Questions tagged [ipset]
IP sets are a Linux kernel framework for efficiently storing and managing sets of IP addresses and/or network interfaces.
49 questions
2 votes, 1 answer, 238 views
Iptables: Redirect IP matched request to dedicated server port
I have an iptables configuration problem that I cannot seem to solve.
I have a list of known bad IP addresses that I block from accessing my server via ipset and iptables.
The original approach has been to ...
0 votes, 0 answers, 840 views
How to correctly remove entries from firewalld ipset runtime?
Running Debian 12
I have created an IPSet in the following manner:
~$ firewall-cmd --permanent --new-ipset=myipset --type=hash:ip --option=timeout=0
success
~$ firewall-cmd --reload
success
~$ ...
0 votes, 0 answers, 204 views
Another iptables/ipset issue where connections are not being blocked
The listing at the bottom of this question is the output from "iptables-save" on my Debian system.
I set up an ipset list called "manual-block" to contain addresses of connections ...
0 votes, 1 answer, 888 views
fail2ban ipset proper setup of jail.conf
My understanding is that running Fail2ban using ipset is faster. To that end:
I downloaded and installed per instructions (modified for Fedora 37) ritsu/ipset-fail2ban from Git.
My banaction is still ...
0 votes, 1 answer, 269 views
Having trouble with ipset behaviour
I have a script that populates ipsets and then I do:
/sbin/iptables -I INPUT -m set --match-set ipsum src -j DROP
Now I'm not sure how this works out for other ports, but I know that if I want the addresses ...
0 votes, 1 answer, 511 views
firewalld apply interface zone after ipset zone match
I have a firewalld setup with two zones.
One zone, some-ips-allowed, is used to permit traffic from specific IP networks on some ports:
some-ips-allowed (active)
target: default
icmp-block-...
0 votes, 1 answer, 343 views
How can I organize the IPs/CIDR when executing restore ipset?
I have this bash script for ipset v7.15 (run on Ubuntu 22.04), courtesy of Martin (which I have modified somewhat for this question):
ipset create -! blacklist hash:net family inet hashsize 1024
...
1 vote, 0 answers, 211 views
Where do I find all the ipset options?
Where do I find all the ipset options (ipset v7.15)?
The online man ipset page does not list them all. I didn't find them on the command line either, by running:
man ipset
ipset --help
For example, these options:
ipset -...
0 votes, 1 answer, 2k views
How to add multiple IPs/CIDRs with ipset save and restore options
I have this loop to block IPs and CIDRs with ipset/iptables:
# this is just an example. the actual list IPs/CIDR is very large
cat blockip.txt
13.31.0.254
cat blockcidr.txt
13.32.0.0/15
Loop:
#!/bin/...
0 votes, 0 answers, 155 views
Is there a way to capture packages by using tcpdump with ipset?
I got a big ipset and I want to capture networking packages related/not-related to these IPs.
Is there a way to capture packages by using tcpdump with ipset as param?
0 votes, 0 answers, 1k views
How to block an IPv4 list with iptables/ipset, but exclude certain ports
I have the following rules in a bash script (in that order):
# blocklist.txt contains:
#192.168.1.39
for ip in $(cat blocklist.txt); do
iptables -I INPUT -s $ip -p tcp -m multiport --dports 137:139,445 -...
0 votes, 0 answers, 328 views
nftables or fw4 issue with timebased traffic rules
Since OpenWRT ver > 22.3 uses nftables instead of iptables, I have an issue with some firewall (fw4) time-based traffic rules that I have no idea how to solve.
The firewall rule is as ...
0 votes, 1 answer, 259 views
Shorewall: IPSet from blrules not applying
We're hoping to make use of IPSet to manage temporary IP blocking from sources (CSF+LFD, fail2ban, wherever relevant). The purpose would be that routers using Shorewall at the edges would make use of ...
3 votes, 2 answers, 2k views
In Linux how to add a route to a prefix via a specific device with certain destinations in that prefix going via default route?
I'm currently dealing with a VPN whose connection endpoint lies within the subnet whose prefix shall be tunneled via that specific VPN.
Essentially the problem thus boils down to match against a (...
0 votes, 0 answers, 346 views
Addresses not always added to set (iptables)
We use iptables with ipset lists on our network boundary. Generally this works well. I have updated the rules to catch more activity and found that a rule to update a set does not always seem to ...
0 votes, 1 answer, 237 views
Allow only SYN packets to port 80 matching an ipset
I have an ipset named allowList.
I want to allow every connection to my machine on every port except port 80, where I want to allow connections only for the ipset allowList.
I want to target only ...
1 vote, 0 answers, 697 views
How to combine ipset IPv4 and IPv6 configurations
I'm running Arch Linux and referring to Simple stateful firewall - ArchWiki.
I have two different bash scripts for creating my iptables rules: one for IPv4 and another for IPv6. Each creates one or ...
1 vote, 0 answers, 508 views
iptables - how does one use multiple PREROUTING sources to force DNS traffic through a particular IP?
I know this question has been asked historically, but the answers I have yet to find are not all too helpful in this one niche use case.
I currently have one router running DD-WRT on 192.168.0.1, one ...
1 vote, 1 answer, 408 views
Ratelimit IPs for UDP traffic in ipset list before being sent over GRE tunnel
I am using nat DNAT to forward traffic on a certain port to another CentOS server over a GRE tunnel; however, I want to rate limit a bunch of datacenter IPs I have in an ipset list 'blacklist'. So that ...
2 votes, 0 answers, 147 views
Where can I find IPv6 blacklists [duplicate]
We have blacklists in place to stop traffic from known bad actors. There are plenty of resources such as the lists below but I am not finding any results for ipv6 blacklists. Does anyone know where I ...
1 vote, 3 answers, 6k views
Ipset with Iptables with large list of IP ranges (CIDR)
I have read some answers here about blocking IP address ranges, and have already used iptables for this purpose before. It is suggested to use ipset in combination with iptables.
I have only ...
1 vote, 0 answers, 358 views
ipset or iptables keeps crashing my server?
I'm trying to work out why this keeps crashing my server. Weirdly, the server stays up - but nothing can be reached (FTP, Apache, nginx, emails etc). The script is:
#!/bin/bash
ipset -q flush ...
1 vote, 1 answer, 1k views
ipset rules on iptables do not match
I want to block all IP addresses except those from a specific country. So I installed ipset and downloaded the IP range list from ipdeny.com and did this:
ipset create allow-list hash:net
for i in $( cat /...
2 votes, 1 answer, 935 views
firewalld, `--add-rich-rule` and missing blacklist set
My server uses CentOS 8, quite recently installed (~1 year).
After trying to ban an IP:
firewall-cmd --permanent --zone=extz --add-rich-rule='rule family="ipv4" source address="49.88.112....
4 votes, 0 answers, 4k views
IPsets in FirewallD with Nftables backend
I upgraded my server to Fedora 32. Firewalld has switched the backend to Nftables.
My setup is pretty simple. Just HTTP, HTTPS, SSH, SMTP ports open and multiple IPsets (IPv4, IPv6) to block a preset ...
0 votes, 1 answer, 607 views
ipset iptables drop all exclude ports but via rate limit
I have a simple ipset map to track suspicious IPs.
These are my commands:
ipset flush
ipset -q destroy banlists
ipset create banlists hash:ip comment family inet hashsize 2048 maxelem 1048576 timeout 300
...
0 votes, 1 answer, 211 views
Misunderstanding with configuring iptables
Is it possible to create iptables logic in such a way?
accept ssh,http,https
drop connection if such ip is already connected (only 1 connection per ip / 1 second).
put to blacklist (ipset I guess) if ...
1 vote, 3 answers, 2k views
Using fail2ban, ipset and iptables to block bad IP addresses on Google Compute Engine
I am running Ubuntu Linux 16.04 on a GCP Compute Engine VM instance. This is hosting a web server for a web application. I need feedback from the community about verification that what I have set ...
0 votes, 1 answer, 4k views
Add ip to ipset with port
I would like to block IPs when they connect on a given port, e.g. 1.1.1.1 on port 443.
I create the ipset like this:
sudo ipset -N blockdaily nethash maxelem 2500000
I can add an IP to it like ...
1 vote, 1 answer, 2k views
How to use iptables and ipset for destination host redirect to another server?
How to block access to a list of sites and show a notification page?
This example, blocking without a page, works correctly:
iptables -I FORWARD -m set --match-set site src,dst -j DROP
I try to ...
4 votes, 1 answer, 8k views
How to block both IPv4 and IPv6 with ipset on Ubuntu 16.04?
So I have the following script that blocks IPs:
#!/bin/bash
# here's your list of IPS
CURRENT_BL=/path/to/my/ip_black_list.txt
# create/flush recreate the tables
iptables -F BLACKHOLE
iptables -N ...
4 votes, 1 answer, 2k views
Why is FirewallD not blocking IPs with 'reject' rules?
My setup is as follows:
fail2ban with some jails (working fine) using FirewallD to block the caught IPs.
Here is my default Firewall:
myzone
target: default
icmp-block-inversion: no
...
3 votes, 0 answers, 2k views
GeoIP vs IPset performance in iptables
I would like to ask which is faster in terms of performance: GeoIP or IPset.
Let me explain: imagine that I have this rule:
iptables -A INPUT -m geoip ! --src-cc US,UK,CA -j DROP
And imagine that I ...
2 votes, 1 answer, 1k views
Why does ipset succeed on adding ipv4 ranges, but fail on adding ipv6 range?
Using ipset to clean up bulky iptable rulesets does not seem so different between IPv4 and IPv6:
# ipset create TEST hash:net family inet
# ipset create DEMO hash:net family inet6
# iptables -A INPUT ...
0 votes, 3 answers, 7k views
How to update an ipset name-based entry
I need to handle on my firewall (Firehol, which is then transformed into iptables) a few dynamic entries. In an ideal world I would use a name (instead of an IP address) which always points to the ...
0 votes, 1 answer, 4k views
ipset loaded from file?
How do I load ipset definitions (one setname or more) on reboot from a certain file?
For example, I have SSH access to a Linux box and want to update the setname periodically in such a way that I have one simple ...
0 votes, 1 answer, 1k views
CentOS firewalld ipset: blacklist IP CIDRs on specific ports
I found this link regarding how to set up a blacklist xml file for firewalld:
ipset instructions
Clear enough, but I don't want to drop access for all ports, just 80 and 443. Suggestions? (BTW the ...
0 votes, 1 answer, 885 views
fail2ban create jail failed
I have Debian Jessie, with fail2ban v0.8.13 and Virtualmin.
I use iptables, but firewallD was installed and uninstalled; maybe that's the problem....
The problem is this, for all jails:
2017-09-20 11:33:...
3 votes, 1 answer, 1k views
Why does the 'nomatch' option of ipset not work in this case?
I am using ipset 6.23-2 on Debian Jessie. I created a hash:net set and an iptables rule to drop all traffic from addresses in the set.
Chain INPUT (policy ACCEPT)
target prot opt source ...
0 votes, 1 answer, 1k views
IP white list for docker containers with iptables and ipset
I want to restrict access to docker container ports just from specified IPs.
I set up iptables rules with ipset.
I have exposed the port 8888. The requests from port 8888 are forwarded to simple ...
1 vote, 2 answers, 8k views
Traffic shaping with iptables, ipset and tc (--match-set and --set-mark)
I am having some trouble with what I believe should be a fairly straightforward traffic shaping problem.
I have an Ubuntu (16.04) server that is acting as a router/nat. I want to allow most users to ...
0 votes, 2 answers, 2k views
replacing a runtime instance of ipset
I have a running instance of iptables and ipset services. Among them one set has a spec similar to this that has 20+ references to it:
create_set foo ipmap --network 123.45.67.0/24
add_to_set foo ...
1 vote, 3 answers, 24k views
Configure Iptables with Ipset
I would highly appreciate it if someone could help on a quite simple ipset rule I am trying to set up. I cannot really understand why it does not seem to work. So here it goes:
I create a simple file ...
2 votes, 1 answer, 2k views
ipset not being applied to iptables
I'm trying to filter out a country that keeps probing my SMTP server (CentOS6) and I can't seem to get the ipset to work out right in iptables.
I downloaded that country's IP addresses from ipdeny....
0 votes, 1 answer, 362 views
iptables ipset misconfiguration?
I'm looking for a solid method to block unwanted TCP/IP traffic.
On my Linux machine, iptables and ipset seem to offer a nice way to do so.
Until now I've done this:
ipset create ipsok hash:net ...
0 votes, 1 answer, 3k views
no package ipset available (centos EL5 x86_64)
I want to install ipset, but none of my repos seem to have it when I run
yum install ipset
[root@ora1 /]# cd /etc/yum.repos.d/
[root@ora1 yum.repos.d]# ls
CentOS-Base.repo CentOS-Debuginfo.repo ...
4 votes, 1 answer, 2k views
Can I use iptables to rate limit an ipset?
Is it possible to use iptables to rate limit an ipset?
I know you can use ipset to create a block list named blacklist
i.e.
ipset create blacklist hash:ip
iptables -I INPUT -m set --match-...
2 votes, 3 answers, 6k views
IPTables add an IP to IPSet list
How to correctly add an IP address to ipset from an iptables rule?
Or isn't that possible at all?
This rule doesn't work for me: -A INPUT -m recent --name IP_LIST --set
Type of IP_LIST is hash:net
...
1 vote, 1 answer, 6k views
Using Ipset and Iptables for MAC address filtering
I use MAC address filtering on my Linux router. Here is what I have done:
iptables -A INPUT -i eth5 -m mac --mac-source 00:07:e9:84:2b:99 -j RETURN #User: Someuser
iptables -A INPUT -i eth5 -j DROP
...