Linux Security: Working with IP sets and iptables

Linux Security: Working with IP sets and iptables

IP Sets can facilitate the management of a complex firewall ruleset. This exercise refreshes basic skills with the iptables command and begins developing an understanding of working with IP Sets. 

Create a new IP set called ‘clienthosts’ that contains the IP and Port combinations for each client server. Be sure the ‘ipset’ is configured to persist a reboot

Run the following commands:

  • ipset create clienthosts hash:ip,port
  • ipset add clienthosts 10.0.1.100,80
  • ipset add clienthosts 10.0.1.200,80
  • ipset save clienthosts > /etc/sysconfig/ipset

Add a new rule to the INPUT chain that accepts traffic from all IP/Port combinations as source IP/destination port in the ‘clienthostsIP’ set. The rule should persist a reboot.

Run the following commands:

  • iptables -I INPUT -m set --match-set clienthosts src,dst -j ACCEPT
  • Iptables-save > /etc/sysconfig/iptables