5.12. Setting and Controlling IP sets using firewalld

To see the list of IP set types supported by firewalld, enter the following command as root.
~]# firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net

5.12.1. Configuring IP Set Options with the Command-Line Client

IP sets can be used in firewalld zones as sources and also as sources in rich rules. In Red Hat Enterprise Linux 7, the preferred method is to use the IP sets created with firewalld in a direct rule.
To list the IP sets known to firewalld in the permanent environment, use the following command as root:
~]# firewall-cmd --permanent --get-ipsets
To add a new IP set, use the following command using the permanent environment as root:
~]# firewall-cmd --permanent --new-ipset=test --type=hash:net
success
The previous command creates a new IP set with the name test and the hash:net type for IPv4. To create an IP set for use with IPv6, add the --option=family=inet6 option. To make the new setting effective in the runtime environment, reload firewalld. List the new IP set with the following command as root:
~]# firewall-cmd --permanent --get-ipsets
test
To get more information about the IP set, use the following command as root:
~]# firewall-cmd --permanent --info-ipset=test
test
type: hash:net
options:
entries:
Note that the IP set does not have any entries at the moment. To add an entry to the test IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --add-entry=192.168.0.1
success
The previous command adds the IP address 192.168.0.1 to the IP set. To get the list of current entries in the IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --get-entries
192.168.0.1
Generate a file containing a list of IP addresses, for example:
~]# cat > iplist.txt <<EOL
192.168.0.2
192.168.0.3
192.168.1.0/24
192.168.2.254
EOL
The file with the list of IP addresses for an IP set should contain one entry per line. Empty lines and lines beginning with a hash (#) or a semicolon (;) are ignored.
To add the addresses from the iplist.txt file, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --add-entries-from-file=iplist.txt
success
To see the extended entries list of the IP set, use the following command as root:
~]# firewall-cmd --permanent --ipset=test --get-entries
192.168.0.1
192.168.0.2
192.168.0.3
192.168.1.0/24
192.168.2.254
To remove the addresses from the IP set and to check the updated entries list, use the following commands as root:
~]# firewall-cmd --permanent --ipset=test --remove-entries-from-file=iplist.txt
success
~]# firewall-cmd --permanent --ipset=test --get-entries
192.168.0.1
You can add an IP set as a source to a zone so that all traffic arriving from any address listed in the set is handled by that zone. For example, to add the test IP set as a source to the drop zone, so that all packets coming from the entries listed in test are dropped, use the following command as root:
~]# firewall-cmd --permanent --zone=drop --add-source=ipset:test
success
The ipset: prefix in the source tells firewalld that the source is an IP set and not an IP address or an address range.
Only the creation and removal of IP sets is limited to the permanent environment; all other IP set options can also be used in the runtime environment, without the --permanent option.
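The steps above (create the set, load it from a file, attach it to the drop zone, reload) are easy to script, but firewall-cmd only reports the first bad line in a file, so it pays to check the file format first. The following script is an added example, not part of the Red Hat documentation: it normalises a list file using the rules stated above (empty lines and lines starting with # or ; are ignored), validates every remaining entry as an IPv4 address or CIDR prefix, and only then runs the firewall-cmd sequence. The set name "blocklist" and the path /etc/firewalld/blocklist.txt are assumptions; the set is only created when --get-ipsets does not already list it, because creation is permanent-only and not idempotent.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): build a firewalld-managed
# IP set from a list file, validating the file first. The set name "blocklist"
# and the file /etc/firewalld/blocklist.txt below are assumptions.
set -eu

# Normalise a list file the way firewalld reads it: trim surrounding whitespace,
# drop empty lines and lines beginning with '#' or ';'.
clean_list() {
    awk '{ sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "");
           if ($0 != "" && $0 !~ /^[#;]/) print }' "$1"
}

# Accept "a.b.c.d" or "a.b.c.d/n" with octets 0-255 and prefix length 0-32.
is_ipv4_entry() {
    entry=$1
    case $entry in
        */*) addr=${entry%/*}; prefix=${entry#*/} ;;
        *)   addr=$entry;      prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print every invalid entry to stderr and fail if there is at least one.
validate_list() {
    bad=$(clean_list "$1" | while IFS= read -r e; do is_ipv4_entry "$e" || echo "$e"; done)
    [ -z "$bad" ] || { printf 'invalid entries in %s:\n%s\n' "$1" "$bad" >&2; return 1; }
}

# Create (if needed) and load the set, attach it to the drop zone, reload.
# family is "inet" for IPv4 or "inet6" for IPv6 (the --option=family= setting).
load_blocklist() {
    name=$1; file=$2; family=${3:-inet}
    validate_list "$file"
    if ! firewall-cmd --permanent --get-ipsets | tr ' ' '\n' | grep -qx "$name"; then
        firewall-cmd --permanent --new-ipset="$name" --type=hash:net --option=family="$family"
    fi
    firewall-cmd --permanent --ipset="$name" --add-entries-from-file="$file"
    firewall-cmd --permanent --zone=drop --add-source="ipset:$name"
    firewall-cmd --reload
}

# Constructed sample list, written to a temporary file; returns its path.
write_sample_list() {
    f=$(mktemp)
    cat > "$f" <<'EOL'
# constructed sample list (comment line, ignored)
; another ignored line
192.168.0.2
  192.168.0.3
192.168.1.0/24

192.168.2.254
EOL
    printf '%s\n' "$f"
}

# Only touch the firewall when explicitly asked (run as root):
#   ./blocklist.sh apply blocklist /etc/firewalld/blocklist.txt inet
case ${1:-} in
    apply) load_blocklist "${2:-blocklist}" "${3:-/etc/firewalld/blocklist.txt}" "${4:-inet}" ;;
esac
```

Validation happens before any --permanent change is made, so a typo in the file cannot leave a half-loaded set behind; the --reload at the end is what makes the permanent set and the zone source active in the runtime environment.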

5.12.2. Configuring a Custom Service for an IP Set

To configure a custom service to create and load the IP set structure before firewalld starts:
  1. Using an editor running as root, create a file as follows:
    ~]# vi /etc/systemd/system/ipset_name.service
    [Unit]
    Description=ipset_name
    Before=firewalld.service
    
    [Service]
    Type=oneshot
    RemainAfterExit=yes
    ExecStart=/usr/local/bin/ipset_name.sh start
    ExecStop=/usr/local/bin/ipset_name.sh stop
    
    [Install]
    WantedBy=basic.target
  2. Use the IP set permanently in firewalld:
    ~]# vi /etc/firewalld/direct.xml
    <?xml version="1.0" encoding="utf-8"?>
    <direct>
        <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-m set --match-set ipset_name src -j DROP</rule>
    </direct>
  3. A firewalld reload is required to activate the changes:
    ~]# firewall-cmd --reload
    This reloads the firewall without losing state information (TCP sessions will not be terminated), but service disruption is possible during the reload.
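The unit in step 1 calls /usr/local/bin/ipset_name.sh with start and stop, but the page does not show that script. The following is an added example, not part of the Red Hat documentation, of what such a script can look like: it turns a list file (one entry per line, # and ; comment lines and empty lines ignored) into ipset restore input, creates and fills the set idempotently on start so that the direct rule in step 2 finds it when firewalld comes up, and flushes it on stop. The list file path /etc/ipset_name.list and the hash:net IPv4 set are assumptions; the set type and family can be overridden through the environment.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): the start/stop script
# referenced by the ipset_name.service unit. The list file path and the
# defaults below are assumptions.
set -eu

SET_NAME=${SET_NAME:-ipset_name}
SET_TYPE=${SET_TYPE:-hash:net}
SET_FAMILY=${SET_FAMILY:-inet}          # inet for IPv4, inet6 for IPv6
LIST_FILE=${LIST_FILE:-/etc/ipset_name.list}

# Translate the list file into the line format read by 'ipset restore':
# one "create" line followed by one "add" line per entry. Surrounding
# whitespace is trimmed; empty lines and '#'/';' comment lines are skipped.
# (hash:mac sets take no family; this example assumes an address-based type.)
build_restore() {
    name=$1; type=$2; family=$3; file=$4
    printf 'create %s %s family %s\n' "$name" "$type" "$family"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        line=${line%"${line##*[![:space:]]}"}   # strip trailing whitespace
        case $line in ''|\#*|\;*) continue ;; esac
        printf 'add %s %s\n' "$name" "$line"
    done < "$file"
}

start() {
    # -exist makes both create and add idempotent, so restarting the unit
    # after editing the list does not fail on entries already present.
    build_restore "$SET_NAME" "$SET_TYPE" "$SET_FAMILY" "$LIST_FILE" | ipset -exist restore
}

stop() {
    # Flush rather than destroy: destroy is refused while the direct rule
    # still references the set, and an empty set matches nothing anyway.
    ipset flush "$SET_NAME" 2>/dev/null || true
}

case ${1:-} in
    start) start ;;
    stop)  stop ;;
    show)  build_restore "$SET_NAME" "$SET_TYPE" "$SET_FAMILY" "$LIST_FILE" ;;
    '')    ;;   # no argument: only define the functions
    *)     echo "usage: $0 start|stop|show" >&2; exit 2 ;;
esac
```

The show argument prints the generated restore input without touching the kernel, which is a convenient way to check the list file before enabling the unit. Because the unit is ordered Before=firewalld.service and uses RemainAfterExit=yes, systemd stops it only after firewalld on shutdown, so the flush in stop never runs while firewalld still expects the set to be populated.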

Warning

Red Hat does not recommend using IP sets that are not managed through firewalld. To use such IP sets, a permanent direct rule is required to reference the set, and a custom service must be added to create these IP sets. This service needs to be started before firewalld starts, otherwise firewalld is not able to add the direct rules using these sets. You can add permanent direct rules with the /etc/firewalld/direct.xml file.