Problems of Netfilter/IPtables
On Linux, banning a single IP address is easy with the netfilter/iptables framework:
$ sudo iptables -A INPUT -s 220.127.116.11 -p TCP -j DROP
Banning a whole IP address block is just as easy:
$ sudo iptables -A INPUT -s 18.104.22.168/24 -p TCP -j DROP
But what if you want to ban 1,000 unrelated IP addresses that share no common CIDR prefix? You would need 1,000 iptables rules, one per address, and every packet entering the INPUT chain would be checked against each of them in turn. Clearly this does not scale.
What are IP Sets?
This is where IP sets come in. IP sets are a kernel feature that stores many independent IP addresses, MAC addresses or even port numbers efficiently in bitmap or hash data structures. Once an IP set is created, you can write an iptables rule that matches against the whole set.
The benefit is immediate: a single iptables rule matches every address in the set. IP sets can also combine IP addresses with port numbers, and you can change which addresses a rule matches by updating the set dynamically, without any performance impact.
Install IPset Tool on Linux
To create and manage IP sets, you need to use a userspace tool called ipset.
To install ipset on Debian, Ubuntu or Linux Mint:
$ sudo apt-get install ipset
To install ipset on Fedora or CentOS/RHEL 7:
$ sudo yum install ipset
Ban IP Addresses using IPset Command
Let me walk you through how to use the ipset command with a few simple examples.
First, let's create a new IP set named banthis (the name is arbitrary):
$ sudo ipset create banthis hash:net
The second argument (hash:net) is required and specifies the type of set being created. There are several set types: a hash:net set uses a hash table to store CIDR blocks, while a hash:ip set stores individual IP addresses.
Once the set exists, you can inspect it with:
$ sudo ipset list
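To tie the ban-list problem from the introduction to the hash:net set just created, here is an added example (not code from the xmodulo article) that turns a plain-text list of addresses and blocks into an ipset restore script plus the single iptables rule that references the set. The set name banthis, the documentation addresses in the sample list and the helper function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the xmodulo article. Turns a plain-text ban
# list into an "ipset restore" script plus the one iptables rule that
# references the set. Generating the text needs no privileges; applying it
# (ipset restore < banthis.ipset, then the iptables rule) is the root step.

# Constructed sample ban list (documentation addresses, not real offenders):
# one entry per line, comments and blank lines allowed.
SAMPLE_BANLIST='# constructed example list
203.0.113.7
198.51.100.42

192.0.2.0/24
'

# Emit an ipset restore script for set $1, reading entries from stdin.
# hash:net holds CIDR blocks and single addresses alike (a bare address
# is stored as a /32), so one set type covers the whole list.
build_ipset_restore() {
    set_name="$1"
    printf 'create %s hash:net\n' "$set_name"
    grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r entry; do
        printf 'add %s %s\n' "$set_name" "$entry"
    done
}

# The single rule that replaces one DROP rule per address. The set must
# exist before this is applied; iptables refuses to reference a missing set.
iptables_rule_for_set() {
    printf 'iptables -A INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Number of "add" lines the sample list produces (sanity check before applying).
count_sample_entries() {
    printf '%s' "$SAMPLE_BANLIST" | build_ipset_restore "$1" | grep -c '^add '
}
```

Apply the generated script with `sudo ipset -exist restore < banthis.ipset` (the -exist flag keeps re-runs from failing on an already-created set or entry), then add the printed iptables rule; later changes to the ban list only need another restore, not a new rule.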
Read more from the source: xmodulo.com