IP sets are stored collections of IP addresses, network ranges, MAC addresses, port numbers, and network interface names. The iptables tool can leverage IP sets for more efficient rule matching. For example, let’s say you want to drop traffic that originates from one of several IP address ranges that you know to be malicious. Instead of configuring rules for each range in iptables directly, you can create an IP set and then reference that set in an iptables rule. This makes your rule sets dynamic and therefore easier to configure; whenever you need to add or swap out network identifiers that are handled by the firewall, you simply change the IP set.
The ipset command enables you to create and modify IP sets. First you need to set a name, storage method, and data type for your set, such as:
# ipset create range_set hash:net
In this case, range_set is the name, hash is the storage method, and net is the data type. Then, you can add the ranges to the set:
# ipset add range_set 178.137.87.0/24
# ipset add range_set 46.148.22.0/24
Then, you use iptables to configure a rule to drop traffic whose source matches the ranges in this set:
# iptables -I INPUT -m set --match-set range_set src -j DROP
Alternatively, to drop traffic whose destination matches the set:
# iptables -I OUTPUT -m set --match-set range_set dst -j DROP
SYNTAX
The syntax of the ipset command is:
# ipset [options] {command}
Blocking a list of networks
1. Start by creating a new “set” of network addresses. This creates a new “hash” set of “net” network addresses named “myset”.
# ipset create myset hash:net
or
# ipset -N myset nethash
2. Add any IP address that you’d like to block to the set.
# ipset add myset 14.144.0.0/12
# ipset add myset 27.8.0.0/13
# ipset add myset 58.16.0.0/15
# ipset add myset 1.1.1.0/24
3. Finally, configure iptables to block any address in that set. This command inserts a rule at the top of the “INPUT” chain that uses the set match module (“-m set”) to compare the packet’s source address (“src”) against the set named “myset” (“--match-set myset”) and, on a match, jumps to “DROP”, i.e. blocks the packet.
# iptables -I INPUT -m set --match-set myset src -j DROP
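The steps above are typed one command at a time, and the introduction notes that the real benefit of a set is that you change the set rather than the firewall rules. The following helper, added here as an example and not part of the ipset project or this guide, turns a plain text blocklist (one CIDR per line) into an “ipset restore” script: it validates each entry, loads the good ones into a temporary set, and then uses ipset’s “swap” command so the live set is replaced atomically and the iptables rule never sees a half-loaded set. The function name, the “_tmp” suffix and the sample entries are assumptions made for the example.

```shell
#!/bin/sh
# Build an "ipset restore" script from a plain-text blocklist.
# Hypothetical helper written for this example; the set name and the "_tmp"
# suffix are assumptions, not anything the ipset tool prescribes.

# valid_cidr ENTRY: return 0 if ENTRY is a dotted-quad IPv4 address with an
# optional /0-32 prefix, 1 otherwise. Malformed entries must never reach the
# firewall, because a single bad line makes "ipset restore" abort.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq \
      '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# build_ipset_restore SETNAME < blocklist
# Reads one CIDR per line (blank lines and '#' comments ignored) and writes a
# restore script to stdout. Entries are loaded into SETNAME_tmp first and then
# swapped into SETNAME, so the live set changes in one step. Returns non-zero
# if any entry was rejected, so a caller can refuse to apply a suspect list.
build_ipset_restore() {
    set_name=$1
    tmp_set="${set_name}_tmp"
    bad=0
    # Both sets must exist and have the same type for "swap" to work.
    printf 'create %s hash:net\n' "$set_name"
    printf 'create %s hash:net\n' "$tmp_set"
    printf 'flush %s\n' "$tmp_set"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                            # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        if valid_cidr "$entry"; then
            printf 'add %s %s\n' "$tmp_set" "$entry"
        else
            printf 'rejected malformed entry: %s\n' "$entry" >&2
            bad=$((bad + 1))
        fi
    done
    printf 'swap %s %s\n' "$tmp_set" "$set_name"   # atomic replacement
    printf 'destroy %s\n' "$tmp_set"
    [ "$bad" -eq 0 ]
}

# Constructed sample blocklist (the two ranges used earlier on this page plus
# a comment, a blank line and one deliberately malformed entry).
sample_blocklist() {
    printf '%s\n' \
      '# constructed example list' \
      '178.137.87.0/24' \
      '46.148.22.0/24   # trailing comment' \
      '' \
      '999.1.1.1/24'
}

# Usage (as root): sample_blocklist | build_ipset_restore range_set | ipset -exist restore
# Or print the script only, without touching the kernel:
#   sample_blocklist | build_ipset_restore range_set
```

Feed the output to “ipset -exist restore” so that the “create” lines do not fail on a set that already exists; the matching iptables rule (“-m set --match-set range_set src -j DROP”) is inserted once and never needs to change when the list is refreshed. Because the function exits non-zero whenever it rejected a line, a cron job or CI step can stop before the swap if the upstream list is corrupt rather than silently shipping a partial blocklist.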
Blocking a list of IP addresses
1. Start by creating a new “set” of ip addresses. This creates a new “hash” set of “ip” addresses named “myset-ip”.
# ipset create myset-ip hash:ip
or
# ipset -N myset-ip iphash
2. Add any IP address that you’d like to block to the set.
# ipset add myset-ip 1.1.1.1
# ipset add myset-ip 2.2.2.2
3. Finally, configure iptables to block any address in that set.
# iptables -I INPUT -m set --match-set myset-ip src -j DROP
Making ipset persistent
The ipset you have created is stored in memory and will be gone after a reboot. To make the ipset persistent you have to do the following:
1. First save the ipset to /etc/ipset.conf:
# ipset save > /etc/ipset.conf
2. Then enable ipset.service, which restores the saved sets at boot in the same way that iptables.service restores iptables rules. Because the iptables rule references the set by name, the set must be restored before the iptables rules are loaded, or rule loading will fail.
Other Commands
1. To view the sets:
# ipset list
or
# ipset -L
2. To delete a set named “myset”:
# ipset destroy myset
or
# ipset -X myset
3. To delete all sets:
# ipset destroy