IPSET of Linux

Wolf

When dealing with network attacks, blocking IP addresses with iptables is a common and simple approach. Sometimes tens of thousands of IPs have to be blocked, and adding tens of thousands of individual rules greatly degrades the server's performance. ipset was created to solve this problem.

Background

IP sets are a framework inside the Linux kernel, which can be administered by the ipset utility. Depending on the type, an IP set may store IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, interface names or combinations of them in a way, which ensures lightning speed when matching an entry against a set.

If you want to

  • store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
  • dynamically update iptables rules against IP addresses or ports without performance penalty;
  • express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets

then ipset may be the proper tool for you.

Install

In Debian:

:~$ sudo apt-get install ipset

Create IPSET Rules

  • Create a set of IPs
    :~$ ipset create test hash:ip
    :~$ ipset add test 114.114.114.114
    :~$ ipset add test 8.8.8.8
    :~$ ipset add test 1.1.1.1
    :~$ ipset add test 2.2.2.2
    :~$ ipset add test 3.3.3.3
  • Create a set of networks
    :~$ ipset create test hash:net
    :~$ ipset add test 224.0.0.0/4
    :~$ ipset add test 192.168.1.0/24

Set names must be unique, so the second create fails if the hash:ip set named test still exists; destroy it first with ipset destroy test, or use a different name.

Use IPset

:~$ iptables -I INPUT --match set --match-set test src --jump DROP

If a packet's source IP belongs to the set test, the packet is dropped.
The set match module of iptables (--match set) is what lets a rule reference an ipset.
src matches the source address of a packet, and dst matches the destination address.

Add comment

:~$ ipset create test hash:ip comment
:~$ ipset add test 1.1.1.1 comment "Black IP"
:~$ ipset list test
Name: test
Type: hash:ip
Revision: 0
Header: hashsize 1024 maxelem 65536 comment
Size in memory: 2619
References: 3
Number of entries: 14
Members:
1.1.1.1 comment "Black IP"
...

Add counter

:~$ ipset create test hash:ip comment counters
:~$ ipset add test 1.1.1.1 comment "Black IP"
:~$ ipset list test
Name: test
Type: hash:ip
Revision: 0
Header: hashsize 1024 maxelem 65536 counters comment
Size in memory: 2619
References: 3
Number of entries: 14
Members:
1.1.1.1 packets 0 bytes 0 comment "Black IP"
...

Save and Restore IPSet Rules

:~$ ipset save -f blacklist
:~$ ipset restore -f blacklist

Example

If there are 10,000 IP addresses to be blocked, with iptables alone we would have to add one rule per address:

iptables -I INPUT --source 1.1.1.1 --jump DROP
iptables -I INPUT --source 2.2.2.2 --jump DROP
iptables -I INPUT --source 3.3.3.3 --jump DROP
iptables -I INPUT --source 4.4.4.4 --jump DROP
...
...

iptables evaluates rules in order, so in the worst case every packet is compared against all 10,000 rules before a decision is made. The cost is linear in the number of rules, O(n) with n = 10,000 here, which seriously degrades the performance of iptables.

Now we use ipset to match these 10,000 IP addresses.

ipset create test hash:ip
ipset add test 1.1.1.1
ipset add test 2.2.2.2
ipset add test 3.3.3.3
ipset add test 4.4.4.4
...
...
iptables -I INPUT --match set --match-set test src --jump DROP

Now only one iptables rule is needed. The source IP is read once and looked up in the hash table of the IP set, so the match costs O(1) on average regardless of how many addresses are in the set. It can be seen that the performance of iptables is greatly improved.
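The following script is an added example, not code from the original post. It turns a plain-text blocklist into an ipset restore file (the same format ipset save produces), validating each entry so that a malformed line cannot abort the whole restore, and then attaches the set to INPUT with a single DROP rule. The set name blacklist, the file name blocklist.ipset, and the sample addresses are constructed for the example; the set is created as hash:net so that single addresses and CIDR blocks can live in the same set, with counters enabled so that ipset list shows which entries are actually hit.

```shell
#!/bin/sh
# Added example (not from the original post): build an `ipset restore` file from a
# plain-text blocklist and attach the resulting set with one iptables rule.
# Assumed names: set "blacklist", output file "blocklist.ipset".

# Constructed sample blocklist (not real threat data): one entry per line,
# '#' comments and blank lines allowed, one deliberately malformed entry.
SAMPLE_BLOCKLIST='# constructed sample
1.1.1.1
2.2.2.2        # trailing comments are stripped
192.168.1.0/24
not-an-ip
8.8.8.8
'

# is_ipv4_entry ADDR[/PREFIX]: succeed only for a dotted quad with an optional /0-32.
is_ipv4_entry() {
    printf '%s\n' "$1" | awk -F'/' '
    {
        if (NF > 2) exit 1
        n = split($1, o, ".")
        if (n != 4) exit 1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
        if (NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32)) exit 1
        exit 0
    }'
}

# build_restore_file SETNAME < blocklist: print restore lines on stdout.
# hash:net accepts both single addresses and CIDR blocks; counters make
# `ipset list` show per-entry packet and byte hits.
build_restore_file() {
    set_name=$1
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536 counters\n' "$set_name"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                              # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        if is_ipv4_entry "$entry"; then
            printf 'add %s %s\n' "$set_name" "$entry"
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
        fi
    done
}

# apply_blocklist SETNAME FILE: load the set and attach a single DROP rule (needs root).
# -exist lets the file be re-applied when the set or entries already exist;
# iptables -C checks for an identical rule so repeated runs do not stack duplicates.
apply_blocklist() {
    set_name=$1
    file=$2
    ipset -exist restore -f "$file"
    iptables -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$set_name" src -j DROP
}

# Demo (no root needed): generate blocklist.ipset from the constructed sample.
# Applying it is a separate, privileged step: apply_blocklist blacklist blocklist.ipset
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_BLOCKLIST" | build_restore_file blacklist > blocklist.ipset
    cat blocklist.ipset
fi
```

Run it with --demo to see the generated file; the malformed line is reported on stderr and left out, so the restore is never aborted half way, and a set that was loaded earlier is simply updated in place because of -exist. Regenerating the file from the blocklist and re-running apply_blocklist is therefore safe as a periodic job.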
