Need IPv6 Ipset Setup

I need to create an ipset for IPv6; I have it for IPv4 already. I want to use ipdeny.com and insert specific country blocks into the ipset, which is connected to iptables.
sharingsunshine asked:
noci (Software Engineer) commented:
Herewith a completely working example (this time tested)...

$ ipset create XXXXX hash:net family inet6
$ ipset add XXXXX  2a03:2880:f106:83:face:b00c:0:25de
$ ip6tables -I INPUT -m set --match-set XXXXX src -j DROP
$ ipset -L XXXXX
Name: XXXXX
Type: hash:net
Revision: 4
Header: family inet6 hashsize 1024 maxelem 65536
Size in memory: 200
References: 1
Number of entries: 1
Members:
2400:8901::f03c:91ff:fe3b:d08

$ ip6tables-save | grep XXXXX
-A INPUT -m set --match-set XXXXX src -j DROP

noci (Software Engineer) commented:
And the question is? Can ipset handle IPv6? Yes it can, but it needs a different list from the IPv4 addresses.
(IPv4 and IPv6 addresses cannot be mixed in one list...)
And an IPv4 list cannot be used in ip6tables; also iptables cannot use ipset IPv6 address lists.
sharingsunshine (Author) commented:
Yes, I know.  I need the steps to do it and then load it with the country blocks.
noci (Software Engineer) commented:
ipset create XXXXX hash:net
ipset add XXXXX 2a01:face:booc:/48
iptables -I INPUT -m ipset --match-set XXXXX src -j DROP

Collect the country blocks and add them with ipset add XXXXX <ip6 range>
sharingsunshine (Author) commented:
This looks great, but I am getting an error:

[root@ip-172-31-22-236 abc.com]# ipset add blockipv6 2a01:face:booc:/48
ipset v6.16.1: Syntax error: '48' is out of range 0-32

noci (Software Engineer) commented:
booc should be b00k; o doesn't translate to a hex digit.
Also, an IPv6 address should be 128 bits OR have a :: to zero-fill until 128 bits.
The actual Facebook IPv6 is:

 dig facebook.com aaaa

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> facebook.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10004
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;facebook.com.                  IN      AAAA

;; ANSWER SECTION:
facebook.com.           261     IN      AAAA    2a03:2880:f106:83:face:b00c:0:25de

;; Query time: 19 msec

The iptables command should be ip6tables as well...
arnold commented:
You should add family inet6 to note that IPv6 is in use, not the default inet4.

See the example at http://ipset.netfilter.org/ipset.man.html
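As an added example (not code from any poster in this thread), the steps the asker wanted, put together: turn ipdeny-style zone files (one CIDR per line) into an ipset restore script whose set is created with family inet6, then attach the ip6tables DROP rule. The set name blockipv6 is taken from the thread, the sample zone data is constructed, and the ipdeny download location is assumed.

```shell
#!/bin/sh
# Build an "ipset restore" script for an IPv6 country block list.
# Input on stdin: ipdeny-style zone file(s), one CIDR per line.
# Output: one "create" line with family inet6, then one "add" line per prefix.

build_ipv6_restore() {
    setname=$1
    # family inet6 is what was missing in the thread: without it the set is
    # IPv4-only and ipset rejects any prefix length above 32.
    printf 'create %s hash:net family inet6 hashsize 4096 maxelem 262144\n' "$setname"
    # Keep only well-formed IPv6 CIDRs (hex groups, at least one ':', /0-/128).
    # A malformed entry such as 2a01:face:booc:/48 ('o' is not hex, no '::')
    # is dropped here instead of aborting the whole restore.
    grep -E '^[0-9a-fA-F]*(:[0-9a-fA-F]*)+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$' \
      | sed "s/^/add $setname /"
}

# Constructed sample in the ipdeny zone-file layout (not a real download).
SAMPLE_ZONE='2a03:2880::/32
2a01:face:booc:/48
# comment line
2400:8901::/32'

# Run the builder over the constructed sample; used for the self-check.
build_sample() {
    printf '%s\n' "$SAMPLE_ZONE" | build_ipv6_restore blockipv6
}

# Load the set and attach the DROP rule (needs root; not run by the self-check).
# Zone files are assumed to be IPv6 block files downloaded from ipdeny.com.
# If blockipv6 already exists as an IPv4 set (as in the thread), destroy it
# first: "ipset destroy blockipv6", since the family cannot be changed in place.
apply_ipv6_blocklist() {
    setname=$1; shift
    cat "$@" | build_ipv6_restore "$setname" | ipset -exist restore
    # -C checks for the rule first so repeated runs do not stack duplicates.
    ip6tables -C INPUT -m set --match-set "$setname" src -j DROP 2>/dev/null \
      || ip6tables -I INPUT -m set --match-set "$setname" src -j DROP
}
```

Usage on a host: `apply_ipv6_blocklist blockipv6 /path/to/cn.zone /path/to/ru.zone`; verify with `ipset list blockipv6` and `ip6tables-save | grep blockipv6`, as in noci's tested example above.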