Assume the local SIP ports are 5060-5090.
You can run the following shell script:
#! /bin/sh
# Build an ipset named "china" from the APNIC delegated-address list.
# -exist makes the script re-runnable: creating a set that already exists is not an error.
ipset create china hash:net maxelem 65536 -exist
ipset flush china
# Keep only the CN IPv4 rows and turn each (start, count) pair into a CIDR prefix.
# Rounding before %d avoids the off-by-one that floating-point log() can produce.
wget --no-check-certificate -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | awk -F\| '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-int(log($5)/log(2)+0.5)) }' > /etc/china.txt
while read -r ip; do
/sbin/ipset add china "$ip"
done < /etc/china.txt
# Also allow the RFC 1918 private ranges and loopback, so LAN phones and local tests are not dropped.
# (172.16.0.0 is a /12, not a /8; loopback is 127.0.0.0/8.)
ipset add china 192.168.0.0/16
ipset add china 172.16.0.0/12
ipset add china 10.0.0.0/8
ipset add china 127.0.0.0/8
ipset save china > /etc/china.conf
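The script above flushes the live set before the download has been checked, so a failed or truncated download leaves an empty allowlist and every SIP packet is dropped until the next run. The following is an added example, not code from the original post: it converts the APNIC delegated format to CIDR blocks (splitting counts that are not powers of two into aligned blocks, which the one-line awk cannot do), refuses to touch the live set unless a plausible number of prefixes came back, and swaps the new set in atomically with ipset swap. The URL, set name "china" and /etc/china.conf are the post's; MIN_PREFIXES and the sample records are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): APNIC delegated records -> CIDR,
# plus an atomic refresh of the "china" ipset. Assumes the URL, set name and
# /etc/china.conf from the post; MIN_PREFIXES is a constructed sanity floor.

MIN_PREFIXES=1000

# apnic_to_cidr [CC]: read delegated-format lines on stdin
# (registry|cc|type|start|count|date|status) and print one CIDR per block for
# IPv4 rows of country CC (default CN). A count that is not a power of two is
# split into correctly aligned blocks instead of being forced into one prefix.
apnic_to_cidr() {
    awk -F'|' -v cc="${1:-CN}" '
    function ip2int(ip,  a) { split(ip, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    function int2ip(n) { return int(n/16777216) "." int(n/65536)%256 "." int(n/256)%256 "." n%256 }
    $1 == "apnic" && $2 == cc && $3 == "ipv4" {
        start = ip2int($4); count = $5 + 0
        while (count > 0) {
            # largest block that fits in count and is aligned to start
            size = 1
            while (size * 2 <= count && start % (size * 2) == 0) size *= 2
            bits = 32
            for (s = size; s > 1; s /= 2) bits--
            printf("%s/%d\n", int2ip(start), bits)
            start += size; count -= size
        }
    }'
}

# Constructed sample in the APNIC delegated format (illustrative rows, not a real download).
SAMPLE_RECORDS='apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated
apnic|CN|ipv4|1.0.8.0|1536|20110412|allocated
apnic|CN|ipv6|2001:250::|35|20000426|allocated'

# demo_cidrs [CC]: run the converter on the constructed sample (no network, no ipset needed).
demo_cidrs() { printf '%s\n' "$SAMPLE_RECORDS" | apnic_to_cidr "${1:-CN}"; }

# refresh_china_set: download into a temporary set and swap it into place.
refresh_china_set() {
    tmp=$(mktemp) || return 1
    wget --no-check-certificate -q -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' \
        | apnic_to_cidr CN > "$tmp"
    n=$(wc -l < "$tmp" | tr -d ' ')
    # Refuse to touch the live set if the download looks empty or truncated.
    if [ "$n" -lt "$MIN_PREFIXES" ]; then
        echo "refresh aborted: only $n prefixes downloaded, keeping current set" >&2
        rm -f "$tmp"
        return 1
    fi
    ipset create china_new hash:net maxelem 65536 -exist
    ipset flush china_new
    while read -r ip; do
        ipset add china_new "$ip" -exist
    done < "$tmp"
    rm -f "$tmp"
    # Private ranges and loopback, as in the post (172.16.0.0 is a /12, loopback a /8).
    for net in 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.0/8; do
        ipset add china_new "$net" -exist
    done
    # swap exchanges the contents of both sets in one step, so iptables rules
    # that reference "china" never see a half-built or empty set.
    ipset create china hash:net maxelem 65536 -exist
    ipset swap china_new china
    ipset destroy china_new
    ipset save china > /etc/china.conf
}

# Only refresh when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "refresh" ]; then
    refresh_china_set
fi
```

Run it as `sh refresh-china.sh refresh` from cron or the rc.local below; `demo_cidrs` shows the conversion on the sample rows, where the 1536-address block becomes a /22 followed by a /23 rather than a single wrong prefix.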
Then run the following shell script:
#! /bin/sh
# Accept SIP traffic from addresses in the "china" set and drop everything else on those ports.
# The set must already exist (created by the script above) or the first rule fails to load.
iptables -A INPUT -p udp -m udp --dport 5060:5090 -m set --match-set china src -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 5060:5090 -j DROP
# Only UDP is matched here; SIP over TCP or TLS would need equivalent -p tcp rules.
iptables-save > /etc/iprule.conf
This can be made to run at boot; here is how:
cat /lib/systemd/system/rc-local.service
On Debian 10 it contains:
[Unit]
Description=/etc/rc.d/rc.local Compatibility
Documentation=man:systemd-rc-local-generator(8)
ConditionFileIsExecutable=/etc/rc.d/rc.local
After=network-online.target
Wants=network-online.target
[Service]
Type=forking
ExecStart=/etc/rc.d/rc.local start
TimeoutSec=0
RemainAfterExit=yes
GuessMainPID=no
As you can see, the condition is that /etc/rc.d/rc.local has the executable bit set.
So now run:
chmod +x /etc/rc.d/rc.local
and edit it so that its content is:
#! /bin/sh
# Restore the set first: the iptables rules reference it and will not load without it.
ipset restore < /etc/china.conf
iptables-restore < /etc/iprule.conf
exit 0
I have not tested CentOS yet, but I remember it also has an rc.local service; the path and filename may differ slightly, but the basic principle should be the same.