home | list info | list archive | date index | thread index

ipset-blacklist: A bash script to ban large numbers of IP addresses published in blacklists

At last week's online meeting I mentioned that I have been using a tool to block large numbers of undesired network accesses to my servers.

ipset-blacklist is "A Bash shell script which uses ipset and iptables to ban a large number of IP addresses published in IP blacklists. ipset uses a hashtable to store/fetch IP addresses and thus the IP lookup is a lot (!) faster than thousands of sequentially parsed iptables ban rules."

Clear instructions and download at

I use this to block access from several countries I have no desired interactions with and from which the vast majority of logged access attempts originated.

This is trivial to do by just adding the desired country code e.g. .cn into a shell variable.

There are other blacklists maintained by third parties which can be easily loaded too.

I currently have 16921 ipset blocking rules loaded, all by just selecting desired rulesets.

I have been using ipset-blacklist for at least two years on multiple servers (in datacentres and on my home DSL connection) without issue. 100K or more attempted accesses on my DSL connection are blocked weekly. I just rebooted after a kernel update and 320 acceses were blocked just as I wrote this.


To unsubscribe send a blank message to linux+unsubscribe [ at ] linux-ottawa [ dot ] org
To get help send a blank message to linux+help [ at ] linux-ottawa [ dot ] org
To visit the archives: https://lists.linux-ottawa.org