How To Use Ipset on CentOS 7

Iptables, the Linux packet filtering system, often needs uniform rules that cover tens, hundreds or even thousands of IP addresses. The ipset extension exists for exactly this: one rule matches against a kernel-side set of addresses instead of one rule per address. To use ipset on CentOS 7, install the ipset package and the ipset-service package.
This article assumes the reader is already familiar with Linux iptables.

[root@localhost ~]# yum install ipset ipset-service

The ipset-service package provides a systemd unit that reloads the saved sets at boot. It is disabled by default; enable it:

[root@localhost ~]# systemctl enable ipset

If you have iptables-services installed and your rules reference sets, the ipset service must be enabled as well: iptables-restore refuses a rule that refers to a set which does not exist yet, so the saved iptables rules simply will not load at boot.

Sets are managed with the ipset command-line utility, and iptables uses them through the set match (-m set --match-set) and the SET target (-j SET). In the iptables-extensions man page, search for the keyword 'ipset': it documents both using a set as a filter and using -j SET as an action that adds the packet's address to a set or removes it from one.

Example 1

Create a whitelist of IP addresses that are allowed to reach port 22/tcp (SSH).

[root@localhost ~]# ipset create SSH_WL hash:ip

We specified the set type hash:ip, which holds individual IPv4 addresses only.
If you need to add networks (such as 192.168.0.0/24), declare the set with type hash:net instead. Set types are implemented by kernel modules (or compiled into the kernel), so the types available depend on the running kernel.

To see which set types this kernel supports, run:

[root@localhost ~]# ipset --help

The output contains a section headed 'Supported set types:' that lists every set type available on this system.

[root@localhost ~]# ipset add SSH_WL 45.67.89.101

[root@localhost ~]# ipset add SSH_WL 12.34.56.78

[root@localhost ~]# ipset add SSH_WL 123.4.56.78

[root@localhost ~]# ipset add SSH_WL 10.234.56.78

[root@localhost ~]# service ipset save

Do not copy the two rules below blindly. They are inserted at positions 3 and 4 of the INPUT chain, so what they do depends on the rules already in front of them: the ACCEPT must come before the DROP, and any rule you rely on for loopback or ESTABLISHED,RELATED traffic must stay ahead of both. Check the chain with iptables -L INPUT -n --line-numbers first, and make sure the address you are administering from is in SSH_WL before the DROP rule goes in, or you will lock yourself out.

[root@localhost ~]# iptables -I INPUT 3 -p tcp --dport 22 -m conntrack --ctstate NEW -m set --match-set SSH_WL src -j ACCEPT

[root@localhost ~]# iptables -I INPUT 4 -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP

[root@localhost ~]# service iptables save

You can list all sets together with their members:

[root@localhost ~]# ipset list
Name: SSH_WL
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16592
References: 1
Members:
45.67.89.101
12.34.56.78
123.4.56.78
10.234.56.78
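
Adding addresses one at a time with ipset add works for a handful of hosts; for a whitelist that lives in a file and is updated regularly, a practitioner wants the set rebuilt in one atomic step, with bad lines rejected rather than fed to ipset. The script below is an added example, not code from the article: it validates each entry, picks hash:ip or hash:net depending on whether the file contains a CIDR range, and loads the entries through ipset restore into a temporary set that is then swapped in, so the live set that the iptables rule references is never empty mid-reload. The set name SSH_WL, the file /etc/ipset/ssh_whitelist.txt and the rule positions are assumptions carried over from Example 1.

```shell
#!/bin/sh
# Added example (not code from the article): build a whitelist set from a
# text file and load it atomically with "ipset restore" plus "ipset swap".
# Assumptions: set name SSH_WL, a file /etc/ipset/ssh_whitelist.txt with one
# address or CIDR per line ("#" comments allowed), rule positions 3 and 4
# as in Example 1.  Sample files used for testing are constructed.

# Accept only a dotted-quad IPv4 address, optionally with a /prefix.
# Anything else (hostnames, IPv6, shell metacharacters) is rejected so a
# bad line cannot abort the restore or smuggle text into the ipset input.
valid_ipv4() {
    entry=$1
    case "$entry" in
        ''|*[!0-9./]*) return 1 ;;
    esac
    addr=${entry%%/*}
    prefix=${entry#*/}
    [ "$prefix" = "$entry" ] && prefix=32        # no "/" in the entry
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;                  # "1.2.3.4/" or "1.2.3.4/24/8"
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an "ipset restore" script for set NAME from the entries in FILE.
# The type is hash:ip unless the file contains a CIDR range, which needs
# hash:net.  Entries go into a temporary set that is then swapped in, so the
# live set changes in one step.  Invalid lines are reported and skipped.
ipset_restore_script() {
    name=$1; file=$2; tmp="${name}_tmp"; type=hash:ip
    if sed 's/#.*//' "$file" | grep -q '/'; then type=hash:net; fi
    printf 'create %s %s\n' "$name" "$type"
    printf 'create %s %s\n' "$tmp" "$type"
    printf 'flush %s\n' "$tmp"                    # clear a leftover from a failed run
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if valid_ipv4 "$entry"; then
            printf 'add %s %s\n' "$tmp" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$line" >&2
        fi
    done < "$file"
    printf 'swap %s %s\n' "$tmp" "$name"
    printf 'destroy %s\n' "$tmp"
}

case "${1:-}" in
    --show)
        ipset_restore_script SSH_WL "${2:-/etc/ipset/ssh_whitelist.txt}" ;;
    --apply)
        # -exist keeps "create" from failing when the sets already exist.
        ipset_restore_script SSH_WL /etc/ipset/ssh_whitelist.txt | ipset -exist restore
        # Insert the ACCEPT before the DROP, each only if not already present (-C).
        iptables -C INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
            -m set --match-set SSH_WL src -j ACCEPT 2>/dev/null ||
        iptables -I INPUT 3 -p tcp --dport 22 -m conntrack --ctstate NEW \
            -m set --match-set SSH_WL src -j ACCEPT
        iptables -C INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP 2>/dev/null ||
        iptables -I INPUT 4 -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP
        service ipset save
        service iptables save ;;
esac
```

Run it with --show to review the generated restore input, and with --apply as root to load it. The swap is not just cosmetic: ipset refuses to destroy a set that an iptables rule still references, and flushing and refilling the live set would leave a window in which nobody is whitelisted, so the script fills a fresh set and swaps it in instead.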

Example 2

Create a dynamic set of addresses that try to connect to (or simply scan) port 23/tcp (the telnet service), with entries that expire after 20 hours (72000 seconds).

[root@localhost ~]# ipset create telnet_try hash:ip --timeout 72000

[root@localhost ~]# service ipset save

Again, do not copy the rule below blindly: it is inserted at position 3 of the INPUT chain, so it only records connection attempts that get past the rules already in front of it. Check the chain with iptables -L INPUT -n --line-numbers first.

[root@localhost ~]# iptables -I INPUT 3 -p tcp --dport 23 -m conntrack --ctstate NEW -j SET --add-set telnet_try src

SET is a non-terminating target: it adds the source address to telnet_try and the packet continues down the chain, so whatever rule normally handles port 23 still applies.

If you wish, you can have iptables use a different timeout for the entries it adds, say 16 hours, overriding the set's default. You can even let the shell (bash) calculate the number of seconds in 16 hours:

[root@localhost ~]# iptables -I INPUT 3 -p tcp --dport 23 -m conntrack --ctstate NEW -j SET --add-set telnet_try src --timeout $(( 60 * 60 * 16 ))

Use this instead of the previous rule, not in addition to it. Note that without --exist on the SET target a repeat attempt from an address already in the set does not reset its timer, so the entry expires relative to the first attempt; add --exist if you want every attempt to refresh it.

Save the rules:

[root@localhost ~]# service iptables save

After some time (an hour, a day, a week) you can see which IPs sent packets to the insecure telnet port during the last 20 hours; the timeout shown next to each member is the number of seconds left before that entry expires:

[root@localhost ~]# ipset list telnet_try
Name: telnet_try
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 72000
Size in memory: 16592
References: 1
Members:
1.2.3.4 timeout 45879
5.6.7.8 timeout 71327
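
The remaining timeout of each member is more useful than it looks: because it counts down from the set's timeout in the Header line, set_timeout minus remaining is the age of the entry in seconds, which dates the attempt. The script below is an added example, not code from the article: it parses ipset list output in the format shown above into a per-address report (most recent first) and filters it by a time window. The listing it carries is constructed for the example; with --live it reads the real set instead.

```shell
#!/bin/sh
# Added example (not code from the article): read "ipset list telnet_try"
# output and report, per member, how long ago the entry was added.  The
# remaining timeout counts down from the set's timeout in the Header line,
# so age = set_timeout - remaining.  With the article's rule the timer starts
# at the first attempt; with --exist on the SET target it is reset on every
# attempt, and the age then means "seconds since the last attempt".
# The listing below is constructed for the example in the article's format.

SAMPLE_LISTING='Name: telnet_try
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 65536 timeout 72000
Size in memory: 16592
References: 1
Members:
1.2.3.4 timeout 45879
5.6.7.8 timeout 71327'

# telnet_report NOW_EPOCH < listing
# Prints "IP age_seconds seen_epoch", most recent first.
telnet_report() {
    now=$1; set_timeout=''; in_members=0
    while IFS= read -r line; do
        case "$line" in
            Header:*)
                set_timeout=$(printf '%s\n' "$line" | sed -n 's/.*timeout \([0-9][0-9]*\).*/\1/p') ;;
            Members:)
                in_members=1 ;;
            *)
                [ "$in_members" -eq 1 ] && [ -n "$line" ] || continue
                ip=${line%% *}
                remaining=${line##* }
                # Skip members without a numeric timeout (set created without one).
                case "$remaining" in ''|*[!0-9]*) continue ;; esac
                [ -n "$set_timeout" ] || continue
                age=$((set_timeout - remaining))
                printf '%s %d %d\n' "$ip" "$age" "$((now - age))" ;;
        esac
    done | sort -k2,2n
}

# recent_sources WINDOW_SECONDS NOW_EPOCH < listing
# Prints the IPs whose entry is younger than WINDOW, e.g. to alert on or to
# feed into a blocking set.
recent_sources() {
    telnet_report "$2" | awk -v w="$1" '$2 <= w { print $1 }'
}

if [ "${1:-}" = "--live" ]; then
    ipset list telnet_try | telnet_report "$(date +%s)"
else
    printf '%s\n' "$SAMPLE_LISTING" | telnet_report 1700000000
fi
```

The same set can also act as a filter, which is the other half of what the page describes: a rule such as iptables -I INPUT 3 -m set --match-set telnet_try src -j DROP placed ahead of the SET rule turns the recorder into a block that lifts itself when the entry expires.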
