ipset is a more efficient way to deal with large numbers of IP or MAC addresses in Netfilter/iptables. The only similar module iptables has is iprange, which may not be applicable for all situations. In this example, we’ll be blocking known Chinese address blocks.
Creating a set
I’ll create a set called “country_cn” and add CIDR blocks to it.
ipset --create country_cn nethash
nethash is the set type appropriate for CIDR-formatted IP blocks. If you only had single IP addresses, you’d use iphash. There are many other set types.
Adding IPs to the set
#!/bin/bash
# Fetch the CIDR list for China from ipdeny.com and add each block to the set
for IP in $(curl http://ipdeny.com/ipblocks/data/countries/cn.zone); do
    ipset --add country_cn $IP
done
Using the set
iptables -A INPUT -m set --match-set country_cn src -j DROP
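The loop above calls ipset once per block, and it hands every line of the download straight to the command. As an added example that is not part of the original post, the script below builds the same set through ipset’s batch format (one `ipset restore` run instead of thousands of `ipset --add` calls) and accepts only lines that are well-formed IPv4 CIDR blocks, so a truncated or tampered zone file cannot smuggle extra arguments to ipset. The set name country_cn is the post’s; `hash:net` is the current name of the nethash type; the sample zone file is constructed from RFC 5737 documentation prefixes and is not real ipdeny.com data.

```shell
#!/bin/sh
# Added example, not from the original post: validate a zone file and emit
# an "ipset restore" batch for it. Assumes one CIDR block per line.

SET_NAME=country_cn

# cidr_ok STRING: succeed only if STRING is a well-formed IPv4 CIDR block
# (four decimal octets 0..255, a slash, and a prefix length 0..32).
cidr_ok() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    prefix=${1#*/}
    # prefix length: digits only, at most 32
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # address part: digits and dots only, exactly four octets
    case "$ip" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_restore SETNAME: read a zone file on stdin and print an ipset
# restore batch on stdout. Malformed lines are reported on stderr and
# skipped instead of being passed to ipset. "-exist" makes the batch
# re-runnable against a set that already exists.
build_restore() {
    set_name=$1
    printf 'create %s hash:net -exist\n' "$set_name"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # tolerate CRLF downloads
        [ -n "$line" ] || continue
        if cidr_ok "$line"; then
            printf 'add %s %s -exist\n' "$set_name" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# demo: dry run over a constructed zone file (documentation prefixes, one
# CRLF line, one junk line, one prefix length out of range).
demo() {
    printf '192.0.2.0/24\n198.51.100.0/24\r\n203.0.113.0/24\nnot-a-cidr\n10.0.0.0/33\n' \
        | build_restore "$SET_NAME"
}

# Real use (requires root; not run here):
#   curl -sS http://ipdeny.com/ipblocks/data/countries/cn.zone \
#       | build_restore country_cn | ipset restore
#   iptables -A INPUT -m set --match-set country_cn src -j DROP
```

Running `demo` prints the `create` line followed by three `add` lines; the two bad entries go to stderr. Since the batch is plain text, it can be reviewed or diffed against the previous download before `ipset restore` applies it.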
Editing the set
# Listing IPs
ipset --list country_cn
# Removing IPs
ipset --del country_cn 220.127.116.11/16
# Flushing set
ipset --flush country_cn
# Deleting set
ipset --destroy country_cn