What is and how to create an IpSet? (Firewalld/Iptables)

About

An IPset ¹⁾ is a set of IP or MAC addresses grouped together under a name.

You can use an IPset in every source with the ipset: prefix.

Example

Add source

--add-source=ipset:ipsetName

List of IP v4

A IPset called white-list

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <short>white-list</short>
  <entry>1.2.3.4</entry>
  <entry>1.2.3.5</entry>
  <entry>1.2.3.6</entry>
</ipset>

List of mac

List of mac address

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:mac">
  <short>mac-list</short>
  <entry>00:11:22:33:44:55</entry>
</ipset>

Properties

IpSet Type

The ipset-type defines the store. ie

• its file format type (hash, …) that has an impact on the execution time (linear or not)
• and the syntax of its content (ie IP or subnet that has an impact on its size)

The ipset type determine then the memory size of the set.

Syntax:

method:data_type

where:

• method is one of bitmap, hash, and list
• data type is:
  • ip - one line, one ip
  • net - one line, one subnet
  • mac - one line, one mac
  • port - one line, one port
  • iface

See the details at Ipset netfilter)

firewall-cmd --get-ipset-types

hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net

Family

IP addresses in an ipset must be either IPv4 or IPv6.

This is defined by the family setting of the ipset. It can be either:

• inet (the default)
• or inet6.

<ipset type="hash:net">
  <option name="family" value="inet"/>
  <entry>173.245.48.0/20</entry>
  ...

Command

Creation by file

You can create ipset at the command line or via gui but also via configuration files located at:

• /etc/firewalld/ipsets/*.xml (built-in)
• /usr/lib/firewalld/ipsets/yourIpSet.xml (custom)

Example from the cloudflare howto:

• to create the ipset named cloudflare-ipv4,
• you would put the file in /etc/firewalld/ipsets/cloudflare-ipv4.xml
• with the following content (and reload)

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <option name="family" value="inet"/>
  <entry>173.245.48.0/20</entry>
  <entry>103.21.244.0/22</entry>
  <entry>103.22.200.0/22</entry>
  <entry>103.31.4.0/22</entry>
  <entry>141.101.64.0/18</entry>
  <entry>108.162.192.0/18</entry>
  <entry>190.93.240.0/20</entry>
  <entry>188.114.96.0/20</entry>
  <entry>197.234.240.0/22</entry>
  <entry>198.41.128.0/17</entry>
  <entry>162.158.0.0/15</entry>
  <entry>172.64.0.0/13</entry>
  <entry>131.0.72.0/22</entry>
  <entry>143.176.206.82/32</entry>
  <entry>104.16.0.0/13</entry>
  <entry>104.24.0.0/14</entry>
</ipset>

List Ipset

firewall-cmd --permanent --get-ipsets

Test your ipset

ipset test ipsetName x.x.x.x

Example with a cloudflare subnet

ipset test cloudflare-ipv4 167.114.98.233

Add IpSet

• new for ipv4

firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net

• new for ipv6

firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net --option=family=inet6

Delete IpSet

firewall-cmd --permanent --delete-ipset=ipSetName

Info IpSet

• info - entyr and option

firewall-cmd --permanent --info-ipset=ipSetName
# the option are the begining in case of a big list
firewall-cmd --permanent --info-ipset=ipSetName | head
# memory size

• With ipset

ipset -t list ipsetName

Name: nl
Type: hash:ip
Revision: 4
Header: family inet hashsize 32768 maxelem 65536
Size in memory: 1444728
References: 0
Number of entries: 65536

Add Entry Ipset

• add Entry manually

firewall-cmd --permanent --ipset=ipSetName --add-entry=192.168.0.1

• add entry from a file

# add
firewall-cmd --permanent --ipset=ipSetName --add-entries-from-file=iplist.txt

Remove Entry Ipset

• remove Entry manually

firewall-cmd --permanent --ipset=ipSetName --remove-entry=192.168.0.1

• remove entry from a file

# add
firewall-cmd --permanent --ipset=ipSetName --remove-entries-from-file=iplist.txt

Remove Ipset

firewall-cmd \
    --permanent \
    --ipset=ipSetName \
    --remove-entries-from-file=iplist.txt