Ipset

Ipset is a facility in the Linux kernel that stores large numbers of IPv4 and IPv6 addresses in sets and matches a packet against a whole set in a single lookup. A term whose address lists would otherwise expand into one iptables rule per address can instead reference a set from a single rule, which can dramatically increase the performance of an iptables firewall.

Header Format

The Ipset header follows the Iptables header format (see the Iptables generator documentation), but uses the target platform 'ipset':

targets:
    ipset: [INPUT|OUTPUT|FORWARD|custom] {ACCEPT|DROP} {truncatenames} {nostate} {inet|inet6}

Term Format

  • for common keys see common.md

  • counter: Update a counter for matching packets

  • destination-exclude: Exclude one or more address tokens from the specified destination-address
  • destination-interface: Specify the interface a term should apply to (e.g. destination-interface:: eth3).
  • destination-prefix: Specify destination-prefix matching (e.g. destination-prefix:: configured-neighbors-only).
  • fragment-offset: Specify the fragment offset of a fragmented packet.
  • icmp-code: Specifies the ICMP code to filter on.
  • logging: Specify that this packet should be logged via syslog.
  • owner: Owner of the term, used for organizational purposes.
  • packet-length: specify packet length.
  • routing-instance: specify routing instance for matching packets.
  • source-exclude: exclude one or more address tokens from the specified source-address.
  • source-interface: specify specific interface a term should apply to (e.g. source-interface:: eth3).
  • source-prefix: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • verbatim: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • ack: Match on ACK flag being present.
  • all: Matches all protocols.
  • established: Only match established connections. Implements tcp-established for tcp; for udp, sets the destination port to 1024-65535 if no destination port is defined.
  • fin: Match on FIN flag being present.
  • first-fragment: Only match on the first fragment of a fragmented packet.
  • initial: Only matches on initial packet.
  • is-fragment: Matches on if a packet is a fragment.
  • none: Matches none.
  • psh: Match on PSH flag being present.
  • rst: Match on RST flag being present.
  • sample: Samples traffic for netflow.
  • syn: Match on SYN flag being present.
  • tcp-established: Only match established TCP connections, based on a stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial: Only match initial packet for TCP protocol.
  • urg: Match on URG flag being present.
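A complete policy file that exercises the header above together with several of the term keys, actions and options listed in this page. It is an added example, not part of the original documentation or of the Capirca project itself; the network tokens (ADMIN_NETS, ADMIN_NETS_DECOM, WEB_SERVERS) and service tokens (SSH, HTTP, HTTPS) are assumed to exist in the definitions directory and are not defined on this page.

```text
header {
  comment:: "Inbound filter rendered through the ipset generator"
  # INPUT chain, default policy DROP, IPv4 only (the header fields documented above)
  target:: ipset INPUT DROP inet
}

term accept-established {
  comment:: "Let replies to connections we opened back in"
  protocol:: tcp
  option:: tcp-established
  action:: accept
}

term accept-ssh-from-admins {
  # ADMIN_NETS and ADMIN_NETS_DECOM are assumed definitions, not from this page.
  # source-exclude carves the decommissioned ranges out of the admin set.
  source-address:: ADMIN_NETS
  source-exclude:: ADMIN_NETS_DECOM
  protocol:: tcp
  destination-port:: SSH
  action:: accept
}

term accept-web {
  # WEB_SERVERS, HTTP and HTTPS are assumed definitions, not from this page.
  destination-address:: WEB_SERVERS
  protocol:: tcp
  destination-port:: HTTP HTTPS
  action:: accept
}

term deny-fragments {
  comment:: "Drop packets that are fragments before they reach later terms"
  option:: is-fragment
  action:: deny
}

term default-deny {
  logging:: true
  action:: deny
}
```

Render it with Capirca's aclgen tool pointed at this policy and the definitions directory that holds the assumed tokens. Because the header selects the ipset platform, address lists with many entries (such as ADMIN_NETS after the exclusion is applied) are matched through ipset sets instead of one iptables rule per address; choosing DROP as the chain policy with an explicit default-deny term keeps the behaviour identical whether or not a term happens to match.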