ipset

Issues related to configuring your network
robkalmeijer
Posts: 34
Joined: 2012/03/27 00:15:55
Contact:

ipset

Post by robkalmeijer » 2019/11/17 17:33:41

I use ipset with ip blocking.

The problem is that I need to change the init script so it will restore the blacklist before iptables is loaded.

My problem is that when there is an update for ipset the script might be changed. So where to put the restore so in wouldn't be lost?

User avatar
TrevorH
Forum Moderator
Posts: 27156
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: ipset

Post by TrevorH » 2019/11/17 21:06:13

There is already an ipset initscript that reloads the sets from /etc/sysconfig/ipset and it runs before the similar job to start iptables. You don't need to do anything other than

service ipset save
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

robkalmeijer
Posts: 34
Joined: 2012/03/27 00:15:55
Contact:

Re: ipset

Post by robkalmeijer » 2019/11/26 23:33:33

I have the initscript but I cannot see how the the blacklist is saved.

I make a list called blacklist4 and blacklist6 and add manual ip adresses.

#! /bin/bash
# Add a ip4 address to the blacklist.

ipset add blacklist4 $1
ipset save blacklist4 > /etc/sysconfig/blacklist4

the restore code should be: ipset restore /etc/sysconfig/blacklist4

User avatar
TrevorH
Forum Moderator
Posts: 27156
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: ipset

Post by TrevorH » 2019/11/27 07:30:11

That's not how it works. You adjust the running ipsets using the ipset command. When you want to save those sets you run service ipsset save and it saves them to /etc/sysconfig/ipset and makes a backup copy and makes sure that permissions and selinux contexts on the file are correct. When you (or the system) starts the ipset service, it will automatically restore the ipsets from /etc/sysconfig/ipset.

So your job is to amend the ipsets and then run service ipset save and then that's it. All done.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

robkalmeijer
Posts: 34
Joined: 2012/03/27 00:15:55
Contact:

Re: ipset

Post by robkalmeijer » 2019/12/04 01:31:33

I used service ipset save and it made the same file. Only difference is the name.

If I understand correct is that both balcklist4 and blacklist6 are stored in the same file.

After changing the lists are now loaded at boottime.

I made a webpage about iptabels and ipset:
https://www.robkalmeijer.nl/techniek/co ... index.html

Please read it and if errors please notify.

Thanks for your help.

User avatar
jlehtone
Posts: 2432
Joined: 2007/12/11 08:17:33
Location: Finland

Re: ipset

Post by jlehtone » 2019/12/04 09:44:48

You don't mention the operating system (version) where your method applies. You should.

robkalmeijer
Posts: 34
Joined: 2012/03/27 00:15:55
Contact:

Re: ipset

Post by robkalmeijer » 2019/12/05 02:24:47

This run on Centos6

User avatar
jlehtone
Posts: 2432
Joined: 2007/12/11 08:17:33
Location: Finland

Re: ipset

Post by jlehtone » 2019/12/05 06:04:33

On your blog. How would a reader of your web know whether the text applies to them?

Your prompts reveal that you run as root. That is not a best practice.

robkalmeijer
Posts: 34
Joined: 2012/03/27 00:15:55
Contact:

Re: ipset

Post by robkalmeijer » 2019/12/06 00:57:07

The use of su takes more passwords entering.

I always login as root. Works easier. I do have user account for normal access.

User avatar
TrevorH
Forum Moderator
Posts: 27156
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: ipset

Post by TrevorH » 2019/12/06 09:56:05

On CentOS 6 the ipset code is older and saves the ipsets as a single file and restores them all from that file. In later versions, ipset saves each ipset to a separately named file in /etc/sysconfig/ipset.d. If you're on CentOS 6 then you have to save and restore them all in one go.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply

Return to “CentOS 6 - Networking Support”