About
An IPset 1) is a set of IP or MAC addresses grouped together under a name.
You can use an IPset in every source with the ipset: prefix.
Example
Add source
--add-source=ipset:ipsetName
To make the new setting effective in the runtime environment, reload firewalld
List of IP v4
A IPset called white-list
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<short>white-list</short>
<entry>1.2.3.4</entry>
<entry>1.2.3.5</entry>
<entry>1.2.3.6</entry>
</ipset>
List of mac
List of mac address
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:mac">
<short>mac-list</short>
<entry>00:11:22:33:44:55</entry>
</ipset>
Properties
IpSet Type
The ipset-type defines the store. ie
- its file format type (hash, …) that has an impact on the execution time (linear or not)
- and the syntax of its content (ie IP or subnet that has an impact on its size)
The ipset type determine then the memory size of the set.
Syntax:
method:data_type
where:
- method is one of bitmap, hash, and list
- data type is:
- ip - one line, one ip
- net - one line, one subnet
- mac - one line, one mac
- port - one line, one port
- iface
See the details at Ipset netfilter)
firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
Family
IP addresses in an ipset must be either IPv4 or IPv6.
This is defined by the family setting of the ipset. It can be either:
- inet (the default)
- or inet6.
<ipset type="hash:net">
<option name="family" value="inet"/>
<entry>173.245.48.0/20</entry>
...
Command
Creation by file
You can create ipset at the command line or via gui but also via configuration files located at:
- /etc/firewalld/ipsets/*.xml (built-in)
- /usr/lib/firewalld/ipsets/yourIpSet.xml (custom)
Example from the cloudflare howto:
- to create the ipset named cloudflare-ipv4,
- you would put the file in /etc/firewalld/ipsets/cloudflare-ipv4.xml
- with the following content (and reload)
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<option name="family" value="inet"/>
<entry>173.245.48.0/20</entry>
<entry>103.21.244.0/22</entry>
<entry>103.22.200.0/22</entry>
<entry>103.31.4.0/22</entry>
<entry>141.101.64.0/18</entry>
<entry>108.162.192.0/18</entry>
<entry>190.93.240.0/20</entry>
<entry>188.114.96.0/20</entry>
<entry>197.234.240.0/22</entry>
<entry>198.41.128.0/17</entry>
<entry>162.158.0.0/15</entry>
<entry>172.64.0.0/13</entry>
<entry>131.0.72.0/22</entry>
<entry>143.176.206.82/32</entry>
<entry>104.16.0.0/13</entry>
<entry>104.24.0.0/14</entry>
</ipset>
List Ipset
firewall-cmd --permanent --get-ipsets
Test your ipset
ipset test ipsetName x.x.x.x
Example with a cloudflare subnet
ipset test cloudflare-ipv4 167.114.98.233
Add IpSet
- new for ipv4
firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net
- new for ipv6
firewall-cmd --permanent --new-ipset=ipSetName --type=hash:net --option=family=inet6
Delete IpSet
firewall-cmd --permanent --delete-ipset=ipSetName
Info IpSet
- info - entyr and option
firewall-cmd --permanent --info-ipset=ipSetName
# the option are the begining in case of a big list
firewall-cmd --permanent --info-ipset=ipSetName | head
# memory size
- With ipset
ipset -t list ipsetName
Name: nl
Type: hash:ip
Revision: 4
Header: family inet hashsize 32768 maxelem 65536
Size in memory: 1444728
References: 0
Number of entries: 65536
Add Entry Ipset
- add Entry manually
firewall-cmd --permanent --ipset=ipSetName --add-entry=192.168.0.1
- add entry from a file
# add
firewall-cmd --permanent --ipset=ipSetName --add-entries-from-file=iplist.txt
Remove Entry Ipset
- remove Entry manually
firewall-cmd --permanent --ipset=ipSetName --remove-entry=192.168.0.1
- remove entry from a file
# add
firewall-cmd --permanent --ipset=ipSetName --remove-entries-from-file=iplist.txt
Remove Ipset
firewall-cmd \
--permanent \
--ipset=ipSetName \
--remove-entries-from-file=iplist.txt