安装ipset扩展
# Install the ipset userspace tool plus the unit that saves/restores sets across reboots.
dnf install -y ipset ipset-service
修改ipset配置文件
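vi /etc/sysconfig/ipset-config
# --- contents of /etc/sysconfig/ipset-config (one setting per line) ---
# Save current ipsets on stop.
# Value: yes|no, default: no
# Saves all ipsets to /etc/ipset/ipset if service gets stopped
# (e.g. on system shutdown).
IPSET_SAVE_ON_STOP="yes"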
创建一个名为blockip的规则
# Create the set that will hold the blocked networks (`create` is the long form of -N).
# NOTE(review): hash:net defaults to maxelem 65536; if the downloaded list is
# larger than that, add `maxelem <N>` here — confirm the list size first.
ipset create blockip hash:net
下载非中国IP段列表
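# Write to the path the add/remove loops read (/root/nonchina_ip_list.txt)
# instead of the current directory, so the steps work from any cwd.
# NOTE(review): the list comes from a third-party mirror with no signature or
# checksum; whoever controls that host controls what this server blocks.
wget -O /root/nonchina_ip_list.txt 'https://mirror.apad.pro/dns/country-ip-blocks-master/nonchina_ip_list.txt'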
将IP段添加到blockip规则中
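# Add every network in the list to blockip. Lines are read with -r and quoted,
# so unexpected content in the downloaded file is never word-split or
# glob-expanded into extra ipset arguments; blank and '#' lines are skipped
# (assumes one network per line — confirm against the upstream format).
# `-!` tolerates entries that are already in the set.
while IFS= read -r net || [[ -n "$net" ]]; do
  [[ -z "$net" || "$net" == \#* ]] && continue
  ipset -! -A blockip "$net"
done < /root/nonchina_ip_list.txt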
也可以通过命令将IP段从规则中移除
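# Remove every network in the list from blockip. Same safe-read pattern as the
# add loop: -r, quoted, blank and '#' lines skipped; `-!` tolerates entries
# that are no longer in the set.
while IFS= read -r net || [[ -n "$net" ]]; do
  [[ -z "$net" || "$net" == \#* ]] && continue
  ipset -! -D blockip "$net"
done < /root/nonchina_ip_list.txt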
启动ipset服务
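# Three separate commands (they were collapsed onto one line).
systemctl enable ipset
# Persist the current sets so they survive a restart/reboot
# (see IPSET_SAVE_ON_STOP in /etc/sysconfig/ipset-config).
service ipset save
service ipset restart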
屏蔽非中国IP访问
# Drop TCP from any source in blockip. `--insert` without a position puts the
# rule at the top of INPUT, ahead of any RELATED,ESTABLISHED accept, so open
# sessions from listed ranges are cut as well. Check that your own management
# address is not in the set before applying; only TCP is affected.
iptables --insert INPUT --protocol tcp --match set --match-set blockip src --jump DROP
解除屏蔽
# Remove the DROP rule again; the rule spec must match the inserted one exactly.
iptables --delete INPUT --protocol tcp --match set --match-set blockip src --jump DROP
以上两条命令建议在测试规则时使用,生产环境推荐编辑iptables规则
vi /etc/sysconfig/iptables 配置更灵活的iptables规则
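# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Established sessions are accepted before the blockip checks below, so
# connections that were already open when the set was loaded are not cut;
# move the match-set DROP rules above this line if that is not wanted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 172.0.0.0/24 and 172.0.0.1 are placeholder exception addresses - replace
# them with the real management source(s); the blockip DROPs only cover icmp
# and tcp, everything else falls through to the final REJECT.
-A INPUT -p icmp -s 172.0.0.0/24 -j ACCEPT
-A INPUT -p icmp -m set --match-set blockip src -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s 172.0.0.1 -j ACCEPT
-A INPUT -p tcp -m set --match-set blockip src -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT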
其中172.0.0.0/24、172.0.0.1为示例的例外IP
配置规则时应注意顺序,配置完成后执行
# Re-apply the rules file edited above without dropping the current rule set first.
systemctl reload iptables.service
这样即可实现屏蔽非中国IP对服务器的访问
vi blockip.sh 创建更新屏蔽规则脚本
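#!/usr/bin/env bash
# blockip.sh - refresh the "blockip" ipset from the upstream non-China list.
#
# The new list is downloaded and validated first and then swapped into the
# live set, so a failed download can never leave the set empty. (The previous
# delete-then-download-then-add order emptied the set before the fetch was
# known to succeed, which opened the firewall whenever the download failed,
# and `> /etc/blockip.zone` saved curl's error page as the new list.)
# NOTE(review): the list comes from a third-party mirror with no signature or
# checksum; whoever controls that host controls what this server blocks.
set -u

zone=/etc/blockip.zone
url='https://mirror.apad.pro/dns/country-ip-blocks-master/nonchina_ip_list.txt'

tmp=$(mktemp) || exit 1
trap 'rm -f -- "$tmp"' EXIT

# -f: fail on HTTP errors instead of saving the error page; also refuse an
# empty download.
if ! curl -fsSL -o "$tmp" "$url" || ! grep -q '[^[:space:]]' "$tmp"; then
  printf 'blockip.sh: download failed, keeping current blockip set\n' >&2
  exit 1
fi

# Build the replacement in a scratch set and swap it in atomically.
# `-!` (-exist) makes create/add tolerate an existing set or duplicate entry.
# Blank lines and '#' lines are skipped; the first field of each line is the
# network (assumes one network per line - confirm against the upstream format).
ipset -! create blockip hash:net
ipset -! create blockip_new hash:net
ipset flush blockip_new
awk 'NF && $1 !~ /^#/ { print "add blockip_new", $1 }' "$tmp" | ipset -! -R
ipset swap blockip_new blockip
ipset destroy blockip_new

# Only now replace the on-disk copy used for reference by later runs.
mv -f -- "$tmp" "$zone"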
可通过 crontab -e 创建定时任务,实现定时更新屏蔽规则,更新规则比较耗费服务器资源,应在非高峰时间自动更新
另外一种仅允许中国大陆白名单访问的方法, 通过脚本实现:
vi /root/onlycn.sh 输入以下内容并保存
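#!/usr/bin/env bash
# onlycn.sh - allow inbound TCP only from the networks in the China IP list
# (plus loopback, link-local, multicast and limited broadcast); every other
# TCP source is dropped.
#   onlycn.sh        download the list and (re)apply the rules
#   onlycn.sh stop   remove the chain and the set
# Only TCP is filtered (the INPUT jump is "-p tcp"); other protocols are not
# touched by this script.
# NOTE(review): the allow-list is fetched from a third-party repository with
# no signature or checksum - whoever controls it controls who may reach the
# server. Consider a permanent whitelist entry for the management source so a
# bad list cannot lock out administration.
set -u

mmode=${1:-}
CNIP="/root/china_ip_list.txt"
CNIP_URL="https://raw.githubusercontent.com/pmkol/easymosdns/rules/china_ip_list.txt"

#######################################
# Download the list into a temp file and replace $CNIP only on success.
# The old version used `curl ... > $CNIP`, which truncated the file before
# the fetch and saved error pages, so a failed download produced an empty
# set and every external TCP source - including the admin - was dropped.
# Returns: 0 if $CNIP was updated, 1 otherwise ($CNIP left untouched)
#######################################
fetch_list() {
  local tmp
  tmp=$(mktemp) || return 1
  # -f: treat HTTP errors as failure instead of saving the error page.
  if curl -fsSL -o "$tmp" "$CNIP_URL" && grep -q '[^[:space:]]' "$tmp"; then
    mv -f -- "$tmp" "$CNIP"
    return 0
  fi
  rm -f -- "$tmp"
  printf 'onlycn.sh: download failed, keeping %s\n' "$CNIP" >&2
  return 1
}

#######################################
# Print one network per line from $CNIP (first field of each line), skipping
# blank and '#' lines. Prints nothing if the file is missing.
# NOTE(review): assumes one CIDR per line in the upstream file - confirm.
#######################################
gen_iplist() {
  awk 'NF && $1 !~ /^#/ { print $1 }' "$CNIP" 2>/dev/null
}

#######################################
# Remove the chain, the INPUT jump and the set; errors (not present) ignored.
#######################################
flush_r() {
  iptables -F ALLCNRULE 2>/dev/null
  iptables -D INPUT -p tcp -j ALLCNRULE 2>/dev/null
  iptables -X ALLCNRULE 2>/dev/null
  ipset -X allcn 2>/dev/null
}

#######################################
# Create the allcn set from $CNIP and install the ALLCNRULE chain.
# `-!` (-exist) tolerates an existing set / duplicate entries.
#######################################
mstart() {
  ipset -! create allcn hash:net
  gen_iplist | sed -e 's/^/add allcn /' | ipset -! -R
  iptables -N ALLCNRULE
  iptables -I INPUT -p tcp -j ALLCNRULE
  # Loopback, link-local, multicast and limited broadcast are never filtered.
  iptables -A ALLCNRULE -s 127.0.0.0/8 -j RETURN
  iptables -A ALLCNRULE -s 169.254.0.0/16 -j RETURN
  iptables -A ALLCNRULE -s 224.0.0.0/4 -j RETURN
  iptables -A ALLCNRULE -s 255.255.255.255 -j RETURN
  # Add extra whitelisted networks here (before the match-set rule), e.g. the
  # management source range.
  iptables -A ALLCNRULE -m set --match-set allcn src -j RETURN
  iptables -A ALLCNRULE -p tcp -j DROP
}

if [[ "$mmode" == "stop" ]]; then
  flush_r
  exit 0
fi

# Do not touch the running rules unless a usable list is on disk: applying an
# empty allow-list would drop all external TCP.
fetch_list || exit 1
if [[ -z "$(gen_iplist)" ]]; then
  printf 'onlycn.sh: %s has no entries, not applying rules\n' "$CNIP" >&2
  exit 1
fi

# The old chain/set are removed before the new ones are built, so there is a
# short window (the sleep included) with no filtering at all.
flush_r
sleep 1
mstart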
设置脚本可执行权限
# Make the script executable for owner, group and others (same as a+x).
chmod ugo+x -- /root/onlycn.sh
屏蔽非中国大陆IP访问
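# Apply the allow-list. The script created and made executable above is
# /root/onlycn.sh; the page previously pointed at a file that was never created.
/root/onlycn.sh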
恢复非中国大陆IP访问
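# Remove the chain and set again (path matches the script created above).
/root/onlycn.sh stop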