Instead of adding each IP address that needs to be blocked as an individual IPTables rule, it is easier to maintain a single blacklist with IPSet and reference that set from one IPTables rule. Membership of the set can then be changed at runtime without touching the firewall rules.
Install IPSet
```sh
sudo apt-get install ipset
```
Create the blacklist set (type hash:ip holds single IPv4 addresses)

```sh
sudo ipset create blacklist hash:ip hashsize 4096
```
Tell IPTables to drop traffic whose source address is in the newly created set

```sh
sudo iptables -I INPUT -m set --match-set blacklist src -j DROP
sudo iptables -I FORWARD -m set --match-set blacklist src -j DROP
```
Add an IP to the list to test
```sh
sudo ipset add blacklist 192.168.10.10
```
Output the list
```sh
sudo ipset list blacklist
```
Expected output
```
Name: blacklist
Type: hash:ip
Revision: 2
Header: family inet hashsize 4096 maxelem 65536
Size in memory: 65672
References: 2
Members:
192.168.10.10
```
Make the ipset rules permanent by saving the set to a config file

```sh
sudo sh -c "ipset save > /etc/ipset.conf"
```
Ensure the set is restored on reboot by adding the following to /etc/rc.local (the file must be executable, and on newer systemd-based distributions rc.local may not run at all, so confirm the mechanism is active on your system). The set must exist before any iptables rule that references it is loaded, so restore the set before restoring the firewall rules; the iptables rules themselves are not persisted by this step and need to be saved separately (for example with iptables-save).

```sh
# Restore ipset rules
ipset restore < /etc/ipset.conf
```
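The steps above can be wrapped into a small script that builds the restore file from a plain list of addresses and applies it idempotently, so that running it again at boot or after editing the list does not create duplicate rules. The following is an added example written for this page, not part of the original post: it assumes a hypothetical input file with one IPv4 address per line (blank lines and `#` comments ignored), validates each entry so that a malformed line cannot break `ipset restore`, emits the same `create`/`add` format that `ipset save` produces, and uses `ipset restore -exist` plus `iptables -C` so that re-applying is safe. The `apply_blacklist` function needs root and the ipset/iptables binaries; the other functions run anywhere.

```sh
#!/bin/sh
# Added example (not the original post's code): maintain an ipset blacklist from a text file.
# Assumptions: input file has one IPv4 address per line; '#' starts a comment.

SET_NAME="blacklist"

# Return 0 if $1 is a syntactically valid dotted-quad IPv4 address (four octets, each 0-255).
is_ipv4() {
    case "$1" in
        ""|.*|*.|*..*|*[!0-9.]*) return 1 ;;   # empty, leading/trailing/double dot, non-digit
    esac
    _ifs=$IFS
    IFS=.
    set -- $1                                  # split on dots into positional parameters
    IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _oct in "$@"; do
        [ "$_oct" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print a restore file in the format `ipset save` produces (create line, then one add per IP).
# $1: path to the address list. Invalid entries are reported on stderr and skipped.
build_restore_file() {
    _file=$1
    printf 'create %s hash:ip family inet hashsize 4096 maxelem 65536\n' "$SET_NAME"
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                     # strip trailing comment
        set -- $_line                          # trim surrounding whitespace
        [ $# -eq 0 ] && continue               # blank or comment-only line
        if is_ipv4 "$1"; then
            printf 'add %s %s\n' "$SET_NAME" "$1"
        else
            printf 'skipping invalid entry: %s\n' "$1" >&2
        fi
    done < "$_file"
}

# Count the members a restore file would load (what `ipset list` shows under Members).
count_members() {
    grep -c "^add $SET_NAME " "$1" || true
}

# Load the restore file and make sure each chain has the DROP rule exactly once (needs root).
# -exist makes restore tolerate a set/entries that already exist; -C checks for the rule first.
apply_blacklist() {
    ipset restore -exist < "$1"
    for _chain in INPUT FORWARD; do
        iptables -C "$_chain" -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
            || iptables -I "$_chain" -m set --match-set "$SET_NAME" src -j DROP
    done
}

# Stand-alone use: sh blacklist.sh ips.txt > /etc/ipset.conf
if [ $# -ge 1 ]; then
    build_restore_file "$1"
fi
```

Generating /etc/ipset.conf from a reviewed list of addresses, rather than hand-editing the saved file, keeps the blocklist under version control and makes it easy to see what was blocked and when; `count_members` is a cheap sanity check to run before restoring the file on a host.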