IPSET with IPTABLES

IPSET is an extension to iptables that allows you to create firewall rules that match entire “sets” of addresses at once. Unlike normal iptables chains, which are stored and traversed linearly, IP sets are stored in indexed data structures (hashes or bitmaps) holding addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them, which makes lookups very efficient even when dealing with large sets.

IPTABLES is the user-space tool for configuring firewall rules in the Linux kernel. It is actually a part of the larger netfilter framework. Perhaps because iptables is the most visible part of the netfilter framework, the framework is commonly referred to collectively as iptables. iptables has been the Linux firewall solution since the 2.4 kernel.

Installation

Depending on your OS, you need to install the IPSET and IPTABLES packages.

Centos/Fedora:

yum install ipset iptables

Debian/Ubuntu:

apt-get install ipset iptables

Creating IPSET HASH

You can create different types of HASH, depending on what you need to block:

  • The hash:ip set type uses a hash to store IP host addresses (default) or network addresses. Zero valued IP address cannot be stored in a hash:ip type of set.
  • The hash:mac set type uses a hash to store MAC addresses. Zero valued MAC addresses cannot be stored in a hash:mac type of set.
  • The hash:ip,mac set type uses a hash to store IP and a MAC address pairs. Zero valued MAC addresses cannot be stored in a hash:ip,mac type of set.
  • The hash:net set type uses a hash to store different sized IP network addresses. Network address with zero prefix size cannot be stored in this type of sets.
  • The hash:ip,port set type uses a hash to store IP address and port number pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used.
  • The hash:net,port set type uses a hash to store different sized IP network address and port pairs. The port number is interpreted together with a protocol (default TCP) and zero protocol number cannot be used. Network address with zero prefix size is not accepted either.

For more HASH types, look here.

ipset create me-block-net hash:net

or

ipset create me-block-ip hash:ip

If you know that you have a large set of IP addresses or networks, you may need to use the maxelem parameter. This parameter is valid for the create command of all hash type sets. It defines the maximal number of elements which can be stored in the set; the default is 65536.

ipset create me-block-ip hash:ip maxelem 16777216

Add IP/NETWORK to HASH

Now we can add IP addresses or networks to the HASH, depending on which type you created previously:

ipset add me-block-net 14.144.0.0/12

or

ipset add me-block-ip 1.1.1.1

Configure IPTABLES to use IPSET list

Finally, configure iptables to drop any packet whose source address is in the set. Using -I inserts the rule at the top of the INPUT chain, so the set is checked before any existing rules.

iptables -I INPUT -m set --match-set me-block-ip src -j DROP
iptables -I INPUT -m set --match-set me-block-net src -j DROP
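The steps above (create a set with maxelem, add entries, attach a DROP rule) can be combined into one repeatable script. The following is an added example, not the page's ipset.sh script: it reads a blocklist, discards entries ipset would reject (zero-prefix networks, junk lines), fills a temporary hash:net set and then uses ipset swap so the live set is replaced atomically instead of being flushed and refilled with a gap in coverage. The set name me-block and the sample blocklist are constructed for the example; the kernel is only touched when ipset is installed and the script runs as root, otherwise it prints the restore file it would have fed to ipset restore.

```shell
#!/bin/sh
# Added example (not the page's ipset.sh): build an ipset restore file from a
# blocklist and apply it with an atomic swap. Set names and sample data are constructed.

# Constructed sample blocklist: one entry per line, '#' starts a comment.
SAMPLE_BLOCKLIST='# constructed sample data
14.144.0.0/12
1.1.1.1
0.0.0.0/0        # zero-prefix network: rejected by hash:net, so it is skipped
not-an-address   # garbage line, skipped
'

# Keep only plausible IPv4 addresses or CIDRs; drop comments, blanks and /0 networks.
filter_entries() {
  sed 's/#.*//' | tr -d ' \t' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
    | grep -v -E '/0$'
}

# Emit an ipset restore script: fill <set>-tmp, swap it with <set>, drop the old one.
# hash:net is used so that both host addresses (/32) and networks fit in one set.
# $1 = set name, $2 = maxelem; blocklist entries are read from stdin.
build_restore() {
  set_name=$1
  maxelem=$2
  echo "create ${set_name} hash:net maxelem ${maxelem} -exist"
  echo "create ${set_name}-tmp hash:net maxelem ${maxelem} -exist"
  echo "flush ${set_name}-tmp"
  filter_entries | while IFS= read -r entry; do
    echo "add ${set_name}-tmp ${entry}"
  done
  echo "swap ${set_name}-tmp ${set_name}"
  echo "destroy ${set_name}-tmp"
}

# Apply the blocklist to the kernel, or print the restore file as a dry run.
# $1 = set name; blocklist entries are read from stdin.
apply_blocklist() {
  if ! command -v ipset >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
    echo "ipset not available or not running as root: dry run" >&2
    build_restore "$1" 16777216
    return 0
  fi
  build_restore "$1" 16777216 | ipset restore
  # Add the DROP rule from the page only if it is not already present (-C checks for it).
  iptables -C INPUT -m set --match-set "$1" src -j DROP 2>/dev/null \
    || iptables -I INPUT -m set --match-set "$1" src -j DROP
}

# Stand-alone demo: ./blocklist.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s' "$SAMPLE_BLOCKLIST" | apply_blocklist me-block
fi
```

Because the set is filled while the old one is still attached to the iptables rule and only then swapped, a refresh never leaves a moment where no addresses are blocked; the DROP rule keeps referencing the name me-block throughout.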

Other Commands

List all IPSET sets and their contents:

ipset list

Delete IP or NETWORK from IPSET hash table:

ipset del me-block-net 14.144.0.0/12
ipset del me-block-ip 1.1.1.1

Destroy HASH table:

ipset destroy me-block-net
ipset destroy me-block-ip

Conclusion

If you are not interested in maintaining your own IPSET blocklist, you can buy our RBL-Database and use our ready-made ipset.sh script for this purpose.