#!/bin/sh
# set -x
set -e
ipset=${IPSET_BIN:-../src/ipset}
# Sets used by the test, per address family:
# inet:  10.255.255.0/24
#        10.255.255.1 in ip1 (hash:ip)
#        10.255.255.32 in ip2 (hash:ip)
#        any other source in the /24 is added to ipport (hash:ip,port)
#        by the SET target
# inet6: 1002:1002:1002:1002::/64
#        1002:1002:1002:1002::1 in ip1
#        1002:1002:1002:1002::32 in ip2
#        rest in ipport
# The list:set "list" contains ipport and ip1.
case "$1" in
    inet)
        cmd=iptables
        family=
        NET=10.255.255.0/24
        IP1=10.255.255.1
        IP2=10.255.255.32
        ;;
    inet6)
        cmd=ip6tables
        family="family inet6"
        NET=1002:1002:1002:1002::/64
        IP1=1002:1002:1002:1002::1
        IP2=1002:1002:1002:1002::32
        ;;
    *)
        echo "Usage: $0 inet|inet6 start|start_flags|start_flags_reversed|del|timeout|mangle|stop"
        exit 1
        ;;
esac
case "$2" in
    start)
        # Create the sets and log which set each incoming source matches
        $ipset n ip1 hash:ip $family 2>/dev/null
        $ipset a ip1 $IP1 2>/dev/null
        $ipset n ip2 hash:ip $family 2>/dev/null
        $ipset a ip2 $IP2 2>/dev/null
        $ipset n ipport hash:ip,port $family 2>/dev/null
        $ipset n list list:set 2>/dev/null
        $ipset a list ipport 2>/dev/null
        $ipset a list ip1 2>/dev/null
        # Traffic from outside the test network is not examined
        $cmd -A INPUT ! -s $NET -j ACCEPT
        # Sources in neither ip1 nor ip2 are added to ipport as src ip,src port
        $cmd -A INPUT -m set ! --match-set ip1 src \
            -m set ! --match-set ip2 src \
            -j SET --add-set ipport src,src
        $cmd -A INPUT -m set --match-set ip1 src \
            -j LOG --log-prefix "in set ip1: "
        $cmd -A INPUT -m set --match-set ip2 src \
            -j LOG --log-prefix "in set ip2: "
        $cmd -A INPUT -m set --match-set ipport src,src \
            -j LOG --log-prefix "in set ipport: "
        $cmd -A INPUT -m set --match-set list src,src \
            -j LOG --log-prefix "in set list: "
        # Never answer the test addresses
        $cmd -A OUTPUT -d $NET -j DROP
        # Start with empty error and kernel logs for the test to inspect
        cat /dev/null > .foo.err
        cat /dev/null > /var/log/kern.log
        ;;
    start_flags)
        # 10.0.0.0/16 is in the set, 10.0.0.0/24 is excluded by the nomatch
        # flag and 10.0.0.1 is re-included as a more specific element
        $ipset n test hash:net $family 2>/dev/null
        $ipset a test 10.0.0.0/16 2>/dev/null
        $ipset a test 10.0.0.0/24 nomatch 2>/dev/null
        $ipset a test 10.0.0.1 2>/dev/null
        $cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
        $cmd -A INPUT -m set --match-set test src \
            -j LOG --log-prefix "in set test: "
        # --return-nomatch makes the match succeed for nomatch-flagged elements
        $cmd -A INPUT -m set --match-set test src --return-nomatch \
            -j LOG --log-prefix "in set test-nomatch: "
        $cmd -A INPUT -s 10.0.0.0/16 -j DROP
        cat /dev/null > .foo.err
        cat /dev/null > /var/log/kern.log
        ;;
    start_flags_reversed)
        # Same sets as start_flags, with the two LOG rules in reverse order
        $ipset n test hash:net $family 2>/dev/null
        $ipset a test 10.0.0.0/16 2>/dev/null
        $ipset a test 10.0.0.0/24 nomatch 2>/dev/null
        $ipset a test 10.0.0.1 2>/dev/null
        $cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
        $cmd -A INPUT -m set --match-set test src --return-nomatch \
            -j LOG --log-prefix "in set test-nomatch: "
        $cmd -A INPUT -m set --match-set test src \
            -j LOG --log-prefix "in set test: "
        $cmd -A INPUT -s 10.0.0.0/16 -j DROP
        cat /dev/null > .foo.err
        cat /dev/null > /var/log/kern.log
        ;;
    del)
        # Replace the INPUT rules with one that removes sources from ipport
        $cmd -F INPUT
        $cmd -A INPUT -j SET --del-set ipport src,src
        ;;
    timeout)
        # Set default timeout is 2s; the SET target overrides it with 10s
        # and --exist refreshes the timeout of elements already present
        $ipset n test hash:ip,port $family timeout 2
        $cmd -A INPUT -j SET --add-set test src,src --timeout 10 --exist
        ;;
    mangle)
        # skbinfo set: matching sources get packet mark 0x1234 via --map-mark
        # (IPv4 addresses only, so this case is meant for "inet")
        $ipset n test hash:net $family skbinfo 2>/dev/null
        $ipset a test 10.255.0.0/16 skbmark 0x1234 2>/dev/null
        $cmd -t mangle -A INPUT -j SET --map-set test src --map-mark
        $cmd -t mangle -A INPUT -m mark --mark 0x1234 -j LOG --log-prefix "in set mark: "
        $cmd -t mangle -A INPUT -s 10.255.0.0/16 -j DROP
        ;;
    stop)
        # Flush and delete all rules and chains, then all sets
        $cmd -F
        $cmd -X
        $cmd -F -t mangle
        $cmd -X -t mangle
        $ipset -F 2>/dev/null
        $ipset -X 2>/dev/null
        ;;
    *)
        echo "Usage: $0 inet|inet6 start|start_flags|start_flags_reversed|del|timeout|mangle|stop"
        exit 1
        ;;
esac