Blocking a list of addresses
Start by creating a new "set" of network addresses. This creates a new "hash" set of "net" network addresses named "myset".
# ipset create myset hash:net
Add the addresses or networks you want to block to the set, one command per entry. hash:net stores networks, so any host bits in an entry are masked off to the prefix length you give:
# ipset add myset 22.214.171.124/12
# ipset add myset 126.96.36.199/13
# ipset add myset 188.8.131.52/15
Finally, configure iptables to drop traffic from any address in that set. This command inserts a rule at the top of the INPUT chain (-I INPUT) that uses the set match module (-m set) to test whether the packet's source address is in the set named myset (--match-set myset src) and drops it (-j DROP). Running the command a second time inserts a second, identical rule, so check for an existing one with iptables -C before adding it from a script. The rule only covers traffic addressed to this host; forwarded traffic would need the same match in the FORWARD chain.
# iptables -I INPUT -m set --match-set myset src -j DROP
Making ipset persistent
The sets you create live only in kernel memory and are lost on reboot. To make them persistent, save them to /etc/ipset.conf:
# ipset save > /etc/ipset.conf
Then enable ipset.service, which loads that file again at boot with the ipset restore command. Make sure the sets are restored before the iptables rules are: a rule that references a set which does not exist yet is rejected. Note that the iptables rule itself is not stored in /etc/ipset.conf and has to be saved separately (for example with iptables-save).
Blocking With PeerGuardian and Other Blocklists
The pg2ipset tool by the author of maeyanie.com, together with the ipset-update.sh script, can be run from cron to refresh various blocklists automatically. By default it implements country blocking, Tor exit node blocking and loading of PeerGuardian (pg2) lists from Bluetack. These tools are not currently in the AUR, but they are easy enough to set up in a location of your choice.
These tools can be found at github: https://github.com/ilikenwf/pg2ipset
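The pieces involved are the same whether the entries are typed by hand as in "Blocking a list of addresses" or come from a PeerGuardian list as pg2ipset does: a hash:net set, a list of networks, and a reload that does not leave the set half empty while the iptables rule is live. The script below is an added example written for this page; it is not pg2ipset or ipset-update.sh. It reads a p2p-format list (description:first_ip-last_ip per line, the format pg2ipset consumes), splits each range into CIDR blocks (hash:net stores networks, not arbitrary ranges), merges overlapping blocks, and emits text for ipset restore that fills a temporary set and then swaps it with the live one. The set names "blocklist" and "blocklist-new", the file name p2p2ipset.py and the embedded sample list are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Turn a PeerGuardian-style p2p blocklist into an `ipset restore` file.

Added example for this page; it is not pg2ipset or ipset-update.sh. It
assumes the p2p text format "description:first_ip-last_ip" (one inclusive
range per line, '#' starts a comment) and writes the create/add/swap syntax
that `ipset restore` consumes.
"""
import ipaddress
import re
import sys

# One p2p line: free-text description, a colon, then an inclusive IPv4 range.
P2P_LINE = re.compile(r"^(?P<name>.*):(?P<first>[0-9.]+)-(?P<last>[0-9.]+)$")

# Constructed sample in p2p format (not a real blocklist), used when no file
# is given so the script runs stand-alone.
CONSTRUCTED_LIST = """\
# constructed sample, not a real blocklist
example range one:10.0.0.0-10.0.0.255
example range two:10.0.0.128-10.0.1.255
odd-sized range:192.0.2.3-192.0.2.6
"""


def parse_p2p(text):
    """Return (first, last) IPv4Address pairs; reject malformed lines loudly
    rather than silently shrinking the blocklist."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = P2P_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a p2p range: {raw!r}")
        first = ipaddress.IPv4Address(m["first"])
        last = ipaddress.IPv4Address(m["last"])
        if last < first:
            raise ValueError(f"line {lineno}: range ends before it starts: {raw!r}")
        ranges.append((first, last))
    return ranges


def ranges_to_networks(ranges):
    """Split inclusive ranges into aligned CIDR blocks and merge overlaps.

    hash:net holds prefixes, so a range like .3-.6 becomes .3/32, .4/31, .6/32.
    Collapsing adjacent and overlapping blocks keeps the set small.
    """
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))


def restore_script(setname, networks, maxelem=65536):
    """Build `ipset restore` text that replaces SETNAME's contents atomically.

    Entries are loaded into a scratch set which is then swapped with the live
    set, so an iptables rule matching SETNAME never sees a partially loaded
    list. Both sets are created with the same parameters because swap
    requires sets of the same type. On runs after the first the create lines
    hit existing sets, which is why the caller uses `ipset -exist restore`.
    """
    tmp = f"{setname}-new"  # assumed scratch name; any unused name works
    lines = [
        f"create {setname} hash:net family inet maxelem {maxelem}",
        f"create {tmp} hash:net family inet maxelem {maxelem}",
        f"flush {tmp}",  # clears leftovers if an earlier run was interrupted
    ]
    lines += [f"add {tmp} {net.with_prefixlen}" for net in networks]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = CONSTRUCTED_LIST
    nets = ranges_to_networks(parse_p2p(text))
    sys.stdout.write(restore_script("blocklist", nets))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python3 p2p2ipset.py /path/to/list.p2p | ipset -exist restore (the -exist option makes the create lines harmless once the sets exist), then add the match rule once, guarded so repeated cron runs do not stack duplicates: iptables -C INPUT -m set --match-set blocklist src -j DROP || iptables -I INPUT -m set --match-set blocklist src -j DROP. With the sample list the three ranges collapse to four prefixes, 10.0.0.0/23, 192.0.2.3/32, 192.0.2.4/31 and 192.0.2.6/32.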
To view the sets:
# ipset list
To delete a set named "myset" (first remove any iptables rule that references it; the kernel refuses to destroy a set that is still in use):
# ipset destroy myset
To delete all sets (the same restriction applies to every set):
# ipset destroy
Troubleshooting (Cannot open session to kernel)
# ipset list
ipset v6.24: Cannot open session to kernel.
This message means the ipset tool could not talk to the ip_set kernel module. It typically appears after a kernel upgrade: the modules on disk now belong to the new kernel and can no longer be loaded into the running one, so the module cannot be autoloaded. Rebooting into the upgraded kernel fixes it.
Please see the man page for ipset for further information.