What is and how to create an IpSet? (Firewalld/Iptables)

About

An IPset 1) is a set of IP or MAC addresses grouped together under a name.

You can use an IPset in every source with the ipset: prefix.

Example

Add source

--add-source=ipset:ipsetName

To make the new setting effective in the runtime environment, reload firewalld

List of IP v4

A IPset called white-list

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <short>white-list</short>
  <entry>1.2.3.4</entry>
  <entry>1.2.3.5</entry>
  <entry>1.2.3.6</entry>
</ipset>

List of mac

List of mac address

<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:mac">
  <short>mac-list</short>
  <entry>00:11:22:33:44:55</entry>
</ipset>

Properties

IpSet Type

The ipset-type defines the store. ie

  • its file format type (hash, …) that has an impact on the execution time (linear or not)
  • and the syntax of its content (ie IP or subnet that has an impact on its size)

The ipset type determine then the memory size of the set.

Syntax:

method:data_type

where:

  • method is one of bitmap, hash, and list
  • data type is:
    • ip - one line, one ip
    • net - one line, one subnet
    • mac - one line, one mac
    • port - one line, one port
    • iface

See the details at Ipset netfilter)

firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net

Family

IP addresses in an ipset must be either IPv4 or IPv6.

This is defined by the family setting of the ipset. It can be either:

  • inet (the default)
  • or inet6.
<ipset type="hash:net">
  <option name="family" value="inet"/>
  <entry>173.245.48.0/20</entry>
  ...

Command

Creation by file

You can create ipset at the command line or via gui but also via configuration files located at:

  • /etc/firewalld/ipsets/*.xml (built-in)
  • /usr/lib/firewalld/ipsets/yourIpSet.xml (custom)

Example from the cloudflare howto:

  • to create the ipset named cloudflare-ipv4,
  • you would put the file in /etc/firewalld/ipsets/cloudflare-ipv4.xml
  • with the following content (and reload)
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
  <option name="family" value="inet"/>
  <entry>173.245.48.0/20</entry>
  <entry>103.21.244.0/22</entry>
  <entry>103.22.200.0/22</entry>
  <entry>103.31.4.0/22</entry>
  <entry>141.101.64.0/18</entry>
  <entry>108.162.192.0/18</entry>
  <entry>190.93.240.0/20</entry>
  <entry>188.114.96.0/20</entry>
  <entry>197.234.240.0/22</entry>
  <entry>198.41.128.0/17</entry>
  <entry>162.158.0.0/15</entry>
  <entry>172.64.0.0/13</entry>
  <entry>131.0.72.0/22</entry>
  <entry>143.176.206.82/32</entry>
  <entry>104.16.0.0/13</entry>
  <entry>104.24.0.0/14</entry>
</ipset>

List Ipset

firewall-cmd --permanent --get-ipsets

Test your ipset

ipset test ipsetName x.x.x.x

Example with a cloudflare subnet

ipset test cloudflare-ipv4 167.114.98.233

Add IpSet

  • new for ipv4
firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net
  • new for ipv6
firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net --option=family=inet6

Delete IpSet

firewall-cmd --permanent --delete-ipset=ipSetName

Info IpSet

  • info - entyr and option
firewall-cmd --permanent --info-ipset=ipSetName
# the option are the begining in case of a big list
firewall-cmd --permanent --info-ipset=ipSetName | head
# memory size
  • With ipset
ipset -t list ipsetName
Name: nl
Type: hash:ip
Revision: 4
Header: family inet hashsize 32768 maxelem 65536
Size in memory: 1444728
References: 0
Number of entries: 65536

Add Entry Ipset

  • add Entry manually
firewall-cmd --permanent --ipset=ipSetName --add-entry=192.168.0.1
  • add entry from a file
# add
firewall-cmd --permanent --ipset=ipSetName --add-entries-from-file=iplist.txt

Remove Entry Ipset

  • remove Entry manually
firewall-cmd --permanent --ipset=ipSetName --remove-entry=192.168.0.1
  • remove entry from a file
# add
firewall-cmd --permanent --ipset=ipSetName --remove-entries-from-file=iplist.txt

Remove Ipset

firewall-cmd \
    --permanent \
    --ipset=ipSetName \
    --remove-entries-from-file=iplist.txt





Discover More
Firewalld

Cheatsheet on the usage of Firewalld
Chrome Site Cant Be Reached
How to allow only the HTTP traffic from a subnet such as Cloudflare with Firewalld?

This article is a step by step that shows you how to configure the firewall Firewalld to allow the network packet traffic from a subnet such as Cloudflare
Source

This page is the source definition of traffic in a firewalld zone. The source value can be seen in the zone options Is an optional empty-element tag and can be used several times. It's used to...



Share this page:
Follow us:
Task Runner