#!/bin/sh
# set -x
set -e
ipset=${IPSET_BIN:-../src/ipset}

# We play with the following networks:
# inet: 10.255.255.0/24
#   10.255.255.0-31 in ip1
#   10.255.255.32-63 in ip2
#   rest in ipport
# inet6: 1002:1002:1002:1002::/64
#   1002:1002:1002:1002::1 in ip1
#   1002:1002:1002:1002::32 in ip2
#   rest in ipport

# First argument: address family, which also selects the iptables binary.
case "$1" in
    inet)
        cmd=iptables
        family=
        NET=10.255.255.0/24
        IP1=10.255.255.1
        IP2=10.255.255.32
        ;;
    inet6)
        cmd=ip6tables
        family="family inet6"
        NET=1002:1002:1002:1002::/64
        IP1=1002:1002:1002:1002::1
        IP2=1002:1002:1002:1002::32
        ;;
    *)
        echo "Usage: $0 inet|inet6 start|start_flags|start_flags_reversed|del|add|timeout|mangle|netiface|stop"
        exit 1
        ;;
esac

# Second argument: the scenario to set up or tear down.
case "$2" in
    start)
        # ip1 and ip2 each hold one address; ipport is filled at runtime by
        # the SET target; list references ipport and ip1. Errors from
        # re-creating existing sets are ignored.
        $ipset n ip1 hash:ip $family 2>/dev/null
        $ipset a ip1 $IP1 2>/dev/null
        $ipset n ip2 hash:ip $family 2>/dev/null
        $ipset a ip2 $IP2 2>/dev/null
        $ipset n ipport hash:ip,port $family 2>/dev/null
        $ipset n list list:set 2>/dev/null
        $ipset a list ipport 2>/dev/null
        $ipset a list ip1 2>/dev/null
        # Traffic from outside $NET is accepted untouched. Sources in neither
        # ip1 nor ip2 are added to ipport (ip and port both taken from the
        # source side); each LOG rule records which set a packet matched.
        $cmd -A INPUT ! -s $NET -j ACCEPT
        $cmd -A INPUT -m set ! --match-set ip1 src \
            -m set ! --match-set ip2 src \
            -j SET --add-set ipport src,src
        $cmd -A INPUT -m set --match-set ip1 src \
            -j LOG --log-prefix "in set ip1: "
        $cmd -A INPUT -m set --match-set ip2 src \
            -j LOG --log-prefix "in set ip2: "
        $cmd -A INPUT -m set --match-set ipport src,src \
            -j LOG --log-prefix "in set ipport: "
        $cmd -A INPUT -m set --match-set list src,src \
            -j LOG --log-prefix "in set list: "
        $cmd -A OUTPUT -d $NET -j DROP
        # Reset the error file and kernel log the test harness inspects.
        cat /dev/null > .foo.err
        cat /dev/null > /var/log/kern.log
        ;;
    start_flags)
        # hash:net with a nomatch exception: 10.0.0.0/24 is excluded from
        # 10.0.0.0/16, but 10.0.0.1 is re-added as a more specific match.
        $ipset n test hash:net $family 2>/dev/null
        $ipset a test 10.0.0.0/16 2>/dev/null
        $ipset a test 10.0.0.0/24 nomatch 2>/dev/null
        $ipset a test 10.0.0.1 2>/dev/null
        $cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
        # Plain match first, then --return-nomatch, which treats a nomatch
        # entry as a match.
        $cmd -A INPUT -m set --match-set test src \
            -j LOG --log-prefix "in set test: "
        $cmd -A INPUT -m set --match-set test src --return-nomatch \
            -j LOG --log-prefix "in set test-nomatch: "
        $cmd -A INPUT -s 10.0.0.0/16 -j DROP
        cat /dev/null > .foo.err
        cat /dev/null > /var/log/kern.log
        ;;
    start_flags_reversed)
        # Same set as start_flags, with the two LOG rules in reverse order.
        $ipset n test hash:net $family 2>/dev/null
        $ipset a test 10.0.0.0/16 2>/dev/null
        $ipset a test 10.0.0.0/24 nomatch 2>/dev/null
        $ipset a test 10.0.0.1 2>/dev/null
        $cmd -A INPUT ! -s 10.0.0.0/16 -j ACCEPT
        $cmd -A INPUT -m set --match-set test src --return-nomatch \
            -j LOG --log-prefix "in set test-nomatch: "
        $cmd -A INPUT -m set --match-set test src \
            -j LOG --log-prefix "in set test: "
        $cmd -A INPUT -s 10.0.0.0/16 -j DROP
        cat /dev/null > .foo.err
        cat /dev/null > /var/log/kern.log
        ;;
    del)
        # Replace the INPUT chain with a rule that removes sources from ipport.
        $cmd -F INPUT
        $cmd -A INPUT -j SET --del-set ipport src,src
        ;;
    add)
        # Replace the INPUT chain with a rule that adds every source to test.
        $ipset n test hash:net $family 2>/dev/null
        $cmd -F INPUT
        $cmd -A INPUT -j SET --add-set test src
        ;;
    timeout)
        # Set default timeout is 2s; the SET target overrides it with 10s and
        # --exist refreshes the timeout of entries that are already present.
        $ipset n test hash:ip,port timeout 2
        $cmd -A INPUT -j SET --add-set test src,src --timeout 10 --exist
        ;;
    mangle)
        # skbinfo extension: --map-mark copies the stored skbmark onto
        # matching packets, which the mark match then logs.
        $ipset n test hash:net $family skbinfo 2>/dev/null
        $ipset a test 10.255.0.0/16 skbmark 0x1234 2>/dev/null
        $cmd -t mangle -A INPUT -j SET --map-set test src --map-mark
        $cmd -t mangle -A INPUT -m mark --mark 0x1234 -j LOG --log-prefix "in set mark: "
        $cmd -t mangle -A INPUT -s 10.255.0.0/16 -j DROP
        ;;
    netiface)
        # hash:net,iface matched on destination address and outgoing interface.
        $ipset n test hash:net,iface
        $ipset a test 0.0.0.0/0,eth0
        $cmd -A OUTPUT -m set --match-set test dst,dst -j LOG --log-prefix "in set netiface: "
        $cmd -A OUTPUT -d 10.255.255.254 -j DROP
        ;;
    stop)
        # Flush and delete all rules, chains and sets created above.
        $cmd -F
        $cmd -X
        $cmd -F -t mangle
        $cmd -X -t mangle
        $ipset -F 2>/dev/null
        $ipset -X 2>/dev/null
        ;;
    *)
        echo "Usage: $0 inet|inet6 start|start_flags|start_flags_reversed|del|add|timeout|mangle|netiface|stop"
        exit 1
        ;;
esac
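The `start` case above only installs the rules; checking that they behaved as intended means reading the `--log-prefix` strings back out of the kernel log. The following is an added example, not part of the ipset test suite: it groups LOG lines by the prefixes the script installs and checks the expected outcome for the inet layout (IP1 should appear under `ip1` and `list`, since `ip1` is a member of `list`; IP2 under `ip2` only; any other source under `ipport` and `list`). The log lines are constructed samples in the usual kernel LOG format, not captured output, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ipset project): classify iptables LOG output by
# the "in set <name>: " prefixes used in the test script and check the result.

# Constructed sample of what the INPUT chain's LOG rules might emit after
# "start" for inet. Not real captured output.
SAMPLE_LOG='kernel: in set ip1: IN=eth0 OUT= SRC=10.255.255.1 DST=10.255.255.254 PROTO=TCP SPT=40000 DPT=22
kernel: in set list: IN=eth0 OUT= SRC=10.255.255.1 DST=10.255.255.254 PROTO=TCP SPT=40000 DPT=22
kernel: in set ip2: IN=eth0 OUT= SRC=10.255.255.32 DST=10.255.255.254 PROTO=TCP SPT=40001 DPT=22
kernel: in set ipport: IN=eth0 OUT= SRC=10.255.255.100 DST=10.255.255.254 PROTO=TCP SPT=40002 DPT=22
kernel: in set list: IN=eth0 OUT= SRC=10.255.255.100 DST=10.255.255.254 PROTO=TCP SPT=40002 DPT=22'

# count_prefix NAME: number of log lines carrying "in set NAME: ".
count_prefix() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "in set $1: "
}

# srcs_for_prefix NAME: sorted, unique SRC= addresses logged under that
# prefix, space separated on one line.
srcs_for_prefix() {
    printf '%s\n' "$SAMPLE_LOG" | grep "in set $1: " \
        | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' | sort -u \
        | tr '\n' ' ' | sed 's/ $//'
}

# check_start_expectations: returns 0 when the log matches what the inet
# "start" scenario should produce, 1 otherwise.
check_start_expectations() {
    # Only IP1 may hit ip1, only IP2 may hit ip2.
    [ "$(srcs_for_prefix ip1)" = "10.255.255.1" ] || return 1
    [ "$(srcs_for_prefix ip2)" = "10.255.255.32" ] || return 1
    # IP1 is a member of list (via set ip1), so it must appear there.
    case " $(srcs_for_prefix list) " in
        *" 10.255.255.1 "*) ;;
        *) return 1 ;;
    esac
    # IP1 and IP2 are excluded from the SET --add-set rule, so they must
    # never show up in ipport.
    case " $(srcs_for_prefix ipport) " in
        *" 10.255.255.1 "*|*" 10.255.255.32 "*) return 1 ;;
    esac
    # Every ipport source must also be seen in list (list contains ipport).
    for src in $(srcs_for_prefix ipport); do
        case " $(srcs_for_prefix list) " in
            *" $src "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Stand-alone run: report per-prefix counts and the overall verdict.
for name in ip1 ip2 ipport list; do
    printf '%-7s %s\n' "$name" "$(count_prefix "$name")"
done
if check_start_expectations; then
    echo "start scenario: OK"
else
    echo "start scenario: MISMATCH"
fi
```

To check a real run, replace `SAMPLE_LOG` with the contents of the kernel log the script truncates (`/var/log/kern.log`) after generating traffic from each address; a source that appears under `ipport` without also appearing under `list` indicates the `list:set` reference is not resolving as expected.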