You are welcome, glad they were helpful!

All I can tell you is that pretty much everything I have learned about both iptables and ipsets came from reading the respective man pages, and lots of experimentation!

As I recall, my web searches turned up many references for specific rules and examples for iptables, but no stand-out general help understanding it in any depth. Ditto for books, of which I bought a few that were largely dissapointments.

For ipset, I found very little online and pieced it together almost entirely from the man page. And in retrospect, I would still say that all necessary information about "how it works" is there, and mostly well written if a bit terse. What is missing is a "how to use it in the real world" guide.

Although iptables and ipset are related, neither depends on the other - you can use iptables without ipset, and you can create and manage ipset sets without any interaction with iptables (which may seem pretty useless, but perhaps not entirely so). This makes it easy to explore ipset operations without upsetting your active firewall rules. That said, obviously their intended use is to work together.

One tip I would suggest is to set up test environment for learning each more usefully. Don't try to learn them in a live remote environment - you will stumble all over yourself and learn the meaning of the word "frustration"! Instead, set up an old or non-critical system as your learning target, and learn interactively by testing rule behavior by accessing it from another local machine.

Also, the iptables rules, including their ipset interactions, are, or should be, the implementation of clear firewall policies. So it is very helpful to write out in plain human language just what those policies are! Make that a habit while learning, then manage and test your real world rules against a clear policy document. Use your own outline or graph notation, whatever helps you quickly and unambiguously understand your meaning when you look at it after a few months. When you need to add or change something, annotate the policy document first, then make the rule change.

In doing so you will not only learn it well, you will also build your own best set of reference notes and examples and quickly improve your ability to organize and script multiple, complex rules sets.

Yes, ipset sets are not affected by changes of iptables rules (other than number of references), and yes, they must be saved and restored, or initialized from a file after reboot.

I generally prefer managing my persistent set data in a text file rather than using the save/restore process, but do what is easiest for you. Dynamic sets are... dynamic, so I write those rules to take care of themselves, mostly.

You can do what works best for your uses. The main reason I suggested the top of the raw::PREROUTING chain is that if you really want to ban everything from some locations and never have to see them again, that is a single point place to do it! Doing it in both the filter::FORWARD and filter::INPUT chains allows you to manage them separately and to see separate counters for each path, which may be important to you. It also means that packets you know up front that you want to ban may traverse more rules and consume CT resources before actually being dropped which might be a consideration.

My philosophy is to drop them as early as possible, which is early in the raw::PREROUTING chain.

1 members found this post helpful.

astrogeek: Thanks again for the info. I was "fortunate" to have the attacker try again yesterday. The 'ipset -exists add' worked great and blocked the attempts. Shortly thereafter (10 seconds later) the attacker realized he was being blocked and stopped trying. So, all that works. I was using the iptables rules I stated in my previous message to block the FORWARD and INPUT chains, but next time I'll try the PREROUTING chain per your suggestion. I do want to block ASAP and do not need separate counts for FORWARD or INPUT in this case.

I do keep these ipset IPs in a script for re-adding after rebooting.

Thanks again. I think this problem is solved! (if not, I'll be back!)