I found a question from another post that is close to answering what I'm seeking. In short, I want to be able to set up a rule via ipset that times out automatically, but I want to whitelist specific IPs and ranges, and block everything else (on all ports).
Original code: Ban 1.1.1.2 for 400 seconds.
ipset create temp_hosts hash:ip timeout 0
iptables -I INPUT 1 -m set -j DROP --match-set temp_hosts src
iptables -I FORWARD 1 -m set -j DROP --match-set temp_hosts src
ipset add temp_hosts 1.1.1.2 timeout 400
I would like to change this to whitelist just 192.168.2.123 and 192.168.1.0/255.255.255.0 for 3600 seconds (one hour), and ban everyone else. How would I modify this script to accomplish this?
Additionally, how could I modify this to allow separate port ranges for 192.168.2.123 versus 192.168.1.0/255.255.255.0?
Work So Far
I've tried this, which works temporarily:
sudo ipset create temp_hosts hash:ip timeout 3600
sudo iptables -I INPUT 1 -m set -j ACCEPT --match-set temp_hosts src
sudo iptables -I FORWARD 1 -m set -j ACCEPT --match-set temp_hosts src
sudo iptables -A INPUT -m set ! --match-set temp_hosts src -j DROP
However, when it completes, everyone is banned indefinitely until I reset the box.
Thank you.
Edit
Is this the proposed/suggested change?
sudo ipset create temp_hosts hash:ip timeout 3600
sudo iptables -I INPUT 2 -m set -j ACCEPT --match-set temp_hosts src
sudo iptables -I FORWARD 1 -m set -j ACCEPT --match-set temp_hosts src
sudo iptables -A INPUT -m set ! --match-set temp_hosts src -j DROP
sudo iptables -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
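As an added example (not part of the original question or of any answer), the script below builds the whole rule set described above as a reviewable list of commands: a hash:net set per whitelist (so a /24 is one entry instead of 254 hash:ip entries), a conntrack rule placed first so open sessions survive, a per-set port match to answer the "separate port ranges" part, and a teardown function that removes the DROP rule so the box does not stay locked after the sets expire. The set names allow_lan and allow_admin, the port choices, and the RUN/TIMEOUT variables are assumptions made for this example; by default it only prints the commands, and RUN=1 executes them (as root).

```shell
#!/bin/sh
# Added example, not from the original post. Prints (RUN=0, default) or
# executes (RUN=1, needs root) the whitelist-with-timeout rules.
# Hypothetical names: sets allow_lan / allow_admin; ports chosen for illustration.
RUN="${RUN:-0}"

# run CMD...: execute when RUN=1, otherwise echo the command for review.
run() {
    if [ "$RUN" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# build_rules TIMEOUT: create the sets with a default entry timeout and
# install the INPUT rules in the order that matters:
#   1. RELATED,ESTABLISHED first, so replies and open sessions keep flowing
#   2. per-set ACCEPT rules restricted to that set's port range
#   3. a final DROP for sources that are in neither set
build_rules() {
    timeout="${1:-3600}"
    # hash:net holds both single hosts and CIDR ranges as single entries;
    # -exist makes the commands idempotent when the set already exists.
    run ipset create allow_lan hash:net timeout "$timeout" -exist
    run ipset create allow_admin hash:net timeout "$timeout" -exist
    run ipset add allow_lan 192.168.1.0/24 -exist
    run ipset add allow_admin 192.168.2.123 -exist
    run iptables -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # admin host: SSH and HTTPS only (example ports)
    run iptables -I INPUT 2 -p tcp -m multiport --dports 22,443 -m set --match-set allow_admin src -j ACCEPT
    # LAN range: a contiguous port range (example ports)
    run iptables -I INPUT 3 -p tcp --dport 8000:8100 -m set --match-set allow_lan src -j ACCEPT
    # two "-m set" matches on one rule: drop only if the source is in neither set
    run iptables -A INPUT -m set ! --match-set allow_admin src -m set ! --match-set allow_lan src -j DROP
}

# teardown_rules: remove the DROP rule and the sets. Schedule this (cron, at,
# or "sleep 3600 && RUN=1 sh script.sh teardown") so that expiry of the set
# entries does not leave the final DROP rule matching every host.
teardown_rules() {
    run iptables -D INPUT -m set ! --match-set allow_admin src -m set ! --match-set allow_lan src -j DROP
    run iptables -D INPUT -p tcp --dport 8000:8100 -m set --match-set allow_lan src -j ACCEPT
    run iptables -D INPUT -p tcp -m multiport --dports 22,443 -m set --match-set allow_admin src -j ACCEPT
    run ipset destroy allow_lan
    run ipset destroy allow_admin
}

# Usage: sh script.sh [build|teardown]; TIMEOUT overrides the 3600 s default.
case "${1:-build}" in
    teardown) teardown_rules ;;
    *)        build_rules "${TIMEOUT:-3600}" ;;
esac
```

Run it once without RUN=1 and read the printed commands; the conntrack rule must be the first INPUT rule and the DROP the last, otherwise the ACCEPT rules never see the packets. Entries added without an explicit timeout inherit the set's default, so the whitelist expires after one hour exactly as the question asks, and the scheduled teardown is what prevents the "banned indefinitely" state.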