Using iptables on CentOS

CentOS 7 uses firewalld by default and leaves iptables disabled.

service firewalld stop   # stop firewalld
service iptables start   # if this reports "Unit iptables.service failed to", run the command below
yum install iptables-services

Enable at boot

systemctl enable iptables  

Common commands

systemctl stop iptables  
systemctl start iptables  
systemctl restart iptables  
systemctl reload iptables  

Open a port

iptables -I INPUT -p tcp --dport 80 -j ACCEPT
service iptables save      # save the rules to /etc/sysconfig/iptables
service iptables restart   # restart so the saved rules take effect

Create an IP blacklist

ipset create blacklist hash:net   # create the blacklist set (hash:net accepts single IPs and CIDR ranges)
ipset add blacklist 127.0.0.1     # add 127.0.0.1 to the blacklist
ipset test blacklist 127.0.0.1    # check whether 127.0.0.1 is in the blacklist
ipset del blacklist 127.0.0.1     # remove 127.0.0.1 from the blacklist

Create firewall rules so that every IP in the blacklist set is refused access to port 80 (useful against CC attacks, for example)

ipset create whitelist hash:net   # the whitelist set must exist before a rule can reference it
iptables -I INPUT -m set --match-set blacklist src -p tcp -j DROP     # drop all TCP from blacklisted sources
iptables -I INPUT -m set --match-set whitelist src -p tcp -j ACCEPT   # -I puts this above the DROP rule, so whitelisted sources are accepted first
service iptables save
# block port 80 only
iptables -I INPUT -m set --match-set blacklist src -p tcp --destination-port 80 -j DROP

Save ipset rules to a file

ipset save blacklist -f blacklist.txt
ipset save whitelist -f whitelist.txt

Delete an ipset

ipset destroy blacklist
ipset destroy whitelist

Import ipset rules

ipset restore -f blacklist.txt
ipset restore -f whitelist.txt
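The steps above (create the set, add entries, insert the port-80 DROP rule, save) wired together so they can be re-run safely; this is an added example, not part of the original post. The DRY_RUN variable, the function names and the "$SET_NAME.txt" save path are assumptions; the ipset -exist flag and iptables -C (check) are real options used to make the script idempotent.

```shell
#!/bin/sh
# Added example: idempotent ipset blacklist for TCP port 80 on CentOS 7.
# Assumes iptables-services and ipset are installed. DRY_RUN=1 prints the
# commands instead of executing them (assumed variable, handy for review).

SET_NAME="${SET_NAME:-blacklist}"   # assumed default, matches the post
PORT="${PORT:-80}"

# run: execute a command, or echo it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# rule_args: the rule body "source in <set>, TCP to <port> -> DROP"
rule_args() {
    echo "INPUT -m set --match-set $1 src -p tcp --dport $2 -j DROP"
}

# ensure_set: create the hash:net set; -exist makes a repeat create a no-op
ensure_set() {
    run ipset create "$1" hash:net -exist
}

# add_nets: add each entry; anything that is not digits, dots or a slash is
# rejected so that untrusted input cannot smuggle extra arguments into ipset
add_nets() {
    set_name=$1; shift
    for net in "$@"; do
        case "$net" in
            ""|*[!0-9./]*) echo "skip invalid entry: $net" >&2; continue ;;
        esac
        run ipset add "$set_name" "$net" -exist
    done
}

# ensure_rule: insert the DROP rule only when iptables -C says it is absent
ensure_rule() {
    args=$(rule_args "$1" "$2")
    if [ "${DRY_RUN:-0}" = "1" ] || ! iptables -C $args 2>/dev/null; then
        run iptables -I $args
    fi
}

# apply_blacklist NET...: full procedure from the post, then persist both halves
apply_blacklist() {
    ensure_set "$SET_NAME"
    add_nets "$SET_NAME" "$@"
    ensure_rule "$SET_NAME" "$PORT"
    run service iptables save
    run ipset save "$SET_NAME" -f "$SET_NAME.txt"
}

# Usage: sh blacklist.sh apply 203.0.113.0/24 198.51.100.7   (constructed sample nets)
if [ "${1:-}" = "apply" ]; then shift; apply_blacklist "$@"; fi
```

Because the iptables rule only references the set by name, the set contents can be changed with ipset add/del at any time without touching the rule; note that the saved set file must be restored (ipset restore) before iptables loads rules that reference it at boot.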
