iptables как закрыть страну целиком, ipset установка, использование.

[root@as01 ~]# uname -a
Linux as01.test.local 2.6.18-308.4.1.el5 #1 SMP Tue Apr 17 17:08:10 EDT 2012 i686 i686 i386 GNU/Linux

iptables v1.3.5
ipset v4.5, protocol version 4.
Kernel module protocol version 4.

[root@as01 ~]#yum install ipset kmod-ipset
[root@as01 ~]#modprobe ip_set

[root@as01 ~]#iptables -m set
iptables v1.3.5: Couldn't load match `set':/lib/iptables/libipt_set.so: cannot open shared object file: No such file or directory

[root@as01 ~]# ls /lib/iptables
libip6t_ah.so          libip6t_length.so     libip6t_rt.so        libipt_connmark.so   libipt_icmp.so        libipt_NFQUEUE.so   libipt_sctp.so       libipt_TOS.so
libip6t_connmark.so    libip6t_limit.so      libip6t_standard.so  libipt_CONNMARK.so   libipt_iprange.so     libipt_NOTRACK.so   libipt_set.so        libipt_TRACE.so
libip6t_CONNMARK.so    libip6t_LOG.so        libip6t_state.so     libipt_conntrack.so  libipt_length.so      libipt_owner.so     libipt_SNAT.so       libipt_ttl.so
libip6t_DSCP.so        libip6t_mac.so        libip6t_tcp.so       libipt_dccp.so       libipt_limit.so       libipt_physdev.so   libipt_standard.so   libipt_TTL.so
libip6t_dst.so         libip6t_mark.so       libip6t_TRACE.so     libipt_DNAT.so       libipt_LOG.so         libipt_pkttype.so   libipt_state.so      libipt_udp.so
libip6t_eui64.so       libip6t_MARK.so       libip6t_udp.so       libipt_dscp.so       libipt_mac.so         libipt_policy.so    libipt_statistic.so  libipt_ULOG.so
libip6t_frag.so        libip6t_multiport.so  libipt_addrtype.so   libipt_DSCP.so       libipt_mark.so        libipt_realm.so     libipt_string.so     libipt_unclean.so
libip6t_hbh.so         libip6t_NFQUEUE.so    libipt_ah.so         libipt_ecn.so        libipt_MARK.so        libipt_recent.so    libipt_TARPIT.so
libip6t_hl.so          libip6t_owner.so      libipt_CLASSIFY.so   libipt_ECN.so        libipt_MASQUERADE.so  libipt_REDIRECT.so  libipt_tcpmss.so
libip6t_HL.so          libip6t_physdev.so    libipt_CLUSTERIP.so  libipt_esp.so        libipt_MIRROR.so      libipt_REJECT.so    libipt_TCPMSS.so
libip6t_icmpv6.so      libip6t_policy.so     libipt_comment.so    libipt_hashlimit.so  libipt_multiport.so   libipt_rpc.so       libipt_tcp.so
libip6t_ipv6header.so  libip6t_REJECT.so     libipt_connlimit.so  libipt_helper.so     libipt_NETMAP.so      libipt_SAME.so      libipt_tos.so

[root@as01 ~]# cd /tmp/
[root@as01 ~]# wget http://centos.alt.ru/repository/centos/5/i386/iptables-1.3.5-5.6.1.el5.i386.rpm
[root@as01 ~]# rpm2cpio iptables-1.3.5-5.6.1.el5.i386.rpm |cpio -idmv
[root@as01 ~]# cp /tmp/lib/iptables/libipt_set.so /lib/iptables/
[root@as01 ~]# iptables -m set
iptables v1.3.5: You must specify `--set' with proper arguments
Try `iptables -h' or 'iptables --help' for more information.

#!/bin/bash
ipset create list-usa nethash
while read IP; do
    ipset add list-usa $IP
    done < ip-list-file

[root@as01 sysconfig]# ipset --list | grep list
Name: list-usa

[root@as01 sysconfig]# cat ./iptables-rc
#!/bin/bash
/sbin/ipset --restore < /etc/sysconfig/iptables-ipset-save
/sbin/iptables-restore /etc/sysconfig/iptables

[root@as01 sysconfig]# cat /etc/rc.d/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

/etc/sysconfig/iptables-rc start