例1
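#1. Blacklisting IPs end to end: build an ipset, then hook it into iptables.
# -exist makes create/add idempotent so a re-run does not abort on "set already exists"/"element already added".
ipset create blacklist hash:ip -exist
ipset add blacklist 3.3.3.3 -exist
ipset add blacklist 2.2.2.2 -exist
ipset add blacklist 1.1.1.1 -exist
ipset list blacklist
# Drop every packet whose SOURCE address is in the set.
# NOTE: the original rule carried "-p tcp", which blocks only TCP and still lets UDP/ICMP from the
# banned hosts through; a blacklist should drop all protocols, so the protocol filter is dropped here
# (append "-p tcp" again only if a TCP-only ban is really intended).
# -I puts the rule at the top of INPUT, ahead of any earlier ACCEPT rule (e.g. a conntrack
# ESTABLISHED rule) that would otherwise keep already-open connections from the banned host alive.
iptables -I INPUT -m set --match-set blacklist src -j DROP
# Neither the set nor the rule survives a reboot: persist them (ipset save / iptables-save) and
# restore the set BEFORE the iptables rule, because the rule cannot be loaded while the set is absent.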
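# Removing an entry, then saving, destroying and restoring the set.
ipset del blacklist 1.1.1.1 -exist       # remove one IP (-exist: no error if it is already gone)
ipset save blacklist -f blacklist.txt    # dump the set (create line + members) to a file
# NOTE: destroy refuses to remove a set that is still referenced by an iptables rule
# ("it is in use by a kernel component"); delete that rule first, or use "ipset flush blacklist"
# to empty the set while keeping the rule in place.
ipset destroy blacklist                  # delete the set itself
# restore replays the saved file; -exist lets it succeed when the set or some of its members
# already exist, which is what happens when restore runs without a preceding destroy.
ipset restore -exist -f blacklist.txt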
# hash:net holds CIDR blocks; "nomatch" entries punch an exception hole into a larger block.
# (The set name "blacklist" is reused by the other examples; create fails if a set of that
#  name with a different type already exists, so destroy the old one first.)
ipset -N blacklist hash:net
ipset -A blacklist 1.2.3.0/24
# 1.2.3.0/30 is now carved out of 1.2.3.0/24: addresses in that /30 no longer match the set.
# Treat nomatch entries as an allow-list inside the blacklist and review them as carefully as the bans.
ipset -A blacklist 1.2.3.0/30 nomatch
# Prints: "1.2.3.2 is NOT in set blacklist." (1.2.3.2 falls inside the excluded /30).
ipset -T blacklist 1.2.3.2
# hash:ip,port keys on address plus protocol:port; the protocol defaults to tcp when omitted,
# so it is spelled out here for readability.
ipset -N blacklist hash:ip,port
ipset -A blacklist 3.4.5.6,tcp:80      # TCP port 80
ipset -A blacklist 5.6.7.8,udp:53      # UDP port 53
ipset -A blacklist 1.2.3.4,tcp:80-86   # TCP port range 80-86
# The set does nothing until an iptables rule references it; for ip,port the match needs two
# flags (e.g. --match-set blacklist src,dst: source address, destination port).
# Entries expire automatically: "timeout 300" on the set is the default lifetime (seconds)
# for every member; a per-entry timeout overrides it.
ipset -N blacklist hash:ip timeout 300
ipset -A blacklist 1.2.3.4               # inherits the set default, removed after 300 s
ipset -A blacklist 6.6.6.6 timeout 60    # explicit lifetime, removed after 60 s
# Re-adding an address that is still present fails without -exist; with -exist the add is
# accepted (and, on recent ipset versions, appears to refresh the timer -- verify on your release).