How Remove IP from IPset?

sharingsunshine
How do I remove an IP from a country block using ipset? I am on CentOS 6.
Nanji Reddy, Unix System Administrator

Commented:
ipset list - lists the sets

for example

ipset del SET1 91.83.231.25 - deletes a single entry from a set
ipset flush SET1 - deletes a whole set
ipset destroy - deletes all the sets

Author

Commented:
I am getting this message

[root@ip-172-31-22-236 fail2ban]# ipset del abc 1.1.1.1
ipset v6.16.1: Element cannot be deleted from the set: it's not added
[root@ip-172-31-22-236 fail2ban]# ipset test abc 1.1.1.1            
1.1.1.1 is in set abc
Nanji Reddy, Unix System Administrator

Commented:
The IP is not added to your abc set; that is the reason you are getting that error.
Author

Commented:
It's in the ipset already, based on this test statement:

[root@ip-172-31-22-236 fail2ban]# ipset test abc 1.1.1.1            
1.1.1.1 is in set abc
Nanji Reddy, Unix System Administrator

Commented:
Can you provide these outputs?
uname -a ; cat /etc/redhat-release
noci, Software Engineer
Distinguished Expert 2018
Commented:
Is it possible the set is a network hash list?
Then the set entry might be 1.0.0.0/8 (which WILL match 1.1.1.1 as in the set, but you cannot delete 1.1.1.1 from such a set).

ipset -L abc
should show the list & settings.

If you don't want to or are not able to modify the list, then add an iptables rule BEFORE the one that blocks using the ipset and
make a rule to Allow according to another set. Add individual IP addresses to that set.
Something along:

ipset create ALLOW-abc hash:net
ipset add ALLOW-abc 1.1.1.1
iptables -A INPUT -m set --match-set ALLOW-abc src -j ACCEPT    # Insert this line before the one that blocks traffic on the abc list.
iptables -A INPUT -m set --match-set abc src -j DROP
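Worked example, added here and not part of noci's reply: a small POSIX shell script that reads the member list of a hash:net set and reports which stored entry covers a given address. The set listing is constructed sample output in the shape of ipset -L abc, and the helper names (ip_to_int, covering_entry) are mine. It shows why ipset test reports 1.1.1.1 as in the set while ipset del 1.1.1.1 fails: the only deletable entry is the covering network, and removing 1.0.0.0/8 would unblock the whole range, which is why an allow set evaluated before the block set is the safer way to exempt one host.

```shell
#!/bin/sh
# Added example, not from the thread: given the member list of a hash:net set,
# find which stored entry covers an address. Stand-in for:  ipset -L abc
# The listing below is constructed sample output; the members are made up.
SAMPLE_LIST='Name: abc
Type: hash:net
Revision: 2
Header: family inet hashsize 8192 maxelem 65536
Size in memory: 558144
References: 1
Members:
1.0.0.0/8
2.1.1.3
10.20.0.0/16'

# Dotted quad -> 32-bit integer, using only POSIX shell arithmetic.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# covering_entry IP LISTING: print the first member that covers IP, return 1 if none.
# A bare address in a hash:net set is stored as a /32.
covering_entry() {
    ipn=$(ip_to_int "$1")
    members=$(printf '%s\n' "$2" | awk 'found { print } /^Members:/ { found = 1 }')
    for member in $members; do
        case $member in
            */*) net=${member%/*}; plen=${member#*/} ;;
            *)   net=$member;      plen=32 ;;
        esac
        # Network mask from the prefix length; relies on 64-bit shell
        # arithmetic, which dash and bash on x86_64 provide.
        mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF ))
        netn=$(ip_to_int "$net")
        if [ $(( ipn & mask )) -eq $(( netn & mask )) ]; then
            echo "$member"
            return 0
        fi
    done
    return 1
}

# Demo: only the stored entry can be deleted. For 1.1.1.1 that entry is
# 1.0.0.0/8, and deleting it unblocks 16 million addresses, not one host.
for ip in 1.1.1.1 2.1.1.3 8.8.8.8; do
    if entry=$(covering_entry "$ip" "$SAMPLE_LIST"); then
        echo "$ip is covered by stored entry $entry; only 'ipset del abc $entry' removes it"
    else
        echo "$ip is not covered by any entry; 'ipset del abc $ip' would fail"
    fi
done
```

Run it against real output by replacing SAMPLE_LIST with "$(ipset -L abc)"; when the covering entry is a whole network rather than the host itself, leave the block set alone and put the host in an allow set matched by an earlier rule, as noci describes.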

Author

Commented:
Noci, I ran your command but there are too many entries to see the beginning of the content.

Author

Commented:
[root@ip-172-31-22-236 fail2ban]# uname -a
Linux ip-172-31-22-236 4.9.85-38.58.amzn1.x86_64 #1 SMP Wed Mar 14 01:17:26 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

cat /etc/redhat_release
cat: /etc/redhat_release: No such file or directory
noci, Software Engineer
Distinguished Expert 2018
Commented:
This should only show the header..... (first 20 lines of output)  First 8-10 are set description.
ipset -L abc | head -n 20

This should make a list browsable:
ipset -L abc | less 

Looking for address range 1 in a set...
ipset -L abc | grep '^1\.'

Author

Commented:
Name: abc
Type: hash:net
Revision: 2
Header: family inet hashsize 8192 maxelem 65536
Size in memory: 558144
References: 1

I tried the /8 but that didn't work.  It said not in the list but without the /8 it is saying it is there.
noci, Software Engineer
Distinguished Expert 2018

Commented:
What does this tell you?

ipset -L abc | grep '^1\.'

Example:
ipset create test hash:net
ipset add test 1.1.1.3
ipset add test 2.1.1.3
ipset add test 1.1.1.0/30
ipset test test 1.1.1.1
ipset del test 1.1.1.1
ipset -L test | grep '^2\.'
ipset flush test
ipset destroy test

There is no need for /8; it can be /1 .. /31 (or /32, or omit it; a plain IP address is equivalent).

Author

Commented:
It doesn't show anything using the real IP number. It just acts like it accepts it and then provides the next SSH prompt.

I am not sure what you want me to do with the example?
noci, Software Engineer
Distinguished Expert 2018

Commented:
With respect to the Example:
Try the commands (if you already have an ipset named test, then rename it in the example commands...),
otherwise use them literally...

It shows the possibilities with hash:net: it adds 2 addresses and an address range (off beat from 1.0.0.0/8... 1.1.1.0/30 also matches 1.1.1.1
[see example]) and it will destroy the set in the end. To show the grep command there is the 2.... address.

With respect to the real IP number: 1.1.1.1 isn't in my list as well; try an equivalent grep with only the first number group (byte) of the IP address,
like I did with 2. Say the IP address is 213.10.11.12, then the first number is 213; use
ipset -L abc | grep '^213\.'

Author

Commented:
I believe this is the approach I want to follow, because many times I may need to whitelist an individual IP. Looking at this code I understand everything but the last line.

ipset create ALLOW-abc hash:net
ipset add ALLOW-abc 1.1.1.1
iptables -A INPUT -m set --match-set ALLOW-abc src -j ACCEPT    # Insert this line before the one that blocks traffic on the abc list.
iptables -A INPUT -m set --match-set abc src -j DROP

Won't this last line drop my entire ipset?
noci, Software Engineer
Distinguished Expert 2018

Commented:
The last line should already be in your firewall...... (otherwise it won't block traffic...; check the chains please...)

The last line reads:
Add to the INPUT chain, use module "set", test the source against set name "abc"; if the IP address matches this set then DROP the packet.

you can check if the set is in the rules with:

iptables-save | grep abc

If you use that setup you can also whitelist address ranges... next to individual IP addresses.

Author

Commented:
I understand now.  How do I make the rule insert before the existing ipset rule?
noci, Software Engineer
Distinguished Expert 2018
Commented:
Try the next (I assume INPUT and abc; use the actual rules you have):

iptables -L INPUT -n --line-numbers

Say this shows:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
...
20   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            match-set abc src
...

The insert command would be:
iptables -I INPUT 20 -m set --match-set ALLOW-abc src -j ACCEPT

iptables -L INPUT -n --line-numbers

can be used to verify.
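Worked example of the insert-and-verify procedure above, added here and not part of noci's reply: a POSIX shell script that parses a chain listing in the shape of iptables -L INPUT -n --line-numbers, finds the rule that drops on the block set, prints the insert command for the allow set (with the src argument that --match-set requires), and then checks that the allow rule sits above the drop rule. Both chain listings and the helper names (rule_number, insert_command, allow_precedes_drop) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: locate the rule that drops on the block
# set and build the insert command that puts an ACCEPT for the allow set in
# front of it. The chain listings below are constructed sample output in the
# shape of:  iptables -L INPUT -n --line-numbers
SAMPLE_BEFORE='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
20   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            match-set abc src
21   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443'

# Constructed listing of the same chain after the insert succeeded: the old
# rule 20 has moved to 21.
SAMPLE_AFTER='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
20   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            match-set ALLOW-abc src
21   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            match-set abc src
22   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443'

# rule_number TARGET SET LISTING: line number of the first rule with that
# target whose match is "match-set SET src"; prints nothing if absent.
rule_number() {
    printf '%s\n' "$3" | awk -v target="$1" -v set="$2" '
        $2 == target && $0 ~ ("match-set " set " src") { print $1; exit }'
}

# insert_command CHAIN BLOCK_SET ALLOW_SET LISTING: print the iptables command.
# Inserting at position N shifts the old rule N to N+1, so the ACCEPT is
# evaluated before the DROP. "src" after the set name is mandatory; without it
# iptables reports "--match-set requires two args".
insert_command() {
    n=$(rule_number DROP "$2" "$4")
    if [ -z "$n" ]; then
        echo "no DROP rule for set $2 found in chain $1" >&2
        return 1
    fi
    echo "iptables -I $1 $n -m set --match-set $3 src -j ACCEPT"
}

# allow_precedes_drop BLOCK_SET ALLOW_SET LISTING: true when the allow rule
# sits above the drop rule, i.e. the verification step after inserting.
allow_precedes_drop() {
    allow_n=$(rule_number ACCEPT "$2" "$3")
    drop_n=$(rule_number DROP "$1" "$3")
    [ -n "$allow_n" ] && [ -n "$drop_n" ] && [ "$allow_n" -lt "$drop_n" ]
}

# Demo: print the command for the "before" listing, then verify both listings.
insert_command INPUT abc ALLOW-abc "$SAMPLE_BEFORE"
for listing in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if allow_precedes_drop abc ALLOW-abc "$listing"; then
        echo "ok: ALLOW-abc is checked before abc"
    else
        echo "not yet: no ALLOW-abc ACCEPT above the abc DROP"
    fi
done
```

On a live box, feed the functions "$(iptables -L INPUT -n --line-numbers)" instead of the sample strings; the printed command is the one to run, and allow_precedes_drop on a fresh listing is the check that the exemption actually takes effect before the country block.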

Author

Commented:
I am getting this error:

[root@ip-172-31-22-236 fail2ban]# iptables -I INPUT 38638 -m set --match-set ALLOW-abc -j ACCEPT
iptables v1.4.18: --match-set requires two args.
Try `iptables -h' or 'iptables --help' for more information.

this is the existing entry
38638 2213K DROP       all  --  any    any     anywhere             anywhere             match-set g
abc src

Author

Commented:
Oops, skip the extra g after match-set.

Author

Commented:
It needed src before the -j.

Author

Commented:
Thanks for the help.
noci, Software Engineer
Distinguished Expert 2018

Commented:
np.
