How to Remove an IP from an IPset?

How do I remove an IP from a country block using ipset? I am on CentOS 6.
sharingsunshine asked:
Nanji Reddy (Unix System Administrator) commented:
ipset list - lists the sets

For example:

ipset del SET1 91.83.231.25 - deletes a single line from a set
ipset flush SET1 - deletes a whole set
ipset destroy - deletes all the sets
0
sharingsunshine (Author) commented:
I am getting this message:

[root@ip-172-31-22-236 fail2ban]# ipset del abc 1.1.1.1
ipset v6.16.1: Element cannot be deleted from the set: it's not added
[root@ip-172-31-22-236 fail2ban]# ipset test abc 1.1.1.1            
1.1.1.1 is in set abc
0
Nanji Reddy (Unix System Administrator) commented:
The IP is not added to your abc set; that is the reason you are getting that error.
0
sharingsunshine (Author) commented:
It's in the ipset already, based on this test statement:

[root@ip-172-31-22-236 fail2ban]# ipset test abc 1.1.1.1            
1.1.1.1 is in set abc
0
Nanji Reddy (Unix System Administrator) commented:
Can you provide the output of these?
uname -a ; cat /etc/redhat_release
0
noci (Software Engineer) commented:
Is it possible the set is a network hash list?
Then the set entry might be 1.0.0.0/8 (which WILL match 1.1.1.1 as in the set, but you cannot delete 1.1.1.1 from such a set).

ipset -L abc
should show the list & settings.

If you don't want to or are not able to modify the list, then add an iptables rule BEFORE the one that blocks using the ipset and
make a rule to Allow according to another set. Add individual IP addresses to that set.
Something along:

ipset create ALLOW-abc hash:net
ipset add ALLOW-abc 1.1.1.1
iptables -A INPUT -m set --match-set ALLOW-abc -j ACCEPT    # Insert this line before the one that blocks traffic on the abc list.
iptables -A INPUT -m set --match-set abc -j DROP
0
sharingsunshine (Author) commented:
noci, I ran your command but there are too many entries to see the beginning of the content.
0
sharingsunshine (Author) commented:
[root@ip-172-31-22-236 fail2ban]# uname -a
Linux ip-172-31-22-236 4.9.85-38.58.amzn1.x86_64 #1 SMP Wed Mar 14 01:17:26 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/redhat_release
cat: /etc/redhat_release: No such file or directory
0
noci (Software Engineer) commented:
This should only show the header (first 20 lines of output); the first 8-10 lines are the set description:
ipset -L abc | head -n 20

This should make the list browsable:
ipset -L abc | less

Looking for address range 1 in a set:
ipset -L abc | grep '^1\.'
0
sharingsunshine (Author) commented:
Name: abc
Type: hash:net
Revision: 2
Header: family inet hashsize 8192 maxelem 65536
Size in memory: 558144
References: 1

I tried the /8 but that didn't work. It said not in the list, but without the /8 it is saying it is there.
0
noci (Software Engineer) commented:
What does this tell?

ipset -L abc | grep '^1\.'

Example:
ipset create test hash:net
ipset add test 1.1.1.3
ipset add test 2.1.1.3
ipset add test 1.1.1.0/30
ipset test test 1.1.1.1
ipset del test 1.1.1.1
ipset -L test | grep '^2\.'
ipset flush test
ipset destroy test

There is no need for /8; it can be /1 .. /31 (or /32, or omitted = IP address, which is equivalent).
0
sharingsunshine (Author) commented:
It doesn't show anything using the real IP number. It just acts like it accepts it and then provides the next ssh prompt.

I am not sure what you want me to do with the example?
0
noci (Software Engineer) commented:
With respect to the example:
Try the commands (if you already have an ipset named test, then rename it in the example commands...),
otherwise use it literally...

It shows the possibilities with hash:net: adds 2 addresses and an address range (off beat from 1.0.0.0/8... 1.1.1.0/30 also matches 1.1.1.1
[ see example ]) and it will destroy it in the end. To show the grep command there is the 2.... address.

With respect to the real IP number: 1.1.1.1 isn't in my list as well, so try an equivalent grep with only the first number group (byte) of the IP address,
like I did with 2. Say the IP address is 213.10.11.12; then the first number is 213, so use:
ipset -L abc | grep '^213\.'

0
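The two replies above describe the hash:net behaviour behind the thread's confusion: `ipset test` reports a hit for any covering network entry (such as 1.1.1.0/30), while `ipset del` only removes an exact member. The following POSIX shell script, added here as an example and not part of the thread, works out which members of an `ipset -L` listing cover a given IPv4 address; the listing is a constructed sample and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): list the members of a hash:net set that
# cover an IPv4 address. The printed member is what `ipset del` would need, or
# what a whitelist rule has to be inserted ahead of.

# Constructed sample in the format of `ipset -L abc` (not real data).
SAMPLE_LIST='Name: abc
Type: hash:net
Revision: 2
Header: family inet hashsize 8192 maxelem 65536
Size in memory: 558144
References: 1
Members:
1.1.1.0/30
2.1.1.3
213.10.0.0/16'

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if member $1 (a.b.c.d or a.b.c.d/n; a bare address means /32) covers $2.
cidr_contains() {
    net=${1%/*}
    case $1 in */*) bits=${1#*/} ;; *) bits=32 ;; esac
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Read an `ipset -L` listing on stdin; print every member covering address $1.
# Anything after the member (timeout, comment, ...) is ignored.
covering_entries() {
    ip=$1
    sed -n '/^Members:/,$p' | sed '1d' | while read -r member rest; do
        [ -n "$member" ] || continue
        if cidr_contains "$member" "$ip"; then
            printf '%s\n' "$member"
        fi
    done
}

# Wrapper over the constructed sample (hypothetical helper).
check_sample() {
    printf '%s\n' "$SAMPLE_LIST" | covering_entries "$1"
}

check_sample 1.1.1.1   # prints 1.1.1.0/30: that entry is the deletable member
```

On a live box the same function runs against real data with `ipset -L abc | covering_entries 1.1.1.1`, which replaces the manual grep on the first octet.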
sharingsunshine (Author) commented:
I believe this is the approach I want to follow, because many times I may need to whitelist an individual IP. Looking at this code I understand everything but the last line.

ipset create ALLOW-abc hash:net
ipset add ALLOW-abc 1.1.1.1
iptables -A INPUT -m set --match-set ALLOW-abc -j ACCEPT    # Insert this line before the one that blocks traffic on the abc list.
iptables -A INPUT -m set --match-set abc -j DROP

Won't this last line drop my entire ipset?
0
noci (Software Engineer) commented:
The last line should already be in your firewall (otherwise it won't block traffic; check the chains please).

The last line reads:
Add to the INPUT chain, use module "set", test the source against set name "abc"; if the IP address matches this set then DROP the packet.

You can check if the set is in the rules with:

iptables-save | grep abc

If you use that setup you can also whitelist address ranges, next to individual IP addresses.
0
sharingsunshine (Author) commented:
I understand now. How do I make the rule insert before the existing ipset rule?
0
noci (Software Engineer) commented:
Try the next (I assume INPUT & abc; use the actual rules you have):

iptables -L INPUT -n --line

Say this shows:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
...
20   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            match-set abc src
...

The insert command would be:
iptables -I INPUT 20 -m set --match-set ALLOW-abc -j ACCEPT

iptables -L -n --line

can be used to verify.
0
sharingsunshine (Author) commented:
I am getting this error:

[root@ip-172-31-22-236 fail2ban]# iptables -I INPUT 38638 -m set --match-set ALLOW-abc -j ACCEPT
iptables v1.4.18: --match-set requires two args.
Try `iptables -h' or 'iptables --help' for more information.

This is the existing entry:
38638 2213K DROP       all  --  any    any     anywhere             anywhere             match-set g
abc src
0
sharingsunshine (Author) commented:
OOPS - skip the extra g after match-set.
0
sharingsunshine (Author) commented:
It needed src before the -j.
1
sharingsunshine (Author) commented:
Thanks for the help.
0
noci (Software Engineer) commented:
np.
0