How to block all ip's which are not in ipset list
5,436
Solution 1
Solution:
Following is the correct command line:
iptables -A INPUT -m set ! --match-set geoblock src -j DROP
Explanation:
javier@equipo-javier:~$ sudo ipset create geoblock hash:net
javier@equipo-javier:~$ sudo iptables -A INPUT -m set --set '!geoblock' src -j DROP
--set option deprecated, please use --match-set
iptables v1.4.21: Set !geoblock doesn't exist.
Try `iptables -h' or 'iptables --help' for more information.
1st correction:
javier@equipo-javier:~$ sudo iptables -A INPUT -m set --match-set '!geoblock' src -j DROP
iptables v1.4.21: Set !geoblock doesn't exist.
Try `iptables -h' or 'iptables --help' for more information.
2nd correction:
javier@equipo-javier:~$ sudo iptables -A INPUT -m set ! --match-set geoblock src -j DROP
javier@equipo-javier:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m set ! --match-set geoblock src -j DROP
Now works
Solution 2
As Zoredache mentioned the bash error indicates this is a quoting issue. Putting that argument in single quotes or using backslash to escape the exclamation will get around the immediate issue:
iptables -A INPUT -m set --set '!geoblock' src -j DROP
or
iptables -A INPUT -m set --set \!geoblock src -j DROP
Related videos on Youtube
18 : 06
Changing Firewall With Iptables to Block Specific IP Addresses
03 : 34
How to Block and Allow IP Addresses Using Windows Firewall – Easy
31 : 02
iptables Complete Guide | HackerSploit Linux Security
11 : 25
Linux How To Block IP Addresses Using IPTABLES And IPset
23 : 59
Advanced Linux firewall config. with firewalld rich rules and IPset - rich rules + ipset
01 : 00 : 30
IPTables - Blacklisting IP's and Ports - Stop the Badguys
03 : 11
S'pore insurers raising number of specialists on their IP insurance panels | THE BIG STORY
09 : 29
Iptables/Netfilter - Blocking Entire Countries using Ipset and Iptables
Author by
Shubham Jairath
Updated on September 18, 2022Comments
-
Shubham Jairath almost 2 years
I am trying to block all traffic except US and Canada. I added all US and Canada IP's to ipset geoblock and when i am trying this command. I am getting an error.
iptables -A INPUT -m set --set !geoblock src -j DROP -bash: !geoblock: event not foundbut when i run this command
ipset listI am getting all the IP's, so there is nothing wrong with the name and the ipset. I am using iptables v1.4.21 on cent os 7.3.1611
-
kingmilo about 7 yearsThis is the correct answer. If you tried putting a space between ! and geoblock then iptables would have also informed you of the correct syntax. -
Javier Dev almost 7 yearsSorry, but I am not able to get that iptables' output suggesting the correct syntax. Could you copy an example here?
-
kingmilo almost 7 yearsSure, my ipset lists are called whitelist and geoblock. I'm using ipset v6.11 and iptables 1.4.7
/sbin/iptables -I INPUT 1 -m set --match-set whitelist src,dst -j ACCEPT /sbin/iptables -I INPUT 2 -m set --match-set geoblock src,dst -j DROP
