Created Thu Jun, 18 2020 at 07:15PM
Start by creating a new "set" of network addresses. This creates a new "hash" set of "net" network addresses named "myset".
ipset create myset hash:net
or
ipset -N myset nethash
Add any IP address that you'd like to block to the set.
ipset add myset 14.144.0.0/12
ipset add myset 27.8.0.0/13
ipset add myset 58.16.0.0/15
ipset add myset 1.1.1.0/24
Finally, configure iptables to block any address in that set. This command will add a rule to the top of the "INPUT" chain to "-m" match the set named "myset" from ipset (--match-set) when it's a "src" packet and "DROP", or block, it.
# iptables -I INPUT -m set --match-set myset src -j DROP
Start by creating a new "set" of ip addresses. This creates a new "hash" set of "ip" addresses named "myset-ip".
ipset create myset-ip hash:ip
or
ipset -N myset-ip iphash
Add any IP address that you'd like to block to the set.
ipset add myset-ip 1.1.1.1
ipset add myset-ip 2.2.2.2
Finally, configure iptables to block any address in that set.
# iptables -I INPUT -m set --match-set myset-ip src -j DROP
The ipset you have created is stored in memory and will be gone after reboot. To make the ipset persistent you have to do the followings:
First save the ipset to /etc/ipset.conf:
ipset save > /etc/ipset.conf
To restore them
ipset restore < /etc/ipset.conf
Then enable ipset.service
, which works similarly to iptables.service
for restoring iptables rules.
The pg2ipset-gitAUR tool by the author of Maeyanie.com, coupled with the ipset-update.sh script can be used with cron to automatically update various blocklists. Currently, by default, blocking of: country, tor exit node and Bluetrack pg2 list are implemented.
To view the sets:
ipset list
or
ipset -L
To delete a set named "myset":
ipset destroy myset
or
ipset -X myset
To delete all sets:
ipset destroy
Please see the man page for ipset for further information. ref: https://wiki.archlinux.org