1. Introduction

        The ipset command manages the IP sets module in the kernel, much as iptables manages netfilter. Taken literally, an ipset is a set of IP addresses, but a set can actually hold IP addresses, whole subnets, port numbers (TCP/UDP), MAC addresses, network interface names, or combinations of these. ipset exists mainly to be used from iptables: it makes rules more flexible and keeps rulesets small. You may have run into the following inconveniences when using iptables alone:

        1. To apply the same rule to a batch of IP addresses or ports you have to create one iptables rule per address or port. A table can grow very large this way, with rules that look almost identical.

        2. To apply an existing rule to one more address or port you have to add another rule, and to stop applying it to one of them you have to delete that rule. Day-to-day changes become tedious and error-prone.

ipset solves both problems:

        1. To apply a rule to a batch of addresses or ports, put them in one set and write a single iptables rule that matches against the set (the set match: -m set --match-set SETNAME src).

        2. To change which addresses or ports the rule covers, add to or delete from the set; the iptables table is not touched, and the change applies to the next packet the rule sees.
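The workflow the two points above describe, as an added example that is not part of the original article: a small POSIX shell script that keeps one hash:net block list, installs exactly one iptables rule referencing it, and from then on only ever touches the set. The set name blocklist, the INPUT chain and the DROP target are assumptions for the demo; ipset and iptables are reached through the IPSET and IPTABLES variables so the script can be dry-run with IPSET=echo IPTABLES=echo. Real use needs root and the set match (iptables -m set).

```shell
#!/bin/sh
# Added example (not from the original article): one iptables rule referencing
# an ipset, plus helpers that only ever modify the set.
# Assumptions: set name "blocklist", chain INPUT, target DROP; IPSET/IPTABLES
# point at the real binaries unless overridden (IPSET=echo for a dry run).
set -eu

IPSET=${IPSET:-ipset}
IPTABLES=${IPTABLES:-iptables}
SET_NAME=${SET_NAME:-blocklist}

# Create the set if missing; -exist makes this safe to run repeatedly.
ensure_set() {
    "$IPSET" create "$SET_NAME" hash:net family inet hashsize 1024 maxelem 65536 -exist
}

# Install the single DROP rule unless it is already present (-C checks).
ensure_rule() {
    "$IPTABLES" -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        "$IPTABLES" -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Accept only a.b.c.d or a.b.c.d/n (0 <= octet <= 255, 0 <= n <= 32).
# Rejecting malformed input here keeps typos and injected garbage out of the set.
valid_cidr() {
    addr=${1%/*}
    plen=${1#*/}
    [ "$plen" = "$1" ] && plen=32          # no "/": a single host
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -f; set -- $addr; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Block / unblock a network: only the set changes, the iptables table does not.
block() {
    valid_cidr "$1" || { echo "refusing malformed entry: $1" >&2; return 1; }
    "$IPSET" add "$SET_NAME" "$1" -exist
}

unblock() {
    "$IPSET" del "$SET_NAME" "$1" -exist
}

# Exit status 0 if the address is covered by the set, non-zero otherwise
# (-q silences the "is in set" / "is NOT in set" message).
is_blocked() {
    "$IPSET" -q test "$SET_NAME" "$1"
}

# Usage: blocklist.sh setup | block NET | unblock NET | check IP
case "${1:-}" in
    setup)   ensure_set; ensure_rule ;;
    block)   ensure_set; block "$2" ;;
    unblock) unblock "$2" ;;
    check)   is_blocked "$2" && echo "$2 is blocked" || echo "$2 is not blocked" ;;
    *)       ;;   # no arguments: just define the functions (e.g. when sourced)
esac
```

Run setup once; after that every block and unblock call is a single set operation, and `check` reuses the exit status of ipset test in the shell. The input check matters because these commands are usually fed from automation (threat feeds, log parsers), and a malformed line should fail loudly rather than end up in a kernel-side list.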

2. Basic ipset commands and usage

Synopsis:

    ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]

    COMMANDS := { create | add | del | test | destroy | list | save | restore |
                  flush | rename | swap | help | version | - }
    OPTIONS  := { -exist | -output { plain | save | xml } | -quiet | -resolve |
                  -sorted | -name | -terse | -file filename }

    ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]
    ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
    ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
    ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
    ipset destroy [ SETNAME ]
    ipset list [ SETNAME ]
    ipset save [ SETNAME ]
    ipset restore
    ipset flush [ SETNAME ]
    ipset rename SETNAME-FROM SETNAME-TO
    ipset swap SETNAME-FROM SETNAME-TO
    ipset help [ TYPENAME ]
    ipset version
    ipset -
Commands:

n, create SETNAME TYPENAME [ CREATE-OPTIONS ]

        Create a new set with the given name and type. With -exist, creating a set that already exists is not an error, provided the existing set has exactly the same type and create parameters.

add SETNAME ADD-ENTRY [ ADD-OPTIONS ]

        Add an entry to the set SETNAME. With -exist, adding an entry that is already in the set is not an error.

del SETNAME DEL-ENTRY [ DEL-OPTIONS ]

        Delete an entry from the set SETNAME. With -exist, deleting an entry that is not in the set is not an error.

test SETNAME TEST-ENTRY [ TEST-OPTIONS ]

        Test whether an entry is in the set. The exit status is 0 if it is and non-zero if it is not, so the command can be used directly in shell conditions. It also prints a "Warning: ... is in set ..." or "... is NOT in set ..." line unless -quiet (-q) is given.

x, destroy [ SETNAME ]

        Destroy the given set, or all sets if none is given. A set that is still referenced (by an iptables rule, or by a list:set set) cannot be destroyed and is left untouched; the References: line of ipset list shows the count.

list [ SETNAME ] [ OPTIONS ]

        List the header and the entries of the given set, or of all sets if none is given. -sorted sorts the entries; -terse prints only the headers (useful for large sets); -name prints only the set names; -output selects the format:
    # create a set named test
    ~ # ipset create test hash:ip
    # add 114.114.114.114 to it
    ~ # ipset add test 114.114.114.114
    # plain-text output
    ~ # ipset list test -output plain
    Name: test
    Type: hash:ip
    Revision: 4
    Header: family inet hashsize 1024 maxelem 65536
    Size in memory: 8264
    References: 0
    Members:
    114.114.114.114
    # save-format output (what ipset save emits and ipset restore reads)
    ~ # ipset list test -output save
    create test hash:ip family inet hashsize 1024 maxelem 65536
    add test 114.114.114.114
    # XML output
    ~ # ipset list test -output xml
    <ipsets>
    <ipset name="test">
    <type>hash:ip</type>
    <revision>4</revision>
    <header><family>inet</family><hashsize>1024</hashsize><maxelem>65536</maxelem>
    <memsize>8264</memsize>
    <references>0</references>
    </header>
    <members>
    <member><elem>114.114.114.114</elem></member>
    </members>
    </ipset>
    </ipsets>
save [ SETNAME ]

        Save the given set, or all sets if none is given, in the format ipset restore reads back. Without -file the output goes to standard output; with -file it goes to the named file. restore reads the same format from standard input or from -file. Restoring onto a machine where the set already exists needs -exist (ipset -exist restore), otherwise the create line fails.
    ~ # ipset save test -file /tmp/234
    ~ # ipset restore -file /tmp/234
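The save/restore pair is also how a large list is loaded in one kernel round trip instead of thousands of separate add calls. As an added example (not from the original article), the script below turns a plain text list of networks (one per line, "#" comments allowed) into restore-format add lines, loads them into a temporary set, and then uses swap (described further down) to put that set into place, so rules referencing blocklist never see a half-loaded or empty set. The set names blocklist and blocklist_tmp and the hash:net parameters are assumptions; IPSET=echo gives a dry run, and the sample list used in testing is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): bulk-load a network list
# through 'ipset restore' into a staging set, then atomically 'swap' it in.
# Assumptions: live set "blocklist", staging set "blocklist_tmp", type hash:net;
# IPSET=echo for a dry run.
set -eu

IPSET=${IPSET:-ipset}
SET_NAME=${SET_NAME:-blocklist}
TMP_SET=${TMP_SET:-${SET_NAME}_tmp}
SET_TYPE="hash:net family inet hashsize 1024 maxelem 65536"

# Convert "one network per line" text into restore-format add lines.
# Comments (#...) and blank lines are dropped; everything else is passed
# through, so a malformed line makes 'restore' fail instead of being skipped.
build_restore_file() {
    in=$1; out=$2
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$in" \
        | sed "s|^|add $TMP_SET |" > "$out"
}

# Load into the staging set, then swap. 'set -e' stops at a failing restore
# (e.g. a bad CIDR) or at a create that conflicts with an existing set of a
# different type, so the live set is never left half-updated.
reload_set() {
    file=$1
    "$IPSET" create "$SET_NAME" $SET_TYPE -exist   # live set must exist for swap
    "$IPSET" create "$TMP_SET" $SET_TYPE -exist
    "$IPSET" flush "$TMP_SET"                      # drop leftovers from a failed run
    "$IPSET" restore < "$file"
    "$IPSET" swap "$TMP_SET" "$SET_NAME"           # rules see the new list atomically
    "$IPSET" destroy "$TMP_SET"                    # now holds the old contents
}

# Usage: reload.sh networks.txt
if [ $# -eq 1 ]; then
    restore_file=$(mktemp)
    build_restore_file "$1" "$restore_file"
    reload_set "$restore_file"
    rm -f "$restore_file"
fi
```

The staging set is never referenced by any rule, so it can be flushed and destroyed freely; the live set is only ever replaced as a whole by the swap, which is the property you want for a block list that is refreshed from an external feed.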
flush [ SETNAME ]

        Remove all entries from the given set, or from all sets if none is given. The set itself, and any rule referencing it, stays in place.

e, rename SETNAME-FROM SETNAME-TO

        Rename a set:
    ~ # ipset rename test test1

w, swap SETNAME-FROM SETNAME-TO

        Swap the contents (and headers) of two sets. Both sets must exist and be of compatible types. Because iptables rules reference sets by name, swap is the way to replace a set's contents atomically: build the new contents in a temporary set, swap, then destroy the temporary set; the rules never see an empty or half-loaded set.

Other options:

timeout

        Sets the default timeout for entries added to the set; an entry is removed automatically once it has been in the set longer than its timeout. Per-entry timeouts are only accepted in a set that was created with the timeout option, and an explicit timeout on add overrides the set default. A timeout of 0 means the entry never expires.
    # entries added to test expire after 300 s by default
    ipset create test hash:ip timeout 300
    # this entry overrides the default and is removed after 60 s
    ipset add test 192.168.0.1 timeout 60
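A worked use of timeouts, added here as an example that is not part of the original article: a dynamic SSH ban list. Failed logins are counted per source address from auth-log lines (the lines embedded below are constructed, not real), and every address at or above a threshold is added with a 600 s timeout, so bans expire without a cleanup job. The set name sshban, the threshold and the 600 s are assumptions; ipset is reached through the IPSET variable so the script can be dry-run with IPSET=echo.

```shell
#!/bin/sh
# Added example (not from the original article): temporary bans driven by
# failed-login counts, using per-entry timeouts so bans expire by themselves.
# Assumptions: set name "sshban", ban length 600 s; IPSET=echo for a dry run.
set -eu

IPSET=${IPSET:-ipset}
BAN_SET=${BAN_SET:-sshban}
BAN_SECONDS=${BAN_SECONDS:-600}

# The set must be created with timeout support, otherwise per-entry
# timeouts are rejected; 'timeout N' here is the default for new entries.
ensure_ban_set() {
    "$IPSET" create "$BAN_SET" hash:ip timeout "$BAN_SECONDS" -exist
}

# Constructed sample auth log for the demo (not real data).
sample_log() {
    cat <<'EOF'
Jan 10 10:00:01 host sshd[1001]: Failed password for root from 198.51.100.7 port 51234 ssh2
Jan 10 10:00:03 host sshd[1002]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Jan 10 10:00:05 host sshd[1003]: Accepted publickey for alice from 192.0.2.9 port 40000 ssh2
Jan 10 10:00:07 host sshd[1004]: Failed password for root from 198.51.100.7 port 51250 ssh2
Jan 10 10:00:08 host sshd[1005]: Failed password for root from 192.0.2.9 port 40002 ssh2
Jan 10 10:00:09 host sshd[1006]: Failed password for invalid user test from 198.51.100.7 port 51260 ssh2
EOF
}

# Read log lines on stdin, print each source IP with at least $1 failures.
# The address is taken from the LAST "from" on the line: usernames are
# attacker-controlled and are logged verbatim, so a name containing "from"
# must not be able to shift which field is treated as the address.
offenders() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = NF; i > 1; i--)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip }
    ' | sort
}

# Ban every offender. The explicit timeout overrides the set default, and
# re-adding an already banned address with -exist refreshes its timer on
# current kernels, so a persistent attacker stays banned.
ban_from_log() {
    offenders "$1" | while read -r ip; do
        "$IPSET" add "$BAN_SET" "$ip" timeout "$BAN_SECONDS" -exist
    done
}

# Usage: ban.sh run [THRESHOLD] < /var/log/auth.log
if [ "${1:-}" = "run" ]; then
    ensure_ban_set
    ban_from_log "${2:-3}"
fi
```

Pair the set with a rule such as iptables -I INPUT -p tcp --dport 22 -m set --match-set sshban src -j DROP; the rule never changes, only the set does, and ipset list sshban shows the remaining seconds on each entry.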

Set types:

bitmap:ip

CREATE-OPTIONS := range fromip-toip|ip/cidr [ netmask cidr ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := { ip | fromip-toip | ip/cidr }
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := { ip | fromip-toip | ip/cidr }
TEST-ENTRY := ip

        A bitmap:ip set stores IPv4 addresses from a fixed range, one bit per address. The range is fixed at create time and may cover at most 65536 addresses (a /16); entries outside it are rejected, and memory is proportional to the range rather than to the number of members (compare the 92 bytes for a /24 range with the 8252 bytes for a /16 below). ipset accepts abbreviated dotted addresses: 192.168.1/24 in example 1 is read as 192.168.0.1/24, i.e. the network 192.168.0.0/24, which is why it fits the range, and 192.168.5/24 in example 4 likewise ends up as 192.168.0.0/24, not 192.168.5.0/24.

Examples (range fromip-toip | ip/cidr):
    # example 1
    ~ # ipset create test3 bitmap:ip range 192.168.0.1-192.168.0.255
    ~ # ipset add test3 192.168.1/24
    ~ # ipset list test3
    Name: test3
    Type: bitmap:ip
    Revision: 3
    Header: range 192.168.0.1-192.168.0.255
    Size in memory: 92
    References: 0
    Members:
    192.168.0.1
    ...
    192.168.0.255
    # example 2
    ~ # ipset create test4 bitmap:ip range 192.168.0.1-192.168.0.100
    ~ # ipset add test4 192.168.0/24
    ipset v7.15: Element is out of the range of the set
    ~ # ipset add test4 192.168.0.100
    ~ # ipset list test4
    Name: test4
    Type: bitmap:ip
    Revision: 3
    Header: range 192.168.0.1-192.168.0.100
    Size in memory: 76
    References: 0
    Members:
    192.168.0.100
    # example 3
    ~ # ipset create test5 bitmap:ip range 192.168.1.0/16
    ~ # ipset add test5 192.168.1/16
    ~ # ipset list test5
    Name: test5
    Type: bitmap:ip
    Revision: 3
    Header: range 192.168.0.0-192.168.255.255
    Size in memory: 8252
    References: 0
    Members:
    192.168.0.1
    ...
    192.168.0.255
    ...
    192.168.255.255
    # example 4
    ~ # ipset create test6 bitmap:ip range 192.168.1.0/16
    ~ # ipset add test6 192.168.5/24
    ~ # ipset list test6
    Name: test6
    Type: bitmap:ip
    Revision: 3
    Header: range 192.168.0.0-192.168.255.255
    Size in memory: 8252
    References: 0
    Members:
    192.168.0.1
    ...
    192.168.0.255
bitmap:ip,mac

CREATE-OPTIONS := range fromip-toip|ip/cidr [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ip[,macaddr]
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ip[,macaddr]
TEST-ENTRY := ip[,macaddr]

        Each slot in the range holds a MAC address next to the "present" bit, so the set is large even when empty (532532 bytes for a /16 below). An entry added without a MAC is completed by the kernel with the source MAC of the first packet that matches the IP. Remember that a MAC is trivially spoofed on a LAN: it pins an address to a link-layer neighbour, it does not authenticate anyone.

Example (range fromip-toip|ip/cidr):
    ~ # ipset create test bitmap:ip,mac range 192.168.0.0/16
    ~ # ipset add test 192.168.1.1,12:34:56:78:9A:BC
    ~ # ipset add test 192.168.1.2
    ~ # ipset list test
    Name: test
    Type: bitmap:ip,mac
    Revision: 3
    Header: range 192.168.0.0-192.168.255.255
    Size in memory: 532532
    References: 0
    Members:
    192.168.1.1,12:34:56:78:9A:BC
    192.168.1.2
bitmap:port

CREATE-OPTIONS := range fromport-toport [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := { [proto:]port | [proto:]fromport-toport }
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := { [proto:]port | [proto:]fromport-toport }
TEST-ENTRY := [proto:]port

        One bit per port number in the fixed range; ports outside the range are rejected, as with bitmap:ip. The set stores only port numbers, which the set match interprets as TCP or UDP ports according to the packet being matched.

Example (range [proto:]fromport-toport):
    ~ # ipset create test bitmap:port range 1024-4096
    ~ # ipset add test 30000
    ipset v7.15: Element is out of the range of the set
    ~ # ipset add test 2048
    ~ # ipset list test
    Name: test
    Type: bitmap:port
    Revision: 3
    Header: range 1024-4096
    Size in memory: 436
    References: 0
    Members:
    2048
hash:ip

CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ netmask cidr ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ipaddr
TEST-ENTRY := ipaddr

        Stores individual IPv4 (family inet, the default) or IPv6 (family inet6) addresses in a hash; there is no fixed range, so this is the type to use for arbitrary address lists. hashsize is the initial hash size and maxelem the maximum number of entries; with netmask cidr only the network part of each address is stored and matched.

Example:
    ~ # ipset create test hash:ip
    ~ # ipset add test 192.168.100.1
hash:mac

CREATE-OPTIONS := [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := macaddr
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := macaddr
TEST-ENTRY := macaddr

        Stores MAC addresses; the all-zero MAC cannot be stored. Matching needs the packet to still carry its Ethernet header, so this is useful for traffic received on a local Ethernet interface, and, as noted above, a MAC should be treated as an identifier rather than as authentication.

Example:
    ~ # ipset create test hash:mac
    ~ # ipset add test 01:02:03:04:05:06
    ~ # ipset test test 01:02:03:04:05:06
hash:ip,mac

CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr,macaddr
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ipaddr,macaddr
TEST-ENTRY := ipaddr,macaddr

        Stores IP,MAC pairs; unlike bitmap:ip,mac, both parts must always be given, and a packet matches only if both its address and its MAC agree with an entry.

Example:
    ~ # ipset create test hash:ip,mac
    ~ # ipset add test 1.1.1.1,01:02:03:04:05:06
    ~ # ipset test test 1.1.1.1,01:02:03:04:05:06
hash:net

CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr
TEST-ENTRY := netaddr

        Stores networks of any prefix length (a bare address is a /32, and a fromip-toip range is converted to the covering CIDR blocks). A lookup finds the most specific matching entry. An entry added with nomatch is an exception: packets matching that entry are reported as NOT in the set, so a nomatch /30 inside a /24 carves a hole in the /24.

Example:
    ~ # ipset create test hash:net
    ~ # ipset add test 192.168.0.0/24
    ~ # ipset add test 10.1.0.0/16
    # the same network in abbreviated form: it is already present, so this
    # is rejected unless -exist is given
    ~ # ipset add test 192.168.0/24 -exist
    # exception: addresses in 192.168.0.0/30 are reported as NOT in the set
    ~ # ipset add test 192.168.0/30 nomatch
hash:net,net

CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr,netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr,netaddr
TEST-ENTRY := netaddr,netaddr

        Stores pairs of networks, typically matched as source,destination (--match-set SETNAME src,dst). The most specific pair wins, and nomatch works as for hash:net.

Example:
    ~ # ipset create test hash:net,net
    ~ # ipset add test 192.168.0.0/24,10.0.1.0/24
    ~ # ipset add test 10.1.0.0/16,10.255.0.0/24
    ~ # ipset add test 192.168.0/24,192.168.54.0-192.168.54.255
    ~ # ipset add test 192.168.0/30,192.168.64/30 nomatch
hash:ip,port

CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr,[proto:]port
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := ipaddr,[proto:]port
TEST-ENTRY := ipaddr,[proto:]port

        Stores address,port pairs. If proto is omitted, TCP is assumed; proto may be a name such as tcp, udp, udplite, sctp, icmp or icmpv6, or a protocol number, and for protocols without ports the port part is 0 (vrrp:0 below). Address blocks and port ranges given on add are expanded into individual entries, so 192.168.1.0/24,80-82 creates 256 x 3 = 768 entries that all count against maxelem.

Example:
    ~ # ipset create test hash:ip,port
    ~ # ipset add test 192.168.1.0/24,80-82
    ~ # ipset add test 192.168.1.1,udp:53
    ~ # ipset add test 192.168.1.1,vrrp:0
    ~ # ipset test test 192.168.1.1,80
    Warning: 192.168.1.1,80 is in set test.
