{"id":438,"date":"2021-09-10T14:48:00","date_gmt":"2021-09-10T14:48:00","guid":{"rendered":"https:\/\/262235.xyz\/?p=438"},"modified":"2021-09-10T14:48:00","modified_gmt":"2021-09-10T14:48:00","slug":"438","status":"publish","type":"post","link":"https:\/\/lyvba.com\/index.php\/2021\/09\/10\/438\/","title":{"rendered":"\u4f7f\u7528Iptables\u7ed9Docker\u6dfb\u52a0\u9632\u706b\u5899 ;\u4f7f\u7528ipset\u5efa\u7acb\u9ed1\u540d\u5355\u548c\u767d\u540d\u5355"},"content":{"rendered":"<h2>\u53c2\u8003\u6587\u7ae0\uff0c\u9884\u5907\u77e5\u8bc6<\/h2>\n<ul>\n<li>TaterLi \u4e2a\u4eba\u535a\u5ba2: \u7ed9Docker\u6dfb\u52a0\u9632\u706b\u5899       <a href=\"https:\/\/www.taterli.com\/5744\/\">https:\/\/www.taterli.com\/5744\/<\/a><\/li>\n<li>add_ipset.sh \u6279\u91cf\u4ece iplist \u6309\u884c\u5bfc\u5165 ipset  <a href=\"https:\/\/lyvba.com\/index.php\/archives\/370\/\">https:\/\/lyvba.com\/index.php\/archives\/370\/<\/a><\/li>\n<\/ul>\n<h2>\u5148\u5355IP\u767d\u540d\u5355\u6d4b\u8bd5\u5b66\u4e60<\/h2>\n<pre><code># \u6e05\u7a7a\u6574\u4e2aDOCKER-USER\u7ec4\niptables -F DOCKER-USER\n\n# \u53ea\u5141\u8bb8\u7279\u5b9aIP 188.188.188.188 \u8bbf\u95ee\u591a\u4e2a\u5bb9\u5668\u7aef\u53e3\uff0c\u5176\u4ed6\u90fd DROP\niptables -I DOCKER-USER -s 188.188.188.188  -p tcp -m multiport --dport 80,443,8000,9000  -j ACCEPT\niptables -A DOCKER-USER -p tcp -m multiport --dport 80,443,8000,9000  -j DROP\niptables -A DOCKER-USER -j RETURN\n\n# \u663e\u793a\u521a\u8bbe\u7f6e\u7684DOCKER-USER\u7ec4\u89c4\u5219\niptables  -nvL   DOCKER-USER\n\nChain DOCKER-USER (1 references)\n pkts bytes target     prot opt in     out     source               destination\n    0     0 ACCEPT     tcp  --  *      *       188.188.188.188      0.0.0.0\/0            multiport dports 80,443,8000,9000\n    0     0 DROP       tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            multiport dports 80,443,8000,9000\n    0     0 RETURN     all  --  *      *       0.0.0.0\/0            0.0.0.0\/0    
<\/code><\/pre>\n<h2>\u6d4f\u89c8\u5668\u6253\u5f00\u6d4b\u8bd5\u662f\u5426\u5c4f\u853d\u4e86\u5176\u4ed6IP\uff0c\u5982\u679c\u88ab\u5173\u4e86\uff0c\u91cd\u542fVPS\u5c31\u80fd\u6062\u590d\u4fee\u6539\u524d\u7684\u8bbe\u7f6e\uff08\u524d\u63d0\u662f\u89c4\u5219\u6ca1\u6709\u88ab\u6301\u4e45\u5316\u4fdd\u5b58\uff09<\/h2>\n<pre><code># \u518d\u6765\u6dfb\u52a0\u7b2c\u4e8c\u4e2aIP\niptables -I DOCKER-USER -s \u81ea\u5df1IP\u5730\u5740  -p tcp -m multiport --dport 80,443,8000,9000  -j ACCEPT<\/code><\/pre>\n<h2>\u7406\u89e3 DOCKER-USER\u7ec4\u89c4\u5219\u540e\uff0c\u6211\u4eec\u6765\u4f7f\u7528 ipset \u5efa\u7acb\u767d\u540d\u5355\uff0c\u6d4b\u8bd5\u5b66\u4e60<code>ipset<\/code>\u7684\u7528\u6cd5<\/h2>\n<pre><code>apt install ipset -y            # \u5b89\u88c5ipset\u8f6f\u4ef6\n\nipset create blacklist hash:net maxelem 1000000    # 1.\u521b\u5efa\u4e00\u4e2aipset \u9ed1\u540d\u5355\nipset create whitelist hash:net maxelem 1000000    # \u767d\u540d\u5355\nipset add  whitelist 8.8.8.8    # \u52a0\u5165\u4e00\u4e2a\u540d\u5355ip\nipset list whitelist            # \u67e5\u770b\u767d\u540d\u5355<\/code><\/pre>\n<h3>bash <code>add_ipset.sh<\/code> whitelist.txt  # \u53ef\u4ee5\u6279\u91cf\u6dfb\u52a0\u767d\u540d\u5355<\/h3>\n<pre><code>#!\/bin\/bash\n# add_ipset.sh  \u6279\u91cf\u4ece iplist \u6309\u884c\u5bfc\u5165 ipset\n\nlet i=1\n\nwhile read -r line || [[ -n $line ]]; do\n  echo -e \"${i}  ${line}\"  &amp;&amp;  let i++\n  ipset add whitelist $line\ndone &lt; $1<\/code><\/pre>\n<h3>\u67e5\u770b\u767d\u540d\u5355 <code>ipset list whitelist<\/code><\/h3>\n<pre><code>Name: whitelist\nType: hash:net\nRevision: 6\nHeader: family inet hashsize 1024 maxelem 1000000\nSize in memory: 1112\nReferences: 0\nNumber of entries: 12\nMembers:\n8.8.8.8\n......<\/code><\/pre>\n<h2>\u767d\u540d\u5355IPSET\u96c6\u6d4b\u8bd5\u5b66\u4e60<\/h2>\n<pre><code># \u6e05\u7a7a\u6574\u4e2aDOCKER-USER\u7ec4\niptables -F DOCKER-USER\n\n# \u53ea\u5141\u8bb8\u767d\u540d\u5355IPSET\u96c6\u8bbf\u95ee\u591a\u4e2a\u5bb9\u5668\u7aef\u53e3\uff0c\u5176\u4ed6\u90fd DROP\n# \u6ce8\u610f\uff1a\u4e0b\u9762\u7684 ACCEPT \u89c4\u5219\u6ca1\u6709\u9650\u5b9a\u7aef\u53e3\uff0c\u767d\u540d\u5355\u6765\u6e90\u7684\u6240\u6709 TCP \u7aef\u53e3\u90fd\u4f1a\u88ab\u653e\u884c\niptables -I DOCKER-USER -m 
set --match-set whitelist src -p tcp -j ACCEPT\niptables -A DOCKER-USER -p tcp -m multiport --dport 80,443,8000,9000  -j DROP\niptables -A DOCKER-USER -j RETURN\n\n# \u663e\u793a\u521a\u8bbe\u7f6e\u7684DOCKER-USER\u7ec4\u89c4\u5219\niptables  -nvL   DOCKER-USER\n\nChain DOCKER-USER (1 references)\n pkts bytes target     prot opt in     out     source               destination\n    0     0 ACCEPT     tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            match-set whitelist src\n    0     0 DROP       tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0            multiport dports 80,443,8000,9000\n    0     0 RETURN     all  --  *      *       0.0.0.0\/0            0.0.0.0\/0           <\/code><\/pre>\n<h2>\u7528\u767d\u540d\u5355IP \u4f7f\u7528\u547d\u4ee4  <code>tcping ip:port<\/code> \u6d4b\u8bd5\u662f\u5426\u80fd\u8bbf\u95ee<\/h2>\n<pre><code>$ tcping 188.188.0.224 80\nProbing 188.188.0.224:80\/tcp - Port is open - time=167.975ms\n\nipset add whitelist 188.188.243.133   # \u5982\u679c\u4e0d\u5728\u767d\u540d\u5355\uff0c\u518d\u624b\u5de5\u6dfb\u52a0IP\nipset del whitelist 188.188.243.133   # \u4e5f\u53ef\u4ee5\u4ece\u767d\u540d\u5355IP\u4e2d\u79fb\u51fa\u518d\u6d4b\u8bd5\n$ tcping 188.188.0.224 80<\/code><\/pre>\n<h1>\u9ed1\u540d\u5355\u5c31\u8981\u6162\u6162\u6536\u96c6 \u53c2\u8003\u547d\u4ee4<\/h1>\n<pre><code>iptables -I DOCKER-USER -m set --match-set blacklist src -p tcp -j DROP<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u53c2\u8003\u6587\u7ae0\uff0c\u9884\u5907\u77e5\u8bc6 TaterLi \u4e2a\u4eba\u535a\u5ba2: \u7ed9Docker\u6dfb\u52a0\u9632\u706b\u5899 https:\/\/www.t 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,8],"tags":[15,47],"class_list":["post-438","post","type-post","status-publish","format-standard","hentry","category-docker","category-linux","tag-docker","tag-iptables"],"_links":{"self":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/posts\/438","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/comments?post=438"}],"version-history":[{"count":0,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/posts\/438\/revisions"}],"wp:attachment":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/media?parent=438"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/categories?post=438"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/tags?post=438"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}