Ipset

From Leo's Notes
Last edited on 14 June 2020, at 21:55.

You can use ipset to mass block a list of IP addresses with IPTables efficiently.

Usage & Configuration

Install the ipset package.

In order to block a list of IP addresses, create a new set hashed by the IP address that will contain all the banned IP addresses.

# ipset create banlist hash:ip hashsize 4096
# ipset list
Name: banlist
Type: hash:ip
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:

Use the ipset add command to add IP addresses to the set.

# ipset add banlist 1.2.3.4
# ipset add banlist 1.2.3.4
ipset v6.11: Element cannot be added to the set: it's already added

Duplicates will generate a warning. You can make ipset silently ignore duplicates this by passing the -exist flag.

# ipset -exist add banlist 1.2.3.4

IPs can be removed by using the ipset remove command or wiped completely using the ipset flush command.

Integrating with IPTables

To make use of a ipset set created above, create a new IPTables rule that uses the set module. Eg:

$IPT -t mangle -N banned_ip_check
$IPT -t mangle -A banned_ip_check -m set --match-set banlist src -j banned_ip
$IPT -t mangle -A PREROUTING -j banned_ip_check

In this case, we match source IP addresses to the ipset set named 'banlist'.

See Also