Today we look at the list of IP set types supported by firewalld. To see it, enter the following command as root:

~]# firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
5.12.1. Configuring IP Set Options with the Command-Line Client
IP sets can be used in firewalld zones as sources and also as sources in rich rules. In Red Hat Enterprise Linux 7, the preferred method is to use the IP sets created with firewalld in a direct rule.

To list the IP sets known to firewalld in the permanent environment, use the following command as root:

~]# firewall-cmd --permanent --get-ipsets

To add a new IP set, use the following command in the permanent environment as root:

~]# firewall-cmd --permanent --new-ipset=blacklist --type=hash:net
success

The previous command creates a new IP set with the name blacklist and the hash:net type for IPv4. To create an IP set for use with IPv6, add the --option=family=inet6 option. To make the new setting effective in the runtime environment, reload firewalld. List the new IP set with the following command as root:

~]# firewall-cmd --permanent --get-ipsets
blacklist

To get more information about the IP set, use the following command as root:

~]# firewall-cmd --permanent --info-ipset=blacklist
blacklist
  type: hash:net
  options:
  entries:

The entries: line is empty because the set does not have any entries yet. To add an entry to the blacklist IP set, use the following command as root:

~]# firewall-cmd --permanent --ipset=blacklist --add-entry=192.168.0.1
success

To get the list of current entries in the IP set, use the following command as root:

~]# firewall-cmd --permanent --ipset=blacklist --get-entries
192.168.0.1

Generate a file containing a list of addresses, one entry per line, for example:

~]# cat > iplist_blacklst.txt <<EOL
192.168.0.2
192.168.0.3
192.168.1.0/24
192.168.2.254
EOL

To add the addresses from the iplist_blacklst.txt file to the IP set, use the following command as root:

~]# firewall-cmd --permanent --ipset=blacklist --add-entries-from-file=iplist_blacklst.txt
success

To check the updated entries list of the IP set, use the following command as root:

~]# firewall-cmd --permanent --ipset=blacklist --get-entries
192.168.0.1
192.168.0.2
192.168.0.3
192.168.1.0/24
192.168.2.254

To remove the addresses listed in the file from the IP set and check the entries list again, use the following commands as root:

~]# firewall-cmd --permanent --ipset=blacklist --remove-entries-from-file=iplist_blacklst.txt
success
~]# firewall-cmd --permanent --ipset=blacklist --get-entries
192.168.0.1

To add the blacklist IP set as a source to the drop zone, so that all packets coming from any of its entries are dropped, use the following command as root:

~]# firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
success

The ipset: prefix in the source shows firewalld that the source is an IP set and not an IP address or an address range.

Only the creation and removal of IP sets is limited to the permanent environment; all other IP set options can also be used in the runtime environment, without the --permanent option.

5.12.2. Configuring a Custom Service for an IP Set
To configure a custom service that creates and loads the IP set before firewalld starts:

- Using an editor running as root, create a file as follows:

~]# vi /etc/systemd/system/ipset_name.service
[Unit]
Description=ipset_name
Before=firewalld.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/ipset_name.sh start
ExecStop=/usr/local/bin/ipset_name.sh stop

[Install]
WantedBy=basic.target

- Use the IP set permanently in firewalld by referencing it in a direct rule (replace ipset_name with the name of your set):

~]# vi /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set ipset_name src -j DROP</rule>
</direct>

- A firewalld reload is required to activate the changes:

~]# firewall-cmd --reload

This reloads the firewall without losing state information (TCP sessions will not be terminated), but service disruption is possible during the reload.
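The service unit above runs /usr/local/bin/ipset_name.sh, which the page does not show. The following script is an added example, not code from the Red Hat guide or the firewalld project: a hypothetical version of that script for a set named blacklist that reads entries from an assumed file /etc/ipset.d/blacklist.txt (one IPv4 address or CIDR per line), validates each line before feeding it to ipset restore, and destroys the set on stop.

```bash
#!/bin/bash
# Hypothetical /usr/local/bin/ipset_name.sh (added example, not from the page).
# Creates and loads the "blacklist" set before firewalld starts, so the
# direct rule "-m set --match-set blacklist src -j DROP" has a set to match.
# Assumed layout: entries in /etc/ipset.d/blacklist.txt, one IPv4 address or
# CIDR per line; '#' or ';' start a comment, empty lines are ignored.
set -eu

SET_NAME="${SET_NAME:-blacklist}"
SET_TYPE="${SET_TYPE:-hash:net}"
ENTRIES_FILE="${ENTRIES_FILE:-/etc/ipset.d/${SET_NAME}.txt}"

# Turn the entries file ($1) into an "ipset restore" stream on stdout.
# Only dotted-quad IPv4 with an optional /0-32 prefix is accepted (octet
# range checking is left to ipset); anything else is reported on stderr and
# skipped, so a malformed line cannot inject extra ipset commands.
build_restore_input() {
    local file="$1" line
    printf 'create %s %s family inet\n' "$SET_NAME" "$SET_TYPE"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%[#;]*}"                      # drop comments
        line="$(printf '%s' "$line" | tr -d '[:space:]')"
        [ -z "$line" ] && continue
        if printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'; then
            printf 'add %s %s\n' "$SET_NAME" "$line"
        else
            printf '%s: skipping invalid entry: %s\n' "$0" "$line" >&2
        fi
    done < "$file"
}

main() {
    case "${1:-}" in
        # -exist makes create/add idempotent if the set already exists.
        start) build_restore_input "$ENTRIES_FILE" | ipset -exist restore ;;
        stop)  ipset destroy "$SET_NAME" ;;
        *)     echo "usage: $0 {start|stop}" >&2; return 2 ;;
    esac
}

# Dispatch only when called with an argument, so the file can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Because the set is created by this unit rather than by firewalld, entries are changed by editing the file and restarting the service, not with firewall-cmd --ipset.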