語(yǔ)法：
ipset [ OPTIONS ] COMMAND [ COMMAND-OPTIONS ]
COMMANDS := { create | add | del | test | destroy | list | save | restore | flush | rename | swap | help | version | - }
OPTIONS := { -exist | -output { plain | save | xml } | -quiet | -resolve | -sorted | -name | -terse | -file filename }
ipset create SETNAME TYPENAME [ CREATE-OPTIONS ]
ipset add SETNAME ADD-ENTRY [ ADD-OPTIONS ]
ipset del SETNAME DEL-ENTRY [ DEL-OPTIONS ]
ipset test SETNAME TEST-ENTRY [ TEST-OPTIONS ]
ipset destroy [ SETNAME ]
ipset list [ SETNAME ]
ipset save [ SETNAME ]
ipset restore
ipset flush [ SETNAME ]
ipset rename SETNAME-FROM SETNAME-TO
ipset swap SETNAME-FROM SETNAME-TO
ipset help [ TYPENAME ]
ipset version

TYPENAME := method:datatype[,datatype[,datatype]]
當(dāng)前使用的method方法是bitmap旺嬉、hash, datatypes的list有 ip, net, mac, port and iface, botmap和list用于一個(gè)固定大小的storage,
The bitmap and list types use a fixed sized storage. The hash types use a hash to store the elements. In order to avoid clashes in the hash, a limited number of chaining, and if that is exhausted, the doubling of the hash size is performed when adding entries by the ipset command. When entries added by the SET target of iptables/ip6tables, then the hash size is fixed and the set won't be duplicated, even if the new entry cannot be added to the set.

一般的創(chuàng)建和添加操作：
timeout設(shè)置超時(shí)時(shí)間餐弱，如果設(shè)置為0，表示永久生效两残，超時(shí)時(shí)間可以通過(guò) -exist來(lái)進(jìn)行修改：

ipset create test hash:ip timeout 300
ipset add test 192.168.0.1 timeout 60

ipset -exist add test 192.168.0.1 timeout 600

counters, packets, bytes:
如果不指定packets和bytes的話(huà)，會(huì)在初始化的時(shí)候變?yōu)?威根，或者在創(chuàng)建set的時(shí)候指定value:
ipset create foo hash:ip counters

ipset add foo 192.168.1.1 packets 42 bytes 1024

comment(擴(kuò)展)：
所有的set類(lèi)型都支持comments采缚，此模塊是用來(lái)做注釋?zhuān)喈?dāng)于git中的-m:

ipset create foo hash:ip comment
ipset add foo 192.168.1.1/24 comment "allow access to SMB share on \\fileserv\"

the above would appear as: "allow access to SMB share on \fileserv"

hashsize:
這個(gè)模塊用于創(chuàng)建set時(shí)候的命令（適用于所有hash set），默認(rèn)大小為1024，設(shè)置的時(shí)候必須是2的冪次方渠羞，不對(duì)話(huà)kernal會(huì)四舍五入：
ipset create test hash:ip hashsize 1536
maxelem：
這個(gè)模塊用于 所有的hash type sets create動(dòng)作斤贰，這個(gè)是用來(lái)指定存出來(lái)set中最大元素的數(shù)量，默認(rèn)是65535：

           ipset create test hash:ip maxelem 2048

family(inet|inet6):
用于所有hash type sets(除了hash:mac)的create動(dòng)作次询， It defines the protocol family of the IP addresses to be stored in the set 荧恍，對(duì)于inet家族，您可以通過(guò)在該條目的IP地址部分指定一個(gè)范圍或一個(gè)IPv4地址網(wǎng)絡(luò)來(lái)添加或刪除多個(gè)條目屯吊。

•      ipaddr* := { *ip* | *fromaddr*-*toaddr* | *ip*/*cidr* }
  

•      netaddr* := { *fromaddr*-*toaddr* | *ip*/*cidr* }
  

Example:

ipset create test hash:ip family inet6

hash:ip：
set type用一個(gè)hash存儲(chǔ)ip或者網(wǎng)絡(luò)地址送巡，zero value是不能被存儲(chǔ)到hash:ip類(lèi)型中的：
CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ netmask cidr ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := ipaddr（要添加的ip地址）
ADD-OPTIONS := [ timeout value ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]

DEL-ENTRY := ipaddr（要?jiǎng)h除的ip地址）

TEST-ENTRY := ipaddr
netmask cidr:
當(dāng)選定的netmask被指定的時(shí)候， network addresses將代替 IP host addresses存儲(chǔ)在set中盒卸，cidr的值對(duì)于iPv4是1-32骗爆，ipv6是1-128， An IP address will be in the set if the network address, which is resulted by masking the address with the netmask, can be found in the set. Examples:

ipset create foo hash:ip netmask 30
ipset add foo 192.168.1.0/24

ipset test foo 192.168.1.2

nomatch：
The hash set types which can store net type of data (i.e. hash:net) support the optional nomatch option when adding entries. When matching elements in the set, entries marked as nomatch are skipped as if those were not added to the set, which makes possible to build up sets with exceptions. See the example at hash type hash:net below.

When elements are tested by ipset, the nomatch flags are taken into account. If one wants to test the existence of an element marked with nomatch in a set, then the flag must be specified too.
總結(jié)下來(lái)就是蔽介，這個(gè)通常與hash:net搭配使用摘投，用來(lái)跳過(guò) hash:net指定的ip netmask address.

hash:net：
** 這個(gè)是用一個(gè)hash存儲(chǔ)不同大小的** IP network addresses，具有0前綴的的網(wǎng)絡(luò)地址不能被存儲(chǔ)到sets中：

CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr
TEST-ENTRY := netaddr
where netaddr := ip[/cidr]

Example:

ipset create foo hash:net
ipset add foo 192.168.0.0/24
ipset add foo 10.1.0.0/16
ipset add foo 192.168.0/24

ipset add foo 192.168.0/30 nomatch

hash:net,net
** 這種set type是用一個(gè)hash存儲(chǔ)成對(duì)的不同大小的ip network address,** Bear in mind(記住)第一個(gè)參數(shù)比第二個(gè)參數(shù)優(yōu)先虹蓄，加入有明確的第一和第二個(gè)參數(shù)犀呼，很可能 nomatch就不生效了，帶0前綴的地址也是無(wú)法存儲(chǔ)的薇组。

CREATE-OPTIONS := [ family { inet | inet6 } ] | [ hashsize value ] [ maxelem value ] [ timeout value ] [ counters ] [ comment ] [ skbinfo ]
ADD-ENTRY := netaddr,netaddr
ADD-OPTIONS := [ timeout value ] [ nomatch ] [ packets value ] [ bytes value ] [ comment string ] [ skbmark value ] [ skbprio value ] [ skbqueue value ]
DEL-ENTRY := netaddr,netaddr
TEST-ENTRY := netaddr,netaddr
where netaddr := ip[/cidr]
Example:

ipset create foo hash:net,net
ipset add foo 192.168.0.0/24,10.0.1.0/24
ipset add foo 10.1.0.0/16,10.255.0.0/24
ipset add foo 192.168.0/24,192.168.54.0-192.168.54.255

ipset add foo 192.168.0/30,192.168.64/30 nomatch

hash:ip,port
** ** The hash:ip,port set type uses a hash to store IP address and port number pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used.
Examples:

ipset create foo hash:ip,port
ipset add foo 192.168.1.0/24,80-82
ipset add foo 192.168.1.1,udp:53
ipset add foo 192.168.1.1,vrrp:0

ipset test foo 192.168.1.1,80

創(chuàng)建一個(gè)集合
ipset create vader hash:ip

這條命令創(chuàng)建了名為 vader 的集合外臂，以 hash 方式存儲(chǔ)，存儲(chǔ)內(nèi)容是 IP 地址体箕。
添加 iptables 規(guī)則
iptables -I INPUT -m set --match-set vader src -j DROP

如果源地址(src)屬于 vader 這個(gè)集合专钉，就進(jìn)行 DROP 操作。這條命令中累铅，vader 是作為黑名單的跃须，如果要把某個(gè)集合作為白名單，添加一個(gè) ‘!’ 符號(hào)就可以娃兽。
iptables -I INPUT -m set ! --match-set vader src -j DROP

hash:net,port

The hash:net,port set type uses a hash to store different sized IP network address and port pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size is not accepted either.

Examples:

ipset create foo hash:net,port
ipset add foo 192.168.0/24,25
ipset add foo 10.1.0.0/16,80

ipset test foo 192.168.0/24,25

hash:ip,port,ip

The hash:ip,port,ip set type uses a hash to store IP address, port number and a second IP address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used.

         Examples:

ipset create foo hash:ip,port,ip
ipset add foo 192.168.1.1,80,10.0.0.1

ipset test foo 192.168.1.1,udp:53,10.0.0.1

hash:ip,port,net

The hash:ip,port,net set type uses a hash to store IP address, port number and IP network address triples. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size cannot be stored either.菇民、

       Examples:

ipset create foo hash:ip,port,net
ipset add foo 192.168.1,80,10.0.0/24
ipset add foo 192.168.2,25,10.1.0.0/16

ipset test foo 192.168.1,80.10.0.0/24

hash:ip,mark

The hash:ip,mark set type uses a hash to store IP address and packet mark pairs.

Examples:

ipset create foo hash:ip,mark
ipset add foo 192.168.1.0/24,555
ipset add foo 192.168.1.1,0x63

ipset add foo 192.168.1.1,111236

hash:net,port,net

The hash:net,port,net set type behaves similarly to hash:ip,port,net but accepts a cidr value for both the first and last parameter. Either subnet is permitted to be a /0 should you wish to match port between all destinations.

Examples:

ipset create foo hash:net,port,net
ipset add foo 192.168.1.0/24,0,10.0.0/24
ipset add foo 192.168.2.0/24,25,10.1.0.0/16

ipset test foo 192.168.1.1,80,10.0.0.1

hash:net,iface

The hash:net,iface set type uses a hash to store different sized IP network address and interface name pairs.

Examples:

ipset create foo hash:net,iface
ipset add foo 192.168.0/24,eth0
ipset add foo 10.1.0.0/16,eth1

ipset test foo 192.168.0/24,eth0

list:set
** ** The list:set type uses a simple list in which you can store set names.

By the set match or SET target of netfilter you can test, add or delete entries in the sets added to the list:set type of set. The match will try to find a matching entry in the sets and the target will try to add an entry to the first set to which it can be added. The number of direction options of the match and target are important: sets which require more parameters than specified are skipped, while sets with equal or less parameters are checked, elements added/deleted. For example if a and b are list:set type of sets then in the command

iptables -m set --match-set a src,dst -j SET --add-set b src,dst

iptables想所有人開(kāi)放9200端口：

[root@centos2 ~]# iptables -A INPUT -p tcp --dport 9200 -j ACCEPT
[root@centos2 ~]# iptables -A OUTPUT -p tcp --sport 9200 -j ACCEPT

添加 iptables 規(guī)則
iptables -I INPUT -m set --match-set vader src -j DROP

如果源地址(src)屬于 vader 這個(gè)集合，就進(jìn)行 DROP 操作投储。這條命令中第练，vader 是作為黑名單的，如果要把某個(gè)集合作為白名單玛荞，添加一個(gè) ‘!’ 符號(hào)就可以娇掏。

iptables -I INPUT -m set ! --match-set yoda src -j DROP

創(chuàng)建一個(gè)新的ipset
ipset create openapi hash:net
1、查看已創(chuàng)建的ipset

2勋眯、ipset默認(rèn)可以存儲(chǔ)65536個(gè)element婴梧，使用maxelem指定數(shù)量

ipset create openapi hash:net maxelem 1000000
ipset list
3下梢、加入一個(gè)黑名單ip
ipset add openapi 180.156.238.246
4、創(chuàng)建防火墻規(guī)則塞蹭，與此同時(shí)孽江，openapi這個(gè)ipset里的ip都無(wú)法訪(fǎng)問(wèn)22端口
iptables -I INPUT -m set --match-set openapi src -p tcp --destination-port 22 -j DROP
service iptables save
5、去除黑名單番电，與此同時(shí)岗屏，又可以訪(fǎng)問(wèn)了
ipset del openapi 180.156.238.246
6、將ipset規(guī)則保存到文件
ipset save openapi -f openapi.txt
7漱办、刪除ipset
ipset destroy openapi
8这刷、導(dǎo)入ipset規(guī)則
ipset restore -f openapi.txt