====== IPSET ======

===== Creating our "blacklist" =====

Let's first start by creating a list - we'll call our list 'blacklist' (please forgive the lack of originality). Note you can create several types of ipset lists, with the type defining the IP address input formats. The two we're interested in here are ip and nethash. ip simply allows defining IP addresses (in their full form) and nethash allows (and requires) CIDR format - which lets us block entire IP ranges (which, if you tried to add them to an ipset using hash:ip, could very easily fill the ipset list up to its maximum).

**To create an ip type list:**

<code bash>
sudo ipset create blacklist hash:ip hashsize 4096
</code>

**To create a nethash (CIDR) type list:**

<code bash>
sudo ipset create blacklist nethash
</code>

===== Enabling (and deleting) the list in iptables =====

**Now that we've created our list, we need to tell iptables to use it:**

<code bash>
sudo iptables -I INPUT -m set --match-set blacklist src -j DROP
sudo iptables -I FORWARD -m set --match-set blacklist src -j DROP
</code>

Note, we can always remove these rules (so that iptables stops using the list) by:

<code bash>
sudo iptables -D INPUT -m set --match-set blacklist src -j DROP
sudo iptables -D FORWARD -m set --match-set blacklist src -j DROP
</code>

See Make ip-tables (firewall) rules persistent for saving the above iptables rules permanently.

**Alternatively**, you can list all iptables rules (the ipset rules will be among them) and then select a rule to delete. For example, the commands below list the rules with their line numbers, and then delete rule 1 of the INPUT chain:

<code bash>
sudo iptables -L --line-numbers
sudo iptables -D INPUT 1
</code>

==== COMMANDS ====

These options specify the desired action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command names, you need to use only enough letters to ensure that ipset can differentiate it from all other commands. The ipset parser follows the order here when looking for the shortest match in the long command names.
**n, create SETNAME TYPENAME [ CREATE-OPTIONS ]**

Create a set identified with setname and specified type. The type may require type specific options. If the --exist option is specified, ipset ignores the error otherwise raised when the same set (setname and create parameters are identical) already exists.

**add SETNAME ADD-ENTRY [ ADD-OPTIONS ]**

Add a given entry to the set. If the --exist option is specified, ipset ignores the error otherwise raised when the entry has already been added to the set.

**del SETNAME DEL-ENTRY [ DEL-OPTIONS ]**

Delete an entry from a set. If the --exist option is specified and the entry is not in the set (maybe already expired), then the command is ignored.

**test SETNAME TEST-ENTRY [ TEST-OPTIONS ]**

Test whether an entry is in a set or not. The exit status is zero if the tested entry is in the set and nonzero if it is missing from the set.

**x, destroy [ SETNAME ]**

Destroy the specified set or all the sets if none is given.

If the set has got reference(s), nothing is done and no set is destroyed.

**list [ SETNAME ] [ OPTIONS ]**

List the header data and the entries for the specified set, or for all sets if none is given. The --resolve option can be used to force name lookups (which may be slow). When the --sorted option is given, the entries are listed sorted (if the given set type supports the operation). The option --output can be used to control the format of the listing: plain, save or xml. (The default is plain.) If the option --name is specified, just the names of the existing sets are listed. If the option --terse is specified, just the set names and headers are listed. The output is printed to stdout; the option --file can be used to specify a filename instead of stdout.

**save [ SETNAME ]**

Save the given set, or all sets if none is given, to stdout in a format that restore can read. The option --file can be used to specify a filename instead of stdout.

**restore**

Restore a saved session generated by save. The saved session can be fed from stdin, or the option --file can be used to specify a filename instead of stdin.

Please note, existing sets and elements are not erased by restore unless specified so in the restore file. All commands are allowed in restore mode except list, help, version, interactive mode and restore itself.

**flush [ SETNAME ]**

Flush all entries from the specified set or flush all sets if none is given.

**e, rename SETNAME-FROM SETNAME-TO**

Rename a set. The set identified by SETNAME-TO must not exist.

**w, swap SETNAME-FROM SETNAME-TO**

Swap the content of two sets, or in other words, exchange the names of two sets. The referred sets must exist, and only sets of compatible types can be swapped.

**help [ TYPENAME ]**

Print help and set type specific help if TYPENAME is specified.

**version**

Print program version.

**-**

If a dash is specified as command, then ipset enters a simple interactive mode and the commands are read from the standard input. The interactive mode can be finished by entering the pseudo-command quit.

==== OTHER OPTIONS ====

The following additional options can be specified. The long option names cannot be abbreviated.

**-!, --exist**

Ignore errors when exactly the same set is to be created, an already added entry is added, or a missing entry is deleted.

**-o, --output { plain | save | xml }**

Select the output format of the list command.

**-q, --quiet**

Suppress any output to stdout and stderr. ipset will still exit with an error if it cannot continue.

**-r, --resolve**

When listing sets, enforce name lookup. The program will try to display the IP entries resolved to host names, which requires slow DNS lookups.

**-s, --sorted**

Sorted output. When listing sets, entries are listed sorted. Not supported yet.

**-n, --name**

List just the names of the existing sets, i.e. suppress listing of set headers and members.

**-t, --terse**

List the set names and headers, i.e. suppress listing of set members.

**-f, --file filename**

Specify a filename to print into instead of stdout (list or save commands) or to read from instead of stdin (restore command).
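As an added example (not code from this wiki page), the POSIX shell functions below tie the blacklist section and the save/restore commands together: each candidate entry is validated, single addresses are routed to a hash:ip set and CIDR ranges to a hash:net set (hash:net being the current name of the page's "nethash", so a range is never expanded into the hash:ip set the page warns about), and the result is written in the line format the restore command reads. The set names blacklist_ip and blacklist_net are assumptions made for this example.

```shell
# Added example, not from the wiki page: turn a plain list of entries into an
# `ipset restore` script, sending single IPs to a hash:ip set and CIDR ranges
# to a hash:net set (hash:net is the current name of the page's "nethash").
# Set names blacklist_ip / blacklist_net are assumptions made for this example.

# is_ipv4 ADDR : succeed when ADDR is a dotted-quad IPv4 address (0-255 each)
is_ipv4() {
    case "$1" in
        *[!0-9.]* | .* | *. | *..* | '') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_cidr ENTRY : succeed when ENTRY is ADDR/PREFIX with PREFIX in 0..32
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix=${1#*/}
    case "$prefix" in '' | *[!0-9]*) return 1 ;; esac
    [ ${#prefix} -le 2 ] && [ "$prefix" -le 32 ] && is_ipv4 "${1%/*}"
}

# classify ENTRY : print "ip", "net" or "invalid" (anything else, including
# hostnames, IPv6 and shell metacharacters, is rejected rather than passed on)
classify() {
    if is_ipv4 "$1"; then echo ip
    elif is_cidr "$1"; then echo net
    else echo invalid
    fi
}

# make_restore FILE : read one entry per line ('#' lines are comments) and
# print a restore script on stdout; invalid entries are reported on stderr.
# Load the result with:  sudo ipset -exist restore < blacklist.restore
make_restore() {
    echo "create blacklist_ip hash:ip hashsize 4096"
    echo "create blacklist_net hash:net"
    while read -r entry _; do
        case "$entry" in '' | '#'*) continue ;; esac
        case $(classify "$entry") in
            ip)  echo "add blacklist_ip $entry" ;;
            net) echo "add blacklist_net $entry" ;;
            *)   echo "skipping invalid entry: $entry" >&2 ;;
        esac
    done < "$1"
}
```

Running the generated file through `ipset -exist restore` means re-running it after the sets already exist is harmless, which is the behaviour the --exist option above documents.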
{{tag>ipset iptables}}