...
Alternatively, you can list all iptables rules (the rule referencing your ipset will be among them) and then select a rule to delete. For example, the commands below list all chains with rule numbers and then delete rule 1 of the INPUT chain:

```bash
sudo iptables -L --line-numbers
sudo iptables -D INPUT 1
```
Setting ipset to be persistent (not lose lists on reboot)
netfilter-persistent should save your ipset lists. You might need to install this package. On Debian/Ubuntu:

```bash
sudo apt-get install netfilter-persistent
```
First make sure the service has started:

```bash
sudo service netfilter-persistent start
```
If your distro is using systemd (Ubuntu, Arch, RHEL 7+, etc.) then you can create a systemd service that loads the ipset tables at boot and saves the table(s) when the service is stopped (e.g. at shutdown).
Info: The below is for an Ubuntu (16.04) server, so if you are using another distro you might need to modify the following to suit.
For the service file (example) below, I'm only going to be saving a single ipset, blacklist, but you can modify it to save all ipsets (if you have multiple).
Let's start by creating our service file, based on this excellent post by selivan (linked in the references below):
```ini
[Unit]
Description=ipset persistency service
DefaultDependencies=no
Requires=netfilter-persistent.service
Requires=ufw.service
Before=network.target
Before=netfilter-persistent.service
Before=ufw.service
# only run if a saved set exists, so a fresh install does not fail at boot
ConditionFileNotEmpty=/etc/ipsets.conf

[Service]
Type=oneshot
RemainAfterExit=yes
# -f: read from file, -!: ignore "set already exists" errors
ExecStart=/sbin/ipset restore -f -! /etc/ipsets.conf
# save on service stop, system shutdown etc.
ExecStop=/sbin/ipset save blacklist -f /etc/ipsets.conf

[Install]
WantedBy=multi-user.target
RequiredBy=netfilter-persistent.service
RequiredBy=ufw.service
```
Info: Note: the above requires both
Now all that's left is to start and enable the service (the unit file above is assumed to have been saved as /etc/systemd/system/ipset-persistent.service) and then save the settings (once you've created your block list):

```bash
sudo systemctl daemon-reload
sudo systemctl start ipset-persistent
sudo service netfilter-persistent save
sudo systemctl enable ipset-persistent
```
Now, on shutdown (or when the service is stopped) our ipset-persistent service should back up the current blacklist ipset and restore it on reboot. See the chkconfig alternative for Debian-based distros for setting the 'netfilter-persistent' service to start on boot.
Listing / adding / removing IP addresses from our blacklist
...
```bash
sudo ipset restore -! < ipset-blacklist.backup
```
Backing up list periodically (with cron)
It's a good idea to keep a backup of your list. One way to do this automatically is to create a cron entry that runs a backup script.
Let's create a simple backup script that checks whether a particular list has any members (entries); in this example the list is called "blacklist". If it does, the script saves the list to a specific location. Here's my script:
```bash
#!/bin/bash
# Check whether the ipset has any members: count the lines that follow the
# "Members:" line in the output of "ipset list blacklist".
NUM_LINES=$( /sbin/ipset list blacklist | awk '/Members:/{l=1;next}l' | wc -l )
if [ "$NUM_LINES" -gt 0 ]; then
    /sbin/ipset save blacklist -f /home/<USER>/ipset-blacklist.backup
    echo "blacklist backed up"
else
    echo "ipset list blacklist is empty - nothing backed up"
fi
```
Let's now make our script executable:

```bash
chmod a+x ipset-blacklist_backup.sh
```
You can now run the above script (which needs to run as root, since ipset requires it) as a cron job.
Start by opening root's crontab:

```bash
sudo crontab -e
```
Modify (to suit) and add the following entry to the crontab:

```cron
# backup ipset blacklist (list of IP addresses we have blacklisted with iptables/firewall)
30 2 * * * /home/<USER>/ipset-blacklist_backup.sh
```
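The script above only handles one hard-coded set, and the note earlier mentioned saving all ipsets when you have several. The following is an added example (not from the original page) that extends the same member-counting idea to every non-empty set currently loaded, writing one file per set and never overwriting a previous backup with an empty set. It assumes the ipset binary at /sbin/ipset (overridable via IPSET, e.g. to test with a fake) and a hypothetical backup directory /var/backups/ipset (overridable via BACKUP_DIR); the `run` argument is this example's own guard so the file can be sourced without touching live sets.

```bash
#!/bin/bash
# Added example (not from the original page): back up every non-empty ipset,
# one file per set, instead of only the hard-coded "blacklist" set.
# Assumptions: ipset binary at /sbin/ipset (override with IPSET, e.g. to test
# with a fake) and a writable backup directory (override with BACKUP_DIR).

IPSET="${IPSET:-/sbin/ipset}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/ipset}"   # assumed location

# count_members: read `ipset list <name>` output on stdin and print the number
# of non-blank lines after the "Members:" header (same idea as the page's awk).
count_members() {
    awk '/^Members:/{m=1;next} m && NF' | wc -l | tr -d ' '
}

# backup_set NAME: save NAME to "$BACKUP_DIR/NAME.save" when it has members.
# Returns 0 when a backup was written, 1 when the set is empty (nothing saved),
# so an empty set never overwrites a previous good backup.
backup_set() {
    local name="$1" n
    n=$("$IPSET" list "$name" | count_members)
    if [ "$n" -gt 0 ]; then
        "$IPSET" save "$name" -f "$BACKUP_DIR/$name.save" || return 2
        echo "$name: $n member(s) backed up"
        return 0
    fi
    echo "$name: empty - nothing backed up"
    return 1
}

# backup_all: iterate over every set currently loaded (ipset list -n prints
# just the set names) and back up each one that has members.
backup_all() {
    local s
    mkdir -p "$BACKUP_DIR"
    for s in $("$IPSET" list -n); do
        backup_set "$s" || true
    done
}

# Top-level call is guarded by a "run" argument so the file can also be sourced
# (e.g. by a test) without touching the live sets; cron would call it with "run".
if [ "${1:-}" = "run" ]; then
    backup_all
fi
```

A cron entry for this version would call the script with the `run` argument, e.g. `30 2 * * * /path/to/ipset-backup-all.sh run`.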
...
...
Deleting a list
You might want to delete a list. To do so you can use the 'destroy' command:
...
Note that you first need to remove any iptables rules that reference the list, because ipset will not destroy a set that is still in use. See the section Enabling the list in iptables above for details on how to do this.
...
- https://linux-audit.com/blocking-ip-addresses-in-linux-with-iptables/
- https://unix.stackexchange.com/questions/401984/how-to-import-multiple-ips-to-ipset
- http://xmodulo.com/block-unwanted-ip-addresses-linux.html
- https://strongarm.io/blog/linux-firewall-performance-testing/
- https://linoxide.com/linux-how-to/block-ips-country-ipset/
- https://selivan.github.io/2018/07/27/ipset-save-with-ufw-and-iptables-persistent-and.html
...