Questions tagged [ipset]

IP sets are a Linux kernel framework for efficiently storing and managing sets of IP addresses and/or network interfaces.

49 questions
5 votes, 1 answer

Why is FirewallD not blocking IPs with 'reject' rules?

My setup is the following: fail2ban with some jails (working fine) using FirewallD to block the caught IPs. Here is my default Firewall: myzone target: default icmp-block-inversion: no interfaces: sources: services: rcsa dhcpv6-client http…
acs-f
4 votes, 1 answer

How to block both IPv4 and IPv6 with ipset on Ubuntu 16.04?

So I have the following script that blocks IPs: #!/bin/bash # here's your list of IPS CURRENT_BL=/path/to/my/ip_black_list.txt # create/flush recreate the tables iptables -F BLACKHOLE iptables -N BLACKHOLE for BAD_IP in $(cat $CURRENT_BL) do …
4 votes, 1 answer

Can I use iptables to rate limit an ipset?

Is it possible to use iptables to rate limit an ipset? I know you can use ipset to create a block list named blacklist, i.e. ipset create blacklist hash:ip iptables -I INPUT -m set --match-set blacklist src -j DROP ipset add blacklist…
p4guru
4 votes, 0 answers

IPsets in FirewallD with Nftables backend

I upgraded my server to Fedora 32. Firewalld has switched the backend to Nftables. My setup is pretty simple. Just HTTP, HTTPS, SSH, SMTP ports open and multiple IPsets (IPv4, IPv6) to block a preset list of IP addresses. Earlier I used to do…
user213598
3 votes, 0 answers

GeoIP vs IPset performance in iptables

I would like to ask you what is faster in terms of performance, GeoIP or IPset. Let me explain: imagine that I have the rule iptables -A INPUT -m geoip ! --src-cc US,UK,CA -j DROP And imagine that I have an IPset of hash:net and I put all these IPs (from…
tomsk
3 votes, 1 answer

Why does the 'nomatch' option of ipset not work in this case?

I am using ipset 6.23-2 on Debian Jessie. I created a hash:net set for and an iptables rule to drop all traffic for addresses in the set. Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- anywhere …
Kanra
3 votes, 2 answers

In Linux, how to add a route to a prefix via a specific device, with certain destinations in that prefix going via the default route?

I'm currently dealing with a VPN whose connection endpoint lies within the subnet whose prefix shall be tunneled via that specific VPN. Essentially the problem thus boils down to matching against a (larger) set of destination addresses (/16 mask),…
datenwolf
2 votes, 1 answer

Why does ipset succeed on adding IPv4 ranges, but fail on adding an IPv6 range?

Using ipset to clean up bulky iptables rulesets does not seem so different between IPv4 and IPv6: # ipset create TEST hash:net family inet # ipset create DEMO hash:net family inet6 # iptables -A INPUT -m set --match-set TEST src -j DROP # ip6tables…
anx
2 votes, 1 answer

ipset not being applied to iptables

I'm trying to filter out a country that keeps probing my SMTP server (CentOS 6) and I can't seem to get the ipset to work out right in iptables. I downloaded that country's IP addresses from ipdeny.com and installed the list as a text file. …
pathrider
2 votes, 3 answers

IPTables: add an IP to an IPSet list

How to correctly add an IP address to an ipset from an iptables rule? Or isn't that possible at all? This rule doesn't work for me: -A INPUT -m recent --name IP_LIST --set The type of IP_LIST is hash:net. IP_LIST was created using the command ipset create…
2 votes, 1 answer

Iptables: Redirect IP-matched request to dedicated server port

I have an iptables configuration problem that I cannot seem to solve. I have a list of known bad IP addresses that I block from accessing my server via ipset and iptables. The original approach has been to simply drop the connection via iptables if an IP…
pete19
2 votes, 0 answers

Where can I find IPv6 blacklists?

We have blacklists in place to stop traffic from known bad actors. There are plenty of resources such as the lists below, but I am not finding any results for IPv6 blacklists. Does anyone know where I can find such lists? …
2 votes, 1 answer

firewalld, `--add-rich-rule` and missing blacklist set

My server uses CentOS 8, quite recently installed (~1 year). After trying to ban an IP: firewall-cmd --permanent --zone=extz --add-rich-rule='rule family="ipv4" source address="49.88.112.70" drop' My system seems to be corrupt: # firewall-cmd…
1 vote, 3 answers

Using fail2ban, ipset and iptables to block bad IP addresses on Google Compute Engine

I am running Ubuntu Linux 16.04 on a GCP Compute Engine VM instance. This is hosting a web server for a web application. I need feedback from the community to verify that what I have set up on Ubuntu Linux is correct and that I can…
1 vote, 1 answer

How to use iptables and ipset to redirect a destination host to another server?

How to block access to a list of sites and show a notification page? This example, blocking without a page, works correctly: iptables -I FORWARD -m set --match-set site src,dst -j DROP I tried to use the following rule to redirect hosts to another…
Kvartu