
ipset

Posted: 2019/11/17 17:33:41
by robkalmeijer
I use ipset with ip blocking.

The problem is that I need to change the init script so it will restore the blacklist before iptables is loaded.

My problem is that when there is an update for ipset the script might be changed. So where do I put the restore so it wouldn't be lost?

Re: ipset

Posted: 2019/11/17 21:06:13
by TrevorH
There is already an ipset initscript that reloads the sets from /etc/sysconfig/ipset and it runs before the similar job to start iptables. You don't need to do anything other than

service ipset save

Re: ipset

Posted: 2019/11/26 23:33:33
by robkalmeijer
I have the initscript but I cannot see how the blacklist is saved.

I make lists called blacklist4 and blacklist6 and add IP addresses manually.

#!/bin/bash
# Add an IPv4 address to the blacklist set and write the set out.
# Usage: <this script> ADDRESS
set -e
[ -n "$1" ] || { echo "usage: $0 ADDRESS" >&2; exit 1; }

ipset add blacklist4 "$1"
ipset save blacklist4 > /etc/sysconfig/blacklist4

the restore code should be: ipset restore < /etc/sysconfig/blacklist4

Re: ipset

Posted: 2019/11/27 07:30:11
by TrevorH
That's not how it works. You adjust the running ipsets using the ipset command. When you want to save those sets you run service ipset save and it saves them to /etc/sysconfig/ipset, makes a backup copy and makes sure that the permissions and SELinux contexts on the file are correct. When you (or the system) start the ipset service, it will automatically restore the ipsets from /etc/sysconfig/ipset.

So your job is to amend the ipsets and then run service ipset save and then that's it. All done.

Re: ipset

Posted: 2019/12/04 01:31:33
by robkalmeijer
I used service ipset save and it made the same file. Only difference is the name.

If I understand correctly, both blacklist4 and blacklist6 are stored in the same file.

After the change, the lists are now loaded at boot time.

I made a webpage about iptables and ipset:
https://www.robkalmeijer.nl/techniek/co ... index.html

Please read it and notify me of any errors.

Thanks for your help.

Re: ipset

Posted: 2019/12/04 09:44:48
by jlehtone
You don't mention the operating system (version) where your method applies. You should.

Re: ipset

Posted: 2019/12/05 02:24:47
by robkalmeijer
This runs on CentOS 6.

Re: ipset

Posted: 2019/12/05 06:04:33
by jlehtone
On your blog, how would a reader of your website know whether the text applies to them?

Your prompts reveal that you run as root. That is not a best practice.

Re: ipset

Posted: 2019/12/06 00:57:07
by robkalmeijer
Using su means entering more passwords.

I always log in as root. It works more easily. I do have a user account for normal access.

Re: ipset

Posted: 2019/12/06 09:56:05
by TrevorH
On CentOS 6 the ipset code is older and saves the ipsets as a single file and restores them all from that file. In later versions, ipset saves each ipset to a separately named file in /etc/sysconfig/ipset.d. If you're on CentOS 6 then you have to save and restore them all in one go.
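The two layouts TrevorH describes, the single /etc/sysconfig/ipset file that "service ipset save" writes on CentOS 6 and the one-file-per-set directory of later versions, both hold the same text: one "create" line per set followed by one "add" line per entry, which is what "ipset save" prints and "ipset restore" reads. The script below is an added example, not code from the thread or from the ipset package; it builds that text from plain address lists so the file can be inspected offline, writes the per-set variant into a directory standing in for /etc/sysconfig/ipset.d, and sanity-checks a file before it is handed to "ipset restore", which aborts at the first bad line. The set names, the documentation-range addresses and the ".set" file suffix are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): produce the restore-format text
# that "service ipset save" stores on CentOS 6 and check it before
# "ipset restore" consumes it. Set names, addresses and the per-set
# file naming are assumptions, not taken from the thread.

# ipset_set_text NAME FAMILY ADDR...
# Prints the create line and one add line per address, in the format
# "ipset save" produces and "ipset restore" consumes.
ipset_set_text() {
    name=$1
    family=$2
    shift 2
    printf 'create %s hash:ip family %s hashsize 1024 maxelem 65536\n' "$name" "$family"
    for addr in "$@"; do
        printf 'add %s %s\n' "$name" "$addr"
    done
}

# blacklist_text: both sets in one stream, the single-file layout the
# CentOS 6 initscript saves and restores in one go. The addresses are
# constructed sample data from the RFC 5737 / RFC 3849 documentation ranges.
blacklist_text() {
    ipset_set_text blacklist4 inet 192.0.2.10 198.51.100.7
    ipset_set_text blacklist6 inet6 2001:db8::bad
}

# write_per_set_files DIR: the later layout, one file per set under DIR
# (a stand-in for /etc/sysconfig/ipset.d). The ".set" suffix is assumed.
write_per_set_files() {
    dir=$1
    mkdir -p "$dir"
    ipset_set_text blacklist4 inet 192.0.2.10 198.51.100.7 > "$dir/blacklist4.set"
    ipset_set_text blacklist6 inet6 2001:db8::bad > "$dir/blacklist6.set"
}

# count_adds FILE: number of blocked entries in a save file.
count_adds() {
    grep -c '^add ' "$1"
}

# validate_restore_file FILE: "ipset restore" stops at the first error,
# so check that every "add" names a set created earlier in the same file
# and that no entry appears twice (a duplicate makes restore fail unless
# ipset is run with -exist). Returns non-zero when a problem is found.
validate_restore_file() {
    awk '
        $1 == "create" { created[$2] = 1; next }
        $1 == "add" {
            if (!($2 in created)) {
                print FILENAME ": add for set " $2 " before its create line" > "/dev/stderr"
                bad = 1
            }
            key = $2 " " $3
            if (key in seen) {
                print FILENAME ": duplicate entry " key > "/dev/stderr"
                bad = 1
            }
            seen[key] = 1
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone demonstration: write the combined file to a temporary
# location and check it. On a real CentOS 6 host you would run
# "service ipset save" instead and let "service ipset start" restore it.
tmpfile=$(mktemp)
blacklist_text > "$tmpfile"
validate_restore_file "$tmpfile" &&
    echo "$tmpfile: $(count_adds "$tmpfile") entries, ready for: ipset restore < $tmpfile"
rm -f "$tmpfile"
```

To load such a file by hand as root, feed it on standard input ("ipset restore < /etc/sysconfig/ipset"); "ipset -exist restore" tolerates sets and entries that already exist, which is what you want when re-running the restore on a live system. After a reboot, "ipset list blacklist4" shows whether the set came back with its entries.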