Ipset: Difference between revisions
m (Remove stub flag.) |
(clarify what the ipset-translate tool does, add a more relevant link for nftables sets and remove unrelated details) |
||
| (39 intermediate revisions by 19 users not shown) | |||
| Line 1: | Line 1: | ||
{{Lowercase title}} | |||
[[Category:Firewalls]] | [[Category:Firewalls]] | ||
[[es:Ipset]] | |||
[[ru:Ipset]] | |||
[[ja:Ipset]] | [[ja:Ipset]] | ||
[[zh- | [[zh-hans:Ipset]] | ||
{{Related articles start}} | {{Related articles start}} | ||
{{Related| | {{Related|Firewall}} | ||
{{Related| | {{Related|iptables}} | ||
{{Related articles end}} | {{Related articles end}} | ||
[ | [https://ipset.netfilter.org/ ipset] is a companion application for the [[iptables]] Linux [[firewall]]. It allows you to setup rules to quickly and easily block a set of IP addresses, among other things. | ||
The iptables successor [[nftables]] has a [https://wiki.nftables.org/wiki-nftables/index.php/Sets built-in infrastructure for using sets]. The ''ipset-translate'' tool can be used to transform "ipsets" (for iptables) into nftables sets, see [https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_ipset_to_nftables Moving from ipset to nftables] for details. | |||
== Installation == | == Installation == | ||
[[Install]] {{pkg|ipset}} | [[Install]] the {{pkg|ipset}} package. | ||
== Configuration == | == Configuration == | ||
=== Blocking a list of | === Blocking a list of networks === | ||
Start by creating a new "set" of network addresses. This creates a new "hash" set of "net" network addresses named "myset". | Start by creating a new "set" of network addresses. This creates a new "hash" set of "net" network addresses named "myset". | ||
| Line 20: | Line 25: | ||
# ipset create myset hash:net | # ipset create myset hash:net | ||
Add any IP address that you | or | ||
# ipset -N myset nethash | |||
Add any IP address that you would like to block to the set. | |||
# ipset add myset 14.144.0.0/12 | # ipset add myset 14.144.0.0/12 | ||
# ipset add myset 27.8.0.0/13 | # ipset add myset 27.8.0.0/13 | ||
# ipset add myset 58.16.0.0/15 | # ipset add myset 58.16.0.0/15 | ||
# ipset add myset 1.1.1.0/24 | |||
Finally, configure [[iptables]] to block any address in that set. This command will add a rule to the top of the "INPUT" chain to "-m" match the set named "myset" from ipset (--match-set) when it | Finally, configure [[iptables]] to block any address in that set. This command will add a rule to the top of the "INPUT" chain to "-m" match the set named "myset" from ipset (--match-set) when it is a "src" packet and "DROP", or block, it. | ||
# iptables -I INPUT -m set --match-set myset src -j DROP | # iptables -I INPUT -m set --match-set myset src -j DROP | ||
=== Blocking a list of IP addresses === | |||
Start by creating a new "set" of ip addresses. This creates a new "hash" set of "ip" addresses named "myset-ip". | |||
# ipset create myset-ip hash:ip | |||
or | |||
# ipset -N myset-ip iphash | |||
Add any IP address that you would like to block to the set. | |||
# ipset add myset-ip 1.1.1.1 | |||
# ipset add myset-ip 2.2.2.2 | |||
Finally, configure [[iptables]] to block any address in that set. | |||
# iptables -I INPUT -m set --match-set myset-ip src -j DROP | |||
=== Making ipset persistent === | === Making ipset persistent === | ||
ipset you have created is stored in memory and will be gone after reboot. To make the ipset persistent you have to do the followings: | The ipset you have created is stored in memory and will be gone after reboot. To make the ipset persistent you have to do the followings: | ||
First save the ipset to /etc/ipset.conf: | First, save the ipset to {{ic|/etc/ipset.conf}}: | ||
# ipset save > /etc/ipset.conf | # ipset save > /etc/ipset.conf | ||
Then [[enable]] {{ic|ipset.service}}, which works similarly to {{ic|iptables.service}} for restoring [[Iptables# | Then [[enable]] {{ic|ipset.service}}, which works similarly to {{ic|iptables.service}} for restoring [[Iptables#Configuration and usage|iptables rules]]. | ||
{{Warning|A (rare) bug {{Bug|79674}} has been observed once which resulted in {{ic|iptables.service}} failing due to missing ipsets despite {{ic|ipset.service}} succeeding. Use redundant security and consider a monitoring script if you need 100% assurance that your firewall is intact.}} | |||
{{Note|There is currently a bug with {{ic|ipset save > /etc/ipset.conf}} that writes the output in the same format as {{ic|ipset list}} and when ipset is enabled in systemd it will fail to restore your ipsets. A workaround is to use: {{ic|ipset -o save save > /etc/ipset.conf}}. This issue is currently open at https://gitlab.archlinux.org/archlinux/packaging/packages/ipset/-/issues/2}} | |||
== Other | === Blocking with PeerGuardian and other blocklists === | ||
The {{AUR|pg2ipset-git}} tool by the author of Maeyanie.com, coupled with the [https://github.com/ilikenwf/pg2ipset/blob/master/ipset-update.sh ipset-update.sh] script, can be used with cron to automatically update various blocklists. Currently, by default, blocking of: country, tor exit node and Bluetrack pg2 list are implemented. | |||
== Other commands == | |||
To view the sets: | To view the sets: | ||
| Line 50: | Line 83: | ||
# ipset list | # ipset list | ||
or | |||
# ipset destroy myset | # ipset -L | ||
To delete a set: | |||
# ipset destroy ''myset'' | |||
or | |||
# ipset -X ''myset'' | |||
To delete all sets: | To delete all sets: | ||
| Line 58: | Line 99: | ||
# ipset destroy | # ipset destroy | ||
Please see the man | Please see the {{man|8|ipset}} for further information. | ||
== Optimization == | == Optimization == | ||
The {{AUR|iprange}} tool can help to reduce entries in ipset.conf by merging adjacent ranges or eliminating overlapped ranges. This can improve the router/firewall performance if the table size is huge. This tool can also convert a list of hostnames to IPs. | The {{AUR|iprange}} tool can help to reduce entries in ipset.conf by merging adjacent ranges or eliminating overlapped ranges. This can improve the router/firewall performance if the table size is huge. This tool can also convert a list of hostnames to IPs. | ||
Although ipset is designed to be able to scale well, that does not mean infinitely. In particular, some nations have very large IP address spaces, which will cause geoblocking to be inefficient. | |||
Latest revision as of 21:22, 16 April 2024
ipset is a companion application for the iptables Linux firewall. It allows you to setup rules to quickly and easily block a set of IP addresses, among other things.
The iptables successor nftables has a built-in infrastructure for using sets. The ipset-translate tool can be used to transform "ipsets" (for iptables) into nftables sets, see Moving from ipset to nftables for details.
Installation
Configuration
Blocking a list of networks
Start by creating a new "set" of network addresses. This creates a new "hash" set of "net" network addresses named "myset".
# ipset create myset hash:net
or
# ipset -N myset nethash
Add any IP address that you would like to block to the set.
# ipset add myset 14.144.0.0/12 # ipset add myset 27.8.0.0/13 # ipset add myset 58.16.0.0/15 # ipset add myset 1.1.1.0/24
Finally, configure iptables to block any address in that set. This command will add a rule to the top of the "INPUT" chain to "-m" match the set named "myset" from ipset (--match-set) when it is a "src" packet and "DROP", or block, it.
# iptables -I INPUT -m set --match-set myset src -j DROP
Blocking a list of IP addresses
Start by creating a new "set" of ip addresses. This creates a new "hash" set of "ip" addresses named "myset-ip".
# ipset create myset-ip hash:ip
or
# ipset -N myset-ip iphash
Add any IP address that you would like to block to the set.
# ipset add myset-ip 1.1.1.1 # ipset add myset-ip 2.2.2.2
Finally, configure iptables to block any address in that set.
# iptables -I INPUT -m set --match-set myset-ip src -j DROP
Making ipset persistent
The ipset you have created is stored in memory and will be gone after reboot. To make the ipset persistent you have to do the followings:
First, save the ipset to /etc/ipset.conf:
# ipset save > /etc/ipset.conf
Then enable ipset.service, which works similarly to iptables.service for restoring iptables rules.
iptables.service failing due to missing ipsets despite ipset.service succeeding. Use redundant security and consider a monitoring script if you need 100% assurance that your firewall is intact.ipset save > /etc/ipset.conf that writes the output in the same format as ipset list and when ipset is enabled in systemd it will fail to restore your ipsets. A workaround is to use: ipset -o save save > /etc/ipset.conf. This issue is currently open at https://gitlab.archlinux.org/archlinux/packaging/packages/ipset/-/issues/2Blocking with PeerGuardian and other blocklists
The pg2ipset-gitAUR tool by the author of Maeyanie.com, coupled with the ipset-update.sh script, can be used with cron to automatically update various blocklists. Currently, by default, blocking of: country, tor exit node and Bluetrack pg2 list are implemented.
Other commands
To view the sets:
# ipset list
or
# ipset -L
To delete a set:
# ipset destroy myset
or
# ipset -X myset
To delete all sets:
# ipset destroy
Please see the ipset(8) for further information.
Optimization
The iprangeAUR tool can help to reduce entries in ipset.conf by merging adjacent ranges or eliminating overlapped ranges. This can improve the router/firewall performance if the table size is huge. This tool can also convert a list of hostnames to IPs.
Although ipset is designed to be able to scale well, that does not mean infinitely. In particular, some nations have very large IP address spaces, which will cause geoblocking to be inefficient.