Installing and using ipset

ipset is a tool made up of a kernel module, libraries and a userspace utility that lets you maintain sets (lists) of networks, IP or MAC addresses, ports and so on; such a list is very convenient to use together with iptables, for example, because a single rule can match thousands of entries.

Installation command in Ubuntu:

sudo apt install ipset

Installation on CentOS:

yum install ipset

The possible list types are:
net (networks, for example 192.168.5.0/24)
ip (single IP addresses, for example 192.168.5.5)
mac (MAC addresses, for example 11:22:33:44:55:66)
port (ports, convenient when creating ip,port lists)
iface (network interfaces, convenient when creating ip,iface lists)

Here are some examples of creating a list (where test is the name of the list):

ipset -N test nethash
ipset create test nethash
ipset create test hash:net
ipset create test hash:ip
ipset create test hash:ip,port
ipset create test hash:ip,iface
ipset create test hash:mac

Examples of adding entries to the lists:

ipset add test 192.168.5.5/24
ipset add test 192.168.5.5
ipset add test 192.168.5.5,80
ipset add test 192.168.5.5,udp:1812
ipset add test 192.168.5.5,eth0
ipset add test 11:22:33:44:55:66

An example of removing an item from the list:

ipset del test 192.168.5.5

If the same elements are added repeatedly, for example by scripts, add the "-exist" option to the command so that no extra error messages are printed when the element is already in the list, for example:

ipset add test 192.168.5.5 -exist

ipset never stores duplicate items: if you add several identical items, the list will still contain only one of them.

Example of viewing lists:

ipset -L
ipset -L | wc -l
ipset --list

View a specific list (where test is the name of the list):

ipset -L test

You can rename the list like this:

ipset -e OLDNAME NEWNAME

Once the list exists, whether it is filled manually or by a script using ipset, it is very convenient to use it with iptables to deny access to the server from all addresses in the list:

iptables -I INPUT -m set --match-set test src -j DROP

Or the inverse (accept everyone not in the list; addresses that are in the list fall through to the remaining rules or the chain policy):

iptables -I INPUT -m set ! --match-set test src -j ACCEPT
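As an added example (not part of the original article), here is how a script can fill a list from a file using the -exist option described above and load it in one atomic step with ipset restore, so the firewall rule never sees a half-loaded list. The set name blocklist and the sample feed are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: build an "ipset restore" batch
# that refreshes a hash:net list atomically and reference it from iptables.
# The set name "blocklist" and the sample addresses are constructed here.

# Keep only syntactically plausible IPv4 addresses or CIDR networks; comments,
# blank lines and junk from the feed are dropped before they reach ipset.
filter_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Emit an ipset restore batch on stdout. A temporary set is filled first and
# then swapped with the live one, so the live set is replaced in one step.
gen_restore() {   # $1 = set name; feed entries are read from stdin
    set_name=$1
    printf 'create %s hash:net -exist\n' "$set_name"
    printf 'create %s_tmp hash:net -exist\n' "$set_name"
    printf 'flush %s_tmp\n' "$set_name"
    filter_cidrs | while IFS= read -r entry; do
        # -exist: a duplicate entry in the feed does not abort the restore
        printf 'add %s_tmp %s -exist\n' "$set_name" "$entry"
    done
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# Number of feed lines that survived filtering, useful for a log line.
count_entries() { filter_cidrs | wc -l | tr -d ' '; }

# Constructed sample feed: a comment, a duplicate entry and a junk line.
SAMPLE_FEED='# constructed sample feed
192.168.5.0/24
192.168.5.5
192.168.5.5
not-an-address
10.0.0.0/8'

# Print the batch. To apply it as root (not run here):
#   ipset restore < blocklist.restore
# Then add the rule once; reloading the set later never touches the rule:
#   iptables -C INPUT -m set --match-set blocklist src -j DROP 2>/dev/null ||
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
printf '%s\n' "$SAMPLE_FEED" | gen_restore blocklist
```

The duplicate 192.168.5.5 appears twice in the batch but only once in the loaded set, which is exactly the -exist behaviour the article describes.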

See also my articles:
The script for adding IP addresses from a file to ipset
Configure IPTables
