Mastering ipset: Create, Save, and Manage Rules with Ease

What is ipset?

ipset is an extension of iptables that lets you write rules matching entire sets of addresses. Unlike a regular iptables rule, which matches a single address, an IP set is stored in an indexed data structure, so lookups stay efficient even when the set is large. Beyond common uses such as blocking dangerous hosts to reduce system resource consumption or network congestion, IP sets also open up new firewall design approaches and simplify configuration.

Official website: http://ipset.netfilter.org/

1. Ipset Installation

yum installation:

yum install ipset

Source code installation: download ipset-6.30.tar.bz2 from the official website, then run:

yum -y install libmnl-devel libmnl
tar -jxvf ipset-6.30.tar.bz2 && cd ipset-6.30 && ./configure --prefix=/usr/local/ipset && make && make install

2. Create an ipset set:

[root@localhost ~]# which ipset
/usr/sbin/ipset
[root@localhost ~]# ipset --list
[root@localhost ~]# ipset create zabbix_server hash:net
[root@localhost ~]# ipset add zabbix_server 192.168.1.20
[root@localhost ~]# ipset create mysql_server hash:net
[root@localhost ~]# ipset add mysql_server 192.168.1.20
[root@localhost ~]# ipset --list
Name: zabbix_server
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16784
References: 0
Members:
192.168.1.20

Name: mysql_server
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16784
References: 0
Members:
192.168.1.20

3. Save rules to an ipset file:

[root@localhost ~]# /etc/init.d/ipset save
ipset: Saving IP sets to /etc/sysconfig/ipset:             [OK]
[root@localhost ~]# cat /etc/sysconfig/ipset
create zabbix_server hash:net family inet hashsize 1024 maxelem 65536
add zabbix_server 192.168.1.20
create mysql_server hash:net family inet hashsize 1024 maxelem 65536
add mysql_server 192.168.1.20

4. Iptables rule file:

[root@localhost ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Jul 31 10:21:39 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10988:6938377]
-A INPUT -s 118.32.234.103/32 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,81,82,443 -m state --state NEW -j ACCEPT
-A INPUT -s 211.144.68.140/32 -p tcp -m multiport --dports 10050,3306 -j ACCEPT
-A INPUT -p tcp -m set --match-set zabbix_server src -m tcp --dport 10050 -j ACCEPT
-A INPUT -p tcp -m set --match-set mysql_server src -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 570,21,1038 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
-A INPUT -j DROP
COMMIT

5. Add iptables rules via command line and save:

iptables -I INPUT -m set --match-set mysql_server src -p tcp -m multiport --dports 10050,3306 -j ACCEPT
iptables -I INPUT -m set --match-set rsync_server src -p tcp --dport 873 -j ACCEPT
service iptables save
/etc/init.d/iptables save

The set named in --match-set (here rsync_server) must already exist via ipset create, or iptables will refuse the rule. The last two commands are equivalent; either one writes the running rules to /etc/sysconfig/iptables.
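A rule that references a set which does not exist in the saved ipset file will fail to load at restore time, which can leave the host with an incomplete rule set. The following checker, an added example and not part of the original article, parses the two save-file formats shown above and reports every set that iptables rules reference but the ipset file never creates; the two inputs are constructed from the article's files, with the rsync_server rule from this section deliberately left without a matching create line.

```python
import re
from collections import Counter

# Constructed inputs modelled on the article's save files; rsync_server (section 5) has no "create".
IPSET_SAVE = """\
create zabbix_server hash:net family inet hashsize 1024 maxelem 65536
add zabbix_server 192.168.1.20
create mysql_server hash:net family inet hashsize 1024 maxelem 65536
add mysql_server 192.168.1.20
"""

IPTABLES_SAVE = """\
*filter
-A INPUT -p tcp -m set --match-set zabbix_server src -m tcp --dport 10050 -j ACCEPT
-A INPUT -p tcp -m set --match-set mysql_server src -m tcp --dport 3306 -j ACCEPT
-A INPUT -m set --match-set mysql_server src -p tcp -m multiport --dports 10050,3306 -j ACCEPT
-A INPUT -m set --match-set rsync_server src -p tcp --dport 873 -j ACCEPT
-A INPUT -j DROP
COMMIT
"""

MATCH_SET = re.compile(r"--match-set\s+(\S+)\s+(\S+)")

def parse_ipset_save(text):
    """Parse 'ipset save' output into {name: {"type": ..., "members": [...]}}."""
    sets = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "create":
            sets[parts[1]] = {"type": parts[2], "members": []}
        elif parts and parts[0] == "add":  # save output always lists create first
            sets[parts[1]]["members"].append(parts[2])
    return sets

def set_references(text):
    """Count -A rules that carry '-m set --match-set NAME src|dst', keyed by NAME."""
    refs = Counter()
    for line in text.splitlines():
        if line.startswith("-A"):
            for name, _flags in MATCH_SET.findall(line):
                refs[name] += 1
    return refs

def missing_sets(ipset_text, iptables_text):
    """Set names that iptables rules reference but the ipset file never creates."""
    return sorted(set(set_references(iptables_text)) - set(parse_ipset_save(ipset_text)))

if __name__ == "__main__":
    print(missing_sets(IPSET_SAVE, IPTABLES_SAVE))  # ['rsync_server']
```

Run it against the real /etc/sysconfig/ipset and /etc/sysconfig/iptables before a reboot, and make sure the ipset service starts before iptables so the sets exist when the rules are restored.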

6. Usage of ipset del:

When deleting entries with ipset del, you must restart the iptables service for the change to take effect:

ipset del jump_mysql 111.206.110.202
(iptables must be restarted for the deletion to take effect)

When adding entries with ipset add, the change takes effect without restarting iptables.