Feature Request: block country by ipset nethash rule table

marcele
Junior Member
Posts: 215
Joined: 17 Sep 2007, 17:02

Re: Feature Request: block country by ipset nethash rule tab

Post by marcele »

Congrats on the ipset support. Great job Chirpy!
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Feature Request: block country by ipset nethash rule tab

Post by Sergio »

marcele wrote: +1 for ipset support in CSF. I know this is an old feature request but from reading the docs it looks like it would be great for adding any large iptables sets like country or blocklists.

The homepage:
http://ipset.netfilter.org/index.html

A good write up:
http://blog.ls20.com/securing-your-serv ... locklists/

Cheers!
It seems that the second link is not working any more. Do you have another URL?
marcele
Junior Member
Posts: 215
Joined: 17 Sep 2007, 17:02

Re: Feature Request: block country by ipset nethash rule tab

Post by marcele »

The second link works for me. So far in my tests the new ipset stuff works great on CentOS 6 (the required packages are in the EPEL repo (ipset libmnl)).

It is going to be harder to get ipset working on CentOS 5, however. It looks like it requires a newer iptables than the default. None of the third-party RPMs I found (flexbox or centalt) for CentOS 5 provided both ipset and a new enough iptables (it would complain iptables v1.3.5: Unknown arg `--match-set'). You will likely have to compile it from source.
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Feature Request: block country by ipset nethash rule tab

Post by Sergio »

I have installed IPSET on all my servers with CloudLinux, Red Hat and CentOS 6, and all of them worked great. Unfortunately it didn't work with the VPS area.
marcele
Junior Member
Posts: 215
Joined: 17 Sep 2007, 17:02

Re: Feature Request: block country by ipset nethash rule tab

Post by marcele »

You won't see ipset support in OpenVZ / Virtuozzo 2.6.32-x kernels. It might land in the 3.10-x kernels:

https://bugzilla.openvz.org/show_bug.cgi?id=2644
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: Feature Request: block country by ipset nethash rule tab

Post by Sergio »

Thanks, I don't use those, I use a different one, but it is not an issue. At the moment, the dedicated servers are the ones that we protect most and they are working great with IPSET.

What I liked a lot is that there is nothing to configure to use it besides the installation, of course. Just enable the feature, restart CSF+LFD, and all CC_* and block lists will be added automatically to IPSET. In our case we added our own list to the block list and all the IPs are set, really nice.

It would be great to be able to unblock an IP in the SEARCH IP when it is found in the IPSET, but maybe in the future when IPSET is not BETA any more.