1.ipset

//安装ipset

yum install ipset 

//创建地址表

ipset create china hash:net maxelem 65536

2.获取国内IP地址段并导入

vi ipset_china.sh


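#!/bin/bash
# Refresh the "china" ipset from ipdeny's per-country CIDR list.
#
# The original version downloaded into the working directory, fed every line
# of the file straight to `ipset add`, and never removed entries that had
# disappeared from the list. This version downloads to a temp file, accepts
# only well-formed IPv4 CIDRs, builds into a staging set and swaps it into
# place atomically, so the live set referenced by the firewall is never empty
# or half-filled mid-update.
#
# Globals:   none (set name, type and source URL are the constants below)
# Arguments: none
# Outputs:   diagnostics and a final entry count on stderr
# Returns:   0 on success; 1 if the download fails, yields no usable entries,
#            or ipset rejects the staging set / swap
#
# The set lives only in kernel memory: nothing here saves it for reboot.
set -euo pipefail

readonly set_name="china"
readonly set_type="hash:net"
readonly set_maxelem=65536
# NOTE(review): the allow-list is fetched over plain HTTP, so anyone on the
# path can alter which networks end up allowed. Prefer an https:// source if
# the provider offers one and sanity-check the entry count before swapping.
readonly zone_url="http://www.ipdeny.com/ipblocks/data/countries/cn.zone"
readonly staging_set="${set_name}_new"

die() { printf '%s\n' "$*" >&2; exit 1; }

tmpfile=$(mktemp) || die "mktemp failed"
cleanup() {
  rm -f -- "$tmpfile"
  # After a successful swap the staging set holds the old contents; if the
  # swap never happened it is a half-built set. Either way it goes. The
  # "does not exist" case (early exit) is deliberately ignored.
  ipset destroy "$staging_set" 2>/dev/null || true
}
trap cleanup EXIT

wget -q -O "$tmpfile" -- "$zone_url" || die "download of $zone_url failed"
[[ -s "$tmpfile" ]] || die "downloaded list is empty; keeping current set"

# Make sure the live set exists with the expected type so the swap below is
# legal (-exist turns "already exists" into a no-op).
ipset create -exist "$set_name" "$set_type" maxelem "$set_maxelem"
ipset destroy "$staging_set" 2>/dev/null || true
ipset create "$staging_set" "$set_type" maxelem "$set_maxelem"

added=0
while IFS= read -r cidr || [[ -n "$cidr" ]]; do
  # Only pass things that look like an IPv4 network to ipset; blank lines,
  # comments or an unexpected HTML error page are skipped rather than
  # becoming ipset arguments.
  [[ "$cidr" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || continue
  ipset add -exist "$staging_set" "$cidr"
  added=$((added + 1))
done < "$tmpfile"

# Refuse to replace a working set with nothing: an empty set would drop every
# connection the firewall gates on it, including remote SSH.
(( added > 0 )) || die "no valid CIDR entries found; keeping current set"

ipset swap "$staging_set" "$set_name"
printf 'loaded %d networks into set %s\n' "$added" "$set_name" >&2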

//添加权限

chmod +x ipset_china.sh

//查看是否导入成功

ipset list china


3.iptables

//停止firewall

systemctl stop firewalld.service

//禁止firewall开机启动

systemctl disable firewalld.service

//安装iptables

yum install iptables-services

//重启防火墙使配置文件生效

systemctl restart iptables.service

//设置iptables防火墙为开机启动项

systemctl enable iptables.service

//编辑

vi /etc/sysconfig/iptables


# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
#
# Default-deny ruleset: INPUT and FORWARD fall back to DROP, so any packet
# not matched by an ACCEPT rule below is discarded; outbound traffic is open.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# OPEN PORT
# Loopback and replies to connections this host already has are always
# allowed. These stay first so the per-port rules below only ever see
# new inbound connections.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Internal network
# Accepts every port and protocol from 192.168.0.0/24, which is broader than
# the per-port rules below; it is also the only way to reach port 22 that
# does not depend on the ipset. Confirm the whole /24 is really trusted.
-A INPUT -s 192.168.0.0/24 -j ACCEPT

# China: only sources listed in the "china" ipset may reach these ports.
# iptables-restore will reject this file if the set does not exist when it
# is loaded (e.g. at boot, unless the set is saved and restored beforehand),
# and an empty set locks remote SSH out entirely. Source-address matching
# narrows exposure but is not authentication; SSH itself still needs
# hardening.
-A INPUT -m set --match-set china src -p tcp --dport 80 -j ACCEPT
-A INPUT -m set --match-set china src -p tcp --dport 443 -j ACCEPT
-A INPUT -m set --match-set china src -p tcp --dport 22 -j ACCEPT

# DROP PORT
# Redundant with the INPUT DROP policy above, but they make the intent
# explicit and give per-protocol drop counters in `iptables -nvL`.
-A INPUT -p tcp -j DROP
-A INPUT -p udp -j DROP
-A INPUT -p icmp -j DROP

COMMIT


iptables-restore < /etc/sysconfig/iptables
iptables -nL

备注:

iptables 规则文件路径 /etc/sysconfig/iptables

service iptables start    启动服务
service iptables stop     停止服务
service iptables restart  重启服务
service iptables status   查看状态

增加大陆可访问ip:

ipset add china 123.123.0.0/16

删除:

ipset del china 123.123.0.0/16

设置Crontab定时每天零点更新一次IP集合

crontab -e

添加一行（路径改为脚本实际保存的位置）

0 0 * * * /home/mainland.sh
最后修改:2021 年 04 月 28 日