Ipset Notes

[`ipset`](http://ipset.netfilter.org/) is a more efficient way to deal
with large numbers of IP or MAC addresses in Netfilter/iptables: a rule
matches against a whole set instead of one rule per address. The only
comparable match module iptables itself offers is `iprange`, which does
not suit every situation.

In this example, we'll be blocking known Chinese address blocks.

Creating a set
--------------

I'll create a set called "country\_cn" and add CIDR blocks to it.

    ipset --create country_cn nethash

`nethash` is the *type* of set appropriate for CIDR-formatted IP blocks.
If you only had IP addresses, you'd use `iphash`. There are many others.

Adding IPs to the set
---------------------

```bash
#!/bin/bash
# Fetch the current list of Chinese CIDR blocks (one per line) and add
# each one to the country_cn set. -s silences curl's progress output so
# only the address list is fed to the loop.
for IP in $(curl -s http://ipdeny.com/ipblocks/data/countries/cn.zone); do
  ipset --add country_cn "$IP"
done
```

Using the set
-------------

    iptables -A INPUT -m set --match-set country_cn src -j DROP

Editing the set
---------------

    # Listing IPs
    ipset --list country_cn

    # Removing IPs
    ipset --del country_cn 1.1.0.0/16

    # Flushing set
    ipset --flush country_cn

    # Deleting set
    ipset --destroy country_cn
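The "Adding IPs" and "Editing" steps above, combined into one refresh as an added example (not from the original notes): instead of adding entries to the live set one `ipset --add` at a time, validate the downloaded lines, fill a temporary set, and `swap` it into place so the `DROP` rule never matches against a half-filled set. It assumes ipset 6 command syntax (`hash:net` is the current name for the `nethash` type used above) and that its output is fed to `ipset restore -exist`; the zone data below is a constructed sample, not a download.

```bash
#!/bin/bash
# Build an `ipset restore` script that refreshes a set atomically: fill a
# temporary set from validated entries, then `swap` it with the live one
# so the DROP rule never matches against a half-filled set.

# Constructed stand-in for a downloaded zone file: three valid CIDR
# blocks and one malformed line that must not reach ipset.
SAMPLE_ZONE='1.0.1.0/24
1.0.2.0/23
999.1.1.1/8
1.0.8.0/21'

# Succeed only if $1 looks like an IPv4 CIDR: four octets 0-255 and a
# prefix length 0-32. Everything else (hostnames, IPv6, shell
# metacharacters, stray CRs) is rejected instead of handed to ipset.
is_ipv4_cidr() {
  local ip="${1%/*}" prefix="${1#*/}" octet
  [ "$ip" != "$1" ] || return 1                    # no "/" at all
  case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$ip" in .*|*.|*..*) return 1 ;; esac       # empty octet
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*|????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Read zone lines on stdin and print the restore script for set $1.
# Invalid lines are reported on stderr and skipped.
build_restore_script() {
  local name="$1" tmp="${1}_tmp" line
  printf 'create %s hash:net\n' "$name"
  printf 'create %s hash:net\nflush %s\n' "$tmp" "$tmp"
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if is_ipv4_cidr "$line"; then
      printf 'add %s %s\n' "$tmp" "$line"
    else
      printf 'skipping invalid entry: %s\n' "$line" >&2
    fi
  done
  printf 'swap %s %s\ndestroy %s\n' "$tmp" "$name" "$tmp"
}

# Demo on the constructed sample; only prints, so no root is needed.
printf '%s\n' "$SAMPLE_ZONE" | build_restore_script country_cn
```

To refresh the live set, run as root: `curl -s http://ipdeny.com/ipblocks/data/countries/cn.zone | build_restore_script country_cn | ipset restore -exist` (the `-exist` lets the `create` lines succeed when the sets already exist).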

Sources
-------

-   [Advanced Firewall Configurations with `ipset`](http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset?page=0,2)
-   [List of Country IP blocks](http://ipdeny.com/)