Ipset with Iptables with large list of IP ranges (CIDR)

ubuntu iptables ipset

There is a command line utilty named aggregate. It takes a list of CIDR netblocks and aggregates consecutive blocks into the corresponding larger block. It also removes redundant netblocks.

For example:

$ aggregate -q << EOF
> 192.168.0.0/24
> 192.168.1.0/24
EOF
192.168.0.0/23

Feed it a text file containing only your CIDR blocks and it will attempt to aggregate them, reducing the size of the list.

From the man page:

DESCRIPTION
       Takes  a list of prefixes in conventional format on stdin, and performs
       two optimisations to attempt to reduce the length of the prefix list.

       The first optimisation is to remove any supplied prefixes which are su‐
       perfluous because they are already included in another supplied prefix.
       For example, 203.97.2.0/24 would be removed if 203.97.0.0/17  was  also
       supplied.

       The  second  optimisation identifies adjacent prefixes that can be com‐
       bined under a single, shorter-length prefix. For example, 203.97.2.0/24
       and 203.97.3.0/24 can be combined into the single prefix 203.97.2.0/23.

aggregate is packaged in most major Linux distributions, including Ubuntu.

(Note that I pulled a list from that web site and tried to aggregate them and nothing happened, so they may already be aggregated. You can certainly use more than one ipset, which is probably the best thing to do here.)


Usually the max length of an ipset list is 65536 elements, so you might have to use a separate list for each country you want to block.

Using a hash:net set you can directly add the CIDR records you want to ban. You might want to check https://www.ipdeny.com/ipblocks/ for country level blocks

As for your questions

  • ipset shouldn't slow your system significantly - it will use some memory to keep the sets, but otherwise the load shouldn't be noticeable
  • fail2ban is good to keep, since the attackers can use cloud/vps servers in any country

Finally there are a lot of similar questions about using iptables with ipset to block specific countries, so I won't go into iptables setup details - just check https://askubuntu.com/questions/868334/block-china-with-iptables or similar

Related

Why does two different interfaces on the same machine result in two different MAC addresses?
Overriding individual websites hosted in NGINX to show a Maintenance Page
Why does my VPN add its own IP address range to my routing table with local gateway?
Hitch installation completed with insserv errors. Unable to start hitch
How does a router with DHCP and a custom DNS set deal with client DNS settings?
OpenVPN easy-rsa: Common Name set at vars
How to set hostname if hosting multiple servers on the same machine?
Samba Read-only shadow copies
running syslog-ng in verbose mode
Foreman displays a server as "out of sync", what could be the reason and what is the right way to troubleshoot such an issue?
Move files with extension in diffrent structure
brz: ERROR: unknown command "dh-make"