Iptables deny ip

systemctl stop firewalld.service
systemctl disable firewalld.service

yum install ipset
yum install iptables-services

iptables -P INPUT ACCEPT
iptables -F

ipset -N cnip hash:net
ipset save
# 下载国家IP段，这里以中国为例
wget -P . http://www.ipdeny.com/ipblocks/data/countries/cn.zone
# 将IP段添加到cnip规则中
for i in $(cat /root/cn.zone ); do ipset -A cnip $i; done

ipset save cnip -f /etc/ipset.cnip
/sbin/ipset restore -f /etc/ipset.cnip

iptables -A INPUT -p tcp -m set --match-set cnip src -j ACCEPT

iptables -P INPUT DROP
# 关闭指定端口，比如80/443
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

# 将参数里的-A改成-D就是删除规则了，如
iptables -D INPUT -p tcp -m set --match-set cnip src -j ACCEPT
iptables -D INPUT -p tcp --dport 443 -j DROP

# save
iptables-save > /etc/sysconfig/iptalbes
iptables-save > /etc/iptables-script
# restore
iptables-restore > /etc/sysconfig/iptables
iptables-restore > /etc/iptables-script

#全部接受中国IP
-A INPUT -m set --match-set china src -j ACCEPT
#接受中国IP访问本机特定端口特定协议（例如5060UDP协议），freeswitch一般要用这条，直接具体到端口协议
-A INPUT -m set --match-set china src -p udp -m udp --dport 5060 -j ACCEPT
#接受中国IP的ping响应
-A INPUT -m set --match-set china src -p icmp -j ACCEPT

#!/bin/bash
ipset create china hash:net hashsize 1024 maxelem 65536
rm -f cn.zone
wget http://www.ipdeny.com/ipblocks/data/countries/cn.zone
for i in `cat cn.zone`
do
ipset add china $i
done

#!/bin/bash
ipset create hongkong hash:net hashsize 1024 maxelem 65536
rm -f hk.zone
wget http://www.ipdeny.com/ipblocks/data/countries/hk.zone
for i in `cat hk.zone`
do
ipset add hongkong $i
done

vim /etc/sysconfig/iptables

ipset save > /etc/ipset.cn.hk
/sbin/ipset restore -f /etc/ipset.cn.hk
systemctl restart iptables

iptables -L -n --line-number
iptables -vnL
netstat -an | awk '/^tcp/ {++s[$NF]} END {for(a in s ) print a,s[a]}'

iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

iptables -I INPUT -p tcp --dport 80 --syn -m recent --name SYN_FLOOD --update --seconds 60 --hitcount 10 -j REJECT