Category: System Operations
2017-10-20 15:54:58
To create the ipset blacklist for IPv4 (the set the drop rule below refers to):
firewall-cmd --permanent --new-ipset=blacklist --type=hash:ip
Supported --type values (the ipset key type; hash:ip, one address per entry, is used here):
1. hash:ip
2. hash:ip,mark
3. hash:ip,port
4. hash:ip,port,ip
5. hash:ip,port,net
6. hash:mac
7. hash:net
8. hash:net,iface
9. hash:net,net
10. hash:net,port
11. hash:net,port,net
Reload the configuration to make the permanent ipset usable in the runtime environment:
firewall-cmd --reload
Add runtime-only entries to the blacklist (they disappear on the next reload or restart; run the same commands with --permanent as well to keep them):
firewall-cmd --ipset=blacklist --add-entry=192.168.1.4
firewall-cmd --ipset=blacklist --add-entry=192.168.1.6
firewall-cmd --ipset=blacklist --add-entry=192.168.1.8
firewall-cmd --ipset=blacklist --add-entry=192.168.1.10
Add a rich rule in the default zone that drops all traffic whose source is in the blacklist (runtime only as written; repeat the command with --permanent to keep the rule across reloads):
firewall-cmd --add-rich-rule='rule source ipset=blacklist drop'
To create the ipset blacklist6 for IPv6:
firewall-cmd --permanent --new-ipset=blacklist6 --type=hash:ip --option=family=inet6
The option family needs to be set to inet6 to make sure that the ipset is using IPv6 addresses.
Reload the configuration to make the permanent ipset usable in the runtime environment:
firewall-cmd --reload
Add runtime-only entries to blacklist6 (again, lost on reload unless also added with --permanent):
firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0004
firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0006
firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0008
firewall-cmd --ipset=blacklist6 --add-entry=fe80::07FF:0010
Add a rich rule in the default zone that drops all traffic whose source is in blacklist6 (runtime only as written; add --permanent to keep it):
firewall-cmd --add-rich-rule='rule source ipset=blacklist6 drop'
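The IPv4 and IPv6 procedures above are the same steps with a different set name, and in practice the addresses come from a file rather than being typed one by one. The script below is an added example, not part of the original post: a small POSIX sh loader that reads addresses from a text file, classifies each as IPv4 or IPv6 so it is never pushed into the wrong-family set, adds it both at runtime and with --permanent, and confirms it with --query-entry. It assumes the ipsets blacklist and blacklist6 and the two rich rules already exist as created above; the FIREWALL_CMD variable and the file format (one address per line, # comments) are this script's own conventions, not firewalld features.

```shell
#!/bin/sh
# blocklist-load.sh: push addresses from a text file into the two ipsets
# from the post (blacklist = IPv4, blacklist6 = IPv6), runtime and
# permanent, and confirm each entry with --query-entry.
# Added example, not from the original post. Assumes both ipsets and the
# rich rules already exist. FIREWALL_CMD (assumed variable, not a firewalld
# feature) can point at a wrapper or stub for dry runs.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Print "inet", "inet6" or "invalid" for one address. A coarse family
# check: it keeps an entry out of the wrong-family set (the hash:ip set
# without family=inet6 only takes IPv4) and keeps stray characters from
# an untrusted list away from firewall-cmd, which still does the
# authoritative syntax check.
ip_family() {
    case $1 in
        '') echo invalid ;;
        *[!0-9.]*)
            # not dotted-decimal: allow hex digits and colons only
            case $1 in
                *[!0-9A-Fa-f:]*) echo invalid ;;
                *:*) echo inet6 ;;
                *) echo invalid ;;
            esac ;;
        .*|*.|*..*) echo invalid ;;
        *)
            # dotted-decimal: exactly four octets, each 0-255
            old_ifs=$IFS; IFS=.
            set -- $1
            IFS=$old_ifs
            [ $# -eq 4 ] || { echo invalid; return 0; }
            for o in "$@"; do
                case $o in
                    ''|*[!0-9]*|????*) echo invalid; return 0 ;;
                esac
                [ "$o" -le 255 ] || { echo invalid; return 0; }
            done
            echo inet ;;
    esac
}

# Add one address to the set of its family, permanent and runtime, then
# print firewall-cmd's "yes" from --query-entry. Returns 1 and adds
# nothing when the address is not an IP.
block_ip() {
    fam=$(ip_family "$1")
    case $fam in
        inet)  set_name=blacklist ;;
        inet6) set_name=blacklist6 ;;
        *) echo "refusing to add '$1': not an IP address" >&2; return 1 ;;
    esac
    "$FIREWALL_CMD" --permanent --ipset="$set_name" --add-entry="$1" >/dev/null
    "$FIREWALL_CMD" --ipset="$set_name" --add-entry="$1" >/dev/null
    "$FIREWALL_CMD" --ipset="$set_name" --query-entry="$1"
}

# Read a list file (one address per line, '#' starts a comment), block
# each address, and print "added N skipped M".
load_blocklist() {
    added=0; skipped=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        if block_ip "$line" >/dev/null; then
            added=$((added + 1))
        else
            skipped=$((skipped + 1))
        fi
    done < "$1"
    echo "added $added skipped $skipped"
}

# Usage: sh blocklist-load.sh /path/to/blocklist.txt
if [ $# -gt 0 ]; then
    load_blocklist "$1"
fi
```

Because every entry is added with --permanent as well as at runtime, the sets survive `firewall-cmd --reload`; the two rich rules are still runtime-only as shown in the post until they are also added with --permanent. Pointing FIREWALL_CMD at `echo` prints the exact commands the loader would run, which is a cheap way to review a new list before it touches the firewall.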