How to block a large number of malicious IP addresses in Linux

Source: Internet
Author: User
Tags linux mint

There are many situations in which you may need to block IP addresses in Linux. As an end user, you may want to protect yourself from spyware or IP tracking. If you run P2P software, you may want to filter out connections from networks associated with anti-P2P activity. If you are a system administrator, you may want to stop spam IP addresses from reaching your company's email server, or, for some reason, block certain countries from accessing your web services. In many of these cases, however, your IP block list can quickly grow to tens of thousands of IP addresses. How do you deal with this?

Netfilter/IPtables Problems

In Linux, you can simply use the netfilter/iptables framework to block an IP address:

  $ sudo iptables -A INPUT -s <IP-address> -p tcp -j DROP

If you want to block an entire IP address block, you can do so just as easily:

  $ sudo iptables -A INPUT -s <network>/<prefix> -p tcp -j DROP

However, what if you have 1000 independent IP addresses with no common CIDR (Classless Inter-Domain Routing) prefix? You would need 1000 iptables rules! This obviously does not scale to large block lists.

  $ sudo iptables -A INPUT -s <IP-address-1> -p tcp -j DROP
  $ sudo iptables -A INPUT -s <IP-address-2> -p tcp -j DROP
  $ sudo iptables -A INPUT -s <IP-address-3> -p tcp -j DROP
  ....

What is an IP address set?

This is where IP sets come in. An IP set is a kernel feature that allows multiple (independent) IP addresses, MAC addresses, or even port numbers to be encoded and stored efficiently in bitmap/hash kernel data structures. Once an IP set is created, you can create an iptables rule that matches against the set.

The benefit is immediate: a single iptables rule can match many IP addresses! You can build an IP set from multiple IP addresses and port numbers, and update it dynamically without affecting performance.

Install ipset in Linux

To create and manage IP sets, you need a user-space tool called ipset.

To install it on Debian, Ubuntu, or Linux Mint:

  $ sudo apt-get install ipset

To install it on Fedora or CentOS/RHEL 7:

  $ sudo yum install ipset

Use the ipset command to block IP addresses

Let me use a simple example to show you how to use the ipset command.

First, let's create a new IP set named banthis (the name is arbitrary):

  $ sudo ipset create banthis hash:net

The second parameter (hash:net) is required and specifies the set type. There are multiple set types. An IP set of type hash:net uses a hash to store multiple CIDR blocks. If you want to store individual IP addresses in a set, you can use the hash:ip type instead.

Once an IP set is created, run the following command to inspect it:

  $ sudo ipset list

This shows a list of the available IP sets, along with detailed information about each set, including its members. By default, each IP set can contain 65536 elements (CIDR blocks). You can raise this limit by appending the "maxelem N" option.

  $ sudo ipset create banthis hash:net maxelem 1000000

Now let's add IP blocks to this set:

  $ sudo ipset add banthis <CIDR-block-1>
  $ sudo ipset add banthis <CIDR-block-2>
  $ sudo ipset add banthis <CIDR-block-3>
  $ sudo ipset add banthis <CIDR-block-4>

You will see that the set's members have changed.

  $ sudo ipset list

Now it is time to create an iptables rule that uses the IP set. The key here is the "-m set --match-set" option.

Now let's create an iptables rule that prevents the IP blocks added above from accessing web services on port 80. You can run the following command:

  $ sudo iptables -I INPUT -m set --match-set banthis src -p tcp --destination-port 80 -j DROP

If you want, you can save a specific IP set to a file and later restore it from that file:

  $ sudo ipset save banthis -f banthis.txt
  $ sudo ipset destroy banthis
  $ sudo ipset restore -f banthis.txt

In the preceding commands, I used the destroy option to delete the existing IP set to check that I can restore it.

Automatically Block IP Addresses

By now you should see how powerful IP sets are. Still, maintaining an IP blacklist by hand is cumbersome and time-consuming. In fact, there are plenty of free and paid services that do this for you. As a bonus, let's see how to automatically add an IP blacklist to an IP set.

First, let's get a free blacklist from This website has different free and paid lists. The free version is in P2P format.

Next, I will use an open-source Python tool named iblocklist2ipset to convert a P2P blacklist to an IP address set.

First, you need to install pip (refer to this guide to install pip).

Run the following command to install iblocklist2ipset.

  $ sudo pip install iblocklist2ipset

On some distributions such as Fedora, you may need to run:

  $ sudo python-pip install iblocklist2ipset

Then copy the URL of any P2P list (such as the "level1" list).

Paste the URL into the following command.

  $ iblocklist2ipset generate \
      --ipset banthis "<blocklist-site>/?list=ydxerpxkpcfqjaybcssw&fileformat=p2p&archiveformat=gz" \
      > banthis.txt

After the command has run, you will have a file named banthis.txt. If you view its contents, you will see something like the following:

  create banthis hash:net family inet hashsize 131072 maxelem 237302
  add banthis <CIDR-block>
  add banthis <CIDR-block>
  add banthis <CIDR-block>
  add banthis <CIDR-block>
  add banthis <CIDR-block>
  add banthis <CIDR-block>
  add banthis <CIDR-block>

You can load the file with the following ipset command:

  $ sudo ipset restore -f banthis.txt

Now you can view the automatically created IP set:

  $ sudo ipset list banthis

At the time of writing this article, the "level1" list contains 237,000 blocked IP addresses. You can see that many IP addresses have been added to the IP set.
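
The P2P-to-ipset conversion step above, as an added Python sketch (not the code of iblocklist2ipset and not part of the original article). It assumes the P2P text layout `label:start-end`, and the names `p2p_to_restore`, `never_block` and `min_prefix` are hypothetical; because the resulting file is loaded as root, it rejects unparsable lines, implausibly wide ranges, and ranges that overlap addresses you must never block.

```python
import ipaddress
import re

# Constructed sample in P2P text format ("label:start-end"); the addresses are
# documentation ranges (RFC 5737), not real blocklist entries.
SAMPLE_P2P = """\
# constructed sample feed
Example Org:192.0.2.0-192.0.2.255
Label: with colon:198.51.100.4-198.51.100.9
Overlap:192.0.2.128-192.0.2.200
Too broad:0.0.0.0-255.255.255.255
Mgmt overlap:203.0.113.0-203.0.113.255
garbage line without a range
"""

SET_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,31}$")  # ipset names: max 31 chars

def p2p_to_restore(text, set_name, never_block=(), min_prefix=8):
    """Return (restore_file_text, rejected_lines) for `ipset restore -f`."""
    if not SET_NAME_RE.match(set_name):
        raise ValueError("unsafe set name: %r" % set_name)
    protected = [ipaddress.ip_network(n) for n in never_block]
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Labels may contain ':'; the range is whatever follows the last one.
        _, _, rng = line.rpartition(":")
        start, _, end = rng.partition("-")
        try:
            first = ipaddress.IPv4Address(start.strip())
            last = ipaddress.IPv4Address(end.strip())
            blocks = list(ipaddress.summarize_address_range(first, last))
        except (ValueError, TypeError):
            rejected.append(raw)
            continue
        # Refuse entries that are too wide or would cut off protected hosts.
        if any(b.prefixlen < min_prefix or any(b.overlaps(p) for p in protected)
               for b in blocks):
            rejected.append(raw)
            continue
        nets.extend(blocks)
    merged = list(ipaddress.collapse_addresses(nets))  # drop overlaps, sort
    lines = ["create %s hash:net family inet maxelem %d"
             % (set_name, max(len(merged), 65536))]
    lines += ["add %s %s" % (set_name, n) for n in merged]
    return "\n".join(lines) + "\n", rejected
```

Review the rejected lines before loading the output with `ipset restore -f`; a feed entry that covers your own management addresses is dropped here rather than silently locking you out.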

Finally, create an iptables command to block these bad guys!


This article described how to use the powerful ipset tool to block unwanted IP addresses. Combined with the third-party tool iblocklist2ipset, you can streamline the maintenance of your IP block list. For those curious about ipset's performance improvement, the benchmark results compare iptables with and without ipset (note the time axis).

Tell me how much you like this. :-)
