How do I manage IP sets with iptables?
-
The ipset command manages named sets of IP addresses, networks, ports or other entries of various types, and iptables has a match option to test packets against such a set.
Say you want iptables to drop packets from a number of networks. You can add one rule per network:
$ sudo iptables -A INPUT -s 10.0.0.0/8 -j DROP
$ sudo iptables -A INPUT -s 172.16.0.0/12 -j DROP
$ sudo iptables -A INPUT -s 192.168.0.0/16 -j DROP
or create an ipset and have a single iptables rule match against it. First create a set of type hash:net, which holds networks in CIDR notation:
$ sudo ipset create block-ips hash:net
Add the networks to the set named block-ips:
$ sudo ipset add block-ips 10.0.0.0/8
$ sudo ipset add block-ips 172.16.0.0/12
$ sudo ipset add block-ips 192.168.0.0/16
Verify the contents of the set:
$ sudo ipset list block-ips
Name: block-ips
Type: hash:net
Revision: 3
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16880
References: 0
Members:
192.168.0.0/16
10.0.0.0/8
172.16.0.0/12
Then add a single iptables rule that matches the packet's source address against the set (the option is --match-set; older iptables versions also accept the deprecated spelling --set):
$ sudo iptables -A INPUT -m set --match-set block-ips src -j DROP
Using ipset makes it easy to manage a large number of blocked addresses, because they are grouped into one set that a single iptables rule references, and the set can be changed without touching the rule.
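As an added example that is not part of the original post, the following POSIX shell script turns a plain-text list of CIDRs into an ipset restore script that replaces the members of block-ips in one step: the new members are loaded into a temporary set, which is then swapped with the live set, so the iptables rule never sees an empty or half-loaded set. ipset restore aborts at the first malformed line, so entries are validated before they are emitted. The script only prints the restore commands (pipe its output into sudo ipset restore to apply them); the set names and the sample list are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): render an `ipset restore`
# script that atomically replaces the members of the block-ips set.
# Only prints the commands, so it runs without root; apply with
#   sh this_script.sh | sudo ipset restore
# Set names and the sample list below are assumptions.

SET_NAME="block-ips"
TMP_SET="${SET_NAME}-tmp"

# Constructed sample blocklist: one CIDR per line, '#' comments and blank
# lines allowed, plus one malformed entry to show that it is skipped.
SAMPLE_LIST='# constructed sample, not a real blocklist
10.0.0.0/8
172.16.0.0/12

not-an-address
192.168.0.0/16
'

# True if the argument looks like an IPv4 address or IPv4 CIDR.
# ipset restore stops at the first bad line, so validating here keeps a
# typo in the list from leaving the set half-loaded.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Read CIDRs from stdin and print the restore script on stdout.
# Members are built in a temporary set of the same type, then swapped in,
# so the live set referenced by the iptables rule is replaced in one step.
render_ipset_restore() {
    set_name="$1"
    tmp_set="$2"
    printf 'create %s hash:net -exist\n' "$set_name"
    printf 'create %s hash:net -exist\n' "$tmp_set"
    printf 'flush %s\n' "$tmp_set"
    while IFS= read -r entry; do
        case "$entry" in
            ''|'#'*) continue ;;
        esac
        if is_ipv4_cidr "$entry"; then
            printf 'add %s %s\n' "$tmp_set" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
    printf 'swap %s %s\n' "$tmp_set" "$set_name"
    printf 'destroy %s\n' "$tmp_set"
}

# Number of 'add' lines in a rendered script, for a sanity check before applying.
count_adds() {
    grep -c '^add '
}

# Print the restore script for the sample list.
printf '%s' "$SAMPLE_LIST" | render_ipset_restore "$SET_NAME" "$TMP_SET"
```

The swap works because both sets are created with the same type (hash:net), which ipset requires; the -exist flag makes the create lines harmless when the sets already exist, so the script can be re-run from cron or a deploy hook every time the list file changes.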
© Lightnetics 2024