IPTables add an IP to IPSet list

blacklistip addressipsetiptables

How to correctly add an IP address to ipset from an iptables rule?
Or isn't that possible at all?

This rule doesn't work for me: -A INPUT -m recent --name IP_LIST --set

Type of IP_LIST is hash:net
IP_LIST was created using command ipset create IP_LIST hash:net

But checking the same list for an IP to drop it, works:
-A INPUT -m set --match-set IP_LIST src -j DROP

Best Answer

So, since -j SET is what you wanted:

Within iptables, -m set is used when you want to compare a packet against an ipset (-m stands for match) it can be used multiple times within a single rule.

-j SET on the other hand is used to insert an entry into an ipset, it is a non-terminating target, meaning that rule traversal will continue.

You should read the iptables manpage for a full explanation of the expected syntax.

Related Solutions

CentOS Iptables Fail2Ban – Fix ‘Set Does Not Exist’ Error in Fail2Ban

The ipset command requires IP SET support in the kernel. Specifically, you would be looking for the following settings:

CONFIG_IP_SET=m
CONFIG_IP_SET_HASH_IP=m

And it seems that your kernel is built without ipset support, or at the least, it cannot find these modules. Solve that issue and your error should go away.

Try running find /lib/modules/$(uname -r) -name ip_set.ko to see if you current kernel supports them, and also find /lib/modules -name ip_set.ko to see if any of the installed kernel supports them.

If you need more help, you would have to tell us:

What version of CentOS you are using
What kernel you are running
How you installed fail2ban (from the EPEL repository or manually?)

I should also note that the version of ipset reported in your question (6.19) is what CentOS 7 comes with, so if you are using the original kernel and fail2ban from the EPEL repo everything should just work.

CentOS 6.5 also has support for ip sets and fail2ban is available in EPEL for CentOS 6. These should also work fine.

However, if you are running CentOS 5, then you are likely out of luck. You may have some luck building the modules that ipset comes with, but I am not sure the CentOS 5 kernel is supported at all. If you actually managed to pull that off, and later upgraded the kernel, then it is just a matter of rebuilding the modules for the new kernel.

Iptables – Configure Iptables with Ipset

I may have to answer my own question as it looks like that nobody at serverfault knows the answer. Well, this is really simple. Since iptable rules work successively then all that was needed was to change from -A INPUT to -I INPUT in my code above. Problem solved.

It created amended (-A) rules in my input chain and put them at the back which seemed to conflict with the other rules that came before it. The trick was to do insert (-I) which created a new rule and put it in front that stopped the conflict with the others and started working perfectly well.

Hope it will help someone out as well.

Best Answer

Related Solutions

CentOS Iptables Fail2Ban – Fix ‘Set Does Not Exist’ Error in Fail2Ban

Iptables – Configure Iptables with Ipset

Related Topic