...

Alternatively, you can list all iptables rules (the rule that matches against the ipset will be among them) and then delete a rule by its number. For example, the commands below list the rules with their numbers and then delete rule 1 of the INPUT chain (rule numbers are per chain):

```bash
sudo iptables -L --line-numbers
sudo iptables -D INPUT 1
```

Setting ipset to be persistent (not lose lists on reboot)

netfilter-persistent should save your ipset lists.  You might need to install this package.  On Debian/Ubuntu:

```bash
sudo apt-get install netfilter-persistent
```

First, make sure the service has started:

```bash
sudo service netfilter-persistent start
```

If your distro uses systemd (Ubuntu, Arch, RHEL 7+, etc.), you create a service that loads the ipset tables at boot and saves them when the service is stopped (e.g. at shutdown).

Info: the below is for an Ubuntu (16.04) server, so if you are using another distro you might need to modify the following to suit.

In the example service file below I'm only saving a single ipset, blacklist, but you can modify it to save all ipsets if you have several.

Let's start by creating our service file:

/etc/systemd/system/ipset-persistent.service:

```ini
[Unit]
Description=ipset persistency service
DefaultDependencies=no
# load the sets before the network comes up and before the firewall rules
# that reference them are restored
Before=network.target
Before=netfilter-persistent.service
Before=ufw.service

[Service]
Type=oneshot
RemainAfterExit=yes
# make sure the file exists on first boot so the restore does not fail
ExecStart=/usr/bin/touch /etc/ipsets.conf
# -! (-exist) ignores entries that already exist instead of aborting the restore
ExecStart=/sbin/ipset restore -! -f /etc/ipsets.conf

# save on service stop, system shutdown etc.
ExecStop=/sbin/ipset save blacklist -f /etc/ipsets.conf

[Install]
WantedBy=multi-user.target
RequiredBy=netfilter-persistent.service
RequiredBy=ufw.service
```

Info: the above requires both the ufw and netfilter-persistent packages. See "Make ip-tables (firewall) rules persistent" for more information on configuring persistent iptables rules.

Now all that's left is to start and enable the service and then save settings (once you've created your block list):

```bash
sudo systemctl daemon-reload
sudo systemctl start ipset-persistent
sudo systemctl enable ipset-persistent
```

Now, on shutdown (or when the service is stopped) our ipset-persistent service should back up the current blacklist ipset and restore it on reboot. See chkconfig alternative for Debian-based distros for setting the 'netfilter-persistent' service to start on boot.

Listing / adding / removing IP addresses from our blacklist

...

```bash
sudo ipset restore -! < ipset-blacklist.backup
```

...

It's a good idea to keep a backup of your list. One way to do this automatically is to create a cron entry that runs a backup script.

Let's create a simple backup script that checks whether a particular list has any members (entries) (in this example the list is called "blacklist") and, if it does, saves it to a specific location. Here's my script:

ipset-blacklist_backup.sh:

```bash
#!/bin/bash

# Check whether the set has any members: count every line printed after the
# "Members:" line of "ipset list blacklist" (0 means the set is empty).
NUM_LINES=$( /sbin/ipset list blacklist | awk '/Members:/{l=1;next}l' | wc -l )

if [ "$NUM_LINES" -gt 0 ]; then
        # "ipset save" writes the set in a form "ipset restore" can read back
        /sbin/ipset save blacklist -f /home/<USER>/ipset-blacklist.backup
        echo "blacklist backed up"
else
        echo "ipset list blacklist is empty - nothing backed up"
fi
```

Let's now make our script executable:

```bash
chmod a+x ipset-blacklist_backup.sh
```

You can now run the above script (which needs to run as root, since ipset requires it) as a cron job.

Start by opening root's crontab:

```bash
sudo crontab -e
```

Modify (to suit) and add the following entry to the crontab:

```bash
# backup ipset blacklist (the list of IP addresses we have blacklisted with iptables/firewall)
30 2 * * * /home/<USER>/ipset-blacklist_backup.sh
```

Here I've chosen to back up my blacklist every morning at 0230hrs to USER's home folder.

Note: ipset on my Ubuntu setup is found at /sbin/ipset. If you use another distribution you will need to check where ipset is (probably /usr/sbin/ipset or the like).
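As an added example (not the page's own script), here is a version of the backup that puts the "count lines after Members:" parsing into a function so it can be checked against a constructed listing, and that backs up every non-empty set rather than only blacklist. The ipset path and the backup directory are assumptions and can be overridden from the environment.

```bash
#!/bin/bash
# Added example, not the page's script: back up every non-empty ipset.
# Assumptions: ipset is at /sbin/ipset (override with IPSET=...) and backups
# go to /var/backups/ipset (override with BACKUP_DIR=...).
IPSET=${IPSET:-/sbin/ipset}
BACKUP_DIR=${BACKUP_DIR:-/var/backups/ipset}

# count_members: read "ipset list <name>" output on stdin and print the number
# of non-blank lines after the "Members:" header (0 for an empty set).
count_members() {
    awk '/^Members:/ { m = 1; next } m && NF { n++ } END { print n + 0 }'
}

# backup_set NAME: save NAME to BACKUP_DIR/ipset-NAME.backup if it has at least
# one member. Returns 0 if a backup was written, 1 if the set was empty.
backup_set() {
    name=$1
    n=$("$IPSET" list "$name" | count_members)
    if [ "$n" -gt 0 ]; then
        mkdir -p "$BACKUP_DIR"
        "$IPSET" save "$name" -f "$BACKUP_DIR/ipset-$name.backup"
        echo "$name: $n entries backed up"
        return 0
    fi
    echo "$name: empty - nothing backed up"
    return 1
}

# backup_all: backup_set for every set name the kernel knows about.
backup_all() {
    for s in $("$IPSET" list -n); do backup_set "$s" || true; done
}

# Constructed sample of "ipset list blacklist" output (not from a real host),
# so the parsing can be exercised without root or the ipset binary.
SAMPLE_LISTING='Name: blacklist
Type: hash:ip
Number of entries: 3
Members:
198.51.100.7
203.0.113.25
192.0.2.200'

# demo_count: member count of the constructed sample (prints 3).
demo_count() { printf '%s\n' "$SAMPLE_LISTING" | count_members; }

# Run a named function from the command line, e.g. from cron:
#   30 2 * * * /path/to/ipset-backup.sh backup_all
if [ $# -gt 0 ]; then "$@"; fi
```

Calling the script with `backup_all` from root's crontab replaces the single-set version above; an empty set is reported and skipped rather than overwriting a good backup with nothing.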

Deleting a list

You might want to delete a list. To do so, use the 'destroy' command:

...



...