服务器遭受来自国外的ddos攻击
该脚本仅适用于centos
ubuntu/debian请按照滑动到下方按照手动方式部署
脚本方式
#!/bin/bashmmode=$1ins () {pa=`rpm -qa | grep iptables`if [ -z "$pa" ] ;thenyum install -y iptables >/dev/nullecho "iptables安装成功!"elseecho "已安装iptables"fipb=`rpm -qa | grep ipset`if [ -z "$pb" ] ;thenyum install -y ipset >/dev/nullecho "ipset安装成功"elseecho "已安装ipset"fi}coll () {kk=`ipset -L | grep cnip`if [ -z "$kk" ] ;thenipset -N cnip hash:netecho "cnip合集创建成功!"elseecho "已有cnip合集"ficn=`ls /root/cn.zone`if [ -z "$cn" ] ;thenwget -P /root/ /ipblocks/data/countries/cn.zone >/dev/nullecho "下载国外ip段,存放位置:/root/cn.zone"fi}dr () {sudi=`ipset -L | grep 223`if [ -z "$sudi" ] ;thenfor i in `cat /root/cn.zone`; do ipset -A cnip $i; done #导入ip段到cnip合集echo "ip段导入成功!"elseecho "ip段已导入过cnip合集"fi}flush () {opk=`iptables -L | grep cnip`if [ -z "$opk" ] ;theniptables -A INPUT -p tcp -m set --match-set cnip src -j ACCEPTiptables -P INPUT DROPecho "已创建屏蔽国外ip规则"elseecho "已有屏蔽国外ip规则"fi}iprctstop () {psd=`rpm -qa | grep iptables-1`if [ -z "$psd" ] ;thenecho "暂未安装iptables,请先安装iptables"fipssd=`rpm -qa | grep ipset-7`if [ -z "$pssd" ] ;thenecho "暂未安装ipset,请先安装iptables"fiexit 0dpo=`iptables -L -n | grep cnip`if [ "$dpo" ] ;thenread -p "输入y删除iptables中cnip规则、删除ipset中cnip合集,输入其他则结束操作: " bif [ "$b" == "y" ] ;thensleep 2iptables -P INPUT ACCEPTiptables -D INPUT -p tcp -m set --match-set cnip src -j ACCEPTsleep 1echo "iptables中cnip规则已删除"else [ "$b" != "y" ]exit 0fifiice=`iptables -L | grep cnip`if [ "$ice" ] ;thenecho "iptables中无cnip规则"fi#exit 0}delset () {stnd=`ipset -L | grep cnip`if [ "$stnd" ] ;thenipset destroy cnipecho "合集已成功删除"exit 0fiecho "ipset中没有发现cnip合集"kos=`iptables -L | grep cnip`if [ "$kos" ] ;thenecho " "elseecho "iptables中没有发现cnip规则"fi}if [ "$mmode" == "stop" ] ;theniprctstopdelsetexit 0fiinscolldrflush
命令方式
安装iptables、ipset
#centos安装方式yum install iptablesyum install ipset#Ubuntu/Debian安装方式apt-get install iptablesapt-get install ipset
清空之前的iptables规则
#防止设置不生效,建议清空下之前的防火墙规则iptables -P INPUT ACCEPTiptables -F
创建新的合集 (至于什么叫合集不懂就百度,不想懂就别纠结)
#创建一个名为cnip的规则ipset -N cnip hash:net#下载国家ip段,这里以中国为例wget -P /root/ /ipblocks/data/countries/cn.zone#将IP段添加到cnip规则中for a in $(cat /root/cn.zone ); do ipset -A cnip $a; done
设置ip段白名单
#放行ip段,cnip为刚刚命名的cnip合集,具体以你命名的合集为准iptables -A INPUT -p tcp -m set --match-set cnip src -j ACCEPT#关闭所有端口iptables -P INPUT DROP 当执行此命令的时候,非国内ip将立马停止访问
转载需注明此原创地址!
