Blocking IPs with ipset

What is the iptables command to block all of the IPs in an ipset? I have tried INPUT, OUTPUT, src and dst, but none of them work.

The machine is my home router doing masquerading; it has two outbound interfaces with failover between them.

Here is my iptables script:

# cat bin/iptables.sh
#!/bin/sh

iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# Blocker
ipset -L blocked >/dev/null 2>&1
if [ $? -ne 0 ]
then
        echo "Creating ipset: blocked"
        ipset create blocked hash:ip
fi

if [ -f /root/blocked_domains.txt ]
then
        ipset flush blocked
        for domain in $(cat /root/blocked_domains.txt); do
                # keep only IPv4 answers (dig +short also prints CNAME targets)
                for address in $( dig a "$domain" +short | grep -P -e '^(\d{1,3}\.){3}\d{1,3}$' ); do
                        echo "$domain -> $address"
                        ipset add blocked "$address"
                done
        done
        done

        ipset -L blocked >/dev/null 2>&1
        if [ $? -eq 0 ]
        then
                echo "Blocking"
                # # # What goes here? # # #
                iptables -A INPUT -m set --match-set blocked src -j DROP
        fi
fi

# Only allow things on this box to use the failover connection (limited data allowance.)
iptables -A FORWARD -s localhost -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -o enp0s6f1u2 -j DROP

# Masquerade
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o wlan0      -j MASQUERADE
iptables -t nat -A POSTROUTING -o enp0s6f1u2 -j MASQUERADE

Update

# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 15M packets, 16G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocked src

(Truncated, but this is clearly the relevant line.)

Another update

I am also confused because one of the domains I am trying to block seems to be changing its IP (different replies from the same name server, which is the WiFi hotspot on my Android phone.)

# date; dig b.scorecardresearch.com
Fri  2 Jul 09:34:36 BST 2021

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> b.scorecardresearch.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3185
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;b.scorecardresearch.com.       IN      A

;; ANSWER SECTION:
b.scorecardresearch.com. 1      IN      A       143.204.198.94
b.scorecardresearch.com. 1      IN      A       143.204.198.59
b.scorecardresearch.com. 1      IN      A       143.204.198.111
b.scorecardresearch.com. 1      IN      A       143.204.198.90

;; Query time: 35 msec
;; SERVER: 192.168.43.214#53(192.168.43.214)
;; WHEN: Fri Jul 02 09:34:36 BST 2021
;; MSG SIZE  rcvd: 116


# date; dig b.scorecardresearch.com
Fri  2 Jul 09:34:51 BST 2021

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> b.scorecardresearch.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52849
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;b.scorecardresearch.com.       IN      A

;; ANSWER SECTION:
b.scorecardresearch.com. 24     IN      A       99.84.15.95
b.scorecardresearch.com. 24     IN      A       99.84.15.83
b.scorecardresearch.com. 24     IN      A       99.84.15.117
b.scorecardresearch.com. 24     IN      A       99.84.15.65

;; Query time: 63 msec
;; SERVER: 192.168.43.214#53(192.168.43.214)
;; WHEN: Fri Jul 02 09:34:51 BST 2021
;; MSG SIZE  rcvd: 116

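As an added example (not part of the original question or of the answer below), the following script shows where the rule has to go on a masquerading router. LAN traffic that is being NATed traverses the FORWARD chain and never INPUT; INPUT only sees packets addressed to the router itself, which is why the INPUT rule in the question's counters shows 0 packets. The script also rebuilds the set into a scratch set and swaps it in, so the live set is never empty between the flush and the end of the DNS loop, and it validates each octet of the resolved addresses, which the question's `\d{1,3}` regex does not. The set name `blocked` and the file `/root/blocked_domains.txt` come from the question; the `DRY_RUN` switch, the function names and the `apply` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the question's own script: block forwarded traffic
# to/from every address in an ipset on a masquerading router.
# Assumed names: set "blocked", list file /root/blocked_domains.txt,
# DRY_RUN switch and the "apply" argument.
# With DRY_RUN=1 the ipset/iptables commands are printed, not executed.

run() {
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# True only for a dotted quad whose four octets are all 0-255.
# The question's regex accepts e.g. 999.999.999.999, which ipset would reject.
is_ipv4() {
        case "$1" in
                ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
        esac
        old_ifs=$IFS
        IFS=.
        set -- $1
        IFS=$old_ifs
        [ $# -eq 4 ] || return 1
        for octet in "$@"; do
                [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        done
        return 0
}

# A records only: dig +short also prints CNAME targets, which is_ipv4 drops.
resolve_v4() {
        dig +short A "$1" | while read -r answer; do
                is_ipv4 "$answer" && echo "$answer"
        done
}

# Rebuild into a scratch set and swap it in atomically, so the live set
# keeps blocking while the names are being re-resolved.
refresh_set() {
        set_name=$1; list_file=$2
        run ipset -exist create "$set_name" hash:ip
        run ipset -exist create "${set_name}-new" hash:ip
        run ipset flush "${set_name}-new"
        grep -v '^#' "$list_file" | while read -r host; do
                [ -n "$host" ] || continue
                for address in $(resolve_v4 "$host"); do
                        echo "$host -> $address"
                        run ipset -exist add "${set_name}-new" "$address"
                done
        done
        run ipset swap "${set_name}-new" "$set_name"
        run ipset destroy "${set_name}-new"
}

# Masqueraded LAN traffic traverses FORWARD, not INPUT. INPUT only sees
# packets addressed to the router, OUTPUT only packets the router sends.
install_rules() {
        set_name=$1
        # LAN -> blocked host, and anything a blocked host sends or initiates;
        # inserted at position 1 so they precede the ESTABLISHED,RELATED accept.
        run iptables -I FORWARD 1 -m set --match-set "$set_name" dst -j DROP
        run iptables -I FORWARD 1 -m set --match-set "$set_name" src -j DROP
        # the router's own connections
        run iptables -I OUTPUT 1 -m set --match-set "$set_name" dst -j DROP
}

# Only act when invoked as "iptables.sh apply"; loading the file otherwise
# (for instance to test the functions) has no side effects.
case "${1:-}" in
        apply) refresh_set blocked /root/blocked_domains.txt
               install_rules blocked ;;
esac
```

Run `refresh_set` periodically (from cron, for example) rather than once at boot: the two dig replies in the question carry TTLs of 1 and 24 seconds and come from different address ranges, so a set built from a single resolution goes stale within seconds. Blocking a name that is served from rotating shared edge addresses by IP is inherently lossy, and it can also drop other names served from the same addresses; a DNS-level block on the router's resolver is the more reliable tool for that case. Check the result with `iptables -vnL FORWARD` and `ipset list blocked`; the FORWARD counters, not the INPUT ones, should increase when a LAN client reaches a blocked address.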

Answer 1

Here is an example:

ipset create banned_hosts hash:net family inet hashsize 1048576 maxelem 1500000 counters comment

And here is the iptables rule:

iptables -t nat -A PREROUTING -i eth0 -m set --match-set banned_hosts src -j DROP
