IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be administered by the ipset utility.
Depending on the set type, an IP set may currently store IP addresses, (TCP/UDP) port numbers, or IP addresses paired with MAC addresses, in a way that makes matching an entry against a set very fast.
Unordered list of some tips and examples:
- In order to drop traffic to-from banned networks or IP addresses, use IP sets in the raw table of netfilter.
- If you want to change a set without disturbing your existing iptables rules, simply swap it with the new set:
```sh
# Create the new set and add the entries to it
ipset -N new-set ....
ipset -A new-set ....
...
# Swap the old and new sets
ipset -W old-set new-set
# Get rid of the old set, which is now under new-set
ipset -X new-set
```
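The two tips above (dropping banned networks in the raw table, and replacing a set atomically by swapping) combined into one added example. This is not code from the ipset project or the original page; it uses the ipset 6.x command names (`create`, `add`, `swap`, `destroy`), which correspond one-to-one to the 4.x flags `-N`, `-A`, `-W`, `-X` shown above. The set name `banned`, the `hash:net` type and the sample networks are assumptions made for this example, and nothing is applied to the kernel unless `APPLY=1` is set and `ipset` is available.

```shell
#!/bin/sh
# Added example, not part of the ipset project or the original page.
# Builds an "ipset restore" script that fills a fresh set, swaps it in
# place of the live set and drops the old contents, then emits the
# raw-table iptables rules that drop traffic matching the set.

SET_NAME="banned"      # assumed set name
SET_TYPE="hash:net"    # assumed set type (one entry per network)

# Constructed sample input: networks to ban (RFC 5737 documentation ranges).
SAMPLE_NETWORKS="192.0.2.0/24
198.51.100.0/24
203.0.113.0/24"

# Emit an ipset restore script for an atomic update.
# $1 = live set name; stdin = one network per line.
# The live set is created first so the swap works on the very first run;
# with "ipset -exist restore" the create is a no-op if it already exists.
build_swap_script() {
    set_name="$1"
    tmp_set="${set_name}-new"
    printf 'create %s %s\n' "$set_name" "$SET_TYPE"
    printf 'create %s %s\n' "$tmp_set" "$SET_TYPE"
    while IFS= read -r net; do
        [ -n "$net" ] || continue          # skip blank lines
        printf 'add %s %s\n' "$tmp_set" "$net"
    done
    # Exchange contents: the live name now holds the new entries.
    printf 'swap %s %s\n' "$tmp_set" "$set_name"
    # The temporary name now holds the stale entries; destroy them.
    printf 'destroy %s\n' "$tmp_set"
}

# Emit iptables rules that drop matching packets in the raw table, i.e.
# before connection tracking, as the tip above suggests for banned networks.
# $1 = set name.
raw_table_rules() {
    set_name="$1"
    printf 'iptables -t raw -A PREROUTING -m set --match-set %s src -j DROP\n' "$set_name"
    printf 'iptables -t raw -A OUTPUT -m set --match-set %s dst -j DROP\n' "$set_name"
}

# Apply the generated script to the kernel (requires root and ipset 6.x).
apply_update() {
    printf '%s\n' "$SAMPLE_NETWORKS" | build_swap_script "$SET_NAME" | ipset -exist restore
}

if [ "${APPLY:-0}" = "1" ] && command -v ipset >/dev/null 2>&1; then
    apply_update
else
    # Dry run: show what would be fed to "ipset -exist restore" and to iptables.
    printf '%s\n' "$SAMPLE_NETWORKS" | build_swap_script "$SET_NAME"
    raw_table_rules "$SET_NAME"
fi
```

Feeding the whole script to `ipset restore` in one go keeps the window between filling the new set and swapping it short, and existing iptables rules referencing `banned` never need to be touched. The raw-table rules are only printed here; add them once, since they match by set name rather than by entry.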
With IP sets you can:
- store multiple IP addresses or port numbers and match against the whole collection with iptables in one go;
- dynamically update iptables rules against IP addresses or ports without a performance penalty;
- express complex IP address and port based rulesets with one single iptables rule and benefit from the speed of IP sets.
In order to use IP sets, you need the following sources:
- For the new branch:
  - Linux kernel source code (version >= 2.6.32)
  - source of ipset: ipset-6.21.1.tar.bz2 (md5sum)
- For the old branch:
  - Linux kernel source code (version >= 2.6.16 or >= 2.4.36)
  - source of ipset: ipset-4.5.tar.bz2 (md5sum)
You can download the source of ipset from git as well: git://git.netfilter.org/ipset.git
Please note that the ipset source supports the kernels released by kernel.org; it may or may not work with distribution-specific kernel sources.
Read the ipset and iptables man pages before exploring the world of IP sets.