使用ipset阻止IP

Question

iptables命令是什么来阻止ipset中的所有in？我试过INPUT和OUTPUT，src和dst，但是我什么也没试过。

这台机器是我的家庭路由器，做伪装；它有两个出站接口，它们都失败了。

下面是我的iptables脚本：

# cat bin/iptables.sh
#!/bin/sh

iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# Blocker
ipset -L blocked >/dev/null 2>&1
if [ $? -ne 0 ]
then
        echo "Creating ipset: blocked"
        ipset create blocked hash:ip
fi

if [ -f /root/blocked_domains.txt ]
then
        ipset flush blocked
        for domain in $(cat /root/blocked_domains.txt); do
                for address in $( dig a $domain +short | grep -P -e '^(\d{1,3}\.){3}\d{1,3}更新# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 15M packets, 16G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocked src(截断；但显然这是相关行)。<#>Another更新我也感到困惑，因为我试图阻止的领域之一似乎是改变它的IP (来自同一个名称服务器的不同回复--这是我安卓手机上的WiFi热点)。# date; dig b.scorecardresearch.com
Fri  2 Jul 09:34:36 BST 2021

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> b.scorecardresearch.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3185
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;b.scorecardresearch.com.       IN      A

;; ANSWER SECTION:
b.scorecardresearch.com. 1      IN      A       143.204.198.94
b.scorecardresearch.com. 1      IN      A       143.204.198.59
b.scorecardresearch.com. 1      IN      A       143.204.198.111
b.scorecardresearch.com. 1      IN      A       143.204.198.90

;; Query time: 35 msec
;; SERVER: 192.168.43.214#53(192.168.43.214)
;; WHEN: Fri Jul 02 09:34:36 BST 2021
;; MSG SIZE  rcvd: 116


# date; dig b.scorecardresearch.com
Fri  2 Jul 09:34:51 BST 2021

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> b.scorecardresearch.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52849
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;b.scorecardresearch.com.       IN      A

;; ANSWER SECTION:
b.scorecardresearch.com. 24     IN      A       99.84.15.95
b.scorecardresearch.com. 24     IN      A       99.84.15.83
b.scorecardresearch.com. 24     IN      A       99.84.15.117
b.scorecardresearch.com. 24     IN      A       99.84.15.65

;; Query time: 63 msec
;; SERVER: 192.168.43.214#53(192.168.43.214)
;; WHEN: Fri Jul 02 09:34:51 BST 2021
;; MSG SIZE  rcvd: 116 ); do
                        echo $domain " -> " $address
                        ipset add blocked $address
                done
        done

        ipset -L blocked >/dev/null 2>&1
        if [ $? -eq 0 ]
        then
                echo "Blocking"
                # # # What goes here? # # #
                iptables -A INPUT -m set --match-set blocked src -j DROP         
        fi
fi

# Only allow things on this box to use the failover connection (limited data allowance.)
iptables -A FORWARD -s localhost -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -o enp0s6f1u2 -j DROP

# Masquerade
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o wlan0      -j MASQUERADE
iptables -t nat -A POSTROUTING -o enp0s6f1u2 -j MASQUERADE

更新

A8

(截断；但显然这是相关行)。

<#>Another更新

我也感到困惑，因为我试图阻止的领域之一似乎是改变它的IP (来自同一个名称服务器的不同回复--这是我安卓手机上的WiFi热点)。

A9

Answer 1

下面是一个例子

ipset create banned_hosts hash:net family inet hashsize 1048576 maxelem 1500000 counters comment

这是iptables的规则

iptables -t nat -A PREROUTING -i eth0 -m set --match-set banned_hosts src -j DROP