Created Thu Jun, 18 2020 at 07:15PM

Configuration

Blocking a list of network

Start by creating a new "set" of network addresses. This creates a new "hash" set of "net" network addresses named "myset".

# ipset create myset hash:net

or

# ipset -N myset nethash

Add any IP address that you'd like to block to the set.

# ipset add myset 14.144.0.0/12
# ipset add myset 27.8.0.0/13
# ipset add myset 58.16.0.0/15
# ipset add myset 1.1.1.0/24

Finally, configure iptables to block any address in that set. This command will add a rule to the top of the "INPUT" chain to "-m" match the set named "myset" from ipset (--match-set) when it's a "src" packet and "DROP", or block, it.

# iptables -I INPUT -m set --match-set myset src -j DROP

Blocking a list of IP addresses

Start by creating a new "set" of ip addresses. This creates a new "hash" set of "ip" addresses named "myset-ip".

# ipset create myset-ip hash:ip

or

# ipset -N myset-ip iphash

Add any IP address that you'd like to block to the set.

# ipset add myset-ip 1.1.1.1
# ipset add myset-ip 2.2.2.2

Finally, configure iptables to block any address in that set.

# iptables -I INPUT -m set --match-set myset-ip src -j DROP

Making ipset persistent

The ipset you have created is stored in memory and will be gone after reboot. To make the ipset persistent you have to do the followings:

First save the ipset to /etc/ipset.conf:

# ipset save > /etc/ipset.conf

Then enable ipset.service, which works similarly to iptables.service for restoring iptables rules.

Blocking With PeerGuardian and Other Blocklists

The pg2ipset-gitAUR tool by the author of Maeyanie.com, coupled with the ipset-update.sh script can be used with cron to automatically update various blocklists. Currently, by default, blocking of: country, tor exit node and Bluetrack pg2 list are implemented.

Other Commands

To view the sets:

# ipset list

or

# ipset -L

To delete a set named "myset":

# ipset destroy myset

or

# ipset -X myset

To delete all sets:

# ipset destroy

Please see the man page for ipset for further information. ref: https://wiki.archlinux.org