这里先假定 sip 端口是 5060 和 5080
china.sh 的内容如下（cat china.sh），写好后执行 ./china.sh：
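#!/bin/bash
# Build the "china" ipset from the APNIC delegation file so that iptables can
# allow-list SIP traffic by source address (see the iptables rules below).
# Side effects: installs ipset, rewrites /etc/china.txt, (re)creates the
# "china" set in the kernel and dumps it to ./china.conf.
set -euo pipefail

apt install -y ipset

# Download into a temp file first: if the fetch fails we must not wipe the
# existing set, otherwise the DROP rules below reject every SIP packet.
# NOTE(review): the list is fetched over plain HTTP and is not authenticated;
# anyone who can tamper with it decides which sources may reach SIP.
# (--no-check-certificate was dropped: it does nothing for http:// and would
# silently disable verification if the URL is ever switched to https://.)
tmp=$(mktemp) || exit 1
trap 'rm -f -- "$tmp"' EXIT
wget -O- 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' \
  | awk -F'|' '/CN\|ipv4/ { printf("%s/%d\n", $4, 32-log($5)/log(2)) }' > "$tmp"
# %d truncates the prefix length; exact only while $5 (the address count) is
# a power of two — TODO confirm that holds for every CN ipv4 record.
[[ -s "$tmp" ]] || { printf '%s\n' "empty CN list, keeping current set" >&2; exit 1; }
cp -- "$tmp" /etc/china.txt

# -exist makes create/add idempotent so the script can be re-run; "destroy"
# fails once an iptables rule references the set, so flush and refill instead.
ipset -exist create china hash:net maxelem 65536
ipset flush china
while IFS= read -r ip; do
  ipset -exist add china "$ip"
done < /etc/china.txt
# RFC1918 ranges so phones on the LAN are allowed as well.
ipset -exist add china 192.168.0.0/16
ipset -exist add china 172.16.0.0/12
ipset -exist add china 10.0.0.0/8
ipset save china > ./china.conf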
设置下面几条 iptables 规则:
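# Allow SIP only from sources in the "china" ipset and drop everything else
# aimed at the SIP ports. Order matters: ACCEPT must precede DROP in INPUT.
# Only the two assumed SIP ports (5060 and 5080) are opened; the original
# range 5060:5080 also exposed 5061-5079.
# -C checks for an existing identical rule so re-running does not append
# duplicates.
# NOTE(review): a source-address allow-list does not authenticate UDP
# senders; keep SIP authentication and rate limiting on the PBX as well.
add_input_rule() {
  iptables -C INPUT "$@" 2>/dev/null || iptables -A INPUT "$@"
}
for proto in udp tcp; do
  add_input_rule -p "$proto" -m multiport --dports 5060,5080 \
    -m set --match-set china src -j ACCEPT
  add_input_rule -p "$proto" -m multiport --dports 5060,5080 -j DROP
done
iptables-save > ./iprule.conf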
最后一个问题是开机后自动生效
# Inspect the stock unit that runs /etc/rc.local at boot; it carries the
# condition that /etc/rc.local must be executable before the service starts.
cat /lib/systemd/system/rc-local.service
该服务的生效条件为 /etc/rc.local 具有可执行属性；剩下的就简单了：在 /etc/rc.local 中用前面保存的 china.conf 和 iprule.conf 恢复 ipset 与 iptables 规则即可，不再赘述。