Introduction to ipset with Core-Admin
In the case you want to block a large amount of IPs (more that 500 ips/networks), then you might notice that default block-by-iptables setting is not fast enough, and it tends to create a large iptables rule set with a bad performance.
If this is your case, here is how to configure your #IpBlocker tool to use linux kernel ipset.
Prerequisites for ipset with Core-Admin
This option is not available for Debian Lenny, Debian Squeeze and Centos 6 due to poor or missing ipset support.
How to enable it ipset with Core-Admin
#IpBlocker is prepared to switch to block-by-ipset from block-by-iptables and viceversa anytime you need it. This includes cases where the firewall is already enabled and working with a working set of blocking rules.
To enable it, just follow next steps. Open #IpBlocker tool as shown (it needs administrator permissions):
Then, open configuration:
Then, select block-by-ipset in block mode and then save. If it is not available, please, update your core-admin installation. Depending on the number of rules your machine has, it might take a few minutes to switch to ipset:
If everything went ok, you will use #IpBlocker as usual (and the rest of the system too). No additional step is required because once it is done, it is transparent to the user and system.
Some internal details on how is used ipset with Core-Admin
Under ipset mode, core-admin install only a few rules inside iptables and ip6tables chain to link ipsets created.
>> iptables -S | grep set -A INPUT -m set --match-set core_admin_blacklist_ipv4_net src -j DROP -A INPUT -m set --match-set core_admin_blacklist_ipv4 src -j DROP -A FORWARD -m set --match-set core_admin_blacklist_ipv4_net src -j DROP -A FORWARD -m set --match-set core_admin_blacklist_ipv4 src -j DROP -A OUTPUT -m set --match-set core_admin_blacklist_ipv4_net src -j DROP -A OUTPUT -m set --match-set core_admin_blacklist_ipv4 src -j DROP
These “sets” are accesible running common ipset commands (do not minipulate them directly, use #IpBlocker application or crad-ip-blocker.pyc command line tool):
>> ipset list