gerhello.blogg.se

Ipset linux










Thank you again for your help! If I find within these 3 days any problem with this setup (script and filtering system) I will return, but so far it works great.

The iptables-nft package contains different tools such as iptables, ip6tables, ebtables and arptables. These tools will no longer receive new features and using them for new deployments is not recommended. The ipset and iptables-nft packages have been deprecated in RHEL.

Just as you said yesterday, to ‘force-feed’ it without cleaning


I still have the -! argument because even if I use the strictest sorting, ipset will still throw a parsing error from time to time and leave the ip set incomplete.

sudo iptables -I INPUT -m set --match-set ipmaster src -j DROP && sudo ip6tables -I INPUT -m set --match-set ipmaster6 src -j DROP
sudo ipset restore -! < /tmp/ipmaster.txt && sudo ipset restore -! < /tmp/ipmaster6.txt

option ban_src_rset '/^((' /tmp/ips.txt > /tmp/ipmaster6.txt
option ban_src_desc 'Always allow these IPs (IPv4/IPv6)'
option ban_src_6 '/etc/banip/banip.whitelist'
option ban_src '/etc/banip/banip.whitelist'

Here is the configuration file of OpenWrt’s BanIP, it shows exactly how it formats the text for those particular sources of IPsets: openwrt/packages/blob/openwrt-19.07/net/banip/files/nf

Indeed, there were more sources suggesting that the restore feature of ipset is better to batch block the 100.000+ IPs I need.










