This repository contains an application that can be used to read IP addresses and subnets from a text/JSON/YAML file and convert the entries into entries in an ipset set. Its primary function is to allow webmasters without root permissions to easily define a blacklist of IPs and have the server administrator use that list to automatically manage the firewall. Therefore the goal is to make it near impossible to fuck up the firewall by inexperienced webmasters and to separate system permissions.

In its current state, mkipset should be run as a regular cronjob (the more frequent, the better). A daemon mode that permanently watches blacklist files may be added in the future.

Entries in the blacklists can have a start and/or ending date, but these do not map to ipset's native timing functionality. Instead they only serve as a hint to mkipset. Likewise, it is assumed that mkipset runs as a cronjob, so there is currently no support for saving/restoring ipset sets on server restores.

Create a configuration file by copying the config.yaml.dist and adjust to your liking. Note that the set name can be at most 20 characters long, even though ipset allows 31 characters. This is to allow mkipset to generate unique names during set swaps.

After creating the config file, define a blacklist file. You can use Text/JSON/YAML and its type will be determined by the file extension (.txt, .json or .yml/.yaml). Look at the same blacklist files in the examples/ directory for more information.

Set up a cronjob to run mkipset and make sure that your PATH is set up properly so that it can find the ipset binary:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# update ipsets
* * * * * mkipset -config /etc/mkipset/web-config.yaml /etc/mkipset/web-blacklist.txt

And finally create as many iptables rules as you like, referencing your set. In this example, the set is named blacklist-web because it contains IPs that we want to deny HTTP/HTTPS access to.

iptables -A INPUT -p tcp --dport 80  -m set --match-set blacklist-web src -j DROP
iptables -A INPUT -p tcp --dport 443 -m set --match-set blacklist-web src -j DROP

You can feed multiple files into mkipset, for example if you want to manage blacklist entries on a root level and then also load additional entries defined by a user on your system. Use the -ignore-missing flag if you don't care if some of the blacklist files could not be found, but be aware that you must load at least one file successfully no matter what.

If you manage multiple ipset sets, it can be helpful to have a single configuration file instead of one per set. To do so, use the -set-name parameter to override the set you defined in your configuration file. A crontab could then look like this:

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# update ipsets
* * * * * mkipset -config /etc/mkipset/config.yaml -set-name web /etc/mkipset/web-blacklist.txt
* * * * * mkipset -config /etc/mkipset/config.yaml -set-name ssh /etc/mkipset/ssh-blacklist.txt
* * * * * mkipset -config /etc/mkipset/config.yaml -set-name mail /etc/mkipset/mail-blacklist.txt

In case you don't know beforehand which files you need, you can also just give mkipset a base text file and include others from there. Every line in a text file that begins with include will trigger a recursive include, like so:

# this is a.txt

1.2.3.4
include b.json

As you can see, you can include all supported file types, but include directives can only appear in text files (assuming text files are written manually and JSON/YAML are managed by other tools, so these other tools should handle inclusions).

Note that there is a hardcoded limit of 100 includes per input file (so if you run mkipset a.txt b.txt, both files would get an allowance of 100 includes). This is just to prevent accidental include loops.

MIT