
ipset (by damian)

For beginners

Assuming you have a modern .deb based distro, here are some simple steps. 

apt-get update
apt-get install ipset
ipset create SET1 hash:net #(for example)
ipset add SET1 91.83.231.25 #(for example)
ipset add SET1 80.249.172.0/24 #(for example)
iptables -I INPUT -m set --match-set SET1 src -j DROP #(to drop all matching packets)


To save all your sets:

ipset save > backupfile

To delete:

ipset del SET1 91.83.231.25 #deletes a single entry from a set
ipset flush SET1 #removes all entries from a set (the empty set itself remains)
ipset destroy #deletes all the sets (ipset destroy SET1 deletes just that one)


BEFORE deleting a set you should delete the links in your iptables pointing to your set, e.g.

iptables -D INPUT -m set --match-set SET1 src -j DROP

To see your sets in different ways:

ipset -n list #set names only
ipset -t list #names and headers (type, size), without the entries
ipset list #everything, entries included


To check if an IP address exists in a set:

ipset test SET1 10.10.10.10 #(the set name is required; exit status 0 means the address is in the set)

To restore your sets (assuming that the sets in the file don't exist already):

ipset restore < backupfile #(use ipset restore -exist if some of the sets already exist)


Some tricks

To create a new set of type hash:net (a hash type is what you want for plain address lookups), append some addresses to it and deny them based on the source IP address:

ipset -N set2 hash:net #(-N is short for create; hash:net takes single addresses and networks)
ipset -A set2 10.10.10.0/24
ipset -A set2 80.249.172.62
iptables -A INPUT -m set --match-set set2 src -j DROP

To quickly delete a set (don't forget to delete the iptables rule that references it first):

ipset -F set2 #flush (empty) the set
ipset -X set2 #destroy it
or, for all sets at once:
ipset f
ipset x

Auto-denying a host that tries to connect to your SSH port is as simple as this (note that every source that sends a packet to port 22 ends up in the set, your own administrative hosts included, unless you accept them in an earlier rule):

ipset -N denied hash:ip
iptables -A INPUT -p tcp --dport 22 -j SET --add-set denied src #(the SET target adds the source address to the set)
iptables -A INPUT -m set --match-set denied src -j DROP


To block IP addresses based on geo location (country) here is a simple shell script:

#!/bin/bash
# brace expansion ({cn,kr,...}) needs bash, not plain sh
ipset -N geoblock hash:net
for IP in $(wget -O - http://www.ipdeny.com/ipblocks/data/countries/{cn,kr,pk,tw,sg,hk,pe}.zone)
do
    ipset -A geoblock $IP
done
iptables -A INPUT -m set --match-set geoblock src -j DROP

#EoF
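A hardened variant of the geoblock script, added here as an example and not part of the original page. Rather than piping whatever the download returns straight into ipset -A, it checks that every line is an IPv4 address or CIDR, writes an ipset restore script that fills a temporary set and swaps it into place atomically, and reports malformed lines. The set name, file name and function names are placeholders; it assumes ipset restore accepts flush, swap and destroy lines (restore reuses the command-line parser).

```sh
#!/bin/sh
# Added example: validate blocklist entries and build an atomic "ipset restore"
# script instead of piping an untrusted download straight into "ipset -A".

# Return 0 if $1 is an IPv4 address or IPv4 CIDR (a.b.c.d or a.b.c.d/n).
is_ipv4_cidr() {
    cidr_ip=$1; cidr_len=32
    case $cidr_ip in */*) cidr_len=${cidr_ip#*/}; cidr_ip=${cidr_ip%%/*} ;; esac
    # only digits and dots may appear; this also keeps glob characters out
    case $cidr_ip in ''|*[!0-9.]*) return 1 ;; esac
    case $cidr_len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$cidr_len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $cidr_ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|????*) return 1 ;; esac   # empty or more than 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an "ipset restore" script that loads the valid entries of file $2 into
# set $1 (both names are placeholders chosen by the caller). Entries go into a
# temporary set that is swapped in atomically, so the live set that iptables
# matches on is never half-populated. Bad lines are reported on stderr and
# skipped; the function returns 1 if no usable entry was found at all.
build_geoblock_restore() {
    set_name=$1; zone_file=$2; tmp_set="${1}_tmp"; accepted=0
    printf 'create %s hash:net\n' "$set_name"
    printf 'create %s hash:net\n' "$tmp_set"
    printf 'flush %s\n' "$tmp_set"
    while IFS= read -r line || [ -n "$line" ]; do
        # strip "# comments", CR and whitespace, then skip empty lines
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if is_ipv4_cidr "$line"; then
            printf 'add %s %s\n' "$tmp_set" "$line"
            accepted=$((accepted + 1))
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$zone_file"
    printf 'swap %s %s\n' "$tmp_set" "$set_name"
    printf 'destroy %s\n' "$tmp_set"
    [ "$accepted" -gt 0 ]
}
```

Save the downloaded zone files to a file, then run build_geoblock_restore geoblock zonefile | ipset restore -exist, so re-running is harmless when the sets already exist; the iptables rule pointing at geoblock is added once and keeps matching across reloads.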


To auto-timeout entries (and not generate any error if the entry already exists):

ipset create test hash:ip timeout 10
ipset add -exist test 91.83.231.25 timeout 120 #(overriding the set's default 10 seconds for this entry)


To auto-learn a MAC address (and define the address range the bitmap covers):

ipset create test bitmap:ip,mac range 192.168.0.0/24
ipset add test 192.168.0.1,11:11:22:22:11:11
ipset add test 192.168.0.2 #(this one will auto-learn the MAC address from the first matching packet)


More advanced WAN/LAN/DMZ firewall example

We define our client (source) IPs and the ports they want to talk to, and we define our server IP address and ports. We allow established (and related) sessions. Here things get interesting.
We allow all packets coming in on the external (internet) interface that head towards our DMZ server IP address and ports (see dst,dst: that means destination IP AND destination port; here HTTP, HTTPS, DNS over UDP and ping, which the server will answer with an echo reply).
Then we allow our LAN clients to access the web based on src,dst (source IP address and destination port). In our case anyone in the LAN can browse the web, but only 192.168.0.10 can use HTTPS.
In the last line we allow our trusted administrator to connect to TCP ports 22020 to 22022 anywhere in our system.

ipset n dmzservers hash:ip,port #(n is short for create, a below is short for add)
ipset n mynetworks hash:net,iface #(there is no hash:ip,iface type; hash:net,iface takes the networks below)
ipset n lanusers hash:ip,port
ipset n remoteadmin hash:ip,port
ipset a dmzservers 195.195.195.195,http
ipset a dmzservers 195.195.195.195,https
ipset a dmzservers 195.195.195.195,udp:53
ipset a dmzservers 195.195.195.195,icmp:ping
ipset a mynetworks 192.168.0.0/24,eth0
ipset a mynetworks 8.8.8.0/24,eth1
ipset a mynetworks 195.195.195.193/30,eth2 #(these network definitions are not used in the rules below)
ipset a lanusers 192.168.0.0/24,http
ipset a lanusers 192.168.0.10,https
ipset a remoteadmin 82.112.112.112,tcp:22020-22022
# $EXTERNAL and $INTERNAL hold the interface names, e.g. EXTERNAL=eth2 INTERNAL=eth0
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXTERNAL -m set --match-set dmzservers dst,dst -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $INTERNAL -m set --match-set lanusers src,dst -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTERNAL -m set --match-set remoteadmin src,dst -m state --state NEW -j ACCEPT

Tags:
#dmz #firewall #forwarding #howto #ipset #iptables #linux #masquerade #nat #network #port #routing #sysadmin #traffic #tricks #zone

Info:
Created: 14.08.2014 15:52
Last Changed: 13.03.2021 14:54