How to Use Ipset to Block IPs from Country


In a previous article we learned how to restrict or allow traffic from a particular country using the GeoIP module; in this article we'll cover how to block large IP ranges using the ipset module with iptables. ipset is a command-line utility used to administer the IP sets framework inside the Linux kernel. An IP set can store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them, in a way that lets an entry be matched against the set at hash-table speed rather than by walking a long chain of rules. It complements the iptables firewall: instead of one iptables rule per network, a single rule references the whole set, which is what makes blocking thousands of subnets practical. Here we'll see how to use the ipset match with iptables to block large ranges of IP addresses on a Linux machine.

Updating our system

First of all, we'll upgrade the packages on our Linux machine so that the installed software is up to date. To do so we need to be running as root, either directly or via sudo. To switch to a root shell, run the following command.

$ sudo -s

Once we're root, we'll update and upgrade the system.

Debian based system

# apt update && apt upgrade

Redhat based system

# yum update

Installing IPset

Many Linux distributions, including Ubuntu and Debian, ship ipset in their default repositories and may already have it installed, but on CentOS and similar systems it usually has to be installed separately. Running ipset version shows whether it is already present; if it is not, install it with the command for the distribution you are running.

Debian based system

# apt install ipset

Redhat based system

# yum install ipset

Creating IP sets

Now that ipset is installed, we'll create the IP set. It needs to contain the network subnets we want to block or restrict, so first we need a list of those subnets. One source of such lists is the site Country IP Blocks, which offers per-country subnet lists on its Country Selection page. Here we've selected a few subnets of China for testing purposes.

Here's a sample of the subnets we'll block in this article; in the real world a country list contains thousands of prefixes, so we'd use a script to generate the commands rather than typing them. The commands take the following form: one ipset create for the set, then one ipset add per subnet, where <network/prefix> stands for each CIDR block from the list. The set type hash:net (the older name nethash is still accepted as an alias) stores networks in a hash table, so lookups stay fast however many prefixes the set holds. The default capacity is 65536 entries (the maxelem option), which is typically enough for one country's list but can be raised when the set is created.

# ipset create countryblock hash:net
# ipset add countryblock <network/prefix>
# ipset add countryblock <network/prefix>
# ipset add countryblock <network/prefix>
(one ipset add line for each subnet in the list)
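To turn a downloaded subnet list into those commands, here is an added example of the generation step; it is not code from the original article. It is a POSIX shell script that reads a text file of IPv4 CIDR blocks (one per line, blank lines and # comments ignored), validates each entry so that one malformed line does not abort the whole load, and writes an ipset restore script, which loads thousands of entries in a single ipset invocation instead of forking ipset once per subnet. The set name countryblock comes from the article; the file names, the hashsize/maxelem values and the sample entries used in testing are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): build an "ipset restore"
# script from a plain list of IPv4 CIDR blocks such as a per-country list.
# File names, set options and sample data are assumptions for illustration.

# valid_ipv4_cidr ENTRY
# Exit 0 if ENTRY is a.b.c.d or a.b.c.d/N with octets 0-255 and N 0-32.
valid_ipv4_cidr() {
  case "$1" in
    */*) addr=${1%%/*}; prefix=${1#*/} ;;
    *)   addr=$1;        prefix=32 ;;
  esac
  # prefix: one or two digits, value 0..32
  case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  # address: no leading/trailing/doubled dot, exactly four fields
  case "$addr" in .*|*.|*..*) return 1 ;; esac
  IFS=. read -r o1 o2 o3 o4 extra <<EOF
$addr
EOF
  [ -n "$o4" ] && [ -z "$extra" ] || return 1
  for octet in "$o1" "$o2" "$o3" "$o4"; do
    case "$octet" in *[!0-9]*|????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# gen_ipset_restore SETNAME CIDRFILE
# Print an ipset restore script on stdout: a create line, then one add per
# valid entry. Malformed entries are reported on stderr and skipped.
gen_ipset_restore() {
  setname=$1
  cidrfile=$2
  added=0
  set -f   # no pathname expansion while we word-split each line
  # hash:net is the current name of the legacy "nethash" type. The default
  # maxelem is 65536, which some country lists exceed, so raise it here.
  # -exist makes the script safe to re-run against an already loaded set.
  printf 'create %s hash:net family inet hashsize 4096 maxelem 262144 -exist\n' "$setname"
  while read -r line || [ -n "$line" ]; do   # also handles a final unterminated line
    line=${line%%#*}                         # drop trailing comment
    set -- $line                             # trim whitespace; entry is the first word
    if [ $# -eq 0 ]; then
      continue
    fi
    if valid_ipv4_cidr "$1"; then
      printf 'add %s %s -exist\n' "$setname" "$1"
      added=$((added + 1))
    else
      printf 'skipping malformed entry: %s\n' "$1" >&2
    fi
  done < "$cidrfile"
  set +f
  printf 'set %s: %d entries written\n' "$setname" "$added" >&2
}

# Run as: sh gen_ipset.sh countryblock china.cidr > countryblock.restore
if [ $# -eq 2 ]; then
  gen_ipset_restore "$1" "$2"
fi
```

Load the generated file with ipset restore < countryblock.restore, confirm the entry count with ipset list -t countryblock, and spot-check an address with ipset test countryblock <address> before pointing an iptables rule at the set. Because every line carries -exist, the same restore file can be re-applied after the list is refreshed without first flushing the set.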

Applying the IP set

Now that the set is ready, we'll reference it from iptables so that traffic from the networks it contains is dropped.

# iptables -A INPUT -m set --match-set countryblock src -j DROP

The rule above drops every packet whose source address falls in one of the subnets stored in the set countryblock, so all the listed ranges are blocked by a single rule. Three practical points: -A appends the rule to the end of the INPUT chain, so it only sees packets that no earlier rule has already accepted; to have it evaluated first, insert it with -I INPUT instead. If the host forwards traffic for other machines, the same match is needed on the FORWARD chain. And before applying a block list on a remote server, make sure the networks you administer from are not in the set, or place an ACCEPT rule for them ahead of the DROP; otherwise you lock yourself out.

Applying the rules permanently

Once we have tested our configuration and rules, we'll want to make the changes persistent so that they are applied on every reboot. ipset and iptables are saved separately: the iptables rule only references the set by name, so the set contents must be saved and restored on their own. To do so, run the following commands for your distribution.

On Debian based system

# ipset save > /etc/ipset.up.rules
# iptables-save > /etc/iptables/rules.v4

(/etc/iptables is the directory used by the iptables-persistent package; create it if it does not exist.) Once the rules are saved, we'll have them loaded on each reboot by adding the following lines to /etc/rc.local, before the final exit 0 line if there is one. The order matters: ipset restore must run before iptables-restore, because iptables-restore fails if a rule references a set that does not exist yet.

ipset restore < /etc/ipset.up.rules
iptables-restore < /etc/iptables/rules.v4

On RHEL based system

# ipset save > /etc/ipset.up.rules
# iptables-save > /etc/sysconfig/iptables

Once the rules of both ipset and iptables are saved, we'll add the restore commands as we did for Debian, again with ipset restore first. We'll add the following lines to /etc/rc.local (on RHEL 7 this is a link to /etc/rc.d/rc.local, which must be made executable with chmod +x for it to run at boot).

ipset restore < /etc/ipset.up.rules
iptables-restore < /etc/sysconfig/iptables
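On systemd-based systems (RHEL 7 and newer, current Debian and Ubuntu) the same two restore commands can run from a oneshot unit instead of rc.local. The unit below is an added example, not part of the original article: the file paths are the ones saved above (substitute /etc/iptables/rules.v4 on Debian), while the unit name and the ordering against network-pre.target, which is the convention firewall units use so that rules are in place before interfaces come up, are assumptions.

```ini
# /etc/systemd/system/ipset-countryblock.service  (assumed file name)
[Unit]
Description=Restore ipset sets and iptables rules before networking starts
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
# ipset first: iptables-restore fails if the referenced set does not exist.
# -exist lets the restore succeed even if the set was already created.
ExecStart=/bin/sh -c '/usr/sbin/ipset restore -exist < /etc/ipset.up.rules'
ExecStart=/bin/sh -c '/usr/sbin/iptables-restore < /etc/sysconfig/iptables'

[Install]
WantedBy=multi-user.target
```

Enable it with systemctl daemon-reload followed by systemctl enable --now ipset-countryblock.service, then check that the set survived a reboot with ipset list -t countryblock and that the rule is present with iptables -S INPUT.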

In this way we can block whole blocks of IP addresses using the ipset match with iptables. We can create sets for different countries and apply them as needed. This method is efficient when we need to block traffic originating from a specific country or region while still allowing the ranges we need: a single rule matching a hash set is far cheaper than thousands of individual iptables rules. Keep in mind that country lists are approximations of address allocation and change over time, so the set should be regenerated and reloaded periodically. There are plenty of firewall and iptables modules for this, but ipset is easy, fast and handy to use. If you have any questions, suggestions or feedback, please write them in the comment box below. Thank you! Enjoy :-)


    • Hello Sam,
      Thank you very much for your comment. I have updated the article with how we can make the rules persistent after reboot. I hope that works for you. If you find any problem, do let us know so that we can help you fix your issues.
      Arun Pyasi

    • The rc.local procedure above works well with older versions of Linux; however, RHEL7 and newer use systemd. A better method is to create a script to restore the ruleset and put @reboot in cron to execute this script. This will work across all Linux versions.
