Setting and Controlling IP sets using firewalld

To see the list of IP set types supported by firewalld, enter the following command as root:

~]# firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net

5.12.1. Configuring IP Set Options with the Command-Line Client

IP sets can be used in firewalld zones as sources and also as sources in rich rules. In Red Hat Enterprise Linux 7, the preferred method is to use the IP sets created with firewalld in a direct rule.
To list the IP sets known to firewalld in the permanent environment, use the following command as root:
~]# firewall-cmd --permanent --get-ipsets
To add a new IP set, use the following command using the permanent environment as root:
~]# firewall-cmd --permanent --new-ipset=blacklist --type=hash:net
success
The previous command creates a new IP set with the name blacklist and the hash:net type for IPv4. To create an IP set for use with IPv6, add the --option=family=inet6 option. To make the new setting effective in the runtime environment, reload firewalld. List the new IP set with the following command as root:
~]# firewall-cmd --permanent --get-ipsets
blacklist
To get more information about the IP set, use the following command as root:
~]# firewall-cmd --permanent --info-ipset=blacklist
blacklist
  type: hash:net
  options:
  entries:
Note that the IP set does not have any entries at the moment. To add an entry to the blacklist IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=blacklist --add-entry=192.168.0.1
success
The previous command adds the IP address 192.168.0.1 to the IP set. To get the list of current entries in the IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=blacklist --get-entries
192.168.0.1
Generate a file containing a list of IP addresses, for example:
~]# cat > iplist_blacklst.txt <<EOL
192.168.0.2
192.168.0.3
192.168.1.0/24
192.168.2.254
EOL
The file with the list of IP addresses for an IP set should contain an entry per line. Lines starting with a hash, a semi-colon, or empty lines are ignored.
To add the addresses from the iplist_blacklst.txt file, use the following command as root:
~]# firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=iplist_blacklst.txt
success
To see the extended entries list of the IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=blacklist --get-entries
192.168.0.1
192.168.0.2
192.168.0.3
192.168.1.0/24
192.168.2.254
To remove the addresses from the IP set and to check the updated entries list, use the following commands as root:
~]# firewall-cmd --permanent --ipset=blacklist --remove-entries-from-file=iplist_blacklst.txt
success
~]# firewall-cmd --permanent --ipset=blacklist --get-entries
192.168.0.1
You can add the IP set as a source to a zone so that all traffic coming in from any of the addresses listed in the IP set is handled by that zone. For example, to add the blacklist IP set as a source to the drop zone, so that all packets coming from any entry in the blacklist IP set are dropped, use the following command as root:
~]# firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
success
The ipset: prefix in the source shows firewalld that the source is an IP set and not an IP address or an address range.
Only the creation and removal of IP sets is limited to the permanent environment; all other IP set options can also be used in the runtime environment without the --permanent option. Keep in mind that the two environments are separate: entries added with --permanent only take effect after a reload, and entries added at runtime without --permanent are lost on the next reload, so add an entry in both environments if it must be live immediately and survive a reload.
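The steps above, collected into one bash script as an added example (this is not code from the original page or from the firewalld project). It writes a constructed sample entries file, applies the same ignore rules firewalld uses for such files (lines starting with # or ;, and empty lines), rejects anything that is not an IPv4 address or IPv4/prefix before it reaches firewalld, and then prints the firewall-cmd sequence from this section. Only when run as root with APPLY=1 does it execute the commands; the set name "blacklist", the hash:net type and the sample addresses are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): stage an entries file for a
# firewalld IP set, check it before loading, and print or run the firewall-cmd
# sequence from this section. Assumes RHEL 7's firewall-cmd and a hash:net
# IPv4 set named "blacklist" (override with IPSET_NAME).
set -u

IPSET_NAME="${IPSET_NAME:-blacklist}"

# Constructed sample entries file in the format firewalld reads: one entry per
# line; lines starting with '#' or ';' and empty lines are ignored.
write_sample_entries() {
    cat > "$1" <<'EOL'
# scanner addresses taken from the web logs (constructed sample data)
192.168.0.2
192.168.0.3

; a whole subnet; CIDR notation is accepted by hash:net
192.168.1.0/24
192.168.2.254
EOL
}

# Print only the lines firewalld will actually load from an entries file.
filter_entries() {
    grep -Ev '^(#|;|$)' "$1"
}

# Return 0 if the argument is an IPv4 address or IPv4/prefix, 1 otherwise.
# Octets must be 0-255 and the prefix, if present, 0-32. Anything else
# (IPv6, hostnames, shell metacharacters) is rejected before it reaches ipset.
valid_ipv4_entry() {
    local entry="$1" addr prefix octet
    local -a octets
    local re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
    addr="${entry%%/*}"
    [[ "$addr" =~ $re ]] || return 1
    IFS=. read -r -a octets <<< "$addr"
    for octet in "${octets[@]}"; do
        (( 10#$octet <= 255 )) || return 1
    done
    if [[ "$entry" == */* ]]; then
        prefix="${entry#*/}"
        [[ "$prefix" =~ ^[0-9]{1,2}$ ]] || return 1
        (( 10#$prefix <= 32 )) || return 1
    fi
    return 0
}

# Validate every live entry; report the bad ones on stderr and return 1 if any.
validate_entries_file() {
    local bad=0 entry
    while IFS= read -r entry; do
        if ! valid_ipv4_entry "$entry"; then
            printf 'invalid entry: %s\n' "$entry" >&2
            bad=1
        fi
    done < <(filter_entries "$1")
    return "$bad"
}

# Dry run by default: print each command. With APPLY=1 (run as root) execute it.
run() {
    if [[ "${APPLY:-0}" == 1 ]]; then "$@"; else printf '%s\n' "$*"; fi
}

# The sequence from this section. Set creation is permanent-only and fails if
# the set already exists; entries and the zone binding are added permanently
# too so they survive a reload, and the final --reload makes all of it live.
ipset_apply() {
    local name="$1" file="$2"
    run firewall-cmd --permanent --new-ipset="$name" --type=hash:net &&
    run firewall-cmd --permanent --ipset="$name" --add-entries-from-file="$file" &&
    run firewall-cmd --permanent --zone=drop --add-source="ipset:$name" &&
    run firewall-cmd --reload
}

main() {
    local file="${1:-}"
    if [[ -z "$file" ]]; then          # no file given: use the constructed sample
        file="$(mktemp)"
        write_sample_entries "$file"
    fi
    validate_entries_file "$file" || { echo "refusing to load bad entries" >&2; return 1; }
    ipset_apply "$IPSET_NAME" "$file"
}

main "$@"
```

Run it with no arguments for a dry run against the sample file, or `APPLY=1 ./stage_ipset.sh /path/to/entries.txt` as root to apply a real list. The validation step is the part worth keeping: firewall-cmd reports a bad line but a pre-check in a change pipeline stops a typo or a stray IPv6 entry from aborting a deploy halfway through the sequence.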

5.12.2. Configuring a Custom Service for an IP Set

To configure a custom service to create and load the IP set structure before firewalld starts:
  1. Using an editor running as root, create a file as follows:

    ~]# vi /etc/systemd/system/ipset_name.service
    [Unit]
    Description=ipset_name
    Before=firewalld.service

    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/usr/local/bin/ipset_name.sh start
    ExecStop=/usr/local/bin/ipset_name.sh stop

    [Install]
    WantedBy=basic.target
  2. Use the IP set permanently in firewalld:

    ~]# vi /etc/firewalld/direct.xml
    <?xml version="1.0" encoding="utf-8"?>
    <direct>
      <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set ipset_name src -j DROP</rule>
    </direct>
  3. A firewalld reload is required to activate the changes:

    ~]# firewall-cmd --reload

    This reloads the firewall without losing state information (TCP sessions will not be terminated), but service disruption is possible during the reload.
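The unit file above calls /usr/local/bin/ipset_name.sh, which the page does not show. The following bash script is an added example of what that helper can look like; it is not code from the original page or from the firewalld or ipset projects. It builds an "ipset restore" session from an entries file and loads it with the ipset tool, so the kernel set exists before firewalld reads direct.xml. The set name "blacklist", the path /etc/ipset/blacklist.txt and the hash:net IPv4 type are assumptions; the set name must match the --match-set argument in direct.xml.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): the start/stop helper invoked by
# the ipset_name.service unit. Assumes the ipset tool, a hash:net IPv4 set named
# "blacklist" and an entries file /etc/ipset/blacklist.txt in the same format
# firewalld reads (one entry per line; '#', ';' and empty lines ignored).
set -eu

IPSET_NAME="${IPSET_NAME:-blacklist}"
ENTRIES_FILE="${ENTRIES_FILE:-/etc/ipset/${IPSET_NAME}.txt}"

# Turn an entries file into "ipset restore" input: a create line followed by
# one add line per live entry. Comment and empty lines are dropped here rather
# than handed to ipset, which would abort the whole restore on the first one.
restore_script() {
    local name="$1" file="$2"
    printf 'create %s hash:net family inet hashsize 1024 maxelem 65536\n' "$name"
    grep -Ev '^(#|;|$)' "$file" | while IFS= read -r entry; do
        printf 'add %s %s\n' "$name" "$entry"
    done
}

# Create (or re-create) the set and load the entries. "-exist" makes the create
# line a no-op when the set is already there, so a restart does not fail; the
# flush beforehand drops entries that were removed from the file since last time.
start() {
    ipset flush "$IPSET_NAME" 2>/dev/null || true
    restore_script "$IPSET_NAME" "$ENTRIES_FILE" | ipset -exist restore
}

# Because of Before=firewalld.service, systemd stops firewalld before this unit,
# so its direct rule no longer references the set when we destroy it. A manual
# "systemctl stop" of this unit alone leaves the rule in place, and destroy then
# fails with "set is in use"; the flush still empties the set in that case.
stop() {
    ipset flush "$IPSET_NAME" 2>/dev/null || true
    ipset destroy "$IPSET_NAME" 2>/dev/null || true
}

if [[ $# -gt 0 ]]; then
    case "$1" in
        start) start ;;
        stop) stop ;;
        *) echo "usage: $0 {start|stop}" >&2; exit 2 ;;
    esac
fi
```

Install it as /usr/local/bin/ipset_name.sh (mode 0755, owned by root), then `systemctl daemon-reload && systemctl enable --now ipset_name.service` before the firewalld reload in step 3. If the set does not exist when firewalld applies direct.xml, the iptables rule fails to load and the direct rule is silently absent, which is exactly the gap the Before= ordering closes.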
