Detailed explanation of the use of ipset command in linux

2025-03-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Ipset introduction

iptables is a user-space tool for configuring firewall rules in the Linux kernel; it is the user-space front end of the netfilter framework. Because iptables is the most visible part of netfilter, the whole framework is often referred to simply as iptables. iptables has been the Linux firewall solution since kernel 2.4.

ipset is an extension to iptables that lets you write rules matching whole sets of addresses (address sets). Unlike ordinary iptables chains, which are stored and scanned linearly, IP sets are stored in indexed data structures, so lookups stay efficient even when a set is large.

Beyond common uses such as blocking dangerous hosts from reaching the local machine (which saves system resources and reduces network congestion), ipset also enables new firewall designs and simplifies configuration.

Official website: http://ipset.netfilter.org/

Installation

rpm -ivh libmnl-devel-1.0.2-3.el6.x86_64.rpm libmnl-1.0.2-3.el6.x86_64.rpm
tar xvf ipset-6.24.tar.bz2
cd ipset-6.24
./configure
make
make install

Note:

On CentOS 6.6 and some other systems, ./configure fails with the following error:

configure: error: Invalid kernel source directory /lib/modules/2.6.32-358.el6.x86_64/source

Solution: install the kernel source package kernel-devel-2.6.32-358.el6.x86_64.rpm (the one matching the running kernel).

Create ipset

ipset -N or ipset create:

n, create SETNAME TYPENAME [CREATE-OPTIONS]

SETNAME is the name of the set to create, and TYPENAME is the type of the set:

TYPENAME := method:datatype[,datatype[,datatype]]

The method specifies how entries in the set are stored, and the datatype(s) that follow define the format of each entry.

Methods that can be used:

bitmap, hash, list

Datatypes that can be used:

ip, net, mac, port, iface

Add record

ipset add adds records to a set:

add SETNAME ADD-ENTRY [ADD-OPTIONS]

When you add an entry to a set, the format of the entry must match the type specified when the set was created.

$ ipset create foo hash:ip,port,ip
$ ipset add foo ipaddr,portnum,ipaddr
$ ipset list foo
Name: foo
Type: hash:ip,port,ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16584
References: 0
Members:
192.168.1.2

Delete record

ipset del deletes records from a set:

del SETNAME DEL-ENTRY [DEL-OPTIONS]

Query record

ipset test checks whether a given entry is in the set:

test SETNAME TEST-ENTRY [TEST-OPTIONS]

ipset list shows the full contents of a set (or of all sets if no name is given):

list [SETNAME] [OPTIONS]

Export and import

ipset save exports a set (or all sets) in a form that can be loaded back:

save [SETNAME]

ipset restore imports the exported content.

Other

flush [SETNAME]
Flush all entries from the specified set, or flush all sets if none is given.

e, rename SETNAME-FROM SETNAME-TO
Rename a set. The set identified by SETNAME-TO must not exist.

w, swap SETNAME-FROM SETNAME-TO
Swap the content of two sets, or in other words, exchange the names of two sets. Both sets must exist, and only sets of identical type can be swapped.

help [TYPENAME]
Print help, and set-type-specific help if TYPENAME is specified.

version
Print the program version.

-
If a dash is specified as the command, ipset enters a simple interactive mode and reads commands from standard input. The interactive mode is ended by entering the pseudo-command quit.

Using ipset in iptables

The set match module is enabled with -m set in iptables, for example:

-A POSTROUTING -m set --match-set felix-masq-ipam-pools src -m set ! --match-set felix-all-ipam-pools dst -j MASQUERADE

The set match module of iptables:

set
This module matches IP sets which can be defined by ipset(8).
[!] --match-set setname flag[,flag]...
where flags are the comma-separated list of src and/or dst specifications, and there can be no more than six of them. Hence the command iptables -A FORWARD -m set --match-set test src,dst ...

Sets can also be manipulated from a TARGET:

SET
This module adds and/or deletes entries from IP sets which can be defined by ipset(8).
--add-set setname flag[,flag...]
Add the address(es)/port(s) of the packet to the set.
--del-set setname flag[,flag...]
Delete the address(es)/port(s) of the packet from the set,
where flag(s) are src and/or dst specifications and there can be no more than six of them.

All options of the set match and the SET target are documented in man iptables-extensions.
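The create, add, swap and restore commands above, and the -m set match, combine into one common defensive pattern: reloading a blocklist atomically so the firewall never matches against a half-filled set. The script below is an added example, not part of the original article; it generates an ipset restore script (to be fed to ipset -exist restore, where -exist keeps the create lines idempotent) from a constructed sample feed, validates each entry, and prints the matching iptables rule. The set name blocklist and the feed contents are assumptions.

```shell
#!/bin/sh
# Generate an "ipset restore" script that reloads a blocklist atomically:
# fill a temporary set, swap it with the live set, then destroy the temp set.
# Usage: gen_restore SETNAME < feed | ipset -exist restore

# Constructed sample feed (not a real threat feed): one address or CIDR per
# line, plus a comment and a malformed line that must be skipped.
SAMPLE_FEED='203.0.113.0/24
198.51.100.7
# comment line
bad entry
192.0.2.0/25'

# gen_restore SETNAME  (feed on stdin, restore script on stdout,
# rejected lines reported on stderr)
gen_restore() {
    set_name=$1
    tmp_set="${set_name}_tmp"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$set_name"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$tmp_set"
    printf 'flush %s\n' "$tmp_set"
    # Accept only dotted-quad IPv4 with an optional /0-/32 prefix.
    awk -v set="$tmp_set" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            n = split($1, p, "/")
            ok = (n <= 2 && split(p[1], o, ".") == 4)
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) ok = 0
            for (i = 1; ok && i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (ok) print "add " set " " $1
            else print "skipping invalid entry: " $0 > "/dev/stderr"
        }'
    # swap exchanges the two sets atomically, so rules referencing SETNAME
    # switch from the old list to the new one in a single step.
    printf 'swap %s %s\n' "$tmp_set" "$set_name"
    printf 'destroy %s\n' "$tmp_set"
}

# Rule that drops traffic whose source is in the set (assumed placement: INPUT).
drop_rule() {
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Stand-alone demo: show the generated restore script and the firewall rule.
printf '%s\n' "$SAMPLE_FEED" | gen_restore blocklist
drop_rule blocklist
```

Because the live set is only ever replaced by swap, an ipset rule in INPUT keeps matching the previous list while the new one is being loaded.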

Summary

That is the whole content of this article. I hope it has some reference and learning value for your study or work; if you have any questions, please leave a message, and thank you for your support.
