab -e to run the script on a schedule. Refreshing the set is resource-intensive on the server, so schedule the update for off-peak hours.
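An added example, not from the original post, of a safer refresh script for the cron job above: the post's one-liner empties the live blockip set before refilling it, so while the update runs the DROP rule matches nothing; this version validates the downloaded list, builds the new contents in a scratch set and exchanges it with `ipset swap` in one step. The helper names, the --apply flag and the empty-list check are this example's own assumptions; the set name, type, list URL and /etc/blockip.zone path are those used in the post.

```shell
#!/bin/bash
# Atomic refresh of the blockip set: build the new contents in a scratch
# set, then exchange it with `ipset swap`, so the DROP rule never matches
# a half-emptied set while the list is being reloaded. Names below
# (filter_cidrs, build_restore_script, refresh_blockip, --apply) are
# this example's own, not from the original post.
set -eu

LIST_URL="https://mirror.apad.pro/dns/country-ip-blocks-master/nonchina_ip_list.txt"
SET_NAME="blockip"          # the set created with: ipset -N blockip hash:net
ZONE_FILE="/etc/blockip.zone"

# Keep only well-formed IPv4 addresses/CIDRs; comments, blank lines and an
# HTML error page from a failed download are dropped rather than fed to ipset.
filter_cidrs() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && ($5=="" || $5<=32)'
}

# Print an `ipset restore` script: fill <set>_tmp, swap it with the live set,
# destroy the scratch set. $1 is a file of already filtered CIDRs.
build_restore_script() {
  tmp="${SET_NAME}_tmp"
  echo "create $tmp hash:net"
  echo "flush $tmp"
  sed "s/^/add $tmp /" "$1"
  echo "create $SET_NAME hash:net"   # no-op under restore -exist if it exists
  echo "swap $tmp $SET_NAME"
  echo "destroy $tmp"
}

# Download, validate and apply. Needs root and ipset, so it only runs with
# --apply; the helpers above can be sourced or tested without it.
refresh_blockip() {
  new="$(mktemp)"
  # -f: an HTTP error fails the download instead of saving the error page
  curl -fsS "$LIST_URL" | filter_cidrs > "$new"
  if ! [ -s "$new" ]; then
    echo "downloaded list is empty, keeping the current set" >&2
    rm -f "$new"; return 1
  fi
  build_restore_script "$new" | ipset restore -exist
  mv "$new" "$ZONE_FILE"
  echo "$SET_NAME now holds $(ipset list "$SET_NAME" | sed -n 's/^Number of entries: //p') entries"
}

if [ "${1:-}" = "--apply" ]; then
  refresh_blockip
fi
```

Run it as root with `./blockip.sh --apply` from cron; without the flag it only defines the functions, which is handy for checking a list with `filter_cidrs < file`.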