Target of this guide is to provide ipset basic tutorial to understand what ipset is, when to use ipset and when not to use ipset. This tutorial can be additional steps for guides like IpTables Fail2ban WordPress Guide. ipset is the successor of IPpool Command Line Utility, which allows the sysadmins to manage big lists of IPs. ipset is an extension to iptables to create firewall rules. Normal iptables chains are stored and traversed linearly. IP sets are stored in indexed data structures. That is why lookups very efficient for larger sets. Do not confuse the phrases. IPSec is another closer phrase which is a framework consisting of protocols and algorithms for protecting data through an untrusted network.
Regular users not need to filter so much heavily for a public server, they just need to block the ssh port against the unwanted country or use some other way. Blocking at operating system level is too much basic when it is about DDoS and targeted attack.
It is correct that ipset is powerful. But our ipset basic tutorial is not for applying the bigger hammer without in-depth understanding of relationship with kernel, own infrastructure etc matters. It is not for ordinary “cloud automation”. ipset is not automatically more powerful than iptables. ipset can store multiple IP addresses to match against the collection by iptables, dynamically update iptables rules against IP addresses without performance penalty or express complex IP address and ports based rulesets with one single iptables rule. Making an ordinary web server complicated actually has not much value.
---
IPSET Basic Tutorial
One need to install ipset from official repository, your distro needs to have built-in support, follow the installation procedure listed on the ipset home page, blindly running commands like then run sudo yum install ipset or sudo apt install ipset to easily install ipset is not recommended :
|
1 2 3 |
http://www.netfilter.org/projects/ipset/index.html or distro specific manual http://manpages.ubuntu.com/manpages/zesty/en/man8/ipset.8.html |
Test with the command :
|
1 |
ipset list |
Example to create a set named example :
|
1 2 3 4 |
# commands commented out to force manual typing # sudo ipset create example hash:net # ipset create example hash:ip # sudo ipset create example hash:net,port |
Now if you run command :
|
1 |
ipset list |
You will get output like this :
|
1 2 3 4 5 6 |
Name: example Type: hash:net Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16760 References: 0 Members: |
Or can list with :
|
1 |
ipset list example |
Output :
|
1 2 3 4 5 |
Name: example ... Members: a.b.c.d/24 ... |
and :
|
1 |
service ipset status |
Normally to drop packets against the IP a.b.c.d, with IPTables we run command :
|
1 |
iptables -A INPUT -s ! a.b.c.d -g chainname |
To get the same effect, we have to run :
|
1 2 3 4 |
ipset -A example a.b.c.d # ipset add example a.b.c.d/24 iptables -A INPUT -m set ! --set example src -g chainname # iptables -A INPUT -m set --example chainname src -j DROP |
