Ubuntu – How to Block Both IPv4 and IPv6 with Ipset on Ubuntu 16.04

Tags: ipset, iptables, Ubuntu

So I have the following script that blocks IPs:

#!/bin/bash
# here's your list of IPs, one address per line
CURRENT_BL=/path/to/my/ip_black_list.txt
# create the chain if it does not exist yet, then flush it
# (-N fails harmlessly when the chain is already there; -F must come after it)
iptables -N BLACKHOLE 2>/dev/null
iptables -F BLACKHOLE
while read -r BAD_IP
do
        [ -z "$BAD_IP" ] && continue
        ipset add ipset-blacklist "$BAD_IP" 2>/dev/null || \
                echo "Failed to add ${BAD_IP}"
done < "$CURRENT_BL"
# REJECT the matching target
iptables -A BLACKHOLE -p all -m set --match-set ipset-blacklist src -j REJECT
iptables -A BLACKHOLE -j RETURN
# assume your nginx is on 80 and 443; -C checks first so re-running the
# script does not append duplicate INPUT rules
iptables -C INPUT -p tcp -m multiport --destination-ports 80,443 -j BLACKHOLE 2>/dev/null || \
        iptables -A INPUT -p tcp -m multiport --destination-ports 80,443 -j BLACKHOLE
iptables -C INPUT -p tcp -m multiport --destination-ports 80,443 -j ACCEPT 2>/dev/null || \
        iptables -A INPUT -p tcp -m multiport --destination-ports 80,443 -j ACCEPT

The ipset was created with the following command:

ipset create ipset-blacklist hash:ip

It is all working fine with IPv4 now, but the problem is with IPv6. I am getting the following error:

Syntax error: cannot parse 2003:e6:6f03:7b80:21dc:54c8:ac26:552b: resolving to IPv4 address failed

How can I make this script read both types of IPs?

Best Answer

You need to create the ipset using the following command:

$ sudo ipset create ipset-blacklist hash:ip family inet6

The option family { inet | inet6 } defines the protocol family of the IP addresses to be stored in the set. By default it is inet (IPv4). For more info, you can see man ipset.

Also, you need to use ip6tables instead of iptables. Otherwise, you will get an error similar to this (I created a test6 ipset with family inet6):

iptables v1.6.0: The protocol family of set test6 is IPv6, which is not applicable.
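Putting the question's script and the answer together, here is an added example (not the poster's script or the answer's commands) that keeps one mixed blacklist file, feeds each entry into a set of the right family, and wires the inet set into iptables and the inet6 set into ip6tables. The blacklist path, the second set name ipset-blacklist6 and the DRY_RUN switch are assumptions.

```sh
#!/bin/sh
# Added example, not the poster's script: one blacklist file with mixed IPv4/IPv6
# entries, one ipset per address family, and matching iptables/ip6tables chains.
# Usage: BLACKLIST=/path/to/ip_black_list.txt sudo sh block.sh  (DRY_RUN=1 prints)
DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
# ipset parses entries with the set's family, so route each address to its own set.
ip_family() {
    case "$1" in
        *:*)       echo inet6 ;;   # a colon only occurs in IPv6 addresses
        *[!0-9.]*) echo invalid ;; # IPv4 here is digits and dots (hash:ip, no CIDR)
        *.*.*.*)   echo inet ;;
        *)         echo invalid ;;
    esac
}
# Create both sets if missing (-exist) and empty them before reloading.
setup_sets() {
    run ipset create -exist ipset-blacklist  hash:ip family inet
    run ipset create -exist ipset-blacklist6 hash:ip family inet6
    run ipset flush ipset-blacklist; run ipset flush ipset-blacklist6
}
# Skip blank lines and # comments; report unparseable entries instead of aborting.
load_blacklist() {
    while IFS= read -r ip || [ -n "$ip" ]; do
        ip=$(printf '%s' "${ip%%#*}" | tr -d '[:space:]')
        [ -z "$ip" ] && continue
        case "$(ip_family "$ip")" in
            inet)  run ipset add -exist ipset-blacklist  "$ip" ;;
            inet6) run ipset add -exist ipset-blacklist6 "$ip" ;;
            *)     echo "Skipping unparseable entry: $ip" >&2 ;;
        esac
    done < "$1"
}
# iptables may only reference the inet set and ip6tables the inet6 set; mixing
# them gives "The protocol family of set ... is IPv6, which is not applicable".
install_rules() {
    fw=$1; setname=$2
    run "$fw" -N BLACKHOLE 2>/dev/null || true
    run "$fw" -F BLACKHOLE
    run "$fw" -A BLACKHOLE -m set --match-set "$setname" src -j REJECT
    run "$fw" -A BLACKHOLE -j RETURN
    # -C checks whether the jump exists so reruns do not stack duplicate rules
    run "$fw" -C INPUT -p tcp -m multiport --dports 80,443 -j BLACKHOLE 2>/dev/null ||
        run "$fw" -I INPUT -p tcp -m multiport --dports 80,443 -j BLACKHOLE
}
if [ -n "${BLACKLIST:-}" ]; then
    setup_sets; load_blacklist "$BLACKLIST"
    install_rules iptables ipset-blacklist; install_rules ip6tables ipset-blacklist6
fi
```

Because hash:ip is used as on this page, CIDR ranges are rejected by ipset; switch both sets to hash:net if the list contains prefixes.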