You can use ipset to mass block a list of IP addresses with IPTables efficiently.
Usage & Configuration
In order to block a list of IP addresses, create a new set hashed by the IP address that will contain all the banned IP addresses.
# ipset create banlist hash:ip hashsize 4096
# ipset list
Name: banlist
Type: hash:ip
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65656
References: 1
Members:
Use the ipset add command to add IP addresses to the set.
# ipset add banlist 184.108.40.206
# ipset add banlist 220.127.116.11
ipset v6.11: Element cannot be added to the set: it's already added
Duplicates will generate a warning. You can make ipset silently ignore duplicates by passing the -exist flag:

# ipset -exist add banlist 18.104.22.168
IPs can be removed by using the ipset remove command or wiped completely using the ipset flush command.
Integrating with IPTables
To make use of an ipset set created above, create a new IPTables rule that uses the set module, e.g.:
# $IPT holds the path to the iptables binary; the banned_ip target chain
# (for example one that DROPs) must already exist in the mangle table
$IPT -t mangle -N banned_ip_check
$IPT -t mangle -A banned_ip_check -m set --match-set banlist src -j banned_ip
$IPT -t mangle -A PREROUTING -j banned_ip_check
In this case, we match source IP addresses to the ipset set named 'banlist'.
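As an added example (not code from the original post), the POSIX shell script below puts the steps above together: it loads a ban-list file into the set with -exist so that re-runs are harmless, validates each entry before handing it to ipset, and defines the banned_ip chain that the rule above jumps to as a rate-limited LOG followed by DROP. The ban-list file format, the IPT/IPSET/SET/DRY_RUN variables and the logging rule are assumptions of this example, not part of the original page.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes ipset and iptables in
# PATH and a ban-list file with one IPv4 address per line ('#' comments allowed).
IPT=${IPT:-iptables}
IPSET=${IPSET:-ipset}
SET=${SET:-banlist}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints each command instead of running it
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# valid_ipv4 ADDR: returns 0 for a dotted quad with every octet in 0-255, else 1.
# hash:ip defaults to family inet, so anything else is rejected before ipset sees it.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# load_banlist FILE: create the set if missing and add every valid address;
# -exist makes re-runs harmless. Returns the number of malformed lines skipped.
load_banlist() {
  run "$IPSET" -exist create "$SET" hash:ip hashsize 4096
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                  # drop a trailing comment
    line=$(printf '%s' "$line" | tr -d '[:space:]')   # and any whitespace
    [ -n "$line" ] || continue
    if valid_ipv4 "$line"; then
      run "$IPSET" -exist add "$SET" "$line"
    else
      echo "skipping malformed entry: $line" >&2; bad=$((bad + 1))
    fi
  done < "$1"
  return "$bad"
}

# install_rules: the chains from the post, built so that re-running is safe.
# banned_ip emits a rate-limited LOG line (for detection) and then DROPs.
install_rules() {
  for chain in banned_ip_check banned_ip; do
    run "$IPT" -t mangle -N "$chain" 2>/dev/null || true   # already exists? fine
    run "$IPT" -t mangle -F "$chain"
  done
  run "$IPT" -t mangle -A banned_ip -m limit --limit 5/min -j LOG --log-prefix "banlist drop: "
  run "$IPT" -t mangle -A banned_ip -j DROP
  run "$IPT" -t mangle -A banned_ip_check -m set --match-set "$SET" src -j banned_ip
  # hook into PREROUTING only once (-C asks whether the jump is already there)
  run "$IPT" -t mangle -C PREROUTING -j banned_ip_check 2>/dev/null ||
    run "$IPT" -t mangle -A PREROUTING -j banned_ip_check
}
```

Run it as root with `load_banlist /path/to/banlist.txt && install_rules`, or with DRY_RUN=1 first to review the exact ipset and iptables commands it would issue.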