/etc/firewalld/direct.xml (from Anthony)

<!-- /etc/firewalld/direct.xml -->
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>
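The LOG rule above tags every dropped packet with the prefix BLACKLIST_DROP: (note there is no trailing space, so the prefix ends up glued to the IN= field), which makes the kernel log an easy place to see who is hitting the blacklist. The script below is an added example, not code from the thread: it reads those log lines on stdin and reports hits and destination ports per source address. The sample log lines are constructed, not captured. Keep in mind that the rule is limited to 3 entries per minute, so these counts are a sample; the real totals are the packet counters on the DROP rule (`iptables -t raw -vnL PREROUTING_blacklist`).

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the log lines that
# the LOG rule in direct.xml emits (prefix BLACKLIST_DROP:, log level 6).
# Assumption: lines arrive in the usual netfilter LOG format with
# SRC=/DST=/PROTO=/DPT= fields; the sample below is constructed, not captured.

# Usage:  journalctl -k -o cat | count_blacklist_drops
# Prints "source hits ports" per source address, busiest source first.
count_blacklist_drops() {
    grep 'BLACKLIST_DROP:' |
    awk '
        {
            src = ""; dpt = "-"
            # The prefix has no trailing space, so the first field reads
            # "BLACKLIST_DROP:IN=eth0"; the SRC= and DPT= fields are unaffected.
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            # remember each destination port once per source, in order seen
            if (index("," ports[src] ",", "," dpt ",") == 0)
                ports[src] = (ports[src] == "" ? dpt : ports[src] "," dpt)
        }
        END { for (s in hits) print s, hits[s], ports[s] }
    ' | sort -k2,2nr
}

# Constructed sample: three hits from one IPv4 source, one from an IPv6 source
# (ip6tables logs uncompressed addresses) and one unrelated kernel line.
SAMPLE_LOG='BLACKLIST_DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
BLACKLIST_DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
BLACKLIST_DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0001:0000:0000:0000:0000:0002 LEN=80 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=50000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
BLACKLIST_DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
martian source 10.0.0.1 from 198.51.100.9, on dev eth0'

# Run the summary over the constructed sample.
demo_blacklist_drops() {
    printf '%s\n' "$SAMPLE_LOG" | count_blacklist_drops
}

demo_blacklist_drops
```

Because the rules live in the raw table, the LOG line carries no connection-tracking state; what you get is the interface, the addresses, protocol and ports, which is enough to spot a blacklisted host that keeps retrying and to confirm the IPv6 leg of the ruleset is actually firing.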
/etc/systemd/system/ipset.service (from Anthony)

[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save
[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177
[Install]
WantedBy=basic.target
This is from the email from Anthony:

The way I did this was to create a minimal ipset configuration and execute '/usr/sbin/ipset -file /etc/sysconfig/ipset.save save' -- so the rules are stored in /etc/sysconfig/ipset.save prior to enabling ipset.service. My initial ipset.save without any ip addresses added looks like:

create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6

Then do 'systemctl enable ipset && systemctl start ipset'. Together, the additions to the direct.xml configuration and the ipset.service have allowed me to add or remove ip addresses from the blacklist without the worry of what happens upon restart, etc.
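The unit only checks ConditionFileNotEmpty, so a save file that is non-empty but inconsistent (an add line that names a set the file never creates, or a list:set filled before its members exist) makes the restore fail at boot, and the direct rules then reference a blacklist set that does not exist. The check below is an added example, not Anthony's or John's code; it walks the plain "create"/"add" lines that ipset save writes and refuses the file if anything is out of order. The two files it builds are constructed copies of the minimal save file above and a deliberately broken variant.

```shell
#!/bin/sh
# Added example, not from the original thread: sanity-check an ipset save file
# before "systemctl enable ipset && systemctl start ipset".
# Assumption: the file uses the "create NAME TYPE ..." / "add SET MEMBER" lines
# that "ipset save" writes, as shown in the thread; nothing else is expected.

# check_ipset_save FILE  -> exit 0 if consistent, 1 otherwise (problems on stderr)
check_ipset_save() {
    awk '
        function fail(msg) { print FILENAME ":" NR ": " msg > "/dev/stderr"; bad = 1 }
        BEGIN { bad = 0 }
        /^[ \t]*$/ || /^#/ { next }                 # blank lines and comments
        $1 == "create" {                            # create NAME TYPE ...
            if ($2 in type) fail("set " $2 " is created twice")
            type[$2] = $3
            next
        }
        $1 == "add" {                               # add SET MEMBER
            if (!($2 in type)) { fail("add to undefined set " $2); next }
            # a list:set member must itself be a set created earlier in the file
            if (type[$2] == "list:set" && !($3 in type))
                fail("list:set " $2 " contains undefined set " $3)
            next
        }
        { fail("unexpected line: " $0) }
        END { exit bad }
    ' "$1"
}

# Demo on a constructed copy of the minimal save file and on a broken one.
demo_check_ipset_save() {
    dir=$(mktemp -d)
    cat > "$dir/good.save" <<'EOF'
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
EOF
    # Broken on purpose: the list:set is filled before its member sets exist,
    # and blacklist_ipv6 is never created at all.
    cat > "$dir/bad.save" <<'EOF'
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
EOF
    check_ipset_save "$dir/good.save" && echo "good.save: ok"
    check_ipset_save "$dir/bad.save" 2>&1 || echo "bad.save: rejected"
    rm -rf "$dir"
}

demo_check_ipset_save
```

ipset restore would reject the broken file too, but only at boot and only in the journal; running the check right after each `ipset -file /etc/sysconfig/ipset.save save` catches it while you are still at the keyboard. The Before=firewalld.service ordering in the unit is what guarantees the blacklist set exists before firewalld loads the direct rules that match on it.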
My own ipset save file is a bit more complex:

create blacklist_ipv4_permanent hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv4_semipermanent hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv4_current hash:ip family inet hashsize 4096 maxelem 65536
create blacklist_ipv6_permanent hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist_ipv6_semipermanent hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist_ipv6_current hash:ip family inet6 hashsize 4096 maxelem 65536
create blacklist list:set size 8
add blacklist blacklist_ipv4_permanent
add blacklist blacklist_ipv4_semipermanent
add blacklist blacklist_ipv4_current
add blacklist blacklist_ipv6_permanent
add blacklist blacklist_ipv6_semipermanent
add blacklist blacklist_ipv6_current

It is up to you how you want to add IPs to the ipsets.
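Since the thread leaves the mechanism for adding addresses open, here is one way to do it consistently, as an added helper that is not John's or Anthony's code. It assumes the set names from the save file above (blacklist_ipv4/ipv6 crossed with permanent/semipermanent/current) and the ipset binary and save path from the unit file; IPSET and SAVE_FILE can be overridden, for instance IPSET=echo for a dry run on a machine without ipset.

```shell
#!/bin/sh
# Added example, not from the original thread: route an address into the
# matching family/tier set of the save file above and write the file back so
# ipset.service restores the current members on the next boot.
# Assumptions: set names follow blacklist_ipv{4,6}_{permanent,semipermanent,current};
# IPSET and SAVE_FILE default to the values used in the unit file.

IPSET=${IPSET:-/usr/sbin/ipset}
SAVE_FILE=${SAVE_FILE:-/etc/sysconfig/ipset.save}

# blacklist_set_for TIER ADDRESS -> prints the set name, or fails with a reason.
# The sets are hash:ip, which hold single addresses, so CIDR input is rejected.
blacklist_set_for() {
    tier=$1
    addr=$2
    case $tier in
        permanent|semipermanent|current) ;;
        *) echo "unknown tier: $tier (use permanent, semipermanent or current)" >&2; return 1 ;;
    esac
    case $addr in
        */*) echo "hash:ip sets take single addresses, not $addr" >&2; return 1 ;;
        *:*) family=ipv6 ;;
        *)   family=ipv4 ;;
    esac
    # cheap sanity check: IPv4 must be four dotted decimal groups
    if [ "$family" = ipv4 ] && ! printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "not an IPv4 address: $addr" >&2
        return 1
    fi
    echo "blacklist_${family}_${tier}"
}

# blacklist_add TIER ADDRESS: add (idempotent thanks to -exist) and persist.
blacklist_add() {
    set_name=$(blacklist_set_for "$1" "$2") || return 1
    "$IPSET" -exist add "$set_name" "$2" &&
    "$IPSET" -file "$SAVE_FILE" save
}

# blacklist_del TIER ADDRESS: remove (no error if absent) and persist.
blacklist_del() {
    set_name=$(blacklist_set_for "$1" "$2") || return 1
    "$IPSET" -exist del "$set_name" "$2" &&
    "$IPSET" -file "$SAVE_FILE" save
}

# Command-line use:  blacklist.sh add current 203.0.113.5
# With no arguments the script only defines the functions (safe to source).
case ${1:-} in
    add) blacklist_add "$2" "$3" ;;
    del) blacklist_del "$2" "$3" ;;
    *)   : ;;
esac
```

Saving after every change is what ties this to the unit above: ExecStart restores whatever is in the file, and ExecStop saves again at shutdown, so a change made with this helper survives a reboot either way. If the "current" tier is meant to age out on its own, ipset can do that for you by creating that set with a timeout option instead of scripting the removal.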
Hello John, Once you have this working, would you mind posting your config/scripts for others to benefit from? I'd like to use ipsets as well but haven't had a chance to look deeply into them. Your setup sounds like it would be a great start.