Tips and Examples
Unordered list of some tips and examples:
- In order to drop traffic to or from banned networks or IP addresses,
use IP sets in the raw table of netfilter: the raw table is traversed
before connection tracking, so packets dropped there never allocate a
conntrack entry.
- If you want a fixed-size iphash set, define it with a zero-valued
resize parameter:
ipset -N foo iphash --resize 0
- The probes parameter of the iphash type is a double-edged sword:
by setting it to a small number (1-3), you optimize for speed;
by setting it to a bigger number (4-8), you optimize for filling
in the possible holes in the hash.
- If you want to replace the contents of a set without disturbing the
existing iptables rules and bindings that refer to it, build the new
set under a temporary name and swap it with the old one:
# Create the new set and add the entries to it
ipset -N new-set ....
ipset -A new-set ....
...
# Define the bindings
ipset -B new-set ....
...
# Swap the old and new sets
ipset -W old-set new-set
# Get rid of the old set, which now carries the name new-set
ipset -X new-set
- If you generate a saved session with a script, don't forget the
last line, which must contain 'COMMIT'.
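The following script is an added example and is not part of the ipset man page. It ties the tips above together: it builds a saved session for a fixed-size iphash set (--resize 0, --probes 8) from a constructed list of IPv4 addresses, always terminates it with the COMMIT line, and wraps the create/swap/destroy sequence so rules referencing the old set name never see a gap. The -N/-A/COMMIT session format and the -R, -W and -X options are those of the ipset 2.x syntax used on this page; the set name "banned", the input list, and the helper names are assumptions made for the example.

```bash
#!/bin/sh
# Added example: generate an ipset (2.x syntax) saved session and swap it
# in atomically. Set names, helper names and the input list are
# illustrative assumptions, not taken from the man page.

# is_ipv4 ADDR: return 0 if ADDR is a dotted quad with octets 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gen_session SETNAME < ips.txt
# Emits a session loadable with `ipset -R`: one -N line creating a
# fixed-size iphash set, one -A line per valid address, and the closing
# COMMIT line. Blank lines and '#' comments in the input are skipped;
# malformed entries are reported on stderr rather than written out.
gen_session() {
    set_name=$1
    # --resize 0 fixes the hash size; --probes 8 favours filling holes.
    printf '%s %s iphash --hashsize 1024 --probes 8 --resize 0\n' -N "$set_name"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:blank:]')
        [ -z "$line" ] && continue
        if is_ipv4 "$line"; then
            printf '%s %s %s\n' -A "$set_name" "$line"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
    printf 'COMMIT\n'
}

# swap_in OLDSET NEWSET < ips.txt
# Loads NEWSET from the generated session, swaps it under OLDSET's name,
# then destroys the old contents, which now carry the name NEWSET.
# Requires root and a kernel with the ip_set modules; not run by tests.
swap_in() {
    gen_session "$2" | ipset -R || return 1
    ipset -W "$1" "$2" || return 1
    ipset -X "$2"
}

# Constructed sample input for a stand-alone run:
#   printf '10.0.0.1\n# comment\n172.16.0.5\n' | gen_session banned
```

Any bindings (-B) the new set needs must be defined after gen_session loads it and before the -W swap, as in the procedure above; both sets must be of the same type for the swap to succeed.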