
Using ipset

François KUBLER edited this page Jun 21, 2018 · 2 revisions

The following document should help you configure ipset (and iptables) so that Ellis can interact with it via the ipset.ban Action.

Disclaimer

WARNING: make sure you know what you are doing!

Building a complete ruleset for your firewall is out of the scope of this documentation. We assume that you have an existing, working ruleset and that you know what you are doing.

This documentation focuses on iptables but you might be able to use the tool of your choice as long as it's able to read ipsets.

Preamble

ipset doesn't ban IP addresses itself. It allows you to create sets of IP addresses. Combined with a firewall that can read ipsets, this gives a powerful way to ban many IP addresses without adding a separate firewall rule for each one.

So, using ipset has these benefits:

  • Better performance,
  • The firewall ruleset is easier to maintain,
  • Built-in timeout.

Setting up ipset

Ellis uses two ipsets to ban IP addresses: one for IPv4 addresses and one for IPv6 addresses. These two sets are configured with a default timeout. When an IP address is added to the set, the timeout starts to decrease. When it reaches zero, the IP address is automatically removed from the set (and thus, unbanned).

Please note that you must use exactly these ipset names.

To set up the two required ipsets, run the following as root:

# ipset expects the set type (hash:ip) right after the set name, before the create options.
ipset create ellis_blacklist4 hash:ip family inet timeout 86400 counters
ipset create ellis_blacklist6 hash:ip family inet6 timeout 86400 counters

Check that everything is all right:

ipset list

You should see the two sets (empty for now).

It is highly recommended to save this ipset configuration so you don't have to recreate the sets after every reboot:

# Path to the ipset configuration file may change depending on your Linux distro.
ipset save > /etc/ipset.conf

It is also highly recommended to start ipset automatically:

systemctl enable --now ipset

That's it! You're good to go!

Setting up your firewall

iptables

First we are going to ask iptables to drop all traffic coming from IP addresses stored in the ellis_blacklist4 ipset. To do this, update the INPUT chain with the following rule:

iptables -I INPUT -m set --match-set ellis_blacklist4 src -m comment --comment "Ellis blacklist" -j DROP

The same logic applies for IPv6:

ip6tables -I INPUT -m set --match-set ellis_blacklist6 src -m comment --comment "Ellis blacklist" -j DROP

Once you are satisfied with your ruleset, it is recommended to save it. As root:

# Path to your iptables rules may change depending on your Linux distro.
iptables-save > /etc/iptables/iptables.v4
ip6tables-save > /etc/iptables/iptables.v6

And finally restart iptables:

systemctl restart iptables
systemctl restart ip6tables
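
To confirm the end state of both the ipset setup and the iptables rules described above, here is an added verification script. It is not part of the Ellis wiki or the Ellis project; it parses the text output of `ipset list -t` and `iptables-save` / `ip6tables-save`, and the sample outputs embedded in it are constructed so that it runs offline. The set names, the `hash:ip` type, the address families and the presence of a DROP rule in INPUT are the only facts it checks; everything else in the sample output (hash sizes, counters, the extra ACCEPT rules) is illustrative.

```shell
#!/bin/sh
# Added verification example, not part of the Ellis wiki or the Ellis project.
# It checks the result of the ipset and iptables steps by parsing the text
# output of `ipset list -t` and `iptables-save` / `ip6tables-save`:
#   1. both Ellis sets exist, are hash:ip, have the right address family and a timeout;
#   2. the INPUT chain has a DROP rule matching source addresses in each set.
# The sample outputs below are constructed so the script runs offline. On a
# real host, run as root:
#   check_ellis_firewall "$(ipset list -t)" "$(iptables-save)" "$(ip6tables-save)"

# ipset_has_set LISTING SETNAME FAMILY
# Succeed if LISTING (terse `ipset list -t` output) contains a hash:ip set
# named SETNAME whose header declares family FAMILY and a timeout.
ipset_has_set() {
    printf '%s\n' "$1" | awk -v name="$2" -v fam="$3" '
        $1 == "Name:"   { cur = $2; next }
        $1 == "Type:"   { type[cur] = $2; next }
        $1 == "Header:" {
            for (i = 2; i <= NF; i++) {
                if ($i == "family")  family[cur]  = $(i + 1)
                if ($i == "timeout") timeout[cur] = $(i + 1)
            }
        }
        END {
            if (type[name] == "hash:ip" && family[name] == fam && timeout[name] != "")
                exit 0
            exit 1
        }'
}

# rule_drops_set DUMP SETNAME
# Succeed if DUMP (iptables-save or ip6tables-save output) contains an INPUT
# rule that matches source addresses in SETNAME and jumps to DROP.
rule_drops_set() {
    printf '%s\n' "$1" | grep -Eq -e "^-A INPUT .*--match-set $2 src .*-j DROP\$"
}

# check_ellis_firewall LISTING DUMP4 DUMP6
# Run every check, report the first failure on stderr, return 0 only if all pass.
check_ellis_firewall() {
    ipset_has_set "$1" ellis_blacklist4 inet  || { echo "ipset ellis_blacklist4 (hash:ip, inet, timeout) not found" >&2; return 1; }
    ipset_has_set "$1" ellis_blacklist6 inet6 || { echo "ipset ellis_blacklist6 (hash:ip, inet6, timeout) not found" >&2; return 1; }
    rule_drops_set "$2" ellis_blacklist4 || { echo "iptables INPUT has no DROP rule for ellis_blacklist4" >&2; return 1; }
    rule_drops_set "$3" ellis_blacklist6 || { echo "ip6tables INPUT has no DROP rule for ellis_blacklist6" >&2; return 1; }
    return 0
}

# Constructed sample outputs: what a host configured as in this page would show.
SAMPLE_IPSET_LIST='Name: ellis_blacklist4
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 86400 counters
Size in memory: 88
References: 1
Number of entries: 0

Name: ellis_blacklist6
Type: hash:ip
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536 timeout 86400 counters
Size in memory: 88
References: 1
Number of entries: 0'

SAMPLE_IPTABLES_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m set --match-set ellis_blacklist4 src -m comment --comment "Ellis blacklist" -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

SAMPLE_IP6TABLES_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m set --match-set ellis_blacklist6 src -m comment --comment "Ellis blacklist" -j DROP
-A INPUT -i lo -j ACCEPT
COMMIT'

if check_ellis_firewall "$SAMPLE_IPSET_LIST" "$SAMPLE_IPTABLES_SAVE" "$SAMPLE_IP6TABLES_SAVE"; then
    echo "Ellis ipsets and firewall rules look correct"
fi
```

The checks are deliberately strict about the set names and address families, because Ellis looks for `ellis_blacklist4` and `ellis_blacklist6` by name, and a set created with the wrong family would silently never match the traffic you expect it to drop.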