debian:ipset

IPSET

Let's first start by creating a list - we'll call our list 'blacklist' (please forgive the lack of originality).

Note you can create several types of ipset lists, with the type defining the IP address input format. The two we're interested in here are ip (hash:ip) and nethash (the older name for hash:net). hash:ip only takes individual IP addresses (in their full form), while nethash accepts (and requires) CIDR notation, which lets us block entire IP ranges. If you tried to add a range to a hash:ip set, every address in it would be stored as a separate entry, which could very easily fill the set up to its maximum.

To create an ip type list:

sudo ipset create blacklist hash:ip hashsize 4096

To create a nethash (CIDR) type list (set names must be unique, so pick a different name if the hash:ip set above already exists):

sudo ipset create blacklist nethash

Enabling (and deleting) the list in iptables

Now that we've created our list, we need to tell iptables to use it:

sudo iptables -I INPUT -m set --match-set blacklist src -j DROP
sudo iptables -I FORWARD -m set --match-set blacklist src -j DROP

Note, we can always remove these rules (to get iptables to not use the list) by:

sudo iptables -D INPUT -m set --match-set blacklist src -j DROP
sudo iptables -D FORWARD -m set --match-set blacklist src -j DROP

See Make ip-tables (firewall) rules persistent for saving the above ip-table rules permanently.

Alternatively, you can list all iptables rules with their numbers (the ipset match rules will be among them) and then pick a rule to delete. Rule numbers restart at 1 in each chain, so the chain has to be named when deleting. For example, the commands below list the rules and then delete rule 1 of the INPUT chain:

sudo iptables -L --line-numbers
sudo iptables -D INPUT 1
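To load many entries at once, ipset reads a session file in the format its own save/restore commands use (see the command reference below). The added example below (not from the original page) builds such a session from a plain list of addresses, sending single IPs to the hash:ip set and CIDR ranges to a separate hash:net set so that ranges never fill up the hash:ip set; the set names blacklist and blacklist_net and the sample input are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original page. Builds an `ipset restore`
# session from a list of addresses: bare IPs go to a hash:ip set, CIDR
# ranges to a hash:net set. The names blacklist/blacklist_net are assumed.

# Usage: build_restore SETNAME < list
# Reads one IP or CIDR per line on stdin; blank lines and '#' comments are
# skipped. Prints ipset restore syntax on stdout.
build_restore() {
    name="$1"
    # Same create parameters as the page's hash:ip set; CIDR entries get
    # their own hash:net set so they are stored as ranges, not expanded.
    echo "create $name hash:ip hashsize 4096"
    echo "create ${name}_net hash:net"
    while IFS= read -r line; do
        # drop comments and surrounding whitespace
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        case "$entry" in
            */*) echo "add ${name}_net $entry" ;;   # CIDR -> hash:net
            *)   echo "add $name $entry" ;;         # single IP -> hash:ip
        esac
    done
}

# Constructed sample input (documentation ranges, not real blocklist data).
sample_input() {
    cat <<'EOF'
# single hosts
192.0.2.10
198.51.100.7   # trailing comment
# whole ranges belong in the hash:net set
203.0.113.0/24
EOF
}

# Stand-alone run: print the session. Loading it needs root and is not
# done here: sample_input | build_restore blacklist | sudo ipset restore -exist
sample_input | build_restore blacklist
```

Running the session through `ipset restore -exist` makes it safe to re-run: an already existing set or entry is not treated as an error, so the same file can be reloaded at boot.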

COMMANDS

These options specify the desired action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command names, you need to use only enough letters to ensure that ipset can differentiate it from all other commands. The ipset parser follows the order here when looking for the shortest match in the long command names.

<html> <dl class="Bl-tag">

<dt><b>n</b>, <b>create</b> <i>SETNAME</i> <i>TYPENAME</i> [
  <i>CREATE-OPTIONS</i> ]</dt>
<dd>Create a set identified with setname and specified type. The type may
    require type specific options. If the <b>-exist</b> option is specified,
    <b>ipset</b> ignores the error otherwise raised when the same set (setname
    and create parameters are identical) already exists.</dd>
<dt><b>add</b> <i>SETNAME</i> <i>ADD-ENTRY</i> [ <i>ADD-OPTIONS</i> ]</dt>
<dd>Add a given entry to the set. If the <b>-exist</b> option is specified,
    <b>ipset</b> ignores if the entry already added to the set.</dd>
<dt><b>del</b> <i>SETNAME</i> <i>DEL-ENTRY</i> [ <i>DEL-OPTIONS</i> ]</dt>
<dd>Delete an entry from a set. If the <b>-exist</b> option is specified and
    the entry is not in the set (maybe already expired), then the command is
    ignored.</dd>
<dt><b>test</b> <i>SETNAME</i> <i>TEST-ENTRY</i> [ <i>TEST-OPTIONS</i> ]</dt>
<dd>Test whether an entry is in a set or not. Exit status number is zero if
    the tested entry is in the set and nonzero if it is missing from the
  set.</dd>
<dt><b>x</b>, <b>destroy</b> [ <i>SETNAME</i> ]</dt>
<dd>Destroy the specified set or all the sets if none is given.
  <p class="Pp">If the set has got reference(s), nothing is done and no set
      destroyed.</p>
</dd>
<dt><b>list</b> [ <i>SETNAME</i> ] [ <i>OPTIONS</i> ]</dt>
<dd>List the header data and the entries for the specified set, or for all
    sets if none is given. The <b>-resolve</b> option can be used to force
    name lookups (which may be slow). When the <b>-sorted</b> option is given,
    the entries are listed sorted (if the given set type supports the
    operation). The option <b>-output</b> can be used to control the format of
    the listing: <b>plain</b>, <b>save</b> or <b>xml</b>. (The default is
    <b>plain</b>.) If the option <b>-name</b> is specified, just the names of
    the existing sets are listed. If the option <b>-terse</b> is specified,
    just the set names and headers are listed. The output is printed to
    stdout, the option <b>-file</b> can be used to specify a filename instead
    of stdout.</dd>
<dt><b>save</b> [ <i>SETNAME</i> ]</dt>
<dd>Save the given set, or all sets if none is given to stdout in a format
    that <b>restore</b> can read. The option <b>-file</b> can be used to
    specify a filename instead of stdout.</dd>
<dt><b>restore</b></dt>
<dd>Restore a saved session generated by <b>save</b>. The saved session can be
    fed from stdin or the option <b>-file</b> can be used to specify a
    filename instead of stdin.
  <p class="Pp">Please note, existing sets and elements are not erased by
      <b>restore</b> unless specified so in the restore file. All commands are
      allowed in restore mode except <b>list</b>, <b>help</b>, <b>version</b>,
      interactive mode and <b>restore</b> itself.</p>
</dd>
<dt><b>flush</b> [ <i>SETNAME</i> ]</dt>
<dd>Flush all entries from the specified set or flush all sets if none is
    given.</dd>
<dt><b>e</b>, <b>rename</b> <i>SETNAME-FROM</i> <i>SETNAME-TO</i></dt>
<dd>Rename a set. Set identified by <i>SETNAME-TO</i> must not exist.</dd>
<dt><b>w</b>, <b>swap</b> <i>SETNAME-FROM</i> <i>SETNAME-TO</i></dt>
<dd>Swap the content of two sets, or in another words, exchange the name of
    two sets. The referred sets must exist and compatible type of sets can be
    swapped only.</dd>
<dt><b>help</b> [ <i>TYPENAME</i> ]</dt>
<dd>Print help and set type specific help if <i>TYPENAME</i> is
  specified.</dd>
<dt><b>version</b></dt>
<dd>Print program version.</dd>
<dt><b>-</b></dt>
<dd>If a dash is specified as command, then <b>ipset</b> enters a simple
    interactive mode and the commands are read from the standard input. The
    interactive mode can be finished by entering the pseudo-command
    <b>quit</b>.</dd>

</dl>
<h3 class="Ss" id="OTHER_OPTIONS">OTHER OPTIONS</h3>
<p>The following additional options can be specified. The long option names cannot be abbreviated.</p>

<dl class="Bl-tag">

<dt><b>-!</b>, <b>-exist</b></dt>
<dd>Ignore errors when exactly the same set is to be created or already added
    entry is added or missing entry is deleted.</dd>
<dt><b>-o</b>, <b>-output</b> { <b>plain</b> | <b>save</b> | <b>xml</b> }</dt>
<dd>Select the output format to the <b>list</b> command.</dd>
<dt><b>-q</b>, <b>-quiet</b></dt>
<dd>Suppress any output to stdout and stderr. <b>ipset</b> will still exit
    with error if it cannot continue.</dd>
<dt><b>-r</b>, <b>-resolve</b></dt>
<dd>When listing sets, enforce name lookup. The program will try to display
    the IP entries resolved to host names which requires <b>slow</b> DNS
    lookups.</dd>
<dt><b>-s</b>, <b>-sorted</b></dt>
<dd>Sorted output. When listing sets entries are listed sorted. Not supported
    yet.</dd>
<dt><b>-n</b>, <b>-name</b></dt>
<dd>List just the names of the existing sets, i.e. suppress listing of set
    headers and members.</dd>
<dt><b>-t</b>, <b>-terse</b></dt>
<dd>List the set names and headers, i.e. suppress listing of set members.</dd>
<dt><b>-f</b>, <b>-file</b> <i>filename</i></dt>
<dd>Specify a filename to print into instead of stdout (<b>list</b> or
    <b>save</b> commands) or read from instead of stdin (<b>restore</b>
    command).</dd>

</dl> </html>

  • debian/ipset.txt
  • Last modified: 2022/11/08 16:43
  • by 127.0.0.1