Blocking China with IPSet
You cannot add thousands of IP addresses to iptables by hand, and even doing it automatically is a bad idea because it causes heavy CPU load (or so I have read). Instead, we can use ipset, which is designed for exactly this situation. ipset handles large lists of IP addresses; you simply create a list and then tell iptables to use that list in a rule.
Note: I assume everything below is done as root. If your system is sudo-based, adjust accordingly.
apt-get install ipset
Next, I wrote a small Bash script that does all the work; you should be able to follow it from the comments inside it. Create a file:
nano /etc/block-china.sh
This is what you paste into it:
#!/bin/bash
# Remove any old list that might exist from previous runs of this script
rm -f /etc/cn.zone
# Pull the latest IP set for China; stop here if the download fails, so the
# existing set is left in place rather than emptied
wget -P /etc http://www.ipdeny.com/ipblocks/data/countries/cn.zone || exit 1
# Create the ipset list (-exist: do not fail if the set is already there)
ipset -exist create china hash:net
# Drop stale entries so the set mirrors the freshly downloaded list
ipset flush china
# Add each network from the downloaded list into the ipset 'china'
for i in $(cat /etc/cn.zone); do ipset -exist add china "$i"; done
# Restore iptables
/sbin/iptables-restore < /etc/iptables.firewall.rules
Save the file. Make it executable:
chmod +x /etc/block-china.sh
Nothing has been executed yet; we will run the script in a minute. First, we need to add a rule to iptables that references the new ipset list defined by the script above:
nano /etc/iptables.firewall.rules
Add the following line:
-A INPUT -p tcp -m set --match-set china src -j DROP
Save the file. To be clear, my complete iptables.firewall.rules now looks like this:
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Block anything from China
# These rules are pulled from ipset's china list
# The source file is at /etc/cn.zone (which in turn is generated by a shell script at /etc/block-china.sh )
-A INPUT -p tcp -m set --match-set china src -j DROP
# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
#
# The --dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
Right now nothing has changed on the server, because the new rules have not been applied. To do that, run the block-china.sh script:
/etc/block-china.sh
This will show some output as it pulls down a fresh list of China-based IPs; after a few seconds it finishes and returns you to the command prompt.
To test that it worked, run:
iptables -L
You should now see a new rule blocking China; the output should look like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere match-set china src
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Almost done! This works, and it will keep working across reboots. However, IP addresses change, and the list will go stale over time. To pull and apply an updated IP list, you can run the block-china.sh script again.
We can also have the machine do this automatically with a cron job:
crontab -e
Add a line like this:
0 5 * * * /etc/block-china.sh
This will run /etc/block-china.sh at 5am every day. The user running the script will need to be root or have root privileges.
Resources
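As an added example (not part of the original post), the following script refreshes the same `china` set through `ipset restore` and an atomic `ipset swap` instead of one `ipset add` per network: the whole list is loaded in one operation, the live set is never empty mid-update (the `--match-set china src` rule above keeps working throughout), any line of the downloaded file that is not an IPv4 network is discarded before it reaches ipset, and an empty result is never applied. The zone file contents are constructed here in place of the real /etc/cn.zone.

```shell
#!/bin/sh
# Added example: refresh the 'china' set via `ipset restore` and an atomic swap.

# Print an ipset restore stream: fill a temporary set with every valid IPv4
# network from the zone file, then swap it in place of the live set. Lines that
# are not a.b.c.d or a.b.c.d/n (comments, blanks, garbage) never reach ipset.
build_restore_stream() {
  set_name="$1"; zone_file="$2"; tmp_set="${set_name}_tmp"
  printf 'create %s hash:net -exist\n' "$set_name"
  printf 'create %s hash:net -exist\n' "$tmp_set"
  printf 'flush %s\n' "$tmp_set"
  sed 's/#.*//; s/[[:space:]]//g' "$zone_file" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
    | sed "s/^/add $tmp_set /"
  printf 'swap %s %s\n' "$tmp_set" "$set_name"   # one atomic kernel operation
  printf 'destroy %s\n' "$tmp_set"
}

# Number of 'add' lines in a stream read from stdin (sanity check before applying).
count_adds() { grep -c '^add '; }

main() {
  zone=$(mktemp)
  # Constructed sample zone file standing in for the downloaded /etc/cn.zone;
  # it deliberately contains a comment, a blank line and two invalid entries.
  printf '%s\n' '# constructed sample' '1.0.1.0/24' '' '1.0.2.0/23' \
    'not-an-address' '203.0.113.7' '10.0.0.0/33' > "$zone"
  stream=$(build_restore_stream china "$zone")
  rm -f "$zone"
  if [ "$(printf '%s\n' "$stream" | count_adds)" -eq 0 ]; then
    echo "refusing to apply an empty list" >&2   # a bad download must not empty the live set
    return 1
  fi
  printf '%s\n' "$stream"
  # On the firewall host, as root, apply with:  printf '%s\n' "$stream" | ipset restore
}

main
```

With the real file, point `build_restore_stream china /etc/cn.zone` at the download and pipe its output to `ipset restore`; the iptables rule itself does not need to change.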