CentOS / RHEL: Install ipset Administration Tool For IP Sets and IPTables

Author: Last updated: December 10, 2012 3 comments
How do I install the ipset extension to Netfilter/iptables on Red Hat Enterprise Linux / CentOS Linux v6.x?

Tutorial details
DifficultyAdvanced (rss)
Root privilegesYes
RequirementsRHEL/CentOS 6.x
EPEL repo
TimeN/A
IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be administered by the ipset utility. Depending on the type, currently an IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC addresses in a way, which ensures lightning speed when matching an entry against a set. If you want to

ADVERTISEMENTS

  1. Store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
  2. Dynamically update iptables rules against IP addresses or ports without performance penalty;
  3. Express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets then ipset may be the proper tool for you.

Installation

First turn on EPEL repo and type the following yum command:
# yum install ipset
Sample outputs:

Loaded plugins: auto-update-debuginfo, protectbase, rhnplugin
0 packages excluded due to repository protections
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ipset.x86_64 0:6.11-1.el6 will be installed
--> Processing Dependency: libmnl.so.0(LIBMNL_1.0)(64bit) for package: ipset-6.11-1.el6.x86_64
--> Processing Dependency: libmnl.so.0()(64bit) for package: ipset-6.11-1.el6.x86_64
--> Running transaction check
---> Package libmnl.x86_64 0:1.0.3-4.el6 will be installed
--> Finished Dependency Resolution
 
Dependencies Resolved
 
===================================================================================
 Package       Arch          Version             Repository                   Size
===================================================================================
Installing:
 ipset         x86_64        6.11-1.el6          rhel-x86_64-server-6         61 k
Installing for dependencies:
 libmnl        x86_64        1.0.3-4.el6         epel                         22 k
 
Transaction Summary
===================================================================================
Install       2 Package(s)
 
Total download size: 82 k
Installed size: 46 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): ipset-6.11-1.el6.x86_64.rpm                          |  61 kB     00:00     
(2/2): libmnl-1.0.3-4.el6.x86_64.rpm                        |  22 kB     00:00     
-----------------------------------------------------------------------------------
Total                                              172 kB/s |  82 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : libmnl-1.0.3-4.el6.x86_64                                       1/2 
  Installing : ipset-6.11-1.el6.x86_64                                         2/2 
  Verifying  : libmnl-1.0.3-4.el6.x86_64                                       1/2 
  Verifying  : ipset-6.11-1.el6.x86_64                                         2/2 
 
Installed:
  ipset.x86_64 0:6.11-1.el6                                                        
 
Dependency Installed:
  libmnl.x86_64 0:1.0.3-4.el6                                                      
 
Complete!

Examples

Type the following commands:

 ## create ip set called badips (-N)    ##
## Uses a hash to  store IP  host  addresses or  network ## 
## addresses. Zero valued IP address cannot be stored    ##
## in a iphashtype of set. ##
ipset -N badips iphash
 
## add IP address ##
ipset -A badips 202.54.1.2
ipset -A badips 203.54.1.2
 
## drop all ip address stored in ipset called badips ##
iptables -A INPUT -m set --set badips src -j DROP

The recommended syntax is as follows:
# ipset create myblacklist hash:ip hashsize 4096
# iptables -A INPUT -m set --set myblacklist src -j DROP
Now, you can add IP address as follows:
# ipset add myblacklist 192.168.1.2
# ipset add myblacklist 202.54.1.1
# ipset add myblacklist 202.54.1.3
ipset has command has many more options. See man page for more details:
# man ipsets

🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
UP NEXT
CategoryList of Unix and Linux commands
File Managementcat
FirewallCentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
3 comments… add one
  • Jalal Hajigholamali Dec 11, 2012 @ 13:39

    Hi,

    Thanks a lot, very nice article..

    Reply Link
  • Raul Feb 28, 2014 @ 11:18

    Hello, I need a step by step tutorial about blocking countries with ipset on CentOS 6.
    Thank you.

    Reply Link
    • Jacques Mar 26, 2014 @ 8:24

      Raul, if you get that info, please let me know too. I use shorewall and would live to do exactly that.

      Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.

Next FAQ:

Previous FAQ: