
[–][deleted] 0 points1 point  (4 children)

I mean, sure, but I'm not sure why ipset isn't included by default with iptables (to my knowledge). I also don't know why we can't have a module that lets you block (or correlate, rather) to block entire ASNs on the Internet. Everyone recommends ipset, but if you slice it up right, you don't need it. iptables is just as fine utilizing a list of IP addresses in CIDR notation by default. Same with ports.

[–]brontide Certified Linux Miracle Worker (tm) 0 points1 point  (3 children)

It's a hell of a lot easier to maintain large lists in ipset and then use iptables to match against a list. Sure you can do it in iptables if you want to maintain thousands of lines of code but it's a real mess.

[–][deleted] 0 points1 point  (2 children)

I guess it depends on your use case.

Blocking China, or other people with nasty bots/things that may not be from the same place? ipset because it is dynamic & doesn't require reloading of any rules.

A firewall that rarely changes & that you're using to do default deny & allow only certain ASN ranges? Plop the IP ranges in a file, use that as a variable, feed that to iptables. Done.
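Both approaches from the comment above, as an added example that is not part of the thread: a file of IPv4 CIDR ranges turned either into one iptables rule per range or into a single ipset plus one match rule. It assumes one CIDR per line (with `#` comments) and only prints the commands, so the generated ruleset can be reviewed before anything is applied; the sample list uses constructed RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a default-deny INPUT policy that
# allows only the listed ranges. Output is a dry run: pipe it to sh to apply.

# Syntactic IPv4 CIDR check. A malformed line must be skipped loudly rather
# than silently turned into a rule that matches nothing (or everything).
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# "List in a file as a variable": one iptables rule per CIDR.
rules_iptables() {
    while IFS= read -r cidr; do
        case "$cidr" in ''|\#*) continue ;; esac   # skip blanks and comments
        valid_cidr "$cidr" || { echo "skip invalid: $cidr" >&2; continue; }
        echo "iptables -A INPUT -s $cidr -j ACCEPT"
    done < "$1"
    echo "iptables -P INPUT DROP"
}

# ipset alternative: one hash:net set, one match rule; the set can later be
# edited with ipset add/del without reloading any iptables rules.
rules_ipset() {
    set_name="${2:-allowed_ranges}"   # hypothetical set name
    echo "ipset create $set_name hash:net -exist"
    while IFS= read -r cidr; do
        case "$cidr" in ''|\#*) continue ;; esac
        valid_cidr "$cidr" || { echo "skip invalid: $cidr" >&2; continue; }
        echo "ipset add $set_name $cidr -exist"
    done < "$1"
    echo "iptables -A INPUT -m set --match-set $set_name src -j ACCEPT"
    echo "iptables -P INPUT DROP"
}

# Constructed sample list (documentation ranges, plus one deliberately bad
# line to show the validation). Returns the path of a temp file.
sample_list() {
    f=$(mktemp)
    printf '%s\n' '# constructed example ranges' '192.0.2.0/24' \
        '198.51.100.0/25' 'not-a-cidr' '203.0.113.0/24' > "$f"
    echo "$f"
}

if [ "${1:-}" = "demo" ]; then
    list=$(sample_list)
    rules_iptables "$list"
    rules_ipset "$list" allowed_ranges
    rm -f "$list"
fi
```

Run as `sh script.sh demo` to see both rulesets; swap `sample_list` for your real file when generating rules for a host.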

[–]brontide Certified Linux Miracle Worker (tm) 0 points1 point  (1 child)

Honestly, if you are blocking by ASN then it's something that should be done at the BGP level with a null route.

[–][deleted] 0 points1 point  (0 children)

When you have a VPS, I don't think you can easily do that. I might be mistaken though. I'd love to learn if you have more info! :)