Tips and Examples

Unordered list of some tips and examples:

  • To drop traffic to or from banned networks or IP addresses, use IP sets in the raw table of netfilter, where packets can be dropped before they reach connection tracking.
  • If you want a fixed-size iphash type of set, define it with a zero-valued resize parameter:
    ipset -N foo iphash --resize 0
        
  • The probes parameter of the iphash type is a double-edged sword: setting it to a small number (1-3) optimizes for speed; setting it to a bigger number (4-8) optimizes for filling in the possible holes in the hash.
  • If you want to change a set without disturbing the existing iptables rules and bindings that refer to it, simply swap it with the new set:
    # Create the new set and add the entries to it
    ipset -N new-set ....
    ipset -A new-set ....
    ...
    # Define the bindings
    ipset -B new-set ....
    ...
    # Swap the old and new sets
    ipset -W old-set new-set
    # Get rid of the old set, whose contents are now under the name new-set
    ipset -X new-set
        
  • If you generate a saved session by script, don't forget the last line, which must contain 'COMMIT'.
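
An added example (not part of the ipset documentation) tying the first, second and last tips together: it generates a restore session for a fixed-size iphash set, checks that the session really ends with COMMIT before it would be fed to ipset -R, and prints the raw-table drop rules. The set name, hash size, probe count and addresses are constructed; the -N/-A session format and the --set match option are assumed to be those of the ipset generation this page describes (current iptables spells the match --match-set).

```shell
#!/bin/sh
# Constructed example: build an old-style ipset session (-N/-A lines ending
# in COMMIT) for a fixed-size iphash set and validate it before restoring.

# build_session NAME IP... : print a session that creates a fixed-size iphash
# set (resize 0, so the hash never grows) and adds each IP to it.
build_session() {
    name=$1; shift
    # hashsize and probes are constructed values; probes 4 leans towards
    # filling holes in the hash rather than raw lookup speed
    printf '%s %s iphash --hashsize 1024 --probes 4 --resize 0\n' -N "$name"
    for ip in "$@"; do
        printf '%s %s %s\n' -A "$name" "$ip"
    done
    printf 'COMMIT\n'    # the line a script-generated session most often lacks
}

# session_ok : read a session on stdin and succeed only if its last non-blank
# line is exactly COMMIT, i.e. the check to run before "ipset -R < session".
session_ok() {
    last=$(grep -v '^[[:space:]]*$' | tail -n 1)
    [ "$last" = "COMMIT" ]
}

# raw_drop_rules NAME : print the netfilter raw-table rules that drop packets
# whose source (incoming) or destination (outgoing) address is in the set.
raw_drop_rules() {
    name=$1
    printf 'iptables -t raw -A PREROUTING -m set --set %s src -j DROP\n' "$name"
    printf 'iptables -t raw -A OUTPUT -m set --set %s dst -j DROP\n' "$name"
}

# Demonstration with constructed addresses from the 192.0.2.0/24 documentation
# range; nothing here touches the kernel, it only produces text.
build_session banned 192.0.2.7 192.0.2.99
if build_session banned 192.0.2.7 192.0.2.99 | session_ok; then
    echo "# session ends with COMMIT, safe to feed to: ipset -R"
fi
raw_drop_rules banned
```

Pipe the generated session through session_ok as part of the generating script so a truncated output never reaches ipset -R.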