Questions tagged [ipset]

IP sets are a Linux kernel framework for efficiently storing and managing sets of IP addresses and/or network interfaces.

38 questions
4 votes, 1 answer

Why FirewallD is not blocking IPs with 'reject' rules?

My setup is the following: fail2ban with some jails (working fine) using FirewallD to block the caught IPs. Here is my default Firewall: myzone target: default icmp-block-inversion: no interfaces: sources: services: rcsa dhcpv6-client http…
asked by acs-f

4 votes, 1 answer

Can I use iptables to rate limit an ipset?

Is it possible to use iptable tables to rate limit an ipset? I know you can use ipset to create a block list named blacklist i.e. ipset create blacklist hash:ip iptables -I INPUT -m set --match-set blacklist src -j DROP ipset add blacklist…
asked by p4guru

4 votes, 0 answers

IPsets in FirewallD with Nftables backend

I upgraded my server to Fedora 32. Firewalld has switched the backend to Nftables. My setup is pretty simple. Just HTTP, HTTPS, SSH, SMTP ports open and multiple IPsets (IPv4, IPv6) to block a preset list of IP addresses. Earlier I used to do…
asked by user213598

3 votes, 1 answer

How to block both IPv4 and IPv6 with ipset on Ubuntu 16.04?

So I have the following script that blocks IPs: #!/bin/bash # here's your list of IPS CURRENT_BL=/path/to/my/ip_black_list.txt # create/flush recreate the tables iptables -F BLACKHOLE iptables -N BLACKHOLE for BAD_IP in $(cat $CURRENT_BL) do …
asked by Emmanuel-Ab

3 votes, 0 answers

GeoIP vs IPset performance in iptables

I would like to ask you what is faster in terms of performance, GeoIP or IPset. Let me explain, imagine that I have a rule: iptables -A INPUT -m geoip ! --src-cc US,UK,CA -j DROP And imagine that I have an IPset of hash:net and I put all these IPs (from…
asked by tomsk

3 votes, 1 answer

Why does the 'nomatch' option of ipset not work in this case?

I am using ipset 6.23-2 on Debian Jessie. I created a hash:net set for and an iptables rule to drop all traffic for addresses in the set. Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- anywhere …
asked by Kanra

2 votes, 1 answer

Why does ipset succeed on adding ipv4 ranges, but fail on adding ipv6 range?

Using ipset to clean up bulky iptable rulesets does not seem so different between IPv4 and IPv6: # ipset create TEST hash:net family inet # ipset create DEMO hash:net family inet6 # iptables -A INPUT -m set --match-set TEST src -j DROP # ip6tables…
asked by anx

2 votes, 1 answer

ipset not being applied to iptables

I'm trying to filter out a country that keeps probing my SMTP server (CentOS6) and I can't seem to get the ipset to work out right in iptables. I downloaded that country's IP addresses from ipdeny.com and installed the list as a text file. …
asked by pathrider

2 votes, 2 answers

In Linux how to add a route to a prefix via a specific device with certain destinations in that prefix going via default route?

I'm currently dealing with a VPN whose connection endpoint lies within the subnet whose prefix shall be tunneled via that specific VPN. Essentially the problem thus boils down to matching against a (larger) set of destination addresses (/16 mask),…
asked by datenwolf

2 votes, 0 answers

Where can I find ipv6 blacklists

We have blacklists in place to stop traffic from known bad actors. There are plenty of resources such as the lists below but I am not finding any results for ipv6 blacklists. Does anyone know where I can find such lists? …
asked by Dovid Bender

2 votes, 1 answer

firewalld, `--add-rich-rule` and missing blacklist set

My server uses Centos8 quite recently installed (~1 year). After trying to ban an IP: firewall-cmd --permanent --zone=extz --add-rich-rule='rule family="ipv4" source address="49.88.112.70" drop' My system seems to be corrupt: # firewall-cmd…
asked by PeptideChain

1 vote, 3 answers

Using fail2ban, ipset and iptables to block bad IP addresses on Google Compute Engine

I am running Ubuntu Linux 16.04 on a GCP Compute Engine VM instance. This is hosting a web server for a web application. I need feedback from the community about verification that what I have set up on Ubuntu Linux is correct and that I can…
asked by Jack Stein

1 vote, 1 answer

How to use iptables and ipset for destination host redirect to another server?

How to block access to the list of the sites and show a notification page? This example, blocking without a page, works correctly: iptables -I FORWARD -m set --match-set site src,dst -j DROP I try to use the next rule for hosts redirect to another…
asked by Kvartu

1 vote, 2 answers

Traffic shaping with iptables, ipset and tc (--match-set and --set-mark)

I am having some trouble with what I believe should be a fairly straightforward traffic shaping problem. I have an Ubuntu (16.04) server that is acting as a router/nat. I want to allow most users to use 2mbps internet, whilst throttling some devices…
asked by Gav

1 vote, 3 answers

Configure Iptables with Ipset

I would highly appreciate it if someone could help on a quite simple ipset rule I am trying to set up. I cannot really understand why it does not seem to work. So here it goes: I create a simple file with IP addresses I would like to block and call…
asked by Klaipedaville
