2025-03-31 Update From: SLTechnology News&Howtos > Servers
Shulou(Shulou.com)06/01 Report--
Many people new to Linux are unsure how to block IP addresses in bulk. This article explains why plain iptables rules do not scale to large block lists and how IP sets solve the problem.
The problem with netfilter/iptables
In Linux you can block a single IP address with one netfilter/iptables rule:
The code is as follows:
$ sudo iptables -A INPUT -s 1.1.1.1 -p tcp -j DROP
If the addresses form a contiguous block, a single rule with a CIDR prefix covers them all:
The code is as follows:
$ sudo iptables -A INPUT -s 1.1.2.0/24 -p tcp -j DROP
But what do you do with 1000 unrelated IP addresses that share no CIDR (classless inter-domain routing) prefix? You would need 1000 iptables rules, and every packet entering the INPUT chain is compared against each of them in turn, so this clearly does not scale to large block lists:
The code is as follows:
$ sudo iptables -A INPUT -s 1.1.1.1 -p tcp -j DROP
$ sudo iptables -A INPUT -s 2.2.2.2 -p tcp -j DROP
$ sudo iptables -A INPUT -s 3.3.3.3 -p tcp -j DROP
. . . .
What is an IP set?
This is where IP sets come in. An IP set is a kernel feature that stores many (unrelated) IP addresses, networks, MAC addresses or even port numbers in an efficient bitmap or hash data structure inside the kernel. Once a set exists, a single iptables rule can match against it.
The benefit is immediate: one iptables rule matches every address in the set, a set can hold addresses and port numbers together, and entries can be added or removed at any time while the rule stays in place, without reloading the firewall and without the linear rule-by-rule lookup cost.
Install IPset tools in Linux
To create and manage IP sets, you need to use a user space tool called ipset.
To install on Debian, Ubuntu, or Linux Mint:
The code is as follows:
$ sudo apt-get install ipset
Install on Fedora or CentOS/RHEL 7:
The code is as follows:
$ sudo yum install ipset
Use the ipset command to block IPs
Let me show how the ipset command works with a simple example.
First, create a new IP set called banthis (any name will do):
The code is as follows:
$ sudo ipset create banthis hash:net
The second argument (hash:net) is required and specifies the set type. There are many set types; hash:net stores CIDR blocks in a hash table. To store only individual IP addresses, use the hash:ip type.
Once the set exists, inspect it with:
The code is as follows:
$ sudo ipset list
This prints every IP set on the system, including its parameters and members. By default a hash set holds at most 65536 elements (CIDR blocks, in this case). You can raise the limit with the "maxelem N" option, but only at creation time: ipset create refuses to recreate a set that already exists, so to enlarge banthis you would destroy it first and then create it again with the larger limit:
The code is as follows:
$ sudo ipset create banthis hash:net maxelem 1000000
Now add some IP blocks to the set:
The code is as follows:
$ sudo ipset add banthis 1.1.1.1/32
$ sudo ipset add banthis 1.1.2.0/24
$ sudo ipset add banthis 1.1.3.0/24
$ sudo ipset add banthis 1.1.4.10/24
The host bits of the last entry are masked off, so it is stored as 1.1.4.0/24. Listing the set again shows the new members:
The code is as follows:
$ sudo ipset list
Now create an iptables rule that uses the set. The key is the "-m set --match-set" option.
The following rule drops TCP traffic from the blocks above to port 80 (the web server). The "src" keyword tells the match to compare the packet's source address against the set, and -I inserts the rule at the top of the INPUT chain so that it is evaluated before any earlier ACCEPT rules:
The code is as follows:
$ sudo iptables -I INPUT -m set --match-set banthis src -p tcp --destination-port 80 -j DROP
If you prefer, you can save a set to a file and restore it later:
The code is as follows:
$ sudo ipset save banthis -f banthis.txt
$ sudo ipset destroy banthis
$ sudo ipset restore -f banthis.txt
Here the destroy command deletes the existing set to demonstrate that it can be restored from the file. Note that a set referenced by a live iptables rule cannot be destroyed (ipset reports that it is in use by a kernel component), so delete the rule first; likewise, restore fails on its create line if a set of the same name still exists.
Automatically loading IP blacklists
By now the power of IP sets should be clear. Maintaining an IP blacklist by hand is tedious and time-consuming, and many free and paid services publish ready-made lists. As a bonus, let's look at how to load such a list into an IP set automatically.
First, let's get a free blacklist from iblocklist.com, which offers both free and paid lists. The free lists are distributed in P2P format.
Next, use the open source Python tool iblocklist2ipset to convert a P2P blacklist into ipset format.
First install pip (refer to a pip installation guide for your distribution).
Then install iblocklist2ipset:
The code is as follows:
$ sudo pip install iblocklist2ipset
On some distributions, such as Fedora, the command is:
The code is as follows:
$ sudo python-pip install iblocklist2ipset
Now go to iblocklist.com and copy the URL of any P2P list (for example the "level1" list), then paste it into the following command:
The code is as follows:
$ iblocklist2ipset generate \
    --ipset banthis "http://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=p2p&archiveformat=gz" \
    > banthis.txt
After the command finishes you will have a file called banthis.txt whose contents look like this:
The code is as follows:
create banthis hash:net family inet hashsize 131072 maxelem 237302
add banthis 1.2.4.0/24
add banthis 1.2.8.0/24
add banthis 1.9.75.8/32
add banthis 1.9.96.105/32
add banthis 1.9.102.251/32
add banthis 1.9.189.65/32
add banthis 1.16.0.0/14
Load the file with ipset restore. Because the file begins with a create line, destroy any existing set called banthis first (after removing the iptables rule that references it), or the restore aborts:
The code is as follows:
$ sudo ipset restore -f banthis.txt
Now view the automatically created set:
The code is as follows:
$ sudo ipset list banthis
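The converter and the restore step above are the two parts a practitioner usually wants under their own control: expanding the P2P "first-last" ranges into CIDR blocks, and reloading the set without a moment in which the iptables rule matches an empty or half-filled set. The script below is an added example written for this article; it is not the iblocklist2ipset tool and not code from iblocklist.com. It assumes IPv4-only P2P lines of the form label:first_ip-last_ip, the set name banthis and the maxelem value 1000000 from the article, and the hypothetical file name p2p2ipset.py. The sample list embedded in it is constructed, not a real download. Instead of adding into the live set it fills a scratch set and then uses ipset's swap command, which exchanges the contents of two sets in one kernel operation.

```python
"""Turn an iblocklist-style P2P range list into an 'ipset restore' script.

Added example: this is my own converter, not the iblocklist2ipset tool the
article installs. It assumes IPv4 ranges of the form 'label:first-last',
one per line, with '#' comments and blank lines ignored.
"""
import ipaddress
import sys
from typing import Iterable, List

# Constructed sample in P2P format; it is not a real iblocklist download.
SAMPLE_P2P = """\
# constructed test data
Bogon:1.2.4.0-1.2.4.255
Scanner:1.9.75.8-1.9.75.8
Hoster:1.16.0.0-1.19.255.255
Odd range:10.0.0.5-10.0.0.9
"""

# Fixed (value taken from the article) so repeated restores with -exist see an
# identical 'create' line; changing it means destroying the live set first.
MAXELEM = 1000000


def parse_p2p(lines: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Expand every first-last range into the minimal list of CIDR blocks."""
    nets: List[ipaddress.IPv4Network] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # The label may itself contain ':', so split on the last colon.
        label, colon, rng = line.rpartition(":")
        first_s, dash, last_s = rng.partition("-")
        if not colon or not label or not dash:
            raise ValueError(f"line {lineno}: malformed P2P entry {line!r}")
        first = ipaddress.IPv4Address(first_s.strip())
        last = ipaddress.IPv4Address(last_s.strip())
        if last < first:
            raise ValueError(f"line {lineno}: range end precedes start")
        # e.g. 10.0.0.5-10.0.0.9 -> 10.0.0.5/32, 10.0.0.6/31, 10.0.0.8/31
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets


def build_restore_script(nets: Iterable[ipaddress.IPv4Network], set_name: str) -> str:
    """Emit 'ipset restore' commands that load the blocks without a gap.

    Entries go into a scratch set that is then swapped with the live set in
    one kernel operation, so an iptables rule matching set_name never sees an
    empty or half-loaded set. Run the output with 'ipset restore -exist' so
    the 'create' lines succeed when the sets already exist.
    """
    tmp = f"{set_name}_tmp"
    out = [
        f"create {set_name} hash:net family inet maxelem {MAXELEM}",
        f"create {tmp} hash:net family inet maxelem {MAXELEM}",
        f"flush {tmp}",
    ]
    # Merge overlapping and adjacent blocks so duplicates never abort the load.
    for net in ipaddress.collapse_addresses(nets):
        out.append(f"add {tmp} {net}")
    out.append(f"swap {tmp} {set_name}")
    out.append(f"destroy {tmp}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python3 p2p2ipset.py banthis < list.p2p | sudo ipset restore -exist
    # With no piped input the constructed sample is converted instead.
    name = sys.argv[1] if len(sys.argv) > 1 else "banthis"
    source = SAMPLE_P2P.splitlines() if sys.stdin.isatty() else sys.stdin
    sys.stdout.write(build_restore_script(parse_p2p(source), name))
```

Because the iptables rule refers to the set by name, the swap takes effect for the very next packet and the old contents end up in banthis_tmp, which the last line discards. Two caveats: the -exist flag only tolerates a pre-existing set whose parameters are identical, so if banthis was created earlier with other settings you must delete the rule, destroy the set and load again; and the converter does not fetch anything, so download the list with your usual tool and pipe the file in.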
That covers how to block IP addresses in batch on Linux: one iptables rule matching an IP set replaces thousands of per-address rules, and the set can be refilled from a published blacklist without touching the rule.
© 2024 shulou.com SLNews company. All rights reserved.