Edit: As of 10 May 2012 this package is no longer needed.
I started using ipset to block a list of known malicious IP addresses. I was disappointed to find out that:
A) There is hardly any current information on the Internet about how to use the current version of ipset. I decided to start a page in the Arch Wiki for it. Also, the ipset man page is quite good.
B) There doesn't seem to be a standard way to store my ipset settings and load them at startup.
So, I created a super tiny weeny little package called ipset-init. It's designed to match nicely with the iptables configuration.
To use it, configure ipset how you'd like it, then call:
/etc/rc.d/ipset save
To load your configuration at startup, add "ipset" to your DAEMONS array, just before "iptables". That way, the sets you loaded with ipset can be loaded with iptables.
Please let me know if you have any suggestions for it.
Yes, I understand that there's more text in this post than there is in the actual package.
Last edited by drcouzelis (2012-05-11 00:36:09)
Interesting. Your package may entice me to come back from using ufw.
Update: This package is no longer needed. It's now part of the official "ipset" package.
MOVIN ON UPSTREAM AWWW YEAH
ipset has been around for a while and I'm surprised how slowly it has been adopted... It solves some simple problems in a simple way.
fail2ban with a custom action script, combined with some dumb rules in iptables makes for an easily managed blacklist:
-A INPUT -p tcp -m tcp --dport 23 -j SET --add-set blacklist src
-A INPUT -p tcp -m tcp --dport 1433 -j SET --add-set blacklist src
-A INPUT -p tcp -m tcp --dport 3306 -j SET --add-set blacklist src
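Added example, not written by any poster in this thread: one way to turn a plain-text list of known-bad addresses into input for `ipset restore`, using the set name `blacklist` from the rules quoted above. The function names `is_ipv4`, `restore_from_list` and `sample_list` are hypothetical, and the sample addresses are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example: convert a text list of IPv4 addresses into `ipset restore` input.
# The set name "blacklist" is the one used in the iptables rules quoted above.

# is_ipv4 ADDR: succeed only for a dotted quad, octets 0..255, no leading zeros.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# restore_from_list [SETNAME]: read the list on stdin, print restore commands.
# Comments and blank lines are skipped, duplicates are collapsed, and any
# entry that is not a plain IPv4 address is reported on stderr and dropped.
restore_from_list() {
    set_name=${1:-blacklist}
    printf 'create %s hash:ip family inet\n' "$set_name"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | LC_ALL=C sort -u |
    while IFS= read -r addr; do
        if is_ipv4 "$addr"; then
            printf 'add %s %s\n' "$set_name" "$addr"
        else
            printf 'skipped invalid entry: %s\n' "$addr" >&2
        fi
    done
}

# Constructed sample list (documentation address ranges, not real indicators).
sample_list() {
    cat <<'EOF'
# known-bad hosts
192.0.2.10
198.51.100.7   # scanner
192.0.2.10
203.0.113.999
example.org
010.0.0.1
EOF
}

sample_list | restore_from_list blacklist
```

Piping the output into `ipset -exist restore` as root loads the set, and `-exist` keeps a re-run from failing when the set or an entry is already present. Rejecting malformed lines before they reach `ipset restore` matters because a single bad line aborts the restore.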