I cannot take credit.
My thanks to Anthony, Thomas, and Jiri on this list for their help.
I just worked out the kinks for my particular use.
Here is what I use:
/etc/firewalld/direct.xml (from Anthony)
<!-- /etc/firewalld/direct.xml -->
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
/etc/systemd/system/ipset.service (from Anthony)
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target
This is from the email from Anthony:
The way I did this was to create a minimal ipset configuration and execute '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are stored in /etc/sysconfig/ipset.save prior to enabling ipset.service
My initial ipset.save without any ip addresses added looks like:
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
Then do 'systemctl enable ipset && systemctl start ipset'
Together, the additions to the direct.xml configuration and the ipset.service have allowed me to add or remove ip addresses from the blacklist without the worry of what happens upon restart, etc.
My own ipset save file is a bit more complex:
create blacklist_ipv4_permanent hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv4_semipermanent hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv4_current hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv6_permanent hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist_ipv6_semipermanent hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist_ipv6_current hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4_permanent
add blacklist blacklist_ipv4_semipermanent
add blacklist blacklist_ipv4_current
add blacklist blacklist_ipv6_permanent
add blacklist blacklist_ipv6_semipermanent
add blacklist blacklist_ipv6_current
It is up to you how you want to add IPs to the ipsets.
I have another script that runs periodically to parse various log files to determine IPs to blacklist and add them to blacklist_ipv4_current. Once a day, the script reads IPs that are in the current list and which have been in historical lists of 'current' IPs and adds them to semipermanent or discards them if not. Does the same for historical semipermanent and adds them to permanent. It keeps the firewall up to date with 'bad guys.' That script is pretty complex and I'd rather not post it. I am not working with IPv6 to any extent yet.
I currently have 8616 IPs in my blacklist.
Nathanael, hope this helps you and others.
John
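As an added example, not part of John's message and not his script (which he chose not to post), here is a small Python sketch of the tiering logic he describes: parse failed-login lines, put repeat offenders into blacklist_ipv4_current, and once a day promote IPs that recur across the historical 'current' lists into blacklist_ipv4_semipermanent, with the same function serving the semipermanent-to-permanent step. The set names come from his ipset save file; the sshd-style log format, the thresholds, the choice to remove an IP from the lower tier when it is promoted, and the way history is supplied (a list of sets from earlier runs) are all my assumptions, and the log lines are constructed from RFC 5737 documentation addresses. Output is `ipset restore` syntax so it can be piped into `ipset -exist restore`, after which the ipset.service ExecStop above persists it.

```python
#!/usr/bin/env python3
"""Added example (not John's script): tiered ipset blacklist maintenance.

Assumptions not taken from the post: sshd-style 'Failed password' lines,
a threshold of 3 failures per run, history passed in as a list of sets,
and promoted IPs being removed from the tier they came from.
"""
import ipaddress
import re
from collections import Counter

# Set names as used in the ipset save file from the post.
CURRENT = "blacklist_ipv4_current"
SEMIPERMANENT = "blacklist_ipv4_semipermanent"
PERMANENT = "blacklist_ipv4_permanent"

# Constructed sample log lines (RFC 5737 TEST-NET addresses); not real data.
SAMPLE_LOG = """\
Jul 16 13:46:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 16 13:46:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jul 16 13:46:05 host sshd[1234]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul 16 13:46:07 host sshd[1235]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jul 16 13:47:10 host sshd[1240]: Failed password for bob from 198.51.100.7 port 40022 ssh2
Jul 16 13:47:12 host sshd[1240]: Failed password for bob from 198.51.100.7 port 40024 ssh2
Jul 16 13:48:00 host sshd[1250]: Failed password for root from 10.0.0.3 port 33000 ssh2
Jul 16 13:48:01 host sshd[1250]: Failed password for root from 10.0.0.3 port 33001 ssh2
Jul 16 13:48:02 host sshd[1250]: Failed password for root from 10.0.0.3 port 33002 ssh2
Jul 16 13:49:00 host sshd[1260]: Accepted publickey for alice from 203.0.113.9 port 50000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Ranges that must never land in the blacklist: a mistake here locks out
# your own LAN or localhost. Extend with your own public addresses as needed.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_blockable(ip):
    """True for an IPv4 address outside the never-block ranges."""
    return ip.version == 4 and not any(ip in net for net in NEVER_BLOCK)


def extract_offenders(log_text, threshold=3):
    """Return sorted IPv4 addresses with at least `threshold` failed logins."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed token; skip rather than feed garbage to ipset
        if is_blockable(ip):
            counts[str(ip)] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def promote(tier_ips, history, min_days=3):
    """Split a tier into (promote, discard).

    An IP moves up if it appears in at least `min_days` of the historical
    lists for this tier; otherwise it is discarded from the tier. The same
    rule serves current -> semipermanent and semipermanent -> permanent.
    """
    seen = Counter()
    for day in history:
        seen.update(set(day))  # count each IP once per historical list
    promoted = sorted(ip for ip in tier_ips if seen[ip] >= min_days)
    discarded = sorted(set(tier_ips) - set(promoted))
    return promoted, discarded


def restore_script(adds, deletes=()):
    """Build `ipset restore` input from (set_name, ip) pairs.

    Feed the text to `ipset -exist restore`; -exist keeps an already-present
    entry (or an already-missing one on del) from aborting the whole load.
    """
    lines = [f"add {s} {ip}" for s, ip in adds]
    lines += [f"del {s} {ip}" for s, ip in deletes]
    return "\n".join(lines) + "\n"


def daily_rotation(current, current_history, semi, semi_history, min_days=3):
    """One daily pass over both lower tiers; returns ipset restore text."""
    to_semi, drop_cur = promote(current, current_history, min_days)
    to_perm, drop_semi = promote(semi, semi_history, min_days)
    adds = [(SEMIPERMANENT, ip) for ip in to_semi] + [(PERMANENT, ip) for ip in to_perm]
    deletes = ([(CURRENT, ip) for ip in to_semi + drop_cur]
               + [(SEMIPERMANENT, ip) for ip in to_perm + drop_semi])
    return restore_script(adds, deletes)


if __name__ == "__main__":
    # Periodic run: print restore input for the current tier, e.g.
    #   ./blacklist.py | ipset -exist restore
    print(restore_script([(CURRENT, ip) for ip in extract_offenders(SAMPLE_LOG)]), end="")
```

The periodic run only ever touches blacklist_ipv4_current; the daily pass is the only thing that writes the upper tiers, so a burst of noise from one log never goes straight to permanent. Because the list:set `blacklist` matches on any member set, the direct.xml rules above need no change as entries move between tiers.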
On 07/16/2014 01:46 PM, Nathanael d. Noblet wrote:
Hello John,
Once you have this working, would you mind posting your config/scripts for others to benefit from? I'd like to use ipsets as well but haven't had a chance to look deeply into them. Your setup sounds like it would be a great start.