Ipset

Introduction
Ipset is a useful tool for managing blacklists and whitelists of IP addresses for the Linux kernel firewall. A list of IP addresses (or a "set", as it is called in the documentation) can be created, managed and destroyed with the ipset tool. The sets can then be used together with iptables to control network access.

Installation
Installation is naturally done using emerge:

To be able to use ipset you also need to make sure you have enabled the kernel support:

Getting Started
There are different kinds of sets that can be used. In these examples hash:net is used since it is easy to use and understand. For details about other kinds of sets, the ipset man-page is a good read.

Creating a Set
Creating a new set is easy, to create a new set called "badguys" just do the following:

Adding Addresses
The set is little more than useless unless it also contains some addresses:

Since we are using the hash:net set we can also add entire networks using network prefixes:

Applying iptables Rules
To actually use this as a blocklist, find a suitable position in your iptables ruleset and then add a rule like so:

The match-set argument requires two parameters: the first is the name of the set and the second is "src", "dst" or "src,dst", depending on whether you want to match the source address, the destination address or both. The last option is useful if the rule is added to a chain that filters both incoming and outgoing traffic.

Saving Sets
Much like the rules in iptables, the sets are only present until system shutdown, so there is a need to save the ipset state. Unlike iptables there is no separate command for doing this; instead you use the "save" and "restore" arguments, which write the state to stdout (save) or read it back from stdin (restore).

Removing Addresses and Sets
To remove addresses from sets you can use the arguments "del", "flush" or "destroy":

The del argument removes a single entry from a set, flush removes all entries from sets and destroy removes the sets themselves (and of course all entries in them). Both flush and destroy take one optional argument that tells the command to act on one specific set only. Without the optional argument they will act on all sets, so be careful! A set that is referred to by an iptables rule cannot be destroyed, but it can still be flushed.

Listing Sets
Available sets can be listed in three different ways:

The first only lists the set names, the second lists more information about the sets themselves (such as type, size and number of iptables references). The third lists the same information as the second, plus all entries in the sets.

To test whether an IP address or range is present in a set, there is also a "test" argument:

Blocklist files
One of the nice features of BSD's packet filtering system is that you can simply specify a file that contains a list of addresses to block (or use for whatever other action you need). In Linux things are not quite as simple, but the use case is still there, and with some scripting it is not very difficult to achieve something similar. The following shell script reads a text file with IP addresses and creates or updates a set. Please note that this script is written as an example and should not be used without fully understanding all potential security issues.
update_blocklist.sh
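As an added example (not the wiki's own update_blocklist.sh), the script below assumes a list file with one IPv4 address or CIDR network per line and "#" comments. Instead of calling ipset once per entry, it emits an "ipset restore" session that fills a temporary set and swaps it with the live set, so iptables rules referencing the set never see a half-loaded list; pipe the output into "ipset restore -exist".

```shell
#!/bin/sh
# update_blocklist.sh (added example, not the wiki's script): turn a text file
# of IPv4 addresses/networks into an "ipset restore" session that atomically
# replaces the contents of a hash:net set.
# Usage: sh update_blocklist.sh badguys /etc/ipset.d/badguys.txt | ipset restore -exist
# Assumed file format: one address or CIDR per line, '#' comments, blank lines.

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix; anything
# else is reported on stderr and skipped, so a stray line cannot break the restore.
valid_entry() {
    printf '%s\n' "$1" | grep -Eq \
      '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print the restore session for set $1 built from file $2.
# Entries go into a temporary set that is then swapped with the live set.
build_restore_session() {
    set_name=$1
    list_file=$2
    tmp_set="${set_name}_tmp"
    printf 'create %s hash:net\n' "$set_name"   # no-op with "restore -exist"
    printf 'create %s hash:net\n' "$tmp_set"
    printf 'flush %s\n' "$tmp_set"              # clear leftovers from an aborted run
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                            # strip trailing comments
        entry=$(printf '%s' "$entry" | tr -d ' \t')  # and surrounding whitespace
        [ -z "$entry" ] && continue
        if valid_entry "$entry"; then
            printf 'add %s %s\n' "$tmp_set" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$list_file"
    printf 'swap %s %s\n' "$tmp_set" "$set_name"  # atomic switch to the new list
    printf 'destroy %s\n' "$tmp_set"
}

# When invoked with a set name and a file, emit the session for them.
if [ "$#" -eq 2 ]; then
    build_restore_session "$1" "$2"
fi
```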