Ссылки:
https://bozza.ru/art-297.html
https://github.com/BroHui/systemd-ipset-service
https://wiki.fysik.dtu.dk/it/Linux_firewall_configuration
Создаем файл vim /usr/lib/systemd/system/ipset.service
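[Unit]
Description=IP sets for iptables
# Sets must exist before the iptables rules that reference them are loaded.
Before=iptables.service
Before=ip6tables.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/ipset/ipset.start-stop start
ExecStop=/usr/libexec/ipset/ipset.start-stop stop
ExecReload=/usr/libexec/ipset/ipset.start-stop reload

# Save current ipset entries on stop/restart.
# Value: yes|no, default: no
# Saves all ipsets to /etc/ipset/ipset (the IPSET_DATA path used by
# ipset.start-stop) if ipset gets stopped or reloaded. The helper also
# forces this to yes when IP(6)TABLES_SAVE_ON_STOP/RESTART=yes is set in
# /etc/sysconfig/ip(6)tables-config.
Environment=IPSET_SAVE_ON_STOP=no IPSET_SAVE_ON_RESTART=no

[Install]
WantedBy=basic.target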
Создаем каталоги для ipset
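# /usr/libexec/ipset holds the start/stop helper; /etc/ipset holds the saved
# set contents (written mode 600 by the helper). -p makes the step idempotent.
mkdir -p -- /usr/libexec/ipset /etc/ipset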
Создаем файл vim /usr/libexec/ipset/ipset.start-stop
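#!/bin/bash
#
# ipset   Start and stop ipset firewall sets
#
# config: /etc/ipset/ipset
#
# Usage: ipset.start-stop {start|stop|reload}
#
# Environment (normally provided by the systemd unit or by the
# ip(6)tables sysconfig files sourced below):
#   IPSET_SAVE_ON_STOP=yes|no     save the live sets to the config file before stop
#   IPSET_SAVE_ON_RESTART=yes|no  save the live sets to the config file before reload
#
# Exit status: 0 on success (also when there is nothing to stop),
#              1 on failure or bad usage, 5 if the ipset binary is missing.

IPSET=ipset
IPSET_BIN=/usr/sbin/${IPSET}
IPSET_DATA=/etc/${IPSET}/${IPSET}
IPTABLES_CONFIG=/etc/sysconfig/iptables-config
IP6TABLES_CONFIG=${IPTABLES_CONFIG/iptables/ip6tables}

if [[ ! -x ${IPSET_BIN} ]]; then
  echo "${IPSET_BIN} does not exist."
  exit 5
fi

# Temporary files created by save(); removed on every exit path.
# (Kept as an array so the trap sees the real paths, not a literal name.)
CLEAN_FILES=()
trap '(( ${#CLEAN_FILES[@]} )) && rm -f -- "${CLEAN_FILES[@]}"' EXIT

# Default ipset configuration:
[[ -z $IPSET_SAVE_ON_STOP ]] && IPSET_SAVE_ON_STOP=no       # Overridden by ip(6)tables IP(6)TABLES_SAVE_ON_STOP
[[ -z $IPSET_SAVE_ON_RESTART ]] && IPSET_SAVE_ON_RESTART=no # Overridden by ip(6)tables IP(6)TABLES_SAVE_ON_RESTART

# Load iptables configuration(s). These files are executed as shell code,
# so they must stay root-owned and not writable by other users.
[[ -f "$IPTABLES_CONFIG" ]] && . "$IPTABLES_CONFIG"
[[ -f "$IP6TABLES_CONFIG" ]] && . "$IP6TABLES_CONFIG"

# It doesn't make sense to save iptables config and not our config
[[ ${IPTABLES_SAVE_ON_STOP} = yes || ${IP6TABLES_SAVE_ON_STOP} = yes ]] && IPSET_SAVE_ON_STOP=yes
[[ ${IPTABLES_SAVE_ON_RESTART} = yes || ${IP6TABLES_SAVE_ON_RESTART} = yes ]] && IPSET_SAVE_ON_RESTART=yes

#######################################
# Refuse to stop while iptables still references sets.
# If the xt_set module is loaded and can't be unloaded, then iptables is
# using ipsets, so refuse to stop the service. Note that when rmmod
# succeeds, xt_set really is unloaded as a side effect of this check.
# Outputs:  diagnostic on stdout when sets are still in use
# Returns:  0 if the sets may be removed, 1 otherwise
#######################################
check_can_unload() {
  if lsmod | grep -q "^xt_set "; then
    if ! rmmod xt_set 2>/dev/null; then
      echo Current iptables configuration requires ipsets
      return 1
    fi
  fi
  return 0
}

#######################################
# Flush and destroy every set that currently exists.
# Returns:  0 if everything was removed, 1 if any flush/destroy failed
#######################################
flush_n_delete() {
  local ret=0 set
  # Flush sets
  ${IPSET_BIN} flush || ret=1
  # Delete ipset sets. If we don't do them individually, then none
  # will be deleted unless they all can be. The set name must be passed
  # explicitly; a bare "destroy" would try to remove every set at once.
  for set in $(${IPSET_BIN} list -name); do
    ${IPSET_BIN} destroy "$set" 2>/dev/null || ret=1
  done
  return $ret
}

#######################################
# Reconcile the live sets with the saved config without a full teardown:
# drop sets and members that are no longer in the config, then add the
# missing ones. Uses process substitution instead of a FIFO in /tmp, so no
# predictable temporary path is created.
# Globals:  IPSET_BIN, IPSET_DATA (read)
# Returns:  0 on success, 1 if the final restore failed
#######################################
start_clean() {
  local old_sets new_sets drop_sets dset
  # Get the lists of sets in current(old) config and new config
  old_sets="$(${IPSET_BIN} list -name | sort -u)"
  new_sets="$(grep ^create "${IPSET_DATA}" | cut -d " " -f 2 | sort -u)"
  # List of sets no longer wanted (present in old, absent in new)
  drop_sets="$(comm -23 <(printf "%s\n" "${old_sets}") <(printf "%s\n" "${new_sets}"))"
  # Get rid of sets no longer needed
  # Unfortunately -! doesn't work for destroy, so we have to do it a command at a time
  for dset in $drop_sets; do
    # If it won't go - ? in use by iptables, just clear it
    ${IPSET_BIN} destroy "$dset" 2>/dev/null || ${IPSET_BIN} flush "$dset"
  done
  # Now delete the set members no longer required (in the live save, not in the config)
  comm -23 <(${IPSET_BIN} save | grep "^add " | sort) <(grep "^add " "${IPSET_DATA}" | sort) \
    | sed -e "s/^add /del /" \
    | ${IPSET_BIN} restore -!
  # At last we can add the set members we haven't got
  ${IPSET_BIN} restore -! <"${IPSET_DATA}" || return 1
  return 0
}

#######################################
# Load the saved config, reconciling with the live sets when there are any.
# Globals:  IPSET_BIN, IPSET_DATA (read)
# Returns:  0 on success or when there is no config file, 1 on failure
#######################################
start() {
  local res
  # Do not start if there is no config file.
  if [[ ! -f "$IPSET_DATA" ]]; then
    echo "Loaded with no configuration"
    return 0
  fi
  # We can skip the first bit and do a simple load if
  # there is no current ipset configuration
  res=1
  if [[ -n $(${IPSET_BIN} list -name) ]]; then
    # The following may fail for some bizarre reason
    start_clean
    res=$?
    [[ $res -ne 0 ]] && echo "Some old configuration may remain"
  fi
  # res -ne 0 => either start_clean failed, or we didn't need to run it
  if [[ $res -ne 0 ]]; then
    # This is the easy way to start but would leave any old
    # entries still configured. Still, better than nothing -
    # but fine if we had no config
    ${IPSET_BIN} restore -! <"${IPSET_DATA}"
    res=$?
  fi
  [[ $res -eq 0 ]]
}

#######################################
# Flush and destroy all sets.
# Returns:  6 if the ip_set module is not loaded (nothing to stop), else 0
#######################################
stop() {
  # Nothing to stop if ip_set module is not loaded.
  lsmod | grep -q "^ip_set " || return 6
  flush_n_delete || echo Warning: Not all sets were flushed/deleted
  return 0
}

#######################################
# Dump the live sets to IPSET_DATA, keeping the previous file as .save.
# The dump goes to a private mktemp file first, so a failed save never
# truncates the live config; the config is kept mode 600.
# Globals:  IPSET, IPSET_BIN, IPSET_DATA (read), CLEAN_FILES (appended)
# Returns:  6 if ip_set is not loaded, 0 on success or nothing to save, 1 on error
#######################################
save() {
  local ret=0 tmp_file
  # Do not save if ip_set module is not loaded.
  lsmod | grep -q "^ip_set " || return 6
  [[ -z $(${IPSET_BIN} list -name) ]] && return 0
  tmp_file=$(/bin/mktemp -q "/tmp/${IPSET}.XXXXXX") \
    && CLEAN_FILES+=("$tmp_file") \
    && chmod 600 "$tmp_file" \
    && ${IPSET_BIN} save >"$tmp_file" 2>/dev/null \
    && [[ -s $tmp_file ]] \
    || ret=1
  if [[ $ret -eq 0 ]]; then
    if [[ ! -f $IPSET_DATA ]]; then
      mv "$tmp_file" "$IPSET_DATA" && chmod 600 "$IPSET_DATA" || ret=1
    # No need to do anything if the files are the same
    elif ! diff -q "$tmp_file" "$IPSET_DATA" >/dev/null; then
      cp -f --preserve=timestamps "$IPSET_DATA" "$IPSET_DATA.save" \
        && chmod 600 "$IPSET_DATA.save" \
        || ret=1
      if [[ $ret -eq 0 ]]; then
        cp -f --preserve=timestamps "$tmp_file" "$IPSET_DATA" \
          && chmod 600 "$IPSET_DATA" \
          || ret=1
      fi
    fi
  fi
  [[ -n $tmp_file ]] && rm -f -- "$tmp_file"
  return $ret
}

case "$1" in
  start)
    start
    RETVAL=$?
    ;;
  stop)
    check_can_unload || exit 1
    [[ $IPSET_SAVE_ON_STOP = yes ]] && save
    stop
    RETVAL=$?
    [[ $RETVAL -eq 6 ]] && echo "${IPSET}: not running" && exit 0
    ;;
  reload)
    [[ $IPSET_SAVE_ON_RESTART = yes ]] && save
    stop
    RETVAL=$?
    [[ $RETVAL -eq 6 ]] && echo "${IPSET}: not running" && exit 0
    start
    RETVAL=$?
    ;;
  *)
    echo "Usage: $IPSET {start|stop|reload}" >&2
    exit 1
    ;;
esac
exit $RETVAL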
Выдаем права на файлы:
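# The unit file is data read by systemd, not a program: 644 is enough.
chmod 644 /usr/lib/systemd/system/ipset.service
# The helper is executed by ExecStart/ExecStop/ExecReload, so it needs the exec bit.
chmod 755 /usr/libexec/ipset/ipset.start-stop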
Первое использование:
Добавляем в автозапуск:
systemctl enable ipset
Сохраняем текущее состояние ipset:
ipset save > /etc/ipset/ipset
Очищаем:
ipset flush
Запускаем демон ipset:
systemctl start ipset
Проверяем, что получилось:
ipset list