Fli
09-29-2017, 10:37 AM
I did this on CentOS 6 with the 2.6.32 kernel, but it can be done on Debian/Ubuntu etc.
Install ipset:
RHEL/CentOS:
yum install ipset
Debian/Ubuntu:
apt-get install ipset
Create a new ipset called, for example, "badips":
ipset create badips iphash maxelem 1000111222
(iphash defines the set type, maxelem the max. number of IPs. In my case it seems like one IP is about 20 bytes, so a million IPs would be roughly 20 MB in RAM, I assume.)
OR
ipset create badips hash:net maxelem 1000111222
(this one may be better if blocking large subnets in CIDR format, e.g. 1.2.0.0/16)
Add an IP to / delete an IP from badips:
ipset add badips BadIPHere
ipset del badips BadIPHere
List badips:
ipset list
ipset list badips
service ipset status (just details of the ipsets, not listing particular IPs)
Activate blocking of all badips by adding the following rule to iptables:
iptables -A INPUT -m set --match-set badips src -j DROP
(Sidenote #2: some people advise using "-I INPUT 1" instead of "-A INPUT" to increase the speed of handling bad traffic.)
In case of a HyperVM/VPS host node (a server that forwards traffic to virtual servers), one probably has to add the rule to the FORWARD chain instead of the INPUT chain.
Save IPsets to a file:
Try to install iptables-services: yum install iptables-services; systemctl enable iptables
(it should auto-restore ipsets at reboot)
Save the ipsets and then the iptables rules where the ipset rule is called:
ipset save > /etc/sysconfig/ipsets
service iptables save
Restore IPsets from a file:
ipset restore < /etc/sysconfig/ipsets -exist
(-exist will proceed even if there are soft errors, like the ipset we are importing already existing or attempting to delete non-existing entries)
Save changes made in iptables (with some delay, if all works): iptables-save > /etc/sysconfig/iptables (it should auto-restore ipsets at reboot)
---
If using the HyperVM control panel, I made sure (https://internetlifeforum.com/virtualisation/8970-hypervm-openvz-vps-ips-added-placed-top-iptables-forward-chain/) it is appending forward rules for VPSs to the chain instead of inserting them at the top of the FORWARD chain (the ipset rule for the whitelist ipset has to be at the top, blacklists below that, and then the regular rules).
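As an added example (not code from the post above): a small bash script that turns a plain-text list of bad IPs/subnets into an "ipset restore" file, loads it atomically through a temporary set and a swap instead of one "ipset add" per address, and inserts the whitelist/blacklist rules in the order the post describes (whitelist ACCEPT on top, blacklist DROP below, regular rules after). The set names badips and goodips, the file paths and the sample list are assumptions; IPv4 only.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Builds an "ipset restore"
# script from a plain-text blocklist and wires the sets into iptables in the
# order the post describes (whitelist ACCEPT above blacklist DROP).
# Assumptions: set names "badips"/"goodips", IPv4 only, hash:net sets.
set -u

# Return 0 if $1 is a syntactically valid IPv4 address or IPv4 CIDR prefix.
is_ipv4_or_cidr() {
    local entry="$1" ip mask octet
    ip="${entry%%/*}"
    if [ "$ip" != "$entry" ]; then            # entry has a "/mask" part
        mask="${entry#*/}"
        case "$mask" in ''|*[!0-9]*) return 1 ;; esac
        [ "$mask" -le 32 ] || return 1
    fi
    local IFS=.
    set -- $ip                                # split on dots into $1..$4
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read one IP/CIDR per line on stdin ('#' comments and blank lines ignored)
# and print an "ipset restore" script for set $1. Entries go into a temporary
# set that is then swapped in, so the live set referenced by iptables is
# replaced atomically instead of being flushed and refilled while traffic
# flows. Feed the output to "ipset restore -exist": the create lines must
# succeed when the sets already exist (their parameters must match the live
# set), and -exist also tolerates duplicate entries in the list.
build_restore_script() {
    local set_name="$1" tmp="${1}_tmp" line entry
    local params="hash:net family inet hashsize 1024 maxelem 65536"  # raise maxelem for bigger lists
    echo "create $set_name $params"
    echo "create $tmp $params"
    echo "flush $tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                                   # strip trailing comment
        entry="$(printf '%s' "$entry" | tr -d '[:space:]')"   # strip blanks and CR
        [ -n "$entry" ] || continue
        if is_ipv4_or_cidr "$entry"; then
            echo "add $tmp $entry"
        else
            echo "build_restore_script: skipping invalid entry '$entry'" >&2
        fi
    done
    echo "swap $tmp $set_name"
    echo "destroy $tmp"
}

# Insert the set rules into chain $1 (INPUT on a normal host, FORWARD on a
# VPS host node that forwards traffic): whitelist $2 ACCEPT at position 1,
# blacklist $3 DROP at position 2, so both sit above the regular rules.
# "-C" checks for the rule first, making repeated runs idempotent.
# Needs root, and both sets must already exist.
install_set_rules() {
    local chain="$1" white="$2" black="$3"
    iptables -C "$chain" -m set --match-set "$white" src -j ACCEPT 2>/dev/null ||
        iptables -I "$chain" 1 -m set --match-set "$white" src -j ACCEPT
    iptables -C "$chain" -m set --match-set "$black" src -j DROP 2>/dev/null ||
        iptables -I "$chain" 2 -m set --match-set "$black" src -j DROP
}

# Persist the way the post does (CentOS paths): sets first, then the rules
# that reference them, so both come back at reboot.
persist_rules() {
    ipset save > /etc/sysconfig/ipsets
    service iptables save
}

# Typical run (as root), assuming /etc/badips.txt holds the blocklist:
#   build_restore_script badips < /etc/badips.txt | ipset restore -exist
#   ipset create goodips hash:net family inet -exist
#   install_set_rules INPUT goodips badips
#   persist_rules
```

Re-running the first command after editing /etc/badips.txt rebuilds badips_tmp and swaps it in, so the DROP rule keeps matching throughout; invalid lines are reported on stderr and skipped rather than aborting the whole restore.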