What do you think? Discuss, post comments, or ask questions at the end of this article. [More about me]

Skip to end of metadata
Go to start of metadata

ipset is an excellent tool that can be used to efficiently block a list of IP addresses at the firewall level (it uses iptables).  It really helps in easily adding IP addresses and maintaining IP address blocklists.

The below guide sets up ipset to block a list of IP addresses and includes several commands to save/restore said IP lists.

This guide assumes you on are on form of Linux (Ubuntu 16.10 Server is used below).

Guide

Installing ipset

Let's first install ipset.  On Debian/Ubuntu we can do:

sudo apt-get install ipset

On CentOS/Amazon-Linux you would do:

sudo yum install ipset

Creating our "blacklist"

Let's first start by creating a list - we'll call our list 'blacklist' (please forgive the lack of originality).

Note you can create several types of ipset lists, with the type defining the IP address input formats.  The two we're interested in here is ip and nethaship simply allows defining IP addresses (in their full form) and nethash allows (and requires) CIDR format - which allows us to block entire IP ranges (which if you tried to add to an ipset using hash:ip, could very easily fill the ipset list up to it's maximum).

To create an ip type list:

sudo ipset create blacklist hash:ip hashsize 4096

To create a nethash (CIDR) type list:

sudo ipset create blacklist nethash

Enabling (and deleting) the list in iptables

Now that we've created out list, we need to tell iptables to use it:

sudo iptables -I INPUT -m set --match-set blacklist src -j DROP
sudo iptables -I FORWARD -m set --match-set blacklist src -j DROP

Note, we can always remove these rules (to get iptables to not use the list) by:

sudo iptables -D INPUT -m set --match-set blacklist src -j DROP
sudo iptables -D FORWARD -m set --match-set blacklist src -j DROP

See Make ip-tables (firewall) rules persistent for saving the above ip-table rules permanently.

Alternatively, you can list all iptables rules (of which ipset will be in there) and then select a rule to delete.  For example, the below commands will list, and then delete the listed rule 1:

sudo iptables -L --list-numbers
sudo iptables -D INPUT 1

Setting ipset to be persistent (not lose lists on reboot)

If your distro using systemd (Ubuntu, Arch, RHEL 7+, etc.) then you create a service to load ipset tables at boot (as well as save the table/s when the service is stopped, e.g. at shutdown etc.).

The below is for a Ubuntu (16.04) server, so if you are using another distro you might need to modify the following to suit.

For the service file (example) below, I'm only going to be saving a single ipset: blacklist, but you can modify it to save all ipsets (if you have multiple).

Let's start by creating our service file based off this excellent post by selivan:

/etc/systemd/system/ipset-persistent.service
[Unit]
Description=ipset persistancy service
DefaultDependencies=no
Requires=netfilter-persistent.service
Requires=ufw.service
Before=network.target
Before=netfilter-persistent.service
Before=ufw.service
ConditionFileNotEmpty=/etc/ipsets.conf

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/ipset restore -f -! /etc/ipsets.conf

# save on service stop, system shutdown etc.
ExecStop=/sbin/ipset save blacklist -f /etc/ipsets.conf

[Install]
WantedBy=multi-user.target

RequiredBy=netfilter-persistent.service
RequiredBy=ufw.service

Note: the above requires both ufw  and netfilter-persistent packages.  See  Make ip-tables (firewall) rules persistent for more information on configuring persistent ip-tables.

Now all that's left is to start and enable the service:

sudo systemctl daemon-reload
sudo systemctl start ipset-persistent
sudo systemctl enable ipset-persistent

Now, on shutdown (or stopping the service) our ipset-persistent service should backup the current blacklist ipset and restore it on reboot.

Listing / adding / removing IP addresses from our blacklist

To list current IP addresses in our list, do:

sudo ipset list

To add an IP address, simply do:

sudo ipset add blacklist <IP-ADDRESS_OR_CIDR-IF-NETHASH>

To remove an IP address, do:

sudo ipset del blacklist <IP-ADDRESS_OR_CIDR-IF-NETHASH>

To remove ALL IP addresses in a list, use the flush command

sudo ipset flush blacklist

Querying to see if IP address is in list

You can use the "test" command to check if an IP address is in a specific list:

sudo ipset test blacklist <IP-ADDRESS>

Saving / restoring IP lists

To save the current list to a file:

sudo ipset save blacklist -f ipset-blacklist.backup

To restore said file:

sudo ipset restore -! < ipset-blacklist.backup

Deleting a list

You might want to delete a list.  To do so you can use the 'destroy' command:

sudo ipset destroy blacklist

Note1, that you first need to remove any lists that are in use from iptables.  See above section Enabling the list in iptables for details on how to do this.

Note2: use the flush command to simply delete all ip addreses in the list without deleting the list itself.

References

  1. https://linux-audit.com/blocking-ip-addresses-in-linux-with-iptables/
  2. https://unix.stackexchange.com/questions/401984/how-to-import-multiple-ips-to-ipset
  3. http://xmodulo.com/block-unwanted-ip-addresses-linux.html
  4. https://strongarm.io/blog/linux-firewall-performance-testing/
  5. https://linoxide.com/linux-how-to/block-ips-country-ipset/
  6. https://selivan.github.io/2018/07/27/ipset-save-with-ufw-and-iptables-persistent-and.html