LinuxQuestions.org

Linux - Security: iptables and ipset lists (https://www.linuxquestions.org/questions/linux-security-4/iptables-and-ipset-lists-4175688482/)

sniper8752 01-13-2021 06:14 AM

iptables and ipset lists
 
How do I create ipset lists before iptables is restored on machine start up? Right now, when I start up my server, iptables rules fail to load because the ipset lists do not exist that are referred to in iptables rules.

astrogeek 01-14-2021 12:30 AM

Your question answers itself... "create ipset lists before iptables is restored".

The ipset sets must exist before any rules which reference them can be added, as you are aware. They can be empty and populated later, but they must exist. So, as you want to do this at boot time, arrange your init system to run your ipset create scripts before loading the iptables rules. How that is done is distro-specific and subject to much variation/customization.

To get more specific help on how you may do that you should at least provide a better description including your distro, how your iptables rules are initialized, how your ipsets are created and populated, etc.

oswerks 01-16-2021 02:41 AM

Try a script with something like this:
Code:

# create the set first (-exist so a re-run does not fail if it already exists)
ipset create some_ipset_to_drop hash:net -exist
# populate it, one address or network per line in the list file
for i in $(cat /path/on/a/disk/to/someiplist.file); do ipset -A some_ipset_to_drop "$i" -exist; done
# only now restore the rules that reference the set
/sbin/iptables-restore < /path/on/a/disk/to/firewall_rules.file

A file with addresses to block is required. Or create empty sets to populate later.
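Putting astrogeek's ordering and oswerks's script together as one boot-time script, as an added example that is not from this thread: it turns a plain address list into `ipset restore` input, loads the set (empty if the list is missing), and only then runs iptables-restore. The set name, file paths and the `--apply` flag are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Paths, set name and --apply are assumptions.
set -eu

LIST_FILE=${LIST_FILE:-/etc/firewall/blocklist.txt}   # one IPv4 addr or CIDR per line
SAVED_RULES=${SAVED_RULES:-/etc/firewall/rules.v4}    # output of iptables-save
SET_NAME=${SET_NAME:-blocklist}                       # set name the rules refer to

# Print "create"/"add" lines for one hash:net set. Blank lines and '#' comments are
# skipped, entries with anything other than digits, dots or a slash are reported and
# dropped, and -exist makes the output idempotent: a re-run after reboot never errors.
gen_ipset_restore() {
    set_name=$1 list_file=$2
    printf 'create %s hash:net family inet -exist\n' "$set_name"
    # A missing list just yields an empty set; the rules referencing it still load.
    [ -r "$list_file" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$list_file" | while read -r addr _; do
        case $addr in
            *[!0-9./]*) printf 'skipping malformed entry: %s\n' "$addr" >&2 ;;
            *)          printf 'add %s %s -exist\n' "$set_name" "$addr" ;;
        esac
    done
    return 0
}

# Boot-time sequence: sets first, then the rules that reference them.
apply_firewall() {
    gen_ipset_restore "$SET_NAME" "$LIST_FILE" | ipset restore
    iptables-restore < "$SAVED_RULES"
}

# Only touch the live firewall when explicitly asked (needs root).
if [ "${1:-}" = "--apply" ]; then
    apply_firewall
fi
```

Run it from a unit or init script that is ordered before your network-facing services; without `--apply` it is safe to run as a dry check of the generated set contents.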

