Unordered list of some tips and examples:
- To drop traffic to or from banned networks or IP addresses, match against IP sets from rules in the raw table of netfilter: the raw table is traversed before connection tracking, so the packets are discarded before conntrack spends any resources on them.
- If you want a fixed size iphash type of set, define it with a
zero valued resize parameter:
    ipset -N foo iphash --resize 0
  With resizing disabled the set cannot grow, so an add that finds no
  free slot fails instead of enlarging the hash; choose --hashsize for
  the expected number of entries when you create the set.
- The probes parameter of the iphash type is a double-edged sword: it is the number of hash positions tried when storing or looking up an entry, so by setting it to a small number (1-3) you optimize for speed, and by setting it to a bigger number (4-8) you optimize for filling in the possible holes in the hash.
- If you want to change a set without disturbing your existing
iptables rules and bindings referring to the given set, simply
swap it with the new set:
    # Create the new set and add the entries to it
    ipset -N new-set ....
    ipset -A new-set ....
    ...
    # Define the bindings
    ipset -B new-set ....
    ...
    # Swap the old and new sets
    ipset -W old-set new-set
    # Get rid of the old set, which is now under new-set
    ipset -X new-set
- If you generate a saved session (the input of ipset -R) by script, don't forget the last line containing 'COMMIT': the session is only committed to the kernel when that line is read, so a script that omits it produces a session that loads nothing.
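The swap procedure and the COMMIT rule above combine naturally into a reload script. The following is an added example, not code from the ipset man page or the ipset project: a POSIX shell script that builds a restore session for a fixed-size iphash set from a list of addresses, terminates it with COMMIT, and swaps it in under a scratch name. It assumes the old ipset command-line syntax used on this page (-N/-A/-R/-W/-X) and the -S/-R session format of "-N ..." and "-A ..." lines ending in COMMIT; the function names, the "-new" scratch-name suffix, the hash sizing rule and the sample address list are the example's own choices.

```shell
#!/bin/sh
# Added example (not part of the ipset man page): build a restore session
# for a fixed-size iphash set with a script, then swap it into place.
# Assumes the old ipset syntax shown on this page (-N/-A/-R/-W/-X) and the
# -S/-R session format of "-N ...", "-A ..." lines terminated by COMMIT.

# Print a restore session for set "$1" from IPv4 addresses read on stdin.
# Comments (#...) and whitespace are stripped and only dotted quads survive,
# so a malformed line cannot break the session (rough check, not a full
# address validator: it does not range-check the octets).
gen_ipset_session() {
    set_name="$1"
    addrs=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' \
            | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u)
    count=$(printf '%s\n' "$addrs" | grep -c .) || count=0

    # Fixed-size set (--resize 0): since it cannot grow, size the hash up
    # front to a power of two holding at least twice the entries (the
    # example's own rule), and use a higher probes value to fill holes.
    size=1024
    while [ "$size" -lt $((count * 2)) ]; do size=$((size * 2)); done

    printf '%s %s iphash --hashsize %s --probes 4 --resize 0\n' -N "$set_name" "$size"
    printf '%s\n' "$addrs" | grep . | while IFS= read -r ip; do
        printf '%s %s %s\n' -A "$set_name" "$ip"
    done
    echo COMMIT     # without this line ipset -R applies nothing
}

# Load the new entries under a scratch name and swap them in place of
# "$1", so iptables rules referencing "$1" never see an empty set.
# Needs root and ipset; the scratch name must fit ipset's name length.
swap_in_set() {
    old_set="$1"
    tmp_set="${old_set}-new"
    gen_ipset_session "$tmp_set" | ipset -R
    ipset -W "$old_set" "$tmp_set"   # rules now match the new entries
    ipset -X "$tmp_set"              # the old entries are now under tmp_set
}

# Constructed sample input (not from the page): two banned hosts, a
# comment, an empty line, a malformed line and a duplicate.
sample_session() {
    printf '%s\n' '198.51.100.7   # scanner' '203.0.113.9' '' 'not-an-ip' '203.0.113.9' \
        | gen_ipset_session banned
}

sample_session
```

Run as is, the script prints the session for the constructed sample so it can be inspected before anything touches the kernel; to reload a live set, source the file and run `swap_in_set banned < banned.txt` as root. The -N line is emitted first with --resize 0 because the entry count is known before the session is written, which is exactly when a fixed-size hash can be sized safely.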