Unordered list of some tips and examples:

  • In order to drop traffic to or from banned networks or IP addresses, use IP sets in the raw table of netfilter (the raw table is traversed before connection tracking, so dropped packets never consume a conntrack entry).
  • If you want a fixed-size iphash type of set, define it with a resize parameter of zero:
    	ipset -N foo iphash --resize 0
    	
  • The probes parameter of the iphash type is a double-edged sword: set it to a small number (1-3) to optimize for speed; set it to a bigger number (4-8) to optimize for filling in the possible holes in the hash.
  • If you want to change a set without disturbing your existing iptables rules and bindings referring to the given set, simply swap it with the new set:
    	# Create the new set and add the entries to it
    	ipset -N new-set ....
    	ipset -A new-set ....
    	...
    	# Define the bindings
    	ipset -B new-set ....
    	...
    	# Swap the old and new sets
    	ipset -W old-set new-set
    	# Get rid of the old set, which now carries the name new-set
    	ipset -X new-set
    	
  • If you generate a saved session by script, don't forget the final line, which must contain 'COMMIT'.
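The two tips above (the swap procedure and the COMMIT line) fit together in a script that builds a new set from an external feed and swaps it in without touching the iptables rules that reference the live set. The following POSIX sh script is an added example, not code from this page or from the ipset project. It assumes the ipset v2 command set used on this page (-N/-A/-W/-X, plus -R to load a saved session); the set names, the feed content and the helper names is_ipv4, gen_session, apply_blocklist and demo_session are constructed for the example. Every feed line is validated before it is written into the session, so a malformed or hostile feed entry cannot smuggle an extra command into what ipset -R executes.

```shell
#!/bin/sh
# Added example: generate an ipset v2 saved session from a plain-text IPv4
# feed and swap it into place. Not part of the original page; assumes the
# ipset v2 syntax shown there and that ipset -R restores a saved session.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;   # bad chars, empty octet, too many dots
        *.*.*.*) ;;                                  # exactly three dots survive
        *) return 1 ;;
    esac
    for o in $(printf '%s\n' "$1" | tr . ' '); do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Emit a saved session for set $1 from the feed on stdin: one address per
# line, '#' comments allowed. Invalid lines are reported on stderr and
# skipped, so they never reach ipset. The session always ends with COMMIT.
gen_session() {
    set_name=$1
    case "$set_name" in
        ''|*[!A-Za-z0-9_-]*) echo "gen_session: bad set name" >&2; return 1 ;;
    esac
    printf '%s %s iphash --resize 0\n' -N "$set_name"    # fixed-size iphash
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                                # strip comments
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')    # strip whitespace/CR
        [ -z "$entry" ] && continue
        if is_ipv4 "$entry"; then
            printf '%s %s %s\n' -A "$set_name" "$entry"
        else
            printf 'gen_session: skipping invalid entry: %s\n' "$line" >&2
        fi
    done
    printf 'COMMIT\n'
}

# Load the feed into a fresh set, swap it with the live set (rules bound to
# $1 keep working throughout), then destroy the old entries now named $2.
# Needs root and ipset; deliberately not called in this script.
apply_blocklist() {
    live_set=$1; tmp_set=$2; feed=$3
    gen_session "$tmp_set" < "$feed" | ipset -R &&
    ipset -W "$live_set" "$tmp_set" &&
    ipset -X "$tmp_set"
}

# Constructed sample feed: two lines are deliberately bad (octet out of
# range, and an attempt to append an ipset command to an address).
SAMPLE_FEED='203.0.113.7
# comment line
198.51.100.300
10.0.0.1 -X banned
 192.0.2.1 # trailing comment'

# Print the session that would be fed to ipset -R for the sample feed.
demo_session() { printf '%s\n' "$SAMPLE_FEED" | gen_session banned; }
demo_session
```

Run the script as-is to see the generated session on stdout and the rejected lines on stderr; in production you would call apply_blocklist from cron with the live set name, a temporary set name and the downloaded feed path. Validating the feed is the important part: ipset -R executes every line it is given, so a feed you do not control must never be piped into it unchecked.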