Shulou(Shulou.com)06/01 Report--

It is believed that many inexperienced people don't know what to do about how to block IP addresses in batches in Linux. Therefore, this article summarizes the causes and solutions of the problem. Through this article, I hope you can solve this problem.

The problem with Netfilter/IPtables

In Linux, you can simply use the netfilter/iptables framework to disable IP addresses:

The code is as follows:

$sudo iptables-An INPUT-s 1.1.1.1-p TCP-j DROP

If you want to completely block an IP address field, you can simply do it with the following command:

The code is as follows:

$sudo iptables-An INPUT-s 1.1.2.0 24-p TCP-j DROP

However, what do you do when you have 1000 separate IP addresses without the CIDR (classless inter-domain routing) prefix? You have to have 1000 iptable rules! This is obviously not suitable for large-scale shielding.

The code is as follows:

$sudo iptables-An INPUT-s 1.1.1.1-p TCP-j DROP

$sudo iptables-An INPUT-s 2.2.2.2-p TCP-j DROP

$sudo iptables-An INPUT-s 3.3.3.3-p TCP-j DROP

. . . .

What is an IP set?

This is the time for the IP episode to debut. The IP set is a kernel feature that allows multiple (independent) IP addresses, MAC addresses, or even port numbers to be encoded and efficiently stored in bitmap / hash kernel data structures. Once the IP set is created, you can create an iptables rule to match the set.

You will soon see the benefits of the IP collection, which allows you to match multiple ip addresses with a single iptable rule! You can construct IP sets with multiple IP addresses and port numbers, and you can update rules dynamically without performance impact.

Install IPset tools in Linux

To create and manage IP sets, you need to use a user space tool called ipset.

To install on Debian, Ubuntu, or Linux Mint:

The code is as follows:

$sudo apt-get install ipset

Install on Fedora or CentOS/RHEL 7:

The code is as follows:

$sudo yum install ipset

Use the IPset command to disable IP

Let me show you how to use the ipset command with a simple example.

First, let's create a new IP set called banthis (any name):

The code is as follows:

$sudo ipset create banthis hash:net

The second parameter (hash:net) is required and represents the type of collection. There are multiple types of IP sets. IP sets of type hash:net use hashes to store multiple CIDR blocks. If you want to store individual IP addresses in a collection, you can use the hash:ip type.

Once you have created an IP set, you can check it with the following command:

The code is as follows:

$sudo ipset list

This shows a list of available IP collections with details containing the members of the collection. By default, each IP collection can contain 65536 elements (in this case, CIDR blocks). You can increase the limit by adding the "maxelem N" option.

The code is as follows:

$sudo ipset create banthis hash:net maxelem 1000000

Now let's add IP blocks to this collection:

The code is as follows:

$sudo ipset add banthis 1.1.1.1 Compact 32

$sudo ipset add banthis 1.1.2.0 Compact 24

$sudo ipset add banthis 1.1.3.0 Compact 24

$sudo ipset add banthis 1.1.4.10 Universe 24

You will see that the assembly members have changed.

The code is as follows:

$sudo ipset list

Now it's time to create an iptables rule that uses the IP set. The key here is to use the "- m set-- match-set" option.

Now let's create an iptable rule that prevents the previous IP blocks from accessing the web service through port 80. You can use the following command:

The code is as follows:

$sudo iptables-I INPUT-m set-match-set banthis src-p tcp-destination-port 80-j DROP

If you prefer, you can save a specific IP set to a file and restore it later from the file:

The code is as follows:

$sudo ipset save banthis-f banthis.txt

$sudo ipset destroy banthis

$sudo ipset restore-f banthis.txt

In the above command, I used the destory option to delete an existing IP set to see if I could restore it.

Automatic IP address disable

By now you should see the power of the IP collection. Maintaining IP blacklists is a tedious and time-consuming task. In fact, there are many free or fee-based services that can help you do this. As an added benefit, let's look at how to automatically add the IP blacklist to the IP set.

First of all, let's get a free blacklist from iblocklist.com, which has different free and paid lists. The free version is in P2P format.

Next I'm going to use an open source Python tool called iblocklist2ipset to convert P2P blacklists into IP sets.

First, you need to install pip (refer to this guide to install pip).

Use the following command to install iblocklist2ipset.

The code is as follows:

$sudo pip install iblocklist2ipset

In some distributions such as Fedora, you may need to run:

The code is as follows:

$sudo python-pip install iblocklist2ipset

Now go to iblocklist.com and grab the URL of any P2P list (such as the "level1" list).

Paste URL into the following command.

The code is as follows:

$iblocklist2ipset generate\

-- ipset banthis "http://list.iblocklist.com/?list=ydxerpxkpcfqjaybcssw&fileformat=p2p&archiveformat=gz"\

> banthis.txt

After the above command runs, you will get a file called banthis.txt. If you look at its contents, you will see something like this:

The code is as follows:

Create banthis hash:net family inet hashsize 131072 maxelem 237302

Add banthis 1.2.4.0/24

Add banthis 1.2.8.0/24

Add banthis 1.9.75.8/32

Add banthis 1.9.96.105/32

Add banthis 1.9.102.251/32

Add banthis 1.9.189.65/32

Add banthis 1.16.0.0/14

You can load this file with the following ipset command:

The code is as follows:

$sudo ipset restore-f banthis.txt

You can now view the automatically created IP set:

The code is as follows:

$sudo ipset list banthis

After reading the above, have you mastered how to block IP addresses in batch in Linux? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.