Comments on: Iptables Block IP

By: admin

admin — Wed, 21 Jun 2017 05:39:37 +0000

In reply to Mahon. You can download the file (CDIR output format) and add all IPs to the blacklist:

while read IP; do
    ipset add my-blacklist $IP
done < CDIR_FILE_NAME.txt

By: Mahon

Mahon — Wed, 21 Jun 2017 01:42:45 +0000

Johan, thank you for your suggestion on ipset.

I would like to block the IP address by country. I download the free list from https://www.ip2location.com/free/visitor-blocker

Can I know how can I do it using ipset?

By: Johan

Johan — Thu, 09 Apr 2015 12:10:20 +0000

If you have many blocked IP addresses adding them directly in the chain is not a very good idea. This can require quite a lot of CPU to match incoming packets to a couple of 1000’s blocked IP addresses. A better way is to use “ipset”. Create a set of IP addresses and add a rule that matches against that set.

This is magnitudes faster and can easily handle 10,000’s of blocked IP addresses with no noticable CPU degradation
This allows you to use existing blacklists (which have 10,000’s entries) for your server. For example from ipdeny . com

For example:

# Create a new map
sudo ipset -n my-blacklist hash:net

# Add ip addresses to the set
# In reality this will be a loop to read blacklists from a file
ipset -a my-blacklist 43.255.0.0/16
ipset -a my-blacklist 218.87.0.0/16
……….
……….

# Add rule to drop all packages in the blacklist
sudo iptables -A INPUT -p tcp -m set –match-set my-blacklist src -j DROP

By: Keith Sorbo

Keith Sorbo — Thu, 05 Feb 2015 15:37:45 +0000

Great article.

Saved my bacon on a DDos Attack