Anthony,

Thank you.

John


On 08/22/2013 09:19 PM, Anthony Messina wrote:
On Thursday, August 22, 2013 07:01:32 PM John Griffiths wrote:
Thomas,

Thank you.

IPSETS are new to me as well.
They were new to me a few weeks back as well.  I am using the following 
systemd unit to initialize my ipsets at boot, and save any changes at shutdown 
for the next boot.  This unit file won't create the initial ip sets, you kind 
of need to do that manually, then issue

/usr/sbin/ipset -file /etc/sysconfig/ipset.save save

after you have the rules you want so you have a starting set.  After that, 
this service takes care of the rest.  If you want to add an ip address to the 
set, do so via the normal ipset routine and it will be preserved for the next 
reboot.

# /usr/lib/systemd/system/ipset.service
[Unit]
Description=ipset - IP set restore & save
Documentation=man:ipset(8)
Before=network.target firewalld.service iptables.service ip6tables.service
ConditionFileNotEmpty=/etc/sysconfig/ipset.save

[Service]
Type=oneshot
ExecStart=/usr/sbin/ipset -exist -file /etc/sysconfig/ipset.save restore
ExecStop=/usr/sbin/ipset -file /etc/sysconfig/ipset.save save
RemainAfterExit=yes
StandardOutput=journal+console
UMask=0177

[Install]
WantedBy=basic.target


And I use the following in /etc/firewalld/direct.xml to insert the proper 
iptables rules which use the ipsets I created.  For now, I am only using 
ipsets to blacklist some pain in the butt scanners:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <!-- IPset Blacklisting -->
  <chain ipv="ipv4" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv4">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
  <chain ipv="ipv6" table="raw" chain="PREROUTING_blacklist"/>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -m limit --limit 3/min -j LOG --log-prefix BLACKLIST_DROP: --log-level 6</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING_blacklist -j DROP</passthrough>
  <passthrough ipv="ipv6">-t raw -A PREROUTING -m set --match-set blacklist src -j PREROUTING_blacklist</passthrough>
</direct>


Also for clarification, I've created two ipsets which I join in an ipset list:

'blacklist_ipv4' and 'blacklist_ipv6' are joined into the 'blacklist' ipset 
which simplifies the above iptables rules to only have to check the 
'blacklist' superset.

I hope to extend this feature in the future by dynamically adding and removing 
addresses from the ipset by using the 'timeout' parameter, but I need to 
investigate that further.

For quick reference, to create your *initial* empty ipsets as above, you can 
issue the following commands:

ipset create blacklist_ipv6 hash:net family inet6
ipset create blacklist_ipv4 hash:net family inet
ipset create blacklist list:set size 8
ipset add blacklist blacklist_ipv4
ipset add blacklist blacklist_ipv6

Then do...

ipset -file /etc/sysconfig/ipset.save save
systemctl enable ipset.service

I know it seems like a lot, but this revolutionized the crazy Bash scripts I 
was using before, which worked well, but required a lot of startup time and 
were less manageable.

I hope this helps.  I do look forward to ipset functionality being built into 
firewalld soon ;)

-A
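The direct.xml rules above log each dropped packet with the prefix BLACKLIST_DROP: before dropping it, and the sets are persisted in the ipset save format. The following is an added example (not part of the original post or of ipset/firewalld) showing how a defender can review what the blacklist is actually catching: it parses a save file in that format, follows the list:set indirection from 'blacklist' down to 'blacklist_ipv4' / 'blacklist_ipv6', and resolves each source address seen in BLACKLIST_DROP log lines to the set entry that matched it. Both the save-file text and the log lines are constructed for the example (documentation address ranges, abbreviated LOG fields); the hashsize/maxelem values are the defaults ipset save normally writes out.

```python
"""Summarize BLACKLIST_DROP log lines against an ipset save file.

Added example; not part of the original mailing-list post. Both inputs
below are constructed: the save file mirrors the sets described in the
thread, the log lines imitate what the iptables LOG target writes to the
kernel log / journal with --log-prefix BLACKLIST_DROP:.
"""
import ipaddress
import re
from collections import Counter

# Constructed: plausible contents of /etc/sysconfig/ipset.save once the
# three sets from the thread exist and hold a few entries.
IPSET_SAVE = """\
create blacklist_ipv6 hash:net family inet6 hashsize 1024 maxelem 65536
add blacklist_ipv6 2001:db8:bad::/48
create blacklist_ipv4 hash:net family inet hashsize 1024 maxelem 65536
add blacklist_ipv4 203.0.113.0/24
add blacklist_ipv4 198.51.100.7
create blacklist list:set size 8
add blacklist blacklist_ipv4
add blacklist blacklist_ipv6
"""

# Constructed kernel log lines (fields abbreviated); the last one carries
# no BLACKLIST_DROP prefix and must be ignored.
LOG_LINES = [
    "Aug 23 09:15:01 host kernel: BLACKLIST_DROP:IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=54321 DPT=22",
    "Aug 23 09:15:03 host kernel: BLACKLIST_DROP:IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=54322 DPT=22",
    "Aug 23 09:16:10 host kernel: BLACKLIST_DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443",
    "Aug 23 09:17:00 host kernel: BLACKLIST_DROP:IN=eth0 OUT= SRC=2001:db8:bad:1::9 DST=2001:db8:1::2 PROTO=TCP SPT=4444 DPT=80",
    "Aug 23 09:18:00 host kernel: some unrelated message SRC=192.0.2.99",
]

# Only lines carrying the blacklist prefix count; capture the SRC= field.
LOG_RE = re.compile(r"BLACKLIST_DROP:.*?\bSRC=(?P<src>[0-9a-fA-F.:]+)")


def parse_ipset_save(text):
    """Parse 'create'/'add' lines of an ipset save file.

    Returns (kinds, members): kinds maps set name -> set type, members maps
    set name -> list of ip_network objects (hash:net) or member set names
    (list:set). Other save-file lines are ignored.
    """
    kinds, members = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "create":
            kinds[parts[1]] = parts[2]
            members[parts[1]] = []
        elif parts[0] == "add":
            name, entry = parts[1], parts[2]
            if kinds[name] == "list:set":
                members[name].append(entry)
            else:
                members[name].append(ipaddress.ip_network(entry, strict=False))
    return kinds, members


def matching_entry(addr, set_name, kinds, members):
    """Return (set_name, network) for the entry covering addr, descending
    through list:set members in order, or None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    for entry in members[set_name]:
        if kinds[set_name] == "list:set":
            hit = matching_entry(addr, entry, kinds, members)
            if hit:
                return hit
        elif ip.version == entry.version and ip in entry:
            return (set_name, entry)
    return None


def summarize_drops(log_lines, save_text, top_set="blacklist"):
    """Count BLACKLIST_DROP hits per source and attribute each source to the
    set entry that caused the drop (entry is None if the set no longer
    covers it, e.g. after a timed-out or removed entry)."""
    kinds, members = parse_ipset_save(save_text)
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    report = {}
    for src, n in counts.items():
        hit = matching_entry(src, top_set, kinds, members)
        report[src] = {"hits": n,
                       "set": hit[0] if hit else None,
                       "entry": str(hit[1]) if hit else None}
    return report


if __name__ == "__main__":
    # On a real host: read /etc/sysconfig/ipset.save and journalctl -k output.
    for src, info in summarize_drops(LOG_LINES, IPSET_SAVE).items():
        print(f"{src:24} {info['hits']:3} drops via {info['set']} {info['entry']}")
```

A source that shows up in the log but resolves to no entry points at a set that drifted from the saved file (an entry removed at runtime, or expired via the 'timeout' feature mentioned above) and is a cue to re-run the save so the next boot restores what is actually in use.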




_______________________________________________
firewalld-users mailing list
firewalld-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/firewalld-users