Previously we learned how we can restrict or allow a particular country using GeoIP but in this article, we'll cover how we can block large IP ranges using ipset module with iptables. IPset is a command line based utility which is used to administer the framework called IP sets inside the Linux kernel. An IP set may store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way, which ensures lightning speed when matching an entry against a set. It is an associative application for the iptables Linux firewall which allows us to setup rules quickly and easily to block a set of IP addresses. Here, we'll see how we can use ipset module with iptables to block a large ranges of IP addresses in our linux based machine.
Updating our system
First of all, we'll need to upgrade our packages in our linux machine so that we have our software packages upto-date. In order to upgrade our system, we'll need to make sure that we're running as sudo or root user. In order to switch to sudo or root access, we'll run the following command.
$ sudo -s
Once we're in root, we'll now move ahead for updating and upgrading our system.
Debian based system
# apt update && apt upgrade
Redhat based system
# yum update
Most linux distributions like Ubuntu, Debian come with ipset preinstalled these days. But some distributions like Centos doesn't have preinstalled so, we'll need to install on them. We can install it by running the following command depending on the distribution you are running.
Debian based system
# apt install ipset
Redhat based system
# yum install ipset
Creating IP sets
Now, as we have ipset installed in our machine, we'll now move ahead for creating the IP sets. Here we'll need to create an ipset which contains the network subnets we're willing to block or restrict. So, first we'll need to get the list of the network subnets we're willing to add into the ip sets. In order to get the latest network subnets we'll use one of the most popular site Country IP Blocks and we can get the lists of the subnets from the Country Selection page of the site. Here, we've selected few network subnets of China for testing purpose.
220.127.116.11/24 18.104.22.168/23 22.214.171.124/21 126.96.36.199/19 188.8.131.52/24 184.108.40.206/23 220.127.116.11/23 18.104.22.168/15 22.214.171.124/29 126.96.36.199/30 188.8.131.52/29
Here's a sample of network subnets that we'll be blocking in this article but in real world, we'll have a huge numbers of subnets. So, we'll use any scripting/programming language and generate the list of command as follows.
# ipset create countryblock nethash # ipset add countryblock 184.108.40.206/24 # ipset add countryblock 220.127.116.11/23 # ipset add countryblock 18.104.22.168/21 # ipset add countryblock 22.214.171.124/24 # ipset add countryblock 126.96.36.199/23 # ipset add countryblock 188.8.131.52/23 # ipset add countryblock 184.108.40.206/15 # ipset add countryblock 220.127.116.11/29 # ipset add countryblock 18.104.22.168/30 # ipset add countryblock 22.214.171.124/29
Applying the IP set
Now, as our ip sets are ready, we'll now apply those ip sets to get blocked using ipset module with iptables.
# iptables -A INPUT -m set --match-set countryblock src -j DROP
The above command blocks the traffics originating from ip ranges defined by the subnets in the above generated set called countryblock. So, all the IPs listed there will be blocked.
Applying the rules permanently
If we are ready testing our configurations and rules, we may wanna make the changes persistent so that the rules gets applied in every reboot. In order to do so, we'll need to run the following commands respective to our firewall controller.
On Debian based system
# ipset save > /etc/ipset.up.rules # iptables-save > /etc/iptables/rules.v4
Once we run the above comand to save the rules, we'll now make the rules loaded in each reboot by adding the following lines in /etc/rc.local .
ipset restore < /etc/ipset.up.rules iptables-restore < /etc/iptables/rules.v4
On RHEL based system
#ipset save > /etc/ipset.up.rules # iptables-save > /etc/sysconfig/iptables
Once we save the rules of both ipset and iptables, we'll now add the restore commands similarly as we did for Debian. We'll just add the following commands inside /etc/rc.local file.
ipset restore < /etc/ipset.up.rules iptables-restore < /etc/sysconfig/iptables
In this way, we can block certain blocks of ips using ipset module with iptables. We can create ip sets of different countries so that we can apply them according to the need. This kinda method are highly efficient when we need to block a certain traffic originating from a specific country or region but allow the IP ranges that we need. There are plenty of firewall and iptables modules for these but it is pretty easy, fast and handy to use. So, if you have any questions, suggestions, feedback please write them in the comment box below. Thank you ! Enjoy :-)