Ipset

Ipset is a subsystem of the Linux kernel that can store and match large sets of IPv4 and IPv6 addresses very efficiently. Using it can dramatically increase the performance of an iptables firewall, since one rule matches against a set instead of one rule per address. The Ipset header designation follows the same format as the Iptables header, but uses the target platform 'ipset':

```
target:: ipset [INPUT|OUTPUT|FORWARD|custom] {ACCEPT|DROP} {truncatenames} {nostate} {inet|inet6}
```

Term Format

  • action:: The action to take when matched. See Actions section for valid options.
  • comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
  • counter:: Update a counter for matching packets
  • destination-address:: One or more destination address tokens
  • destination-exclude:: Exclude one or more address tokens from the specified destination-address
  • destination-interface:: Specify specific interface a term should apply to (e.g. destination-interface:: eth3)
  • destination-port:: One or more service definition tokens
  • destination-prefix:: Specify destination-prefix matching (e.g. destination-prefix:: configured-neighbors-only)
  • expiration:: stop rendering this term after specified date. YYYY-MM-DD
  • fragment-offset:: specify a fragment offset of a fragmented packet
  • icmp-code:: Specifies the ICMP code to filter on.
  • icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
  • logging:: Specify that this packet should be logged via syslog.
  • name:: Name of the term.
  • option:: See platforms supported Options section.
  • owner:: Owner of the term, used for organizational purposes.
  • packet-length:: specify packet length.
  • platform:: one or more target platforms for which this term should ONLY be rendered.
  • platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
  • protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
  • routing-instance:: specify routing instance for matching packets.
  • source-address:: one or more source address tokens.
  • source-exclude:: exclude one or more address tokens from the specified source-address.
  • source-interface:: specify specific interface a term should apply to (e.g. source-interface:: eth3).
  • source-port:: one or more service definition tokens.
  • source-prefix:: specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.
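The following policy puts the header format and several of the term keywords above together. It is an added illustration, not taken from the original page or from the project's own examples; MGMT_NET and SSH are assumed to be defined in the policy's network and service definition files.

```text
# Constructed example policy: filter INPUT with a default DROP, IPv4 only.
header {
  comment:: "Host firewall rendered through the ipset generator"
  target:: ipset INPUT DROP inet
}

# Return traffic for connections the host opened itself.
term allow-established {
  comment:: "Permit established TCP sessions"
  protocol:: tcp
  option:: tcp-established
  action:: accept
}

# Administrative access from the management range only.
# MGMT_NET is an assumed network token; SSH an assumed service token.
term allow-ssh-from-mgmt {
  comment:: "SSH from the management network"
  source-address:: MGMT_NET
  destination-port:: SSH
  protocol:: tcp
  action:: accept
}

# Everything else is counted and dropped explicitly.
term default-deny {
  comment:: "Catch-all deny with a counter for visibility"
  counter:: DROPPED_INPUT
  action:: deny
}
```

Because MGMT_NET is matched through an ipset rather than expanded into one iptables rule per prefix, the network token can grow without lengthening the rendered chain.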

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • ack:: Match on ACK flag being present.
  • all:: Matches all protocols.
  • established:: Only match established connections; implements tcp-established for tcp and sets the destination port to 1024-65535 for udp if no destination port is defined.
  • fin:: Match on FIN flag being present.
  • first-fragment:: Only match on the first fragment of a fragmented packet.
  • initial:: Only matches on initial packet.
  • is-fragment:: Matches on if a packet is a fragment.
  • none:: Matches none.
  • psh:: Match on PSH flag being present.
  • rst:: Match on RST flag being present.
  • sample:: Samples traffic for netflow.
  • syn:: Match on SYN flag being present.
  • tcp-established:: Only match established tcp connections, based on a stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial:: Only match initial packet for TCP protocol.
  • urg:: Match on URG flag being present.