IP sets is a Linux kernel framework to effectively store and manage sets of IP addresses and/or network interfaces.
Questions tagged [ipset]
38 questions
4 votes, 1 answer
Why FirewallD is not blocking IPs with 'reject' rules?
My setup is the following:
fail2ban with some jails (working fine) using FirewallD to block the caught IPs.
Here is my default Firewall:
myzone
target: default
icmp-block-inversion: no
interfaces:
sources:
services: rcsa dhcpv6-client http…
acs-f
4 votes, 1 answer
Can I use iptables to rate limit an ipset?
Is it possible to use iptables to rate limit an ipset?
I know you can use ipset to create a block list named blacklist
i.e.
ipset create blacklist hash:ip
iptables -I INPUT -m set --match-set blacklist src -j DROP
ipset add blacklist…
p4guru
4 votes, 0 answers
IPsets in FirewallD with Nftables backend
I upgraded my server to Fedora 32. Firewalld has switched the backend to Nftables.
My setup is pretty simple. Just HTTP, HTTPS, SSH, SMTP ports open and multiple IPsets (IPv4, IPv6) to block a preset list of IP addresses. Earlier I used to do…
user213598
3 votes, 1 answer
How to block both IPv4 and IPv6 with ipset on Ubuntu 16.04?
So I have the following script that blocks IPs:
#!/bin/bash
# here's your list of IPS
CURRENT_BL=/path/to/my/ip_black_list.txt
# create/flush recreate the tables
iptables -F BLACKHOLE
iptables -N BLACKHOLE
for BAD_IP in $(cat $CURRENT_BL)
do
…
Emmanuel-Ab
3 votes, 0 answers
GeoIP vs IPset performance in iptables
I would like to ask you what is faster in terms of performance, GeoIP or IPset.
Let me explain: imagine that I have a rule:
iptables -A INPUT -m geoip ! --src-cc US,UK,CA -j DROP
And imagine that I have IPset of hash:net and I put all these IPs (from…
tomsk
3 votes, 1 answer
Why does the 'nomatch' option of ipset not work in this case?
I am using ipset 6.23-2 on Debian Jessie. I created a hash:net set for and an iptables rule to drop all traffic for addresses in the set.
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere …
Kanra
2 votes, 1 answer
Why does ipset succeed on adding ipv4 ranges, but fail on adding ipv6 range?
Using ipset to clean up bulky iptables rulesets does not seem so different between IPv4 and IPv6:
# ipset create TEST hash:net family inet
# ipset create DEMO hash:net family inet6
# iptables -A INPUT -m set --match-set TEST src -j DROP
# ip6tables…
anx
2 votes, 1 answer
ipset not being applied to iptables
I'm trying to filter out a country that keeps probing my SMTP server (CentOS6) and I can't seem to get the ipset to work out right in iptables.
I downloaded that country's IP addresses from ipdeny.com and installed the list as a text file. …
pathrider
2 votes, 2 answers
In Linux how to add a route to a prefix via a specific device with certain destinations in that prefix going via default route?
I'm currently dealing with a VPN whose connection endpoint lies within the subnet whose prefix shall be tunneled via that specific VPN.
Essentially the problem thus boils down to matching against a (larger) set of destination addresses (/16 mask),…
datenwolf
2 votes, 0 answers
Where can I find ipv6 blacklists
We have blacklists in place to stop traffic from known bad actors. There are plenty of resources such as the lists below but I am not finding any results for ipv6 blacklists. Does anyone know where I can find such lists?
…
Dovid Bender
2 votes, 1 answer
firewalld, `--add-rich-rule` and missing blacklist set
My server uses CentOS 8, quite recently installed (~1 year).
After trying to ban an IP:
firewall-cmd --permanent --zone=extz --add-rich-rule='rule family="ipv4" source address="49.88.112.70" drop'
My system seems to be corrupt:
# firewall-cmd…
PeptideChain
1 vote, 3 answers
Using fail2ban, ipset and iptables to block bad IP addresses on Google Compute Engine
I am running Ubuntu Linux 16.04 on a GCP Compute Engine VM instance. This is hosting a web server for a web application. I need feedback from the community about verification that what I have set up on Ubuntu Linux is correct and that I can…
Jack Stein
1 vote, 1 answer
How to use iptables and ipset for destination host redirect to another server?
How to block access to the list of the sites and show a notification page?
This example, blocking without a page, works correctly:
iptables -I FORWARD -m set --match-set site src,dst -j DROP
I try to use the next rule to redirect hosts to another…
Kvartu
1 vote, 2 answers
Traffic shaping with iptables, ipset and tc (--match-set and --set-mark)
I am having some trouble with what I believe should be a fairly straightforward traffic shaping problem.
I have an Ubuntu (16.04) server that is acting as a router/nat. I want to allow most users to use 2mbps internet, whilst throttling some devices…
Gav
1 vote, 3 answers
Configure Iptables with Ipset
I would highly appreciate it if someone could help on a quite simple ipset rule I am trying to set up. I cannot really understand why it does not seem to work. So here it goes:
I create a simple file with IP addresses I would like to block and call…
Klaipedaville