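# One-time setup: install the ipset tool and create the set that the
# firewall rules below reference with --match-set.
yum install ipset
# -exist makes this safe to re-run: a plain "create" fails with an error
# once the set already exists (e.g. after the update script has run).
# hash:net holds CIDR prefixes; maxelem caps the number of entries.
ipset -exist create mainland hash:net maxelem 65536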
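#!/usr/bin/env bash
# Rebuild the "mainland" ipset from APNIC's delegated IPv4 statistics.
#
# The new contents are built in a scratch set and swapped in atomically, so
# the firewall never sees a half-filled or empty "mainland" set while the
# download runs, and a failed download leaves the previous contents intact.
# That matters here: the rules that match this set are what let SSH in, so
# flushing the live set before the download is known to have succeeded
# would lock the host out.
#
# Outputs: /home/mainland.txt (one CIDR per line), /home/mainland.conf
#          (ipset save output, for restoring at boot).
# Returns: 0 on success; 1 if the download yields no CN prefixes or a step
#          fails (the old set is left untouched in that case).
set -euo pipefail

readonly SET_NAME=mainland
readonly TMP_SET="${SET_NAME}.new"
readonly MAXELEM=65536
readonly LIST_FILE=/home/mainland.txt
readonly SAVE_FILE=/home/mainland.conf
# Same path as before, fetched over https with certificate checking left on:
# every prefix in this file turns into an ACCEPT rule, so the download must
# not be tamperable in transit (the old http + --no-check-certificate was).
readonly SRC_URL='https://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'

die() { printf 'mainland.sh: %s\n' "$*" >&2; exit 1; }

tmp_list=$(mktemp) || die "mktemp failed"
cleanup() {
  rm -f -- "$tmp_list"
  # Scratch set is only still present if we bailed out before swapping it in
  # (or it was already destroyed); either way ignore the error.
  ipset destroy "$TMP_SET" 2>/dev/null || true
}
trap cleanup EXIT

# APNIC lines look like: apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
# $4 is the first address and $5 the block size (a power of two), so the
# prefix length is 32 - log2($5). Round before truncating: awk's %d truncates,
# and log(x)/log(2) can land a hair below the integer (7.999…), which would
# silently widen the prefix by one bit.
if ! wget -q -O- -- "$SRC_URL" \
    | awk -F'|' '/CN\|ipv4/ { printf("%s/%d\n", $4, 32 - int(log($5)/log(2) + 0.5)) }' \
    > "$tmp_list"; then
  die "download of $SRC_URL failed; keeping the current set"
fi
[[ -s "$tmp_list" ]] || die "no CN prefixes in $SRC_URL; keeping the current set"

# Fill the scratch set with a single "ipset restore" instead of one
# "ipset add" process per prefix (several thousand fork/execs otherwise).
ipset -exist create "$TMP_SET" hash:net maxelem "$MAXELEM"
ipset flush "$TMP_SET"
awk -v set="$TMP_SET" '{ print "add", set, $0 }' < "$tmp_list" | ipset restore

# Make sure the live set exists (first run), then swap: the firewall rules
# keep referencing "$SET_NAME" and see the new contents at once. Both sets
# must be of the same type for swap to work, hence hash:net on both.
ipset -exist create "$SET_NAME" hash:net maxelem "$MAXELEM"
ipset swap "$TMP_SET" "$SET_NAME"
ipset destroy "$TMP_SET"

# install (not mv) so the published list is world-readable rather than
# inheriting mktemp's 0600 mode.
install -m 0644 -- "$tmp_list" "$LIST_FILE"
# The original saved a set named "chnroute", which nothing here creates, so
# the save failed; save the set that was actually built.
ipset save "$SET_NAME" > "$SAVE_FILE"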
# The update script above is saved as /home/mainland.sh; make it executable.
# It must run as root (ipset manipulates kernel tables).
chmod +x /home/mainland.sh
执行这个shell脚本,查看ipset:
# Dump every set with its members; "mainland" should show mainland-China
# prefixes after the script has run.
ipset list
有大陆ip的结果即可。
配置防火墙脚本:
[root@iZj6 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Thu Jun 21 16:39:54 2012
# NOTE: the "mainland" ipset must exist before this file is restored, or the
# --match-set rules make iptables-restore fail. At boot, restore the set from
# /home/mainland.conf first. This file only covers IPv4; ip6tables is not
# configured here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# open port
-A INPUT -i lo -j ACCEPT
# DNS and NTP are open to every source. Keep these only if this host must
# serve DNS/NTP to the public; otherwise restrict them like the ports below.
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 123 -j ACCEPT
# Replies to connections this host opened.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Internal network
-A INPUT -s 10.0.0.0/8 -j ACCEPT
# Mainland: only sources in the "mainland" ipset may reach ports 80, 443 and 22
-A INPUT -m set --match-set mainland src -p tcp --dport 80 -j ACCEPT
-A INPUT -m set --match-set mainland src -p tcp --dport 443 -j ACCEPT
-A INPUT -m set --match-set mainland src -p tcp --dport 22 -j ACCEPT
####################
# DROP PORT
# Catch-all for any TCP/UDP not accepted above. Other protocols (e.g. ICMP)
# are not matched here and fall through to the INPUT ACCEPT policy.
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
COMMIT
执行命令:
# Load the ruleset. Run this from the console or from a session that one of
# the ACCEPT rules covers (10.0.0.0/8, or a source in the "mainland" set on
# port 22): the final tcp DROP cuts any other SSH session.
iptables-restore < /etc/sysconfig/iptables
iptables -nL 有结果即可
另外mainland.sh可以放到cron执行,一个月更新一次即可。
如果需要增加大陆可访问ip:
# Allow an extra prefix by hand (example prefix). Note that mainland.sh
# rebuilds the set from the APNIC list, so a manual entry is lost at the next
# run unless it is re-added afterwards.
ipset add mainland 123.123.0.0/16
减去:
# Remove a prefix by hand (example prefix). Same caveat: the next mainland.sh
# run restores whatever the APNIC list contains.
ipset del mainland 123.123.0.0/16