
ipset(8)

Manage IP sets – collections of IP addresses, networks, ports, or MAC addresses for use with netfilter firewall rules.


Synopsis

ipset [OPTIONS] COMMAND [COMMAND-OPTIONS] SETNAME [ELEMENTS]

Description

ipset is a userspace utility that manages IP sets in the kernel. IP sets are efficient data structures for storing and matching collections of IP addresses, networks, ports, or MAC addresses. They are commonly used with iptables/netfilter to quickly match traffic against large lists of addresses without the performance penalty of many individual rules.

IP sets come in several types (hash:ip, hash:net, hash:port, list:set, etc.) and can be referenced from iptables rules for efficient filtering. Sets live in kernel memory and do not survive a reboot unless they are saved and restored.

Common options

Flag            What it does
-N, --create    Create a new IP set with the specified name and type
-X, --destroy   Destroy the specified IP set (all sets if none given)
-A, --add       Add one or more elements to a set
-D, --del       Delete one or more elements from a set
-L, --list      List the contents of the specified set, or of all sets
-S, --save      Save IP sets to stdout in a format suitable for restoration
-R, --restore   Restore IP sets from stdin (batch mode)
-F, --flush     Flush (empty) the specified set, or all sets
-e, --exist     Exit silently if the set already exists (with -N) or does not exist (with -X)
-q, --quiet     Suppress output and error messages
-n, --name      List only set names (with -L)
-t, --terse     Output in terse form, one set per line (with -L)

Examples

Create a new set named 'blacklist' to store IP addresses

ipset create blacklist hash:ip

Add two IP addresses to the blacklist set

ipset add blacklist 192.168.1.100 192.168.1.101

Add multiple network ranges to a whitelist set

ipset add whitelist 10.0.0.0/8 10.1.0.0/16

Display all members and statistics for the blacklist set

ipset list blacklist

Save all current IP sets to a file for persistence

ipset save > /etc/ipset.conf

Restore IP sets from a saved configuration file

ipset restore < /etc/ipset.conf

Use an ipset with iptables to drop traffic from blacklisted IPs

iptables -A INPUT -m set --match-set blacklist src -j DROP

Delete the blacklist set from kernel memory

ipset destroy blacklist
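As an added example, not taken from the page above or from the ipset project, the following POSIX shell script turns a constructed blocklist into a script for `ipset restore`. It validates each entry, loads the entries into a temporary set, and then uses ipset's `swap` command so that the set referenced by the iptables rule is replaced in one step rather than being flushed and refilled while traffic is flowing. The set names `blacklist` and `blacklist_tmp` and the sample entries are assumptions.

```shell
#!/bin/sh
# Constructed sample blocklist (not from the original page): one entry per
# line, '#' comments and blank lines allowed, invalid entries are skipped.
SAMPLE_INPUT='# constructed blocklist
203.0.113.0/24
198.51.100.7
not-an-address
10.0.0.0/8
'

# is_ipv4_cidr ADDR: succeed if ADDR is a dotted quad with an optional /0-32 prefix.
is_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32          # no "/" given: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in .*|*.|*..*) return 1 ;; esac  # reject leading/trailing/double dots
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_restore SETNAME: read entries from stdin and print an `ipset restore`
# script. Entries go into SETNAME_tmp, which is then swapped with the live set
# so a firewall rule using SETNAME never matches against a half-loaded set.
build_restore() {
    set_name=$1
    tmp_set="${set_name}_tmp"
    printf 'create %s hash:net family inet\n' "$set_name"
    printf 'create %s hash:net family inet\n' "$tmp_set"
    printf 'flush %s\n' "$tmp_set"
    while IFS= read -r line; do
        line=${line%%#*}               # drop comments
        set -- $line; line=${1:-}      # trim whitespace, keep the first token
        [ -n "$line" ] || continue
        is_ipv4_cidr "$line" || { printf 'skipping invalid entry: %s\n' "$line" >&2; continue; }
        printf 'add %s %s\n' "$tmp_set" "$line"
    done
    printf 'swap %s %s\n' "$tmp_set" "$set_name"
    printf 'destroy %s\n' "$tmp_set"
}

# Usage: printf '%s' "$SAMPLE_INPUT" | build_restore blacklist | ipset restore -exist
printf '%s' "$SAMPLE_INPUT" | build_restore blacklist
```

Running the generated script through `ipset restore -exist` lets the `create` lines succeed even when the sets already exist from a previous run, so the same pipeline can be rerun whenever the blocklist changes.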

Related commands