Ipset with Iptables with large list of IP ranges (CIDR)
There is a command line utilty named aggregate
. It takes a list of CIDR netblocks and aggregates consecutive blocks into the corresponding larger block. It also removes redundant netblocks.
For example:
$ aggregate -q << EOF
> 192.168.0.0/24
> 192.168.1.0/24
EOF
192.168.0.0/23
Feed it a text file containing only your CIDR blocks and it will attempt to aggregate them, reducing the size of the list.
From the man page:
DESCRIPTION
Takes a list of prefixes in conventional format on stdin, and performs
two optimisations to attempt to reduce the length of the prefix list.
The first optimisation is to remove any supplied prefixes which are su‐
perfluous because they are already included in another supplied prefix.
For example, 203.97.2.0/24 would be removed if 203.97.0.0/17 was also
supplied.
The second optimisation identifies adjacent prefixes that can be com‐
bined under a single, shorter-length prefix. For example, 203.97.2.0/24
and 203.97.3.0/24 can be combined into the single prefix 203.97.2.0/23.
aggregate
is packaged in most major Linux distributions, including Ubuntu.
(Note that I pulled a list from that web site and tried to aggregate them and nothing happened, so they may already be aggregated. You can certainly use more than one ipset, which is probably the best thing to do here.)
Usually the max length of an ipset list is 65536 elements, so you might have to use a separate list for each country you want to block.
Using a hash:net set you can directly add the CIDR records you want to ban. You might want to check https://www.ipdeny.com/ipblocks/ for country level blocks
As for your questions
- ipset shouldn't slow your system significantly - it will use some memory to keep the sets, but otherwise the load shouldn't be noticeable
- fail2ban is good to keep, since the attackers can use cloud/vps servers in any country
Finally there are a lot of similar questions about using iptables with ipset to block specific countries, so I won't go into iptables setup details - just check https://askubuntu.com/questions/868334/block-china-with-iptables or similar