Using ipset to speed up iptables

Hello! Now I want to explain how to integrate ipset into iptables rules.
Without it, if you have a hundred or more nearly identical rules (one per IP address), your CPU will be overloaded, because every packet is checked against every rule in turn. With ipset the addresses go into one hash set and a single rule matches against it.

1) yum install ipset
2) Place this script at /etc/init.d/ipset and make it executable:

#!/bin/sh
#
# ipset        Start ipset
#
# chkconfig: 2345 07 93
# description: Starts, stops and saves ipset rules
#
# config: /etc/sysconfig/ipset
# config: /etc/sysconfig/ipset-config
#
### BEGIN INIT INFO
# Provides: ipset
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop ipset rules
# Description: Start, stop and save ipset rules
### END INIT INFO

# Start priority 07 runs before iptables (08), so the sets exist when rules
# that reference them are loaded; stop priority 93 runs after iptables (92),
# so the sets are destroyed only once no rule references them any more.

# Source function library.
. /etc/init.d/functions

IPSET=ipset
IPSET_DATA=/etc/sysconfig/$IPSET
IPSET_CONFIG=/etc/sysconfig/${IPSET}-config
VAR_SUBSYS_IPSET=/var/lock/subsys/$IPSET

if [ ! -x /usr/sbin/$IPSET ]; then
    echo -n $"${IPSET}: /usr/sbin/$IPSET does not exist."; warning; echo
    exit 5
fi

# Load firewall configuration (IPSET_SAVE_ON_STOP, IPSET_SAVE_ON_RESTART).
[ -f "$IPSET_CONFIG" ] && . "$IPSET_CONFIG"

start() {
    # Do not start if there is no saved set data.
    [ ! -f "$IPSET_DATA" ] && return 6

    echo -n $"${IPSET}: Applying firewall rules: "

    # Restore all sets from the file written by save().
    $IPSET -R < $IPSET_DATA
    if [ $? -eq 0 ]; then
        success; echo
    else
        failure; echo; return 1
    fi

    touch $VAR_SUBSYS_IPSET
    return 0
}

stop() {
    # Flush every set, then destroy them all. "ipset -X" refuses to destroy a
    # set that an iptables rule still references, hence the stop ordering above.
    $IPSET -F
    $IPSET -X

    rm -f $VAR_SUBSYS_IPSET
    return 0
}

save() {
    echo -n $"${IPSET}: Saving firewall rules to $IPSET_DATA: "

    ret=0
    # Dump into a private temp file first and replace the data file only if the
    # dump is non-empty; the previous version is kept as $IPSET_DATA.save.
    TMP_FILE=$(/bin/mktemp -q /tmp/$IPSET.XXXXXX) \
        && chmod 600 "$TMP_FILE" \
        && $IPSET -S > $TMP_FILE 2>/dev/null \
        && size=$(stat -c '%s' $TMP_FILE) && [ $size -gt 0 ] \
        || ret=1
    if [ $ret -eq 0 ]; then
        if [ -e $IPSET_DATA ]; then
            cp -f $IPSET_DATA $IPSET_DATA.save \
                && chmod 600 $IPSET_DATA.save \
                || ret=1
        fi
        if [ $ret -eq 0 ]; then
            cp -f $TMP_FILE $IPSET_DATA \
                && chmod 600 $IPSET_DATA \
                || ret=1
        fi
    fi
    [ $ret -eq 0 ] && success || failure
    echo
    rm -f $TMP_FILE
    return $ret
}

status() {
    # ipset is not a daemon: report whether sets have been loaded and list them.
    if [ -f "$VAR_SUBSYS_IPSET" ]; then
        echo $"${IPSET}: sets loaded"
        $IPSET -L
        return 0
    fi
    echo $"${IPSET}: no sets loaded"
    return 3
}

restart() {
    [ "x$IPSET_SAVE_ON_RESTART" = "xyes" ] && save
    stop
    start
}

case "$1" in
    start)
        [ -f "$VAR_SUBSYS_IPSET" ] && exit 0
        start
        RETVAL=$?
        ;;
    stop)
        [ "x$IPSET_SAVE_ON_STOP" = "xyes" ] && save
        stop
        RETVAL=$?
        ;;
    restart|force-reload)
        restart
        RETVAL=$?
        ;;
    condrestart|try-restart)
        [ ! -e "$VAR_SUBSYS_IPSET" ] && exit 0
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        echo $"Usage: ${IPSET} {start|stop|restart|force-reload|condrestart|try-restart|status|save}"
        RETVAL=2
        ;;
esac

exit $RETVAL

3) chkconfig --add ipset
4) Create an ipset set, for example mysql:
ipset create mysql hash:net
5) Put any IPs (or whole networks) into this set:
ipset add mysql 172.16.8.1/32
ipset add mysql 172.16.8.2/32

6) To ACCEPT traffic from these IPs, create a single iptables rule that matches against the set, for example:
iptables -A INPUT -p tcp -m tcp --dport 3306 -m set --match-set mysql src -j ACCEPT
7) Put the configuration file at /etc/sysconfig/ipset-config:
IPSET_SAVE_ON_STOP=yes
IPSET_SAVE_ON_RESTART=yes
Run "service ipset save" once now, so the sets are written to /etc/sysconfig/ipset; start() refuses to run until that file exists.

8) All done! Let's go drink some beer 🙂
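As an added example (not from the original post), the following POSIX sh script builds the restore file that the init script feeds to "ipset -R" from a list of addresses or networks, validating each entry so that one typo cannot stop the restore halfway, and prints the single iptables rule that replaces a rule per address. The set name "mysql" and port 3306 come from the post; the function names and the sample input are this example's own.

```shell
# Added example, not from the original post: build the restore file the init
# script feeds to "ipset -R" from a list of IPv4 addresses/CIDRs, validating
# each entry, and print the single iptables rule. Set name/port are the post's.

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    _rest="$1."; _n=0
    while [ -n "$_rest" ]; do
        _o=${_rest%%.*}; _rest=${_rest#*.}
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
        _n=$((_n + 1))
    done
    [ "$_n" -eq 4 ]
}

# True if $1 is IPv4 or IPv4/PREFIX with PREFIX in 0..32.
valid_cidr() {
    case $1 in
        */*) _ip=${1%/*}; _plen=${1#*/} ;;
        *)   _ip=$1; _plen=32 ;;
    esac
    valid_ipv4 "$_ip" || return 1
    case $_plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$_plen" -le 32 ]
}

# Print "create"/"add" lines in ipset save/restore syntax for set $1 and
# entries $2..$n. Invalid entries are reported on stderr and skipped, because
# "ipset -R" stops at the first bad line and the rest of the file is not loaded.
gen_ipset_restore() {
    _set=$1; shift
    echo "create $_set hash:net"
    for _e in "$@"; do
        if valid_cidr "$_e"; then
            case $_e in */*) echo "add $_set $_e" ;; *) echo "add $_set $_e/32" ;; esac
        else
            echo "skipping invalid entry: $_e" >&2
        fi
    done
}

# Print the one INPUT rule that replaces a separate rule per address.
gen_iptables_rule() {
    echo "iptables -A INPUT -p tcp -m tcp --dport $2 -m set --match-set $1 src -j ACCEPT"
}

# Constructed sample input; 999.1.1.1 and 10.0.0.0/33 are deliberately invalid.
gen_ipset_restore mysql 172.16.8.1/32 172.16.8.2 999.1.1.1 10.0.0.0/33 10.0.0.0/8
gen_iptables_rule mysql 3306
```

Redirect the first command's output to /etc/sysconfig/ipset (as root) and the init script's start() will load it on the next boot.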

To Red Hat devs (CentOS team): it would be nice if you added init scripts for ipset to the default RPM package.
Thanks
