Ubuntu利用IPSET批量封禁IP

# Create an empty hash:net set; "xxx" stands for whatever name the set should get.
ipset create xxx hash:net
# Create the set that will later hold the CN address prefixes
# (-N is the short spelling of "create").
ipset create cnip hash:net

# Create the two address-list sets (blacklist / whitelist) used by the rules.
# hash:net takes single addresses as well as CIDR prefixes; maxelem raises the
# per-set element limit above its default so a large list still fits.
for set_name in blacklist whitelist; do
  ipset create "$set_name" hash:net maxelem 1000000
done

# Example entry; 10.60.10.xx is a placeholder for the address to block.
ipset add blacklist 10.60.10.xx

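# Fetch the CN country prefix list and load every prefix into the cnip set.
#
# Fixes versus the original three lines:
#  - wget -P . wrote cn.zone into the current directory while the loop read
#    /root/cn.zone, so the two steps only agreed when run from /root; the
#    download now goes to the exact path the loop reads.
#  - -O overwrites the file on re-runs; -P would have created cn.zone.1 and
#    the loop would silently reload the stale copy.
#  - A failed download no longer falls through to loading an old/missing file.
#  - `for i in $(cat ...)` word-splits and glob-expands every line; the
#    while/read loop passes each line through untouched.
#
# NOTE(review): the list is fetched over plain HTTP with no signature or
# checksum, and whatever arrives becomes a firewall allow-list (see the ACCEPT
# rule that matches cnip). Fetch it over TLS and/or compare it against a
# known-good copy before loading it.
zone_file=/root/cn.zone
wget -O "$zone_file" http://www.ipdeny.com/ipblocks/data/countries/cn.zone || exit 1

# Skip blank lines; `|| [[ -n ... ]]` still handles a last line with no newline.
# ipset add fails on a prefix that is already present (same as the original
# `ipset -A`); add `-exist` to make the load idempotent.
while IFS= read -r prefix || [[ -n "$prefix" ]]; do
  [[ -z "$prefix" ]] && continue
  ipset add cnip "$prefix"
done < "$zone_file"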

将ipset规则保存到文件
# Write each set out in ipset-restore format (one file per set) so it can be
# reloaded later with `ipset restore`.
for set_name in blacklist whitelist; do
  ipset save "$set_name" -f "$set_name.txt"
done

删除ipset
# Drop both sets. ipset refuses to destroy a set that an iptables rule still
# references, so remove any rule matching the set first.
for set_name in blacklist whitelist; do
  ipset destroy "$set_name"
done

允许cnip访问端口
# iptables rule in iptables-save / iptables-restore syntax, not a shell command:
# prefix it with `iptables` to apply it interactively. It ACCEPTs TCP traffic to
# ports 51801-51809 only when the source address is in the cnip set; whether
# other sources can still reach those ports depends on the INPUT chain's
# remaining rules and policy, which this page does not show. No rule on this
# page references blacklist or whitelist, so those sets block/allow nothing
# until a rule matches them.
-A INPUT -p tcp -m set --match-set cnip src -m tcp --dport 51801:51809 -j ACCEPT