[`ipset`](http://ipset.netfilter.org/) is a more efficient way to deal with large numbers of IP or MAC addresses with Netfilter/iptables. The only similar module iptables has is `iprange`, which may not be applicable for all situations. In this example, we'll be blocking known Chinese address blocks.

## Creating a set

I'll create a set called "country\_cn" and add CIDR blocks to it.

```bash
ipset --create country_cn nethash
```

`nethash` is the *type* of set appropriate for CIDR-formatted IP blocks. If you only had IP addresses, you'd use `iphash`. There are many others.

## Adding IPs to the set

```bash
#!/bin/bash
# Download the country zone file (one CIDR block per line) and add each block to the set.
for IP in $(curl -s http://ipdeny.com/ipblocks/data/countries/cn.zone); do
    ipset --add country_cn "$IP"
done
```

## Using the set

```bash
iptables -A INPUT -m set --match-set country_cn src -j DROP
```

## Editing the set

```bash
# Listing IPs
ipset --list country_cn

# Removing IPs
ipset --del country_cn 1.1.0.0/16

# Flushing set
ipset --flush country_cn

# Deleting set
ipset --destroy country_cn
```

## Sources

- [Advanced Firewall Configurations with `ipset`](http://www.linuxjournal.com/content/advanced-firewall-configurations-ipset?page=0,2)
- [List of Country IP blocks](http://ipdeny.com/)
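The loop under "Adding IPs to the set" forks one `ipset` process per block, and while it runs the live set is only partially filled; the script below (an added example, not part of the original post) instead turns a zone file into `ipset restore` input that fills a temporary set and swaps it into place in one step. It assumes the zone-file format used above (one CIDR per line), that `hash:net` is the current name of the `nethash` type, and that its output is piped into `ipset -exist restore`; the sample zone contents are constructed, standing in for the `curl` download.

```bash
#!/bin/bash
# Constructed sample zone-file contents (stand-in for the ipdeny download);
# the comment line is deliberate junk to show the filter at work.
SAMPLE_ZONE='1.0.1.0/24
1.0.2.0/23
# comment line, not a CIDR
1.0.8.0/21
'

CIDR_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'

# Count well-formed IPv4 CIDR lines. Check this before loading: an empty or
# failed download would otherwise replace the blocklist with an empty set.
count_cidrs() {
  grep -cE "$CIDR_RE" "$1"
}

# Emit `ipset restore` commands: build <set>_tmp, then swap it with the live
# set so packets are matched against the old list until the new one is ready.
build_restore_script() {
  local set_name="$1" zone_file="$2"
  printf 'create %s_tmp hash:net family inet\n' "$set_name"
  printf 'flush %s_tmp\n' "$set_name"
  grep -E "$CIDR_RE" "$zone_file" |
    while read -r cidr; do
      printf 'add %s_tmp %s\n' "$set_name" "$cidr"
    done
  # live set must exist with the same type for swap to succeed
  printf 'create %s hash:net family inet\n' "$set_name"
  printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
  printf 'destroy %s_tmp\n' "$set_name"
}

main() {
  local zone
  zone=$(mktemp)
  printf '%s' "$SAMPLE_ZONE" > "$zone"
  if [ "$(count_cidrs "$zone")" -eq 0 ]; then
    echo "zone file contains no CIDR blocks, refusing to load" >&2
    rm -f "$zone"
    exit 1
  fi
  build_restore_script country_cn "$zone"   # pipe into: ipset -exist restore
  rm -f "$zone"
}

main "$@"
```

The `-exist` flag on `ipset restore` keeps the `create` lines from failing when the sets are already present, so the same script can be rerun on a schedule.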