wiki.ipfire.org

The community-maintained documentation platform of IPFire

User Tools

Site Tools


configuration:firewall:ipset

IPset

IP Sets” allow for optimised use of complex sets of filters used with the IPTables firewall. There are many types of sets available which provide various options to configure and extend IPTables. It is possible to store large quantities of IP addresses (IPv4 and IPv6), TCP/UDP port numbers, IP and MAC address pairs and IP address and port number pairs in an efficient way.

IP Sets can significantly improve the performance of the IPTables software so that it remains responsive even when several thousand entries are present.

The ipset utility is used to create, change and display “IP sets” which are a framework inside the Linux kernel.

Installation

IPset is included in IPFire Core Update 95 and newer.

If you are using an older version (you really should update for security reasons!) check that the appropriate kernel module has been loaded:

lsmod | grep ip_set

If no output is displayed, you should manually load the kernel module by running:

modprobe ip_set

Features

IP sets deliver different types of set structures which includes:

Types Explanation Example
bitmap:ip uses a memory range, where each bit represents one IP address and can store up to 65535 (B-class network) entries. ipset add set1 192.168.0.1
bitmap:ip,mac uses a memory range, where each 8 bytes represents one IP and a MAC addresses. A bitmap:ip,mac set type can store up to 65535 (B-class network) IP addresses with MAC. Only source MAC ipset add set2 192.168.1.1,00:01:23:45:67:89
bitmap:port uses a memory range, where each bit represents one TCP/UDP port. A bitmap:port type of set can store up to 65535 ports. ipset add set3 22
hash:ip uses a hash to store IP addresses where clashing is resolved by storing the clashing elements in an array and, as a last resort, by dynamically growing the hash. Same size network addresses can be stored in an hash:ip type of set as well. ipset add set4 10.0.1.1
hash:net uses a hash to store CIDR netblocks, which may be of different sizes. The same techique is used to avoid clashes as at the hash:ip set type. ipset add set5 192.168.1.0/24
hash:ip,port is similar to hash:ip but you can store IP address and protocol-port pairs in it. TCP, SCTP, UDP, UDPLITE, ICMP and ICMPv6 are supported with port numbers/ICMP(v6) types and other protocol numbers without port information. ipset add set6 192.168.1.1,icmp:ping
hash:ip,port,ip can store IP address, port number, and IP address triples in an hash:ip,port,ip type of set. ipset add set7 192.168.0.1,22,10.0.1.1
hash:ip,port,net can store IP address, port number and network address triples in this kind of set. ipset add set8 192.168.0.1,22,10.0.1.0/24
hash:net,port type supports to store network address and port number pairs. ipset add set9 192.168.1.0/24,tcp:443
hash:net,iface can store network address and interface name pairs. ipset add set10 192.168.1.0/24,red0
list:set a list:set kind can store other sets. It is like an ordered union of different sets. ipset add set1 set3 set5

How it works

Since IPset do not deliver a configure possibility over the web interface the whole configuration needs to be done over the console/ssh. The first step should be to create an appropriate set with the above listed types of sets. As an example for an network addresses set which stores CIDR notated addresses the following example can be used:

ipset create newset hash:net

the new created set can now be filled with network addresses in CIDR format.

ipset add newset 12.23.34.45/16
ipset add newset 23.34.45.56/12
ipset add newset 34.45.56.67/15

the next step to activates the set also in the firewall is to create an appropriate rule in IPTables.

As the IPFire web user interface for IPTables currently does not allow configuration of IP sets, you must add rules manually.

To make the firewall rules persistent, the usage of the firewall.local is advised. As an example that the above added network addresses should be blocked for INPUT (if services are provided), FORWARD (direct client access are prevented {no proxy}) and OUTPUT (IPFire itself) as a source or destination for all ports and all protocols, the following rules can be used. In start) section:

    ## add your 'start' rules here
    # IPSET FW entries in start
    # IPSET add rules for CIDR list
    /sbin/iptables -I CUSTOMFORWARD -m set --match-set newset dst -j REJECT
    /sbin/iptables -I CUSTOMINPUT -m set --match-set newset src -j REJECT
    /sbin/iptables -I CUSTOMOUTPUT -m set --match-set newset dst -j REJECT

in stop) section

    ## add your 'stop' rules here
    # IPSET flushing related chains
    /sbin/iptable -F CUSTOMFORWARD
    /sbin/iptable -F CUSTOMINPUT
    /sbin/iptable -F CUSTOMOUTPUT

there is also the possibility to define the addresses from the set as source but also as destination by commata separation 'dst,src' in the IPTable rules.

Dont forget to restart the firewall after editing with an

/etc/sysconfig/firewall.local reload

If you want to refresh the IP sets, you need to deactivate the IPTable rules before otherwise you will run into an error but also to flush the sets which needs to be changed is important (explanation can be found at the “Commands” section at the bottom).

Save and restore your configuration

There is the need to save the configuration manually otherwise your configuration will get lost after an reboot. IPset have his own configuration directory which can be found under /etc/ipset, so it might be a good idea to store your sets configuration in there which can be done by an

ipset save > /etc/ipset/ipset.conf

after a reboot the ipset.conf needs to be reactivated which can be done over a command placed for example into /etc/sysconfig/rc.local . The command looks in conjunction to the above handled IPset configuration directory like this:

ipset restore < /etc/ipset/ipset.conf

this will bring your whole configuration back.

Commands

There are several commands to control IPset but to list and explain all of them in detail here would sprinkle the frame, so only some major commands will be listed with a little explanation, for further infos please rever to the “Additional infos” links at the bottom.

ipset --flush {SETname}		        # empties a defined chain
ipset destroy {SETname}		        # deletes a defined chain
ipset destroy				# deletes all chains
ipset save > /etc/ipset/ipset.conf	# save chains to survive a reboot
ipset -n list				# shows all existing sets
ipset -t list				# show further infos and sets
ipset list				# lists all sets with further infos
ipset save > /tmp/ipsetbck		# makes a bakup also in other directories
ipset restore < /tmp/ipsetbck		# restores the backup
ipset -W old-set new-set		# renames the sets and copy content from old to new set

There is a lot more of informations which should not be documented in here but there are good further knowledge findable in the internet regarding to this topic. Some sources are listed in the next section.

Additional infos

configuration/firewall/ipset.txt · Last modified: 2018/09/23 21:43 by Jon