Linux运维,限制国外IP访问服务器,访问NGINX

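#!/bin/bash
#
# Default-deny INPUT firewall with an admin SSH exception, plus an ipset
# ("whiteip") of the IPv4 prefixes APNIC delegates to CN; only sources in that
# set may reach TCP port 9527.
#
# Must run as root. Requires iptables, wget and awk; ipset is installed with
# yum when missing (the original targets a yum-based distribution).
#
# NOTE(review): the APNIC delegation file is fetched over plain HTTP and is
# neither signature- nor checksum-verified, so the resulting allowlist is only
# as trustworthy as the network path to ftp.apnic.net — TODO confirm whether an
# HTTPS source or a pinned checksum is required for this host.
set -euo pipefail

# Admin source allowed to reach SSH. Replace the placeholder with your own
# address: once INPUT is set to DROP this rule is what keeps you connected.
readonly admin_cidr="x.x.x.x/x"
readonly apnic_url='http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest'
readonly set_name="whiteip"
readonly list_file="whiteip.txt"   # one CN CIDR per line, in the working dir
readonly save_file="whiteip.conf"  # `ipset save` dump of the finished set
readonly guarded_port=9527

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Append an iptables rule unless an identical one already exists, so
# re-running the script does not accumulate duplicate rules.
# Arguments: chain followed by the rule specification (as for -A)
#######################################
add_rule() {
  # -C exits non-zero when the rule is absent (iptables >= 1.4.11).
  iptables -C "$@" 2>/dev/null || iptables -A "$@"
}

#######################################
# Base rules: loopback, admin SSH, return traffic and DNS. They are appended
# BEFORE the INPUT policy flips to DROP (see main) so the session running
# this script is never cut off.
#######################################
setup_base_rules() {
  # The first packet of a NEW connection to 127.0.0.1 is not matched by the
  # ESTABLISHED rule; without this, anything talking to localhost is dropped.
  add_rule INPUT -i lo -j ACCEPT
  # Your own address to port 22 first, or you lose SSH to this box.
  add_rule INPUT -s "$admin_cidr" -p tcp --dport 22 -j ACCEPT
  # Keep DNS replies and downloads (yum, wget) working.
  add_rule INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  add_rule INPUT -p udp --sport 53 -j ACCEPT
  add_rule OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  add_rule OUTPUT -p udp --dport 53 -j ACCEPT
  add_rule OUTPUT -p tcp --sport 10000:65535 -j ACCEPT
}

#######################################
# Install ipset if it is not on PATH.
#######################################
ensure_ipset() {
  # `whereis ipset` prints "ipset:" even when nothing is found, so the
  # original emptiness test never fired; command -v is the real check.
  command -v ipset >/dev/null 2>&1 || yum -y install ipset
}

#######################################
# Download the APNIC delegation file and write the CN IPv4 blocks to
# $list_file in CIDR notation. Records look like
#   apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
# so $2/$3 select country and address family, $4 is the first address and $5
# the address count; 32 - log2(count) is the prefix length (%d truncates, so
# a count that is not a power of two yields a slightly larger covering block).
# Aborts, leaving everything untouched, if the result is empty.
#######################################
fetch_cn_prefixes() {
  local tmp="${list_file}.tmp"
  # Match the fields exactly: the original /CN|ipv4/ means "CN OR ipv4" and
  # admitted every IPv4 record in the file regardless of country.
  wget -O- "$apnic_url" \
    | awk -F'|' '$2 == "CN" && $3 == "ipv4" { printf("%s/%d\n", $4, 32 - log($5)/log(2)) }' \
    > "$tmp"
  [[ -s "$tmp" ]] || die "no CN prefixes downloaded; firewall left unchanged"
  mv -- "$tmp" "$list_file"
}

#######################################
# Load $list_file into the "$set_name" ipset atomically: fill a scratch set,
# then swap it in, so a set already referenced by an iptables rule is neither
# destroyed (which fails while in use) nor left empty while it is rebuilt.
#######################################
load_ipset() {
  local scratch="${set_name}_new"
  ipset -exist create "$scratch" hash:net
  ipset flush "$scratch"
  # One `ipset restore` instead of one `ipset add` process per prefix.
  awk -v s="$scratch" '{ print "add", s, $0 }' "$list_file" | ipset -exist restore
  if ipset list "$set_name" >/dev/null 2>&1; then
    ipset swap "$scratch" "$set_name"
    ipset destroy "$scratch"
  else
    ipset rename "$scratch" "$set_name"
  fi
  # The original saved a set named "chnroute", which this script never creates.
  ipset save "$set_name" > "$save_file"
}

main() {
  (( EUID == 0 )) || die "must run as root"
  trap 'rm -f -- "${list_file}.tmp"' EXIT
  setup_base_rules
  ensure_ipset
  fetch_cn_prefixes
  load_ipset
  # Only domestic (CN) sources may reach the guarded port.
  add_rule INPUT -m set --match-set "$set_name" src -p tcp --dport "$guarded_port" -j ACCEPT
  # Flip the default policy last, after every ACCEPT rule is in place; the
  # original set DROP first and only then added the SSH exception.
  iptables -P INPUT DROP
}

main "$@"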
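#!/bin/bash
#
# Restrict NGINX to China-registered IPv4 clients: download the per-ISP prefix
# lists from ispip.clang.cn, emit one `allow` directive per syntactically valid
# IPv4 address or CIDR, close with `deny all;`, install the result as
# /www/iptable.conf and reload NGINX. The generated file is meant to be
# `include`d from the server/location block that should be geo-restricted.
#
# Must run as root (writes the config and reloads nginx). Requires wget and
# nginx. Lists are read from every *.txt in the current directory, so run it
# from a directory that holds nothing else ending in .txt.
set -euo pipefail

readonly item_file="/www/iptable.conf"

# Download targets, index-aligned: output file and its source page.
readonly -a list_files=(zglt.txt zgdx.txt zgyd.txt zgtt.txt zgjyw.txt isp.txt)
readonly -a list_urls=(
  https://ispip.clang.cn/unicom_cnc.html    # China Unicom (中国联通)
  https://ispip.clang.cn/chinatelecom.html  # China Telecom (中国电信)
  https://ispip.clang.cn/cmcc.html          # China Mobile (中国移动)
  https://ispip.clang.cn/crtc.html          # China Tietong (中国铁通)
  https://ispip.clang.cn/cernet.html        # CERNET (中国教育网)
  https://ispip.clang.cn/othernet.html      # other Chinese ISPs (中国其他ISP)
)

# Alternative source: the CN IPv4 blocks straight from APNIC (the original
# pattern /CN|ipv4/ means "CN OR ipv4" and admits every IPv4 record):
#   wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' \
#     | awk -F'|' '$2=="CN" && $3=="ipv4" { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > cnip.txt

# Strict dotted-quad with an optional /0-32 prefix. The original left the
# dots unescaped (matching any character) and accepted prefix lengths up to 99.
readonly octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
readonly ipv4_cidr_re="^${octet}(\.${octet}){3}(/(3[0-2]|[12]?[0-9]))?$"

# Scratch file for the new config; global so the EXIT trap can see it.
tmp_file=""

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Returns 0 when $1 is an IPv4 address or CIDR, 1 otherwise. Only tokens that
# pass this check reach the nginx config, which is what keeps arbitrary text
# from the downloaded lists out of the configuration.
#######################################
is_ipv4_cidr() {
  [[ "$1" =~ $ipv4_cidr_re ]]
}

#######################################
# Download every list. Under set -e a failed download aborts the script, so a
# partial allowlist never replaces a working one.
#######################################
download_lists() {
  local i
  for i in "${!list_files[@]}"; do
    wget -O "${list_files[$i]}" "${list_urls[$i]}"
  done
  echo "=============================="
  echo "下载完成"
  echo "=============================="
}

#######################################
# Write the allow/deny block to $1 from every *.txt in the working directory.
# Each line is split on whitespace (as the original `for line in $(cat ...)`
# did) and CRs are stripped first so CRLF lists are not silently rejected by
# the regex, which would produce an allowlist with no entries.
#######################################
build_allowlist() {
  local out=$1
  local file token
  local -a tokens
  printf '# generated by %s on %s\n' "${0##*/}" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$out"
  for file in ./*.txt; do
    [[ -f "$file" ]] || continue   # an unmatched glob stays literal
    while read -r -a tokens || (( ${#tokens[@]} )); do
      # Expanding an empty array under set -u fails on bash < 4.4.
      (( ${#tokens[@]} )) || continue
      for token in "${tokens[@]}"; do
        if is_ipv4_cidr "$token"; then
          printf 'allow %s;\n' "$token" >> "$out"
        fi
      done
    done < <(tr -d '\r' < "$file")
  done
  printf 'deny all;\n' >> "$out"
}

#######################################
# Move the generated file $1 into place (keeping a .bak of the previous one),
# validate the whole nginx configuration and reload. If validation fails the
# previous file is restored, so nginx is never left with a broken include.
#######################################
install_and_reload() {
  local new=$1
  local backup="${item_file}.bak"
  chmod 644 "$new"   # mktemp creates 0600
  if [[ -f "$item_file" ]]; then
    cp -p -- "$item_file" "$backup"
  fi
  mv -- "$new" "$item_file"
  echo "创建完成,正在重启nginx..."
  if nginx -t; then
    # To reload nginx inside containers instead, the original kept:
    #   /usr/bin/docker ps -q | awk '{print $1}' | xargs -I '{}' /usr/bin/docker exec {} /bin/bash -c 'nginx -s reload'
    nginx -s reload
  else
    if [[ -f "$backup" ]]; then
      mv -- "$backup" "$item_file"
    fi
    die "nginx -t rejected the new configuration; previous ${item_file} restored"
  fi
}

main() {
  (( EUID == 0 )) || die "must run as root"
  # Scratch file beside the target so the final mv stays on one filesystem.
  tmp_file=$(mktemp "${item_file}.XXXXXX") || die "cannot create a temp file next to ${item_file}"
  trap 'rm -f -- "$tmp_file"' EXIT
  download_lists
  build_allowlist "$tmp_file"
  install_and_reload "$tmp_file"
}

main "$@"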

菜鸟一枚,作个记录,如果有错,欢迎更改。

原文地址:https://www.cnblogs.com/undefined-j/p/12768284.html