Difference between revisions of "Ipset"

From ArchWiki
(Initial version)
 
(Added usage information)
Line 10: Line 10:
 
{{Article summary end}}
 
{{Article summary end}}
  
[http://ipset.netfilter.org/ ipset] is a companion application for the [[iptables]] Linux [[firewall]]. It allows you to setup rules to quicly and easily block a set of IP addresses, among other things.
+
[http://ipset.netfilter.org/ ipset] is a companion application for the [[iptables]] Linux [[firewall]]. It allows you to setup rules to quickly and easily block a set of IP addresses, among other things.
  
 
== Installation ==
 
== Installation ==
 +
 +
A [https://aur.archlinux.org/packages.php?ID=16553 package for ipset] can be installed from the [[AUR]].
  
 
== Configuration ==
 
== Configuration ==
 +
 +
=== Blocking a list of addresses ===
 +
 +
Start by creating a new "set" of network addresses. This creates a new "hash" set of "net" network addresses named "myset".
 +
 +
# ipset create myset hash:net
 +
 +
Add any IP address that you'd like to block to the set.
 +
 +
  # ipset add myset 14.144.0.0/12
 +
  # ipset add myset 27.8.0.0/13
 +
  # ipset add myset 58.16.0.0/15
 +
 +
Finally, configure [[iptables]] to block any address in that set. This command will add a rule to the "INPUT" chain to "-m" match the set named "myset" from ipset (--match-set) when it's a "src" packet and "DROP", or block, it.
 +
 +
  # iptables -I INPUT -m set --match-set myset src -j DROP
 +
 +
== Other Commands ==
 +
 +
To view the sets:
 +
 +
  # ipset list
 +
 +
To delete a set named "myset":
 +
 +
  # ipset destroy myset
 +
 +
To delete all sets:
 +
 +
  # ipset destroy
 +
 +
Please see the man page for ipset for further information.
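Review bot: In the added "Blocking a list of addresses" section, the first command, "# ipset create myset hash:net", starts at column 0, while every other added command is indented. In wiki markup a line beginning with "#" is an ordered-list item, so this one will not render as a preformatted command like the rest; indent it to match. The sentence "Add any IP address that you'd like to block to the set" is also followed only by CIDR networks (/12, /13, /15), so it should say "address or network". The "Other Commands" section adds "ipset destroy myset" right after a section that creates an iptables rule referencing "myset", without saying whether that rule has to be removed first; a sentence on that would help.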

Revision as of 03:40, 23 November 2011

Information regarding the setup and configuration of ipset.
Related: Firewalls, Iptables

ipset is a companion application for the iptables Linux firewall. It allows you to set up rules to quickly and easily block a set of IP addresses, among other things.

Installation

A package for ipset can be installed from the AUR.

Configuration

Blocking a list of addresses

Start by creating a new "set" of network addresses. This creates a new "hash" set of "net" network addresses named "myset".

 # ipset create myset hash:net

Add any IP address or network (in CIDR notation) that you'd like to block to the set.

 # ipset add myset 14.144.0.0/12
 # ipset add myset 27.8.0.0/13
 # ipset add myset 58.16.0.0/15

Finally, configure iptables to block any address in that set. This command inserts ("-I") a rule into the "INPUT" chain that uses the set match ("-m set") to check whether the packet's source address ("src") is in the ipset set named "myset" ("--match-set") and, if it is, jumps to "DROP", which blocks the packet.

 # iptables -I INPUT -m set --match-set myset src -j DROP
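
The same procedure for a whole blocklist file, as an added example (not part of the original article): it validates every entry, then emits input for `ipset restore` that fills a scratch set and swaps it into "myset", so the iptables rule above keeps matching throughout. The scratch set name "myset-tmp" and the one-entry-per-line file format with "#" comments are assumptions.

```sh
#!/bin/sh
# Added example (not ArchWiki's own script). Assumptions: blocklist lines are
# IPv4 addresses or CIDR networks; the "<set>-tmp" scratch set name.

# valid_cidr ENTRY: succeed only for a.b.c.d or a.b.c.d/len with len 1-32
# (hash:net cannot store a zero-length prefix).
valid_cidr() {
    case $1 in
        */*) addr=${1%/*}; len=${1##*/} ;;
        *)   addr=$1; len=32 ;;
    esac
    case $addr in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    case $len in ''|*[!0-9]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    [ ${#len} -le 2 ] && [ "$len" -ge 1 ] && [ "$len" -le 32 ]
}

# gen_restore [SET]: read one entry per line on stdin and print input for
# `ipset restore`. Prints nothing and returns 1 if any entry is rejected.
gen_restore() {
    set_name=${1:-myset}; tmp_name="${set_name}-tmp"; adds=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # drop whitespace
        [ -n "$line" ] || continue
        if ! valid_cidr "$line"; then
            printf 'rejected entry: %s\n' "$line" >&2
            return 1
        fi
        adds="${adds}add ${tmp_name} ${line} -exist
"
    done
    printf 'create %s hash:net -exist\n' "$set_name" "$tmp_name"
    printf 'flush %s\n' "$tmp_name"
    printf '%s' "$adds"
    # swap exchanges the two sets' contents, so the iptables rule that
    # references the live set never sees it empty or missing.
    printf 'swap %s %s\ndestroy %s\n' "$tmp_name" "$set_name" "$tmp_name"
}

# Usage (as root): gen_restore myset < blocklist.txt | ipset restore
```

Because a rejected entry produces no output at all, a malformed or tampered blocklist leaves the existing set untouched instead of loading a partial one.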

Other Commands

To view the sets:

 # ipset list

To delete a set named "myset":

 # ipset destroy myset

To delete all sets:

 # ipset destroy

Please see the man page for ipset for further information.