How To Use Ipset on CentOS 7

Paul Harris — Thu, 03 Oct 2019 08:18:35 +0000

For packet filtering systems in Linux Iptables, uniform rules are needed that include tens, hundreds and even thousands of IP addresses. For this, there is an ipset extension. To use ipset in the linux CentOS 7 distribution, you need to install the ipset package and ipset-service.
It is implied that the reader of this article is familiar with Linux iptables.

[root @ localhost ~] # install ipset-service

Ipset-service ipset auto-loading service for system booting. By default, it is disabled. Turn it on:

[root @ localhost ~] # systemctl enable ipset

If you have iptables-service installed and you use sets in your rules, then the ipset service must be enabled, otherwise the iptables rules simply won’t load.

To manage lists, there is an ipset console utility and the iptables extension – SET. In man pages iptables-extensions, search for the keyword ‘ipset’ there there is documentation for lists as a filter and for lists as the action ‘-j SET’ add/remove addresses to the list.

Example 1

Creation of a white list of IP addresses, which are open access to 22 ports (SSH)

[root@localhost ~]# ipset create SSH_WL hash:ip

We specified the list type ‘hash: ip’ – Only IPv4 IP addresses can be added to this list.
If there is a need to add networks (such as 192.168.0.0/24) then you will need to declare the type ‘hash: net‘. List types are defined by the Linux kernel module or can be compiled into the kernel.

To view supported views, you can enter:

[root@localhost ~]# ipset --help

The lines below:

----------------//--------------------- Supported set types: --------------//-----------------------

There will be a list of all supported list types.

[root@localhost ~]# ipset add SSH_WL 45.67.89.101
[root@localhost ~]# ipset add SSH_WL 12.34.56.78
[root@localhost ~]# ipset add SSH_WL 123.4.56.78
[root@localhost ~]# ipset add SSH_WL 10.234.56.78

[root@localhost ~]# service ipset save

These rules, which are presented below are not recommended to be thoughtlessly copied; their behavior strongly depends on the first 3 rules of the INPUT chain!

[root@localhost ~]# iptables -I INPUT 3 -p tcp --dport 22 -m conntrack --ctstate NEW -m set --match-set SSH_WL src NEW -j ACCEPT

[root@localhost ~]# iptables -I INPUT 4 -p tcp --dport 22 --ctstate NEW -j DROP

[root@localhost ~]# service iptables save

You can see the list of addresses of all lists:

[root@localhost ~]# ipset list Name: SSH Type: hash:ip Revision: 1 Header: family inet hashsize 1024 maxelem 65536 Size in memory: 16592 References: 1 Members: 45.67.89.101 12.34.56.78 123.4.56.78 10.234.56.78

Example 2

Creating a dynamic list of addresses trying to connect (or simply scanning) the 23/tcp port (telnet service) with a timeout of 2 hours (7200 seconds).

[root@localhost ~]# ipset create telnet_try hash:ip --timeout 72000

[root@localhost ~]# service ipset save

These rules, which are presented below are not recommended to be thoughtlessly copied; their behavior strongly depends on the first 3 rules of the INPUT chain!

[root@localhost ~]# iptables -I INPUT 3 -p tcp --dport 23 -m conntrack --ctstate NEW -j SET telnet_try src

If you wish, you can use IPTALBES with another timeout, say 16 hours. And you can even make the shell (bash) calculate the number of seconds in 16 hours

[root@localhost ~]# iptables -I INPUT 3 -p tcp --dport 23 -m conntrack --ctstate NEW -j SET telnet_try src --timeout $(( 60 * 60 * 16 ))

Save this rules

[root@localhost ~]# service iptables save

After some time (hour, day, week), you can see from which IPs in the last 2 there were interesting packets to the insecure telnet service

[root@localhost ~]# ipset list telnet_try Name: telnet_try Type: hash:ip Revision: 1 Header: family inet hashsize 1024 maxelem 65536 timeout 72000 Size in memory: 16592 References: 1 Members: 1.2.3.4 timeout 45879 5.6.7.8 timeout 71327

How To Use The Dirname Command on Linux Bash scripts

Alex — Wed, 10 Jun 2020 07:23:31 +0000

The dirname command on Linux prints the path to the file with the last component removed. This basically gives you the directory path from the file path. The dirname command complements the basename command. The basename command retrieves the file name from the path, while dirname retrieves the directory path.

Dirname Command Examples

Dirname command has very simple syntax

dirname OPTION PATH

Using the command will give the directory path:

dirname /home/user/data/filename.txt
/home/user/data

Like the basename command, the dirname command is actually primitive. It really does not recognize the file path. It just searches for slashes (/) and prints everything that is before the last slash. In fact, you can ask him any line with / in it, and it will work with it. For example: a random string without a file name is very often used. It is possible to see that it still works the same way and displays a line, deleting the last / and the text after it

destroyer@hostry: ~$ dirname dir1/dir2/dir3/dir4
dir1/dir2/dir3
destroyer@hostry: ~$

If there is no forward slash (/) in the path, a period (.) Will be displayed, indicating the current directory

destroyer@hostry: ~$ dirname hostry.txt
.
destroyer@hostry: ~$

You can also use dirname with several paths. It will return the output for each path in a new line:

destroyer@histry: ~$ dirname dir1/file dir2/file
dir1
dir2
destroyer@hostry: ~$

You can use the -z option to get the result on the same line as the output, separated by a NULL character.

Using Dirname in a Bash Script

Some examples of using the dirname command have been shown. Now, for example, the following will be taken: you have a file path variable and you need to get the path to the directory where this file is located. It could be a very simple script

pathname="/home/dir/data/filename"
result=$(dirname "$pathname")
echo $result

As mentioned earlier, the dirname command is complemented by the basename command. Unlike dirname, the basename command prints only the last component of the path.