Advanced Firewall Configurations with ipset

Firewalls are crucial in ensuring network security by monitoring and controlling incoming and outgoing traffic based on predetermined security rules. For Linux systems, one powerful toolset that extends the capabilities of the Netfilter project is ipset. This guide will delve into how you can leverage ipset for more efficient and manageable firewall settings, which are especially beneficial for handling large sets of IP addresses and/or port numbers.

What is ipset?

ipset is a command-line based utility that allows you to manage, store, and quickly test IP addresses, networks, or port numbers. When integrated with iptables (the traditional Linux firewall component), ipset enhances its capability to handle multiple IP addresses and network connections more efficiently. This enables administrators to create concise, highly effective rules that can improve the overall performance of the firewall.

Benefits of Using ipset

  • Performance Efficiency: Deals with numerous network connections and IP addresses without a significant performance drop.
  • Dynamic Blocking/Allowing: Quickly update IP rules without rebooting the system or disrupting existing connections.
  • Scalability: Easily scale up your rulesets without complicating the management process.
  • Versatility: Utilize various match criteria like IP addresses, port numbers, and protocols.

Step-by-Step Configuration Guide

Step 1: Installing ipset

Before diving into configurations, make sure ipset it is installed on your system. For most Linux distributions, you can install it using the package manager:

For Debian/Ubuntu:

sudo apt-get install ipset

For CentOS/RHEL:

sudo yum install ipset
Step 2: Creating an ipset List

Start by creating an ipset list. This list will hold the IP addresses that you want to block or allow. For example, to create a list for blocking IP addresses:

sudo ipset create malicious_hosts hash:ip hashsize 4096

Here, hash:ip is the type of set, and hashsize is an optimization parameter that can be adjusted based on your specific needs.

Step 3: Adding IPs to the ipset List

Add IP addresses to your newly created set:

sudo ipset add malicious_hosts
sudo ipset add malicious_hosts

You can add multiple IPs or even ranges if required.

PS.: Change those IPs and with the IPs you want to block.

Step 4: Integrating ipset with iptables

To make use of the ipset list within iptables you need to link them via rules. Here’s how you can block all traffic from the IPs listed in malicious_hosts:

sudo iptables -I INPUT -m set --match-set malicious_hosts src -j DROP

This rule is inserted in the INPUT chain, and matches packets based on the source IP existing in the malicious_hosts set, and drops them accordingly.

Step 5: Saving and Restoring Rules

Rules created in ipset and iptables can be lost on reboot if you dont save them. To save them, use the following commands for Debian/Ubuntu systems:

sudo iptables-save > /etc/iptables/rules.v4
sudo ipset save > /etc/ipset.conf

To restore them on boot, include the restore commands in your startup scripts.

sudo ipset restore < /etc/ipset.conf
sudo iptables-restore < /etc/iptables/rules.v4
Step 6: Advanced Usage and Tips

Combining ipset with additional iptables features like rate limiting, logging, and layer 7 matching can create a robust security perimeter:

  • Rate Limiting: Use iptables alongside ipset to limit connection attempts or bandwidth usage.
  • Logging: Track blocked or flagged IP addresses through iptables logging.
  • Dynamic List Updates: Continuously update your ipset lists with new threat intelligence feeds without needing to flush existing connections.


ipset is a powerful companion for iptables, providing performance and manageability when handling large or complex sets of filtering rules. With its ability to efficiently manage group-based IP addresses and integrate seamlessly into existing firewall strategies, ipset is an outstanding tool for advanced Linux firewall configurations.

Always remember to test changes in a safe environment before applying new firewall rules to production systems. Happy securing!

Recent Articles

Related Stories

Stay on op - Ge the daily news in your inbox