ipset is an excellent tool that can be used to efficiently block a list of IP addresses at the firewall level (it uses iptables). It really helps in easily adding IP addresses and maintaining IP address blocklists.
The below guide sets up ipset to block a list of IP addresses and includes several commands to save/restore said IP lists.
This guide assumes you on are on form of Linux (Ubuntu 16.10 Server is used below).
Let's first install ipset. On Debian/Ubuntu we can do:
On CentOS/Amazon-Linux you would do:
Creating our "blacklist"
Let's first start by creating a list - we'll call our list 'blacklist' (please forgive the lack of originality).
Note you can create several types of ipset lists, with the type defining the IP address input formats. The two we're interested in here is
ip simply allows defining IP addresses (in their full form) and
nethash allows (and requires) CIDR format - which allows us to block entire IP ranges (which if you tried to add to an ipset using
hash:ip, could very easily fill the ipset list up to it's maximum).
To create an
ip type list:
To create a
nethash (CIDR) type list:
Enabling (and deleting) the list in iptables
Now that we've created out list, we need to tell iptables to use it:
Note, we can always remove these rules (to get iptables to not use the list) by:
See Make ip-tables (firewall) rules persistent for saving the above ip-table rules permanently.
Alternatively, you can list all iptables rules (of which ipset will be in there) and then select a rule to delete. For example, the below commands will list, and then delete the listed rule 1:
Setting ipset to be persistent (not lose lists on reboot)
If your distro is using systemd (Ubuntu, Arch, RHEL 7+, etc.) then you create a service to load ipset tables at boot (as well as save the table/s when the service is stopped, e.g. at shutdown etc.).
The below is for a Ubuntu (16.04) server, so if you are using another distro you might need to modify the following to suit.
For the service file (example) below, I'm only going to be saving a single ipset:
blacklist, but you can modify it to save all ipsets (if you have multiple).
Let's start by creating our service file based off this excellent post by selivan:
Note: the above requires both
netfilter-persistent packages. See Make ip-tables (firewall) rules persistent for more information on configuring persistent ip-tables.
Now all that's left is to start and enable the service:
Now, on shutdown (or stopping the service) our
ipset-persistent service should backup the current
blacklist ipset and restore it on reboot.
Listing / adding / removing IP addresses from our blacklist
To list current IP addresses in our list, do:
To add an IP address, simply do:
To remove an IP address, do:
To remove ALL IP addresses in a list, use the flush command
Querying to see if IP address is in list
You can use the "test" command to check if an IP address is in a specific list:
Saving / restoring IP lists
To save the current list to a file:
To restore said file:
Deleting a list
You might want to delete a list. To do so you can use the 'destroy' command:
Note1, that you first need to remove any lists that are in use from iptables. See above section Enabling the list in iptables for details on how to do this.
Note2: use the flush command to simply delete all ip addreses in the list without deleting the list itself.