我需要使用 ipset 和 iptables 来阻止一些国家。
我目前所做的工作(创建新的 ipset 设置“geoblock”):
sudo ipset create geoblock hash:net,port
然后我创建了以下脚本/usr/sbin/ipsetfirewall.sh
#!/bin/bash
for IP in $(wget -O – http://www.ipdeny.com/ipblocks/data/countries/{cn,iq,af,ir,ae,sg,hk,kw,kg}.zone)
do
# ban everything – block countryX
sudo ipset add geoblock $IP
done
正如解释的那样这里我也尝试过:
wget -O – http://www.ipdeny.com/ipblocks/data/countries/{cn,iq,af,ir,ae,sg,hk,kw,kg}.zone --header "Referer: www.ipdeny.com"
我也尝试过这个(因为我使用的是 ipv4)
wget -4 http://www.ipdeny.com/ipblocks/data/countries/{cn,iq,af,ir,ae,sg,hk,kw,kg}.zone
我每次尝试都会得到同样的错误:
/usr/sbin$ sudo sh ipsetfirewall.sh
--2016-04-21 15:40:58-- http://www.ipdeny.com/ipblocks/data/countries/%7Bcn,iq,af,ir,ae,sg,hk,kw,kg%7D.zone
Resolving www.ipdeny.com (www.ipdeny.com)... 192.241.240.22
Connecting to www.ipdeny.com (www.ipdeny.com)|192.241.240.22|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2016-04-21 15:40:59 ERROR 404: Not Found.
有什么问题?
答案1
使用此脚本:
for country in cn tw in
do
ipset destroy geoblock-$country > /dev/null 2>&1
ipset create geoblock-$country hash:net
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/$country.zone)
do
ipset add geoblock-$country $IP
done
done
ipset save > /etc/ipset.rules
答案2
占领所有区域可能更有效率
wget http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
tar -xzf all-zones.tar.gz
否则,一次一个
for C in cn iq af ir ae sg hk kw kg ; do
wget -4 http://www.ipdeny.com/ipblocks/data/countries/${C}.zone
done