yum -y install ipset wget -P . http://www.ipdeny.com/ipblocks/data/countries/cn.zone ipset -N cnip hash:net for i in $(cat /root/cn.zone ); do ipset -A cnip $i; done iptables -I INPUT -p tcp -m set --match-set cnip src --dport 22 -j DROP