# Working with IPSETs

`ipset` is a command line utility that allows firewall admins to manage large lists of IPs. `ipset` is independent of `iptables`. Once a collection of IPs has been created with `ipset`, `iptables` and FireHOL can use it.

Adding or removing IPs to/from the collection does not need any change at the firewall. Collections are manipulated by the `ipset` command and the firewall will automatically and immediately use the new IPs, without altering a single `iptables` statement.
An `ipset` collection of IPs is defined by its name. To create a new collection, run on a shell:

```sh
ipset create NAME hash:ip
```

- `NAME` is the name of the collection.
- `hash:ip` is the method of storing and searching the collection.

Mainly 2 types are used:

- `hash:ip` for a collection of individual IPs, and
- `hash:net` for a collection of networks.

The difference is how efficiently the collection is stored and how fast the kernel will search the collection for matching packets.
To see the active collections, run:

```sh
ipset list -n
```

`-n` is required to show just the names. Without it, `ipset` will also dump the entire collection.

To add IPs to our collection, run:

```sh
ipset add NAME 1.2.3.4
```

To delete IPs from our collection, run:

```sh
ipset del NAME 1.2.3.4
```

Check the manual page of `ipset` for more information.
FireHOL support for `ipset` has two aspects:

FireHOL can use ipset collections for matching packets in all its statements. They are part of the `src` and `dst` keywords. For example, to allow SMTP requests from all the clients in a collection, use:

```sh
server smtp accept src ipset:NAME
```

To allow SMTP to all the server IPs of a collection:

```sh
server smtp accept dst ipset:NAME
```

Matching both clients' and servers' IPs is also possible:

```sh
server smtp accept src ipset:NAME1 dst ipset:NAME2
```

You can actually use `ipset:NAME` like an IP, in all statements:

```sh
blacklist full ipset:BADGUYS
...
transparent_squid 3128 "root squid proxy" inface eth0 \
    src ipset:mylans \
    dst not ipset:servers_that_dont_like_proxies
...
mark 1 OUTPUT dst "ipset:NAME 1.2.3.4"
...
server smtp accept src "1.2.3.4 ipset:NAME1 ipset:NAME2" \
    dst not "ipset:NAME3 5.6.7.8 ipset:NAME4 10.1.2.3"
```
The good thing about `ipset` is that you can manipulate the IPs without restarting the firewall. Just add or remove IPs or networks with the `ipset` command, and the firewall will immediately use the new IPs.

The bad thing is that the `ipset` collection must exist before activating the firewall. This is why FireHOL can initialize the `ipset` collections for you:

FireHOL has an `ipset` helper. It is a wrapper around the real `ipset` command and is handled internally within FireHOL in such a way that the ipset collections defined in the configuration are activated before the firewall is activated. FireHOL is also smart enough to restore the ipsets after a reboot, before it restores the firewall, so that everything works as seamlessly as possible.

The `ipset` helper has the same syntax as the real `ipset` command. So in FireHOL you just add the `ipset` statements you need, and FireHOL will do the rest.

Keep in mind that each `ipset` collection is either IPv4 or IPv6. In FireHOL, prefix `ipset` with either `ipv4` or `ipv6` and FireHOL will choose the right IP version.

The features below are extensions of `ipset` that can only be used from within `firehol.conf`. They will not work on a terminal.
The FireHOL helper allows mass import of ipset collections from files. This is done with the `ipset addfile` command.

The `ipset addfile` command takes a filename, removes all comments (anything after a `#` on the same line), trims any empty lines and spaces, and adds all the remaining lines to `ipset`, as if each line of the file was run with `ipset add COLLECTION_NAME IP_FROM_FILE [other options]`.

The syntax of the `ipset addfile` command is:

```sh
ipset addfile COLLECTION_NAME [ip|net] filename [other ipset add options]
```

- `COLLECTION_NAME` is the collection to add the IPs to.
- `ip` is optional and will select all the lines of the file that do not contain a `/`.
- `net` is optional and will select all the lines of the file that contain a `/`.
- `filename` is the filename to read. You can give absolute filenames and relative filenames (relative to `/etc/firehol`).
- `other ipset add options` is whatever else `ipset add` supports, that you are willing to give for each line.
Example in `firehol.conf`:

```sh
ipv4 ipset create badguys hash:ip
ipv4 ipset add badguys 1.2.3.4
ipv4 ipset addfile badguys file-with-the-bad-guys-ips.txt
...
ipv4 blacklist full ipset:badguys
```
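The `ipset addfile` processing described above (strip comments, trim blanks, keep only `ip` or only `net` entries, then `ipset add` each remaining line), emulated as a dry run that prints the commands instead of loading anything. This is an added example, not FireHOL's own code; it assumes the filename is used exactly as given rather than resolved against `/etc/firehol`, and the sample list is constructed.

```shell
#!/bin/sh
# Added example (not FireHOL code): a dry-run emulation of the text
# processing the FireHOL "ipset addfile" helper is described to perform.
# It prints the "ipset add" commands that would be generated, so a list
# can be reviewed before it is loaded into a live firewall.
# Assumption: the filename is used as given (FireHOL resolves relative
# names against /etc/firehol; this script does not).
#
# Usage: addfile_dryrun COLLECTION_NAME [ip|net] FILENAME [other ipset add options]
addfile_dryrun() {
    name="$1"; shift
    mode=all
    case "$1" in
        ip|net) mode="$1"; shift ;;
    esac
    file="$1"; shift
    extra="$*"

    # 1. strip comments (anything after '#'), 2. trim leading/trailing
    # blanks, 3. skip lines that are now empty
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" |
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        # 'ip' keeps only entries without a '/', 'net' only those with one
        case "$entry" in
            */*) kind=net ;;
            *)   kind=ip ;;
        esac
        [ "$mode" = all ] || [ "$mode" = "$kind" ] || continue
        printf 'ipset add %s %s%s\n' "$name" "$entry" "${extra:+ $extra}"
    done
}

# Constructed sample list (not a real feed) with comments, blanks and padding
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed example list
1.2.3.4
  5.6.7.8   # trailing comment and surrounding spaces

10.0.0.0/8
EOF

# Stand-alone demonstration: all entries, then only the networks with a timeout
addfile_dryrun badguys "$SAMPLE"
addfile_dryrun badguys net "$SAMPLE" timeout 3600
```

Running it on a real list before a `blacklist full ipset:...` rule goes live shows exactly which entries (and with which extra options) the firewall would start dropping.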
The `ipset add` command implemented in FireHOL also allows you to give multiple IPs, separated by comma or enclosed in quotes and separated by space:

```sh
ipv4 ipset create badguys hash:ip
ipv4 ipset add badguys 1.2.3.4,5.6.7.8,9.10.11.12 # << comma separated
ipv4 ipset add badguys "11.22.33.44 55.66.77.88" # << space separated in quotes
```
A complete solution to update ipsets is `update-ipsets`. This program can download and update all the publicly available IP lists (check iplists.firehol.org).