Hi all!
A customer has an old FreeBSD server (FreeBSD 8.2-RELEASE-p3 FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011) that runs their mail server.
Since I know FreeBSD only superficially, I decided to replicate everything they have there on a fresh Ubuntu 18.04.
FreeBSD uses pf (packet filter), which Ubuntu does not have; Ubuntu has UFW and IPTABLES instead.
In the existing setup, PF grants SSH access only to specific IP addresses from a list. I did not find a way to do that in IPTABLES, but I found a solution using IPSET.
Installation:

```shell
sudo aptitude install ipset
```

Getting help:

```shell
ipset --help
```
```text
ipset v6.34

Usage: ipset [options] COMMAND

Commands:
 create SETNAME TYPENAME [type-specific-options]
        Create a new set
 add SETNAME ENTRY
        Add entry to the named set
 del SETNAME ENTRY
        Delete entry from the named set
 test SETNAME ENTRY
        Test entry in the named set
 destroy [SETNAME]
        Destroy a named set or all sets
 list [SETNAME]
        List the entries of a named set or all sets
 save [SETNAME]
        Save the named set or all sets to stdout
 restore
        Restore a saved state
 flush [SETNAME]
        Flush a named set or all sets
 rename FROM-SETNAME TO-SETNAME
        Rename two sets
 swap FROM-SETNAME TO-SETNAME
        Swap the contect of two existing sets
 help [TYPENAME]
        Print help, and settype specific help
 version
        Print version information
 quit
        Quit interactive mode

Options:
 -o plain|save|xml
        Specify output mode for listing sets.
        Default value for "list" command is mode "plain"
        and for "save" command is mode "save".
 -s
        Print elements sorted (if supported by the set type).
 -q
        Suppress any notice or warning message.
 -r
        Try to resolve IP addresses in the output (slow!)
 -!
        Ignore errors when creating or adding sets or
        elements that do exist or when deleting elements
        that don't exist.
 -n
        When listing, just list setnames from the kernel.
 -t
        When listing, list setnames and set headers
        from kernel only.
 -f
        Read from the given file instead of standard input
        (restore) or write to given file instead of standard
        output (list/save).

Supported set types:
    list:set            3       skbinfo support
    list:set            2       comment support
    list:set            1       counters support
    list:set            0       Initial revision
    hash:mac            0       Initial revision
    hash:ip,mac         0       Initial revision
    hash:net,iface      6       skbinfo support
    hash:net,iface      5       forceadd support
    hash:net,iface      4       comment support
    hash:net,iface      3       counters support
    hash:net,iface      2       /0 network support
    hash:net,iface      1       nomatch flag support
    hash:net,iface      0       Initial revision
    hash:net,port       7       skbinfo support
    hash:net,port       6       forceadd support
    hash:net,port       5       comment support
    hash:net,port       4       counters support
    hash:net,port       3       nomatch flag support
    hash:net,port       2       Add/del range support
    hash:net,port       1       SCTP and UDPLITE support
    hash:net,port,net   2       skbinfo support
    hash:net,port,net   1       forceadd support
    hash:net,port,net   0       initial revision
    hash:net,net        2       skbinfo support
    hash:net,net        1       forceadd support
    hash:net,net        0       initial revision
    hash:net            6       skbinfo support
    hash:net            5       forceadd support
    hash:net            4       comment support
    hash:net            3       counters support
    hash:net            2       nomatch flag support
    hash:net            1       Add/del range support
    hash:net            0       Initial revision
    hash:ip,port,net    7       skbinfo support
    hash:ip,port,net    6       forceadd support
    hash:ip,port,net    5       comment support
    hash:ip,port,net    4       counters support
    hash:ip,port,net    3       nomatch flag support
    hash:ip,port,net    2       Add/del range support
    hash:ip,port,net    1       SCTP and UDPLITE support
    hash:ip,port,ip     5       skbinfo support
    hash:ip,port,ip     4       forceadd support
    hash:ip,port,ip     3       comment support
    hash:ip,port,ip     2       counters support
    hash:ip,port,ip     1       SCTP and UDPLITE support
    hash:ip,mark        2       sbkinfo support
    hash:ip,mark        1       forceadd support
    hash:ip,mark        0       initial revision
    hash:ip,port        5       skbinfo support
    hash:ip,port        4       forceadd support
    hash:ip,port        3       comment support
    hash:ip,port        2       counters support
    hash:ip,port        1       SCTP and UDPLITE support
    hash:ip             4       skbinfo support
    hash:ip             3       forceadd support
    hash:ip             2       comment support
    hash:ip             1       counters support
    hash:ip             0       Initial revision
    bitmap:port         3       skbinfo support
    bitmap:port         2       comment support
    bitmap:port         1       counters support
    bitmap:port         0       Initial revision
    bitmap:ip,mac       3       skbinfo support
    bitmap:ip,mac       2       comment support
    bitmap:ip,mac       1       counters support
    bitmap:ip,mac       0       Initial revision
    bitmap:ip           3       skbinfo support
    bitmap:ip           2       comment support
    bitmap:ip           1       counters support
    bitmap:ip           0       Initial revision
```
Manual page:

```shell
man ipset
```
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 
528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 | IPSET(8) IPSET(8) NAME ipset — administration tool for IP sets SYNOPSIS ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ] COMMANDS := { create | add | del | test | destroy | list | save | restore | flush | rename | swap | help | version | - } OPTIONS := { -exist | -output { plain | save | xml } | -quiet | -resolve | -sorted | -name | -terse | -file filename } ipset create SETNAME TYPENAME [ CREATE-OPTIONS ] ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ] ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ] ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ] ipset destroy [ SETNAME ] ipset list [ SETNAME ] ipset save [ SETNAME ] ipset restore ipset flush [ SETNAME ] ipset rename SETNAME-FROM SETNAME-TO ipset swap SETNAME-FROM SETNAME-TO ipset help [ TYPENAME ] ipset version ipset - DESCRIPTION ipset is used to set up, maintain and inspect so called IP sets in the Linux kernel. 
Depending on the type of the set, an IP set may store IP(v4/v6) addresses, (TCP/UDP) port numbers, IP and MAC address pairs, IP address and port number pairs, etc. See the set type definitions below. Iptables matches and targets referring to sets create references, which protect the given sets in the kernel. A set cannot be destroyed while there is a single reference pointing to it. OPTIONS The options that are recognized by ipset can be divided into several different groups. COMMANDS These options specify the desired action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command names, you need to use only enough letters to ensure that ipset can differentiate it from all other commands. The ipset parser follows the order here when looking for the shortest match in the long command names. n, create SETNAME TYPENAME [ CREATE-OPTIONS ] Create a set identified with setname and specified type. The type may require type specific options. If the -exist option is specified, ipset ignores the error otherwise raised when the same set (setname and create parameters are identical) already exists. add SETNAME ADD-ENTRY [ ADD-OPTIONS ] Add a given entry to the set. If the -exist option is specified, ipset ignores if the entry already added to the set. del SETNAME DEL-ENTRY [ DEL-OPTIONS ] Delete an entry from a set. If the -exist option is specified and the entry is not in the set (maybe already expired), then the command is ignored. test SETNAME TEST-ENTRY [ TEST-OPTIONS ] Test whether an entry is in a set or not. Exit status number is zero if the tested entry is in the set and nonzero if it is missing from the set. x, destroy [ SETNAME ] Destroy the specified set or all the sets if none is given. If the set has got reference(s), nothing is done and no set destroyed. list [ SETNAME ] [ OPTIONS ] List the header data and the entries for the specified set, or for all sets if none is given. 
The -resolve option can be used to force name lookups (which may be slow). When the -sorted option is given, the entries are listed sorted (if the given set type supports the operation). The option -output can be used to control the format of the listing: plain, save or xml. (The default is plain.) If the option -name is specified, just the names of the existing sets are listed. If the option -terse is specified, just the set names and headers are listed. The output is printed to stdout, the option -file can be used to specify a filename instead of stdout. save [ SETNAME ] Save the given set, or all sets if none is given to stdout in a format that restore can read. The option -file can be used to specify a filename instead of stdout. restore Restore a saved session generated by save. The saved session can be fed from stdin or the option -file can be used to specify a filename instead of stdin. Please note, existing sets and elements are not erased by restore unless specified so in the restore file. All commands are allowed in restore mode except list, help, version, interactive mode and restore itself. flush [ SETNAME ] Flush all entries from the specified set or flush all sets if none is given. e, rename SETNAME-FROM SETNAME-TO Rename a set. Set identified by SETNAME-TO must not exist. w, swap SETNAME-FROM SETNAME-TO Swap the content of two sets, or in another words, exchange the name of two sets. The referred sets must exist and compatible type of sets can be swapped only. help [ TYPENAME ] Print help and set type specific help if TYPENAME is specified. version Print program version. - If a dash is specified as command, then ipset enters a simple interactive mode and the commands are read from the standard input. The interactive mode can be finished by entering the pseudo-command quit. OTHER OPTIONS The following additional options can be specified. The long option names cannot be abbreviated. 
-!, -exist Ignore errors when exactly the same set is to be created or already added entry is added or missing entry is deleted. -o, -output { plain | save | xml } Select the output format to the list command. -q, -quiet Suppress any output to stdout and stderr. ipset will still exit with error if it cannot continue. -r, -resolve When listing sets, enforce name lookup. The program will try to display the IP entries resolved to host names which requires slow DNS lookups. -s, -sorted Sorted output. When listing sets entries are listed sorted. Not supported yet. -n, -name List just the names of the existing sets, i.e. suppress listing of set headers and members. -t, -terse List the set names and headers, i.e. suppress listing of set members. -f, -file filename Specify a filename to print into instead of stdout (list or save commands) or read from instead of stdin (restore command). INTRODUCTION A set type comprises of the storage method by which the data is stored and the data type(s) which are stored in the set. Therefore the TYPENAME parameter of the create command follows the syntax TYPENAME := method:datatype[,datatype[,datatype]] where the current list of the methods are bitmap, hash, and list and the possible data types are ip, net, mac, port and iface. The dimension of a set is equal to the number of data types in its type name. When adding, deleting or testing entries in a set, the same comma separated data syntax must be used for the entry parameter of the commands, i.e ipset add foo ipaddr,portnum,ipaddr If host names or service names with dash in the name are used instead of IP addresses or service numbers, then the host name or service name must be enclosed in square brackets. Example: ipset add foo [test-hostname],[ftp-data] In the case of host names the DNS resolver is called internally by ipset but if it returns multiple IP addresses, only the first one is used. The bitmap and list types use a fixed sized storage. 
The hash types use a hash to store the elements. In order to avoid clashes in the hash, a limited number of chaining, and if that is exhausted, the doubling of the hash size is performed when adding entries by the ipset command. When entries added by the SET target of iptables/ip6tables, then the hash size is fixed and the set won't be dupli‐ cated, even if the new entry cannot be added to the set. GENERIC CREATE AND ADD OPTIONS timeout All set types supports the optional timeout parameter when creating a set and adding entries. The value of the timeout parameter for the create command means the default timeout value (in seconds) for new entries. If a set is created with timeout support, then the same timeout option can be used to specify non-default timeout values when adding entries. Zero timeout value means the entry is added permanent to the set. The timeout value of already added elements can be changed by re-adding the element using the -exist option. Example: ipset create test hash:ip timeout 300 ipset add test 192.168.0.1 timeout 60 ipset -exist add test 192.168.0.1 timeout 600 When listing the set, the number of entries printed in the header might be larger than the listed number of entries for sets with the timeout extensions: the number of entries in the set is updated when elements added/deleted to the set and periodically when the garbage collector evicts the timed out entries. counters, packets, bytes All set types support the optional counters option when creating a set. If the option is specified then the set is created with packet and byte counters per element support. The packet and byte coun‐ ters are initialized to zero when the elements are (re-)added to the set, unless the packet and byte counter values are explicitly specified by the packets and bytes options. 
An example when an ele‐ ment is added to a set with non-zero counter values: ipset create foo hash:ip counters ipset add foo 192.168.1.1 packets 42 bytes 1024 comment All set types support the optional comment extension. Enabling this extension on an ipset enables you to annotate an ipset entry with an arbitrary string. This string is completely ignored by both the kernel and ipset itself and is purely for providing a convenient means to document the reason for an entry's existence. Comments must not contain any quotation marks and the usual escape character (\) has no meaning. For example, the following shell command is illegal: ipset add foo 1.1.1.1 comment "this comment is \"bad\"" In the above, your shell will of course escape the quotation marks and ipset will see the quote marks in the argument for the comment, which will result in a parse error. If you are writing your own system, you should avoid creating comments containing a quotation mark if you do not want to break "ipset save" and "ipset restore", nonetheless, the kernel will not stop you from doing so. The fol‐ lowing is perfectly acceptable: ipset create foo hash:ip comment ipset add foo 192.168.1.1/24 comment "allow access to SMB share on \\\\fileserv\\" the above would appear as: "allow access to SMB share on \\fileserv\" skbinfo, skbmark, skbprio, skbqueue All set types support the optional skbinfo extension. This extension allows you to store the metainfo (firewall mark, tc class and hardware queue) with every entry and map it to packets by usage of SET netfilter target with --map-set option. skbmark option format: MARK or MARK/MASK, where MARK and MASK are 32bit hex numbers with 0x prefix. If only mark is specified mask 0xffffffff are used. skbprio option has tc class format: MAJOR:MINOR, where major and minor numbers are hex without 0x prefix. skbqueue option is just decimal number. 
ipset create foo hash:ip skbinfo ipset add foo skbmark 0x1111/0xff00ffff skbprio 1:10 skbqueue 10 hashsize This parameter is valid for the create command of all hash type sets. It defines the initial hash size for the set, default is 1024. The hash size must be a power of two, the kernel automatically rounds up non power of two hash sizes to the first correct value. Example: ipset create test hash:ip hashsize 1536 maxelem This parameter is valid for the create command of all hash type sets. It does define the maximal number of elements which can be stored in the set, default 65536. Example: ipset create test hash:ip maxelem 2048. family { inet | inet6 } This parameter is valid for the create command of all hash type sets except for hash:mac. It defines the protocol family of the IP addresses to be stored in the set. The default is inet, i.e IPv4. For the inet family one can add or delete multiple entries by specifying a range or a network of IPv4 addresses in the IP address part of the entry: ipaddr := { ip | fromaddr-toaddr | ip/cidr } netaddr := { fromaddr-toaddr | ip/cidr } Example: ipset create test hash:ip family inet6 nomatch The hash set types which can store net type of data (i.e. hash:*net*) support the optional nomatch option when adding entries. When matching elements in the set, entries marked as nomatch are skipped as if those were not added to the set, which makes possible to build up sets with exceptions. See the example at hash type hash:net below. When elements are tested by ipset, the nomatch flags are taken into account. If one wants to test the existence of an element marked with nomatch in a set, then the flag must be specified too. forceadd All hash set types support the optional forceadd parameter when creating a set. When sets created with this option become full the next addition to the set may succeed and evict a random entry from the set. 
ipset create foo hash:ip forceadd SET TYPES bitmap:ip The bitmap:ip set type uses a memory range to store either IPv4 host (default) or IPv4 network addresses. A bitmap:ip type of set can store up to 65536 entries. CREATE-OPTIONS := range fromip-toip|ip/cidr [ netmask cidr ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := { ip | fromip-toip | ip/cidr } ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := { ip | fromip-toip | ip/cidr } TEST-ENTRY := ip Mandatory create options: range fromip-toip|ip/cidr Create the set from the specified inclusive address range expressed in an IPv4 address range or network. The size of the range (in entries) cannot exceed the limit of maximum 65536 elements. Optional create options: netmask cidr When the optional netmask parameter specified, network addresses will be stored in the set instead of IP host addresses. The cidr prefix value must be between 1-32. An IP address will be in the set if the network address, which is resulted by masking the address with the specified netmask, can be found in the set. The bitmap:ip type supports adding or deleting multiple entries in one command. Examples: ipset create foo bitmap:ip range 192.168.0.0/16 ipset add foo 192.168.1/24 ipset test foo 192.168.1.1 bitmap:ip,mac The bitmap:ip,mac set type uses a memory range to store IPv4 and a MAC address pairs. A bitmap:ip,mac type of set can store up to 65536 entries. 
CREATE-OPTIONS := range fromip-toip|ip/cidr [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := ip[,macaddr] ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := ip[,macaddr] TEST-ENTRY := ip[,macaddr] Mandatory options to use when creating a bitmap:ip,mac type of set: range fromip-toip|ip/cidr Create the set from the specified inclusive address range expressed in an IPv4 address range or network. The size of the range cannot exceed the limit of maximum 65536 entries. The bitmap:ip,mac type is exceptional in the sense that the MAC part can be left out when adding/deleting/testing entries in the set. If we add an entry without the MAC address specified, then when the first time the entry is matched by the kernel, it will automatically fill out the missing MAC address with the source MAC address from the packet. If the entry was specified with a timeout value, the timer starts off when the IP and MAC address pair is complete. The bitmap:ip,mac type of sets require two src/dst parameters of the set match and SET target netfilter kernel modules and the second one must be src to match, add or delete entries, because the set match and SET target have access to the source MAC address only. Examples: ipset create foo bitmap:ip,mac range 192.168.0.0/16 ipset add foo 192.168.1.1,12:34:56:78:9A:BC ipset test foo 192.168.1.1 bitmap:port The bitmap:port set type uses a memory range to store port numbers and such a set can store up to 65536 ports. 
CREATE-OPTIONS := range fromport-toport [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := { [proto:]port | [proto:]fromport-toport } ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := { [proto:]port | [proto:]fromport-toport } TEST-ENTRY := [proto:]port Mandatory options to use when creating a bitmap:port type of set: range [proto:]fromport-toport Create the set from the specified inclusive port range. The set match and SET target netfilter kernel modules interpret the stored numbers as TCP or UDP port numbers. proto only needs to be specified if a service name is used, and that name does not exist as a TCP service. Examples: ipset create foo bitmap:port range 0-1024 ipset add foo 80 ipset test foo 80 ipset del foo udp:[macon-udp]-[tn-tl-w2] hash:ip The hash:ip set type uses a hash to store IP host addresses (default) or network addresses. Zero valued IP address cannot be stored in a hash:ip type of set. CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ netmask cidr ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := ipaddr ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := ipaddr TEST-ENTRY := ipaddr Optional create options: netmask cidr When the optional netmask parameter specified, network addresses will be stored in the set instead of IP host addresses. The cidr prefix value must be between 1-32 for IPv4 and between 1-128 for IPv6. An IP address will be in the set if the network address, which is resulted by masking the address with the netmask, can be found in the set. Examples: ipset create foo hash:ip netmask 30 ipset add foo 192.168.1.0/24 ipset test foo 192.168.1.2 hash:mac The hash:mac set type uses a hash to store MAC addresses. 
Zero valued MAC addresses cannot be stored in a hash:mac type of set. CREATE-OPTIONS := [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := macaddr ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := macaddr TEST-ENTRY := macaddr Examples: ipset create foo hash:mac ipset add foo 01:02:03:04:05:06 ipset test foo 01:02:03:04:05:06 hash:ip,mac The hash:ip,mac set type uses a hash to store IP and a MAC address pairs. Zero valued MAC addresses cannot be stored in a hash:ip,mac type of set. CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := ipaddr,macaddr ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := ipaddr,macaddr TEST-ENTRY := ipaddr,macaddr Examples: ipset create foo hash:ip,mac ipset add foo 1.1.1.1,01:02:03:04:05:06 ipset test foo 1.1.1.1,01:02:03:04:05:06 hash:net The hash:net set type uses a hash to store different sized IP network addresses. Network address with zero prefix size cannot be stored in this type of sets. CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := netaddr ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := netaddr TEST-ENTRY := netaddr where netaddr := ip[/cidr] When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and over‐ lapping elements are not checked by the kernel. 
When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly. From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When adding/deleting IP addresses to the set by the SET netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty. The lookup time grows linearly with the number of the different prefix values added to the set. Example: ipset create foo hash:net ipset add foo 192.168.0.0/24 ipset add foo 10.1.0.0/16 ipset add foo 192.168.0/24 ipset add foo 192.168.0/30 nomatch When matching the elements in the set above, all IP addresses will match from the networks 192.168.0.0/24, 10.1.0.0/16 and 192.168.0/24 except the ones from 192.168.0/30. hash:net,net The hash:net,net set type uses a hash to store pairs of different sized IP network addresses. Bear in mind that the first parameter has precedence over the second, so a nomatch entry could be potentially be ineffective if a more specific first parameter existed with a suitable second parameter. Network address with zero prefix size cannot be stored in this type of set. CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := netaddr,netaddr ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := netaddr,netaddr TEST-ENTRY := netaddr,netaddr where netaddr := ip[/cidr] When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. 
When adding/deleting entries, the exact element is added/deleted and over‐ lapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly. From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) with the first param having precedence. When adding/deleting IP addresses to the set by the SET netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty. The lookup time grows linearly with the number of the different prefix values added to the first parameter of the set. The number of secondary prefixes further increases this as the list of secondary prefixes is traversed per primary prefix. Example: ipset create foo hash:net,net ipset add foo 192.168.0.0/24,10.0.1.0/24 ipset add foo 10.1.0.0/16,10.255.0.0/24 ipset add foo 192.168.0/24,192.168.54.0-192.168.54.255 ipset add foo 192.168.0/30,192.168.64/30 nomatch When matching the elements in the set above, all IP addresses will match from the networks 192.168.0.0/24<->10.0.1.0/24, 10.1.0.0/16<->10.255.0.0/24 and 192.168.0/24<->192.168.54.0/24 except the ones from 192.168.0/30<->192.168.64/30. hash:ip,port The hash:ip,port set type uses a hash to store IP address and port number pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. 
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := ipaddr,[proto:]port ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := ipaddr,[proto:]port TEST-ENTRY := ipaddr,[proto:]port The [proto:]port part of the elements may be expressed in the following forms, where the range variations are valid when adding or deleting entries: portname[-portname] TCP port or range of ports expressed in TCP portname identifiers from /etc/services portnumber[-portnumber] TCP port or range of ports expressed in TCP port numbers tcp|sctp|udp|udplite:portname|portnumber[-portname|portnumber] TCP, SCTP, UDP or UDPLITE port or port range expressed in port name(s) or port number(s) icmp:codename|type/code ICMP codename or type/code. The supported ICMP codename identifiers can always be listed by the help command. icmpv6:codename|type/code ICMPv6 codename or type/code. The supported ICMPv6 codename identifiers can always be listed by the help command. proto:0 All other protocols, as an identifier from /etc/protocols or number. The pseudo port number must be zero. The hash:ip,port type of sets require two src/dst parameters of the set match and SET target kernel modules. Examples: ipset create foo hash:ip,port ipset add foo 192.168.1.0/24,80-82 ipset add foo 192.168.1.1,udp:53 ipset add foo 192.168.1.1,vrrp:0 ipset test foo 192.168.1.1,80 hash:net,port The hash:net,port set type uses a hash to store different sized IP network address and port pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size is not accepted either. 
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := netaddr,[proto:]port ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := netaddr,[proto:]port TEST-ENTRY := netaddr,[proto:]port where netaddr := ip[/cidr] For the netaddr part of the elements see the description at the hash:net set type. For the [proto:]port part of the elements see the description at the hash:ip,port set type. When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly. From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When adding/deleting IP addresses to the set by the SET netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty. The lookup time grows linearly with the number of the different prefix values added to the set. Examples: ipset create foo hash:net,port ipset add foo 192.168.0/24,25 ipset add foo 10.1.0.0/16,80 ipset test foo 192.168.0/24,25 hash:ip,port,ip The hash:ip,port,ip set type uses a hash to store IP address, port number and a second IP address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. 
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := ipaddr,[proto:]port,ip ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := ipaddr,[proto:]port,ip TEST-ENTRY := ipaddr,[proto:]port,ip For the first ipaddr and [proto:]port parts of the elements see the descriptions at the hash:ip,port set type. The hash:ip,port,ip type of sets require three src/dst parameters of the set match and SET target kernel modules. Examples: ipset create foo hash:ip,port,ip ipset add foo 192.168.1.1,80,10.0.0.1 ipset test foo 192.168.1.1,udp:53,10.0.0.1 hash:ip,port,net The hash:ip,port,net set type uses a hash to store IP address, port number and IP network address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size cannot be stored either. CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := ipaddr,[proto:]port,netaddr ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := ipaddr,[proto:]port,netaddr TEST-ENTRY := ipaddr,[proto:]port,netaddr where netaddr := ip[/cidr] For the ipaddr and [proto:]port parts of the elements see the descriptions at the hash:ip,port set type. For the netaddr part of the elements see the description at the hash:net set type. From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific cidr) to the largest one (least specific cidr) added to the set. 
When adding/deleting triples to the set by the SET netfilter target, it will be added/deleted by the most specific cidr which can be found in the set, or by the host cidr value if the set is empty. The lookup time grows linearly with the number of the different cidr values added to the set. The hash:ip,port,net type of sets require three src/dst parameters of the set match and SET target kernel modules. Examples: ipset create foo hash:ip,port,net ipset add foo 192.168.1,80,10.0.0/24 ipset add foo 192.168.2,25,10.1.0.0/16 ipset test foo 192.168.1,80.10.0.0/24 hash:ip,mark The hash:ip,mark set type uses a hash to store IP address and packet mark pairs. CREATE-OPTIONS := [ family { inet | inet6 } ] | [ markmask value ] [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := ipaddr,mark ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := ipaddr,mark TEST-ENTRY := ipaddr,mark Optional create options: markmask value Allows you to set bits you are interested in the packet mark. This values is then used to perform bitwise AND operation for every mark added. markmask can be any value between 1 and 4294967295, by default all 32 bits are set. The mark can be any value between 0 and 4294967295. The hash:ip,mark type of sets require two src/dst parameters of the set match and SET target kernel modules. Examples: ipset create foo hash:ip,mark ipset add foo 192.168.1.0/24,555 ipset add foo 192.168.1.1,0x63 ipset add foo 192.168.1.1,111236 hash:net,port,net The hash:net,port,net set type behaves similarly to hash:ip,port,net but accepts a cidr value for both the first and last parameter. Either subnet is permitted to be a /0 should you wish to match port between all destinations. 
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := netaddr,[proto:]port,netaddr ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := netaddr,[proto:]port,netaddr TEST-ENTRY := netaddr,[proto:]port,netaddr where netaddr := ip[/cidr] For the [proto:]port part of the elements see the description at the hash:ip,port set type. For the netaddr part of the elements see the description at the hash:net set type. From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific cidr) to the largest one (least specific cidr) added to the set. When adding/deleting triples to the set by the SET netfilter target, it will be added/deleted by the most specific cidr which can be found in the set, or by the host cidr value if the set is empty. The first subnet has precedence when performing the most-specific lookup, just as for hash:net,net The lookup time grows linearly with the number of the different cidr values added to the set and by the number of secondary cidr values per primary. The hash:net,port,net type of sets require three src/dst parameters of the set match and SET target kernel modules. Examples: ipset create foo hash:net,port,net ipset add foo 192.168.1.0/24,0,10.0.0/24 ipset add foo 192.168.2.0/24,25,10.1.0.0/16 ipset test foo 192.168.1.1,80,10.0.0.1 hash:net,iface The hash:net,iface set type uses a hash to store different sized IP network address and interface name pairs. 
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := netaddr,[physdev:]iface ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := netaddr,[physdev:]iface TEST-ENTRY := netaddr,[physdev:]iface where netaddr := ip[/cidr] For the netaddr part of the elements see the description at the hash:net set type. When adding/deleting/testing entries, if the cidr prefix parameter is not specified, then the host prefix value is assumed. When adding/deleting entries, the exact element is added/deleted and overlapping elements are not checked by the kernel. When testing entries, if a host address is tested, then the kernel tries to match the host address in the networks added to the set and reports the result accordingly. From the set netfilter match point of view the searching for a match always starts from the smallest size of netblock (most specific prefix) to the largest one (least specific prefix) added to the set. When adding/deleting IP addresses to the set by the SET netfilter target, it will be added/deleted by the most specific prefix which can be found in the set, or by the host prefix value if the set is empty. The second direction parameter of the set match and SET target modules corresponds to the incoming/outgoing interface: src to the incoming one (similar to the -i flag of iptables), while dst to the outgoing one (similar to the -o flag of iptables). When the interface is flagged with physdev:, the interface is interpreted as the incoming/outgoing bridge port. The lookup time grows linearly with the number of the different prefix values added to the set. The internal restriction of the hash:net,iface set type is that the same network prefix cannot be stored with more than 64 different interfaces in a single set. 
Examples: ipset create foo hash:net,iface ipset add foo 192.168.0/24,eth0 ipset add foo 10.1.0.0/16,eth1 ipset test foo 192.168.0/24,eth0 list:set The list:set type uses a simple list in which you can store set names. CREATE-OPTIONS := [ size value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ] ADD-ENTRY := setname [ { before | after } setname ] ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ] DEL-ENTRY := setname [ { before | after } setname ] TEST-ENTRY := setname [ { before | after } setname ] Optional create options: size value The size of the list, the default is 8. The parameter is ignored since ipset version 6.24. By the ipset command you can add, delete and test set names in a list:set type of set. By the set match or SET target of netfilter you can test, add or delete entries in the sets added to the list:set type of set. The match will try to find a matching entry in the sets and the target will try to add an entry to the first set to which it can be added. The number of direction options of the match and target are important: sets which require more parameters than specified are skipped, while sets with equal or less parameters are checked, elements added/deleted. For example if a and b are list:set type of sets then in the command iptables -m set --match-set a src,dst -j SET --add-set b src,dst the match and target will skip any set in a and b which stores data triples, but will match all sets with single or double data storage in a set and stop matching at the first successful set, and add src to the first single or src,dst to the first double data storage set in b to which the entry can be added. You can imagine a list:set type of set as an ordered union of the set elements. Please note: by the ipset command you can add, delete and test the setnames in a list:set type of set, and not the presence of a set's member (such as an IP address). 
GENERAL RESTRICTIONS Zero valued set entries cannot be used with hash methods. Zero protocol value with ports cannot be used. COMMENTS If you want to store same size subnets from a given network (say /24 blocks from a /8 network), use the bitmap:ip set type. If you want to store random same size networks (say random /24 blocks), use the hash:ip set type. If you have got random size of netblocks, use hash:net. Backward compatibility is maintained and old ipset syntax is still supported. The iptree and iptreemap set types are removed: if you refer to them, they are automatically replaced by hash:ip type of sets. DIAGNOSTICS Various error messages are printed to standard error. The exit code is 0 for correct functioning. BUGS Bugs? No, just funny features. :-) OK, just kidding... SEE ALSO iptables(8), ip6tables(8) iptables-extensions(8) AUTHORS Jozsef Kadlecsik wrote ipset, which is based on ippool by Joakim Axelsson, Patrick Schaaf and Martin Josefsson. Sven Wegener wrote the iptreemap type. LAST REMARK I stand on the shoulders of giants. Jozsef Kadlecsik Jun 25, 2015 IPSET(8) |
As the man page shows, IPSET can do quite a lot.
For now I only need the simplest thing: an access list.
Create the set:
1 | ipset create ssh_allow hash:ip |
where:
create – create a set,
ssh_allow – the name of the set,
hash:ip – the set type used for this set
Add the required IP address:
1 | ipset add ssh_allow 192.168.1.50 |
where:
add – add an entry,
ssh_allow – the set created earlier,
192.168.1.50 – the address we are adding to the set.
Now we can view the contents of the set we created:
1 | ipset list ssh_allow |
Here is the output:
1 | Name: ssh_allow |
1 | Type: hash:ip |
1 | Revision: 4 |
1 | Header: family inet hashsize 1024 maxelem 65536 |
1 | Size in memory: 184 |
1 | References: 1 |
1 | Number of entries: 1 |
1 | Members: |
1 | 192.168.1.50 |
Now we need to add a filtering rule in IPTABLES:
1 | iptables -A INPUT -p tcp -m set --match-set ssh_allow src --dport 22 -j ACCEPT |
where:
-m set – loads the set match extension, which matches packets against ipset sets,
--match-set ssh_allow src – match packets whose source address is contained in the set named ssh_allow. The src flag means the match is against the source address (the older spelling --set is still accepted as an alias of --match-set).
Check the rule:
1 | iptables -n -L -v --line-numbers |
1 2 3 4 5 6 | Chain INPUT (policy DROP 175 packets, 16842 bytes) num pkts bytes target prot opt in out source destination 1 1985 421K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 2 1066 1103K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 3 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 4 558 52656 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set ssh_allow src tcp dpt:22 |
Now, if you try to reach this machine over SSH from another host, it will not work:
1 | ssh user01@192.168.1.4 |
We get the following message:
ssh: connect to host 192.168.1.4 port 22: Connection timed out
To allow a connection from a given address, just add that address to the ssh_allow set. There is no need to restart iptables. Let's try:
1 2 3 4 | ssh user@192.168.1.4 The authenticity of host '192.168.1.4 (192.168.1.4)' can't be established. ECDSA key fingerprint is SHA256:[bla-bla-bla]. Are you sure you want to continue connecting (yes/no)? |
To remove an IP from the set, use the command:
1 | ipset del ssh_allow 192.168.1.50 |
where:
del – delete an entry,
ssh_allow – the set we need,
192.168.1.50 – our address.
1 2 3 4 5 6 7 8 9 | ipset list ssh_allow Name: ssh_allow Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 88 References: 0 Number of entries: 0 Members: |
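The steps above (create the set, add addresses, attach the iptables rule) done in one script, as an added example that is not from the original post: the allowlist is rebuilt from a file with the restore and swap commands from the man page, so the live set is never empty while the ACCEPT rule references it. The set names ssh_allow and ssh_allow_tmp and the file path /etc/ssh_allow.list are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: rebuild the ssh_allow set
# from an allowlist file in one step, using the restore and swap commands
# from the ipset man page above. Set names ssh_allow/ssh_allow_tmp and the
# file path /etc/ssh_allow.list are assumptions (placeholders).
set -eu

# Accept only a single dotted-quad IPv4 host (a.b.c.d, each octet 0-255),
# so a stray or malformed line in the allowlist can never reach the set.
# 0.0.0.0 is rejected too: zero-valued entries cannot be used with hash sets.
valid_ipv4() {
    case $1 in 0.0.0.0) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}

# Print an "ipset restore" script: fill a temporary set, then swap it with
# the live one, so the rule that references ssh_allow never sees an empty
# set mid-update. $1 = live set name, remaining args = allowlist entries.
build_restore_script() {
    _set=$1; shift; _tmp="${_set}_tmp"
    printf 'create %s hash:ip family inet\n' "$_set"
    printf 'create %s hash:ip family inet\n' "$_tmp"
    printf 'flush %s\n' "$_tmp"
    for _e in "$@"; do
        if valid_ipv4 "$_e"; then
            printf 'add %s %s\n' "$_tmp" "$_e"
        else
            echo "skipping invalid allowlist entry: $_e" >&2
        fi
    done
    printf 'swap %s %s\n' "$_set" "$_tmp"
    printf 'destroy %s\n' "$_tmp"
}

# Apply the allowlist file (one address per line; blank lines and lines
# starting with # are ignored) and make sure the INPUT rule exists.
apply_allowlist() {
    _entries=$(grep -Ev '^[[:space:]]*(#|$)' "$1" || true)
    # -exist makes the "create" lines harmless when the sets already exist
    build_restore_script ssh_allow $_entries | ipset -exist restore
    iptables -C INPUT -p tcp --dport 22 -m set --match-set ssh_allow src -j ACCEPT 2>/dev/null \
        || iptables -A INPUT -p tcp --dport 22 -m set --match-set ssh_allow src -j ACCEPT
}

# Only touch the kernel when run as root with ipset available.
if [ "$(id -u)" -eq 0 ] && command -v ipset >/dev/null 2>&1 && [ -r /etc/ssh_allow.list ]; then
    apply_allowlist /etc/ssh_allow.list
fi
```

Running the script again after editing the file replaces the whole set in one swap; an address removed from the file loses access without any iptables change, exactly as with the manual ipset del above.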
These are, of course, not all the features available.
Links:
Linux Journal | archived copy