Using IP sets for best performance
IP sets are the best method for blocking specific countries using our IP prefix files for specific countries.
From the IPset homepage:
IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be administered by the ipset utility. Depending on the type, currently an IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC addresses in a way, which ensures lightning speed when matching an entry against a set.
If you want to
- store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
- dynamically update iptables rules against IP addresses or ports without performance penalty;
express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets
If you have a network or server with high traffic and using standard iptables for traffic blocking it may affect your server/network performance. With IPsets you can “group” multiple IP sets in groups and then match these in one swoop. This will provide you top performance.
IP sets allows you to bind an entry in a set to another set, which forms a relationship between the set element and the set it is bound to. The sets may have a default binding, which is valid for every set element for which there is no binding defined at all.
ipset -N servers ipmap –network 10.10.10.0/16
ipset -A servers 10.10.10.1
ipset -A servers 10.10.10.2
ipset -N ports portmap –from 1 –to 1024
ipset -A ports 21
ipset -A ports 22
ipset -A ports 25
ipset -B servers 10.10.10.2 -b ports
iptables -A FORWARD -m set –set servers dst,dst -j ACCEPT
iptables -A FORWARD -j DROP