Need IPv6 Ipset Setup

I need to create an ipset for ipv6 I have it for ipv4 already.  I want to use and insert specific country blocks into the ipset which is connected to the iptables.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nociSoftware EngineerCommented:
and the question is?  can ipset handle ipv6..., yes it can but it needs a different list from the Ipv4 addresses.
(ipv4 and ipv6 address cannot be mixed in one list...).
And ipv4 list cannot be used in ip6tbles also iptables cannot use ipset ipv6 address lists.
sharingsunshineAuthor Commented:
Yes, I know.  I need the steps to do it and then load it with the country blocks.
nociSoftware EngineerCommented:
ipset create XXXXX hash:net
ipset add XXXXX 2a01:face:booc:/48
iptables -I INPUT -m ipset --match-set XXXXX src -j DROP

collect the country block and add then with ipset add XXXXX <ip6 range>
Acronis Data Cloud 7.8 Enhances Cyber Protection

A closer look at five essential enhancements that benefit end-users and help MSPs take their cloud data protection business further.

sharingsunshineAuthor Commented:
This looks great but I am getting an error

[root@ip-172-31-22-236]# ipset add blockipv6 2a01:face:booc:/48
ipset v6.16.1: Syntax error: '48' is out of range 0-32

Open in new window

nociSoftware EngineerCommented:
booc should be b00k   o doesn't translate to a hex digit.
also an IPv6 address should be 128 bits OR have a ::  to zero fill until 128 bits.
Actual Facebook IPv6 is:

 dig aaaa

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10004
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1280
;                  IN      AAAA

;; ANSWER SECTION:           261     IN      AAAA    2a03:2880:f106:83:face:b00c:0:25de

;; Query time: 19 msec

iptables command should be ip6tables as well...
you should add family inet6 to note that ipv6 is in use not the default inet4.

see example
nociSoftware EngineerCommented:
Herewith a completely working example ( this time tested)...

$ ipset create XXXXX hash:net family inet6
$ ipset add XXXXX  2a03:2880:f106:83:face:b00c:0:25de
$ ip6tables -I INPUT -m set --match-set XXXXX src -j DROP
$ ipset -L XXXXX
Type: hash:net
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 1
Number of entries: 1

$ ip6tables-save | grep XXXXX
-A INPUT -m set --match-set XXXXX src -j DROP

Open in new window


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux Security

From novice to tech pro — start learning today.