Servers running iptables with the CSF firewall can become slow and bogged down while processing the sometimes hundreds of IP addresses in CSF’s iptables chains. Thankfully, it is possible to quickly and easily alleviate this slowdown by installing and configuring a tool called ipset.
IP sets are a framework inside the Linux kernel that can store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way that ensures lightning speed when matching an entry against a set.
Installing
To get started, we want to install ipset. CentOS, Red Hat and Fedora (yum) users do this by running:
yum install ipset
Ubuntu or Debian users run:
apt-get install ipset
Configuring
Once the ipset package is installed, we need to tell CSF that ipset is available. We need to edit CSF’s main config file:
nano /etc/csf/csf.conf
Change LF_IPSET from 0 to 1.
LF_IPSET = "1"
And finally, we need to reload CSF to apply our changes:
csf -r
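The same configuration change as a scripted, repeatable edit, useful when enabling ipset on several servers. This is an added example, not part of the original page or of CSF itself; the function names are illustrative, and it assumes csf.conf uses NAME = "value" lines as in the LF_IPSET line above.

```shell
#!/bin/sh
# Added example: read and enable LF_IPSET in a csf.conf-style file.
# Function names are illustrative, not part of CSF.

# Succeeds only if the ipset binary is installed and on PATH.
have_ipset() {
    command -v ipset >/dev/null 2>&1
}

# Print the current value of LF_IPSET (prints nothing if the key is absent).
# Commented-out lines are ignored because the match is anchored at line start.
get_lf_ipset() {
    sed -n 's/^[[:space:]]*LF_IPSET[[:space:]]*=[[:space:]]*"\([^"]*\)".*$/\1/p' "$1" | tail -n 1
}

# Set LF_IPSET to "1", leaving a backup copy at <file>.bak.
# Returns 0 if enabled (or already enabled), 1 if the key is missing.
enable_lf_ipset() {
    conf=$1
    current=$(get_lf_ipset "$conf")
    [ -n "$current" ] || { echo "LF_IPSET not found in $conf" >&2; return 1; }
    [ "$current" = "1" ] && return 0          # already enabled, nothing to do
    cp -p "$conf" "$conf.bak" || return 1     # keep the previous config
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # Rewrite only the uncommented LF_IPSET assignment; every other line is untouched.
    sed 's/^\([[:space:]]*LF_IPSET[[:space:]]*=[[:space:]]*\)"[^"]*"/\1"1"/' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"                  # overwrite in place to keep owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage on a CSF host (as root):
#   have_ipset && enable_lf_ipset /etc/csf/csf.conf && csf -r
```

Checking have_ipset first avoids turning LF_IPSET on for a server where the ipset package was never installed.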