Capturing a C Class range dynamically into an ipset table within iptables. Possible?‏

Capturing a C Class range dynamically into an ipset table within iptables. Possible?‏

[José Pablo Pérez]

Currently with ipset iam able to send to a table the inidivual (/32)  
source IP of a connection...

I need a way to send to iptables the C Class to an ipset .

In other words I need the historical list of last 30 min of C class  
ranges that have requested my server.

I need this preferably done without something outside of iptables  
(such as a daemon).

Re: Capturing a C Class range dynamically into an ipset table within iptables. Possible?‏

[Aidas Kasparas]

On 2012.06.15 01:34, José Pablo Pérez wrote:
> Currently with ipset iam able to send to a table the inidivual (/32)
> source IP of a connection...
> 
> I need a way to send to iptables the C Class to an ipset .
> 
> In other words I need the historical list of last 30 min of C class
> ranges that have requested my server.
> 
> I need this preferably done without something outside of iptables (such
> as a daemon).
> 

just use parameter netmask 24 while creating ipset and you're done.

test:~# ipset create test hash:ip timeout 60 netmask 24
test:~# ipset add test 127.0.1.2
test:~# ipset add test 127.3.4.5
test:~# ipset list test
Name: test
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 netmask 24 timeout 60
Size in memory: 16632
References: 0
Members:
127.0.1.0 timeout 50
127.3.4.0 timeout 55
test:~# ipset test test 127.0.1.1
127.0.1.1 is in set test.
test:~#



-- 
Aidas Kasparas

Re: Capturing a C Class range dynamically into an ipset table within iptables. Possible?‏

[José Pablo Pérez]

Thanks.. but this would be outside of iptables ruleset.

I need a way to dynamically feed the ipset as traffic cones in via the  
ruleset.





Aidas Kasparas <a.kasparas@gmc.lt> ha escrito:

> On 2012.06.15 01:34, José Pablo Pérez wrote:
>> Currently with ipset iam able to send to a table the inidivual (/32)
>> source IP of a connection...
>>
>> I need a way to send to iptables the C Class to an ipset .
>>
>> In other words I need the historical list of last 30 min of C class
>> ranges that have requested my server.
>>
>> I need this preferably done without something outside of iptables (such
>> as a daemon).
>>
>
> just use parameter netmask 24 while creating ipset and you're done.
>
> test:~# ipset create test hash:ip timeout 60 netmask 24
> test:~# ipset add test 127.0.1.2
> test:~# ipset add test 127.3.4.5
> test:~# ipset list test
> Name: test
> Type: hash:ip
> Header: family inet hashsize 1024 maxelem 65536 netmask 24 timeout 60
> Size in memory: 16632
> References: 0
> Members:
> 127.0.1.0 timeout 50
> 127.3.4.0 timeout 55
> test:~# ipset test test 127.0.1.1
> 127.0.1.1 is in set test.
> test:~#
>
>
>
> --
> Aidas Kasparas
>
>

Re: Capturing a C Class range dynamically into an ipset table within iptables. Possible?‏

[Aidas Kasparas]

On 2012.06.15 08:39, José Pablo Pérez wrote:
> Thanks.. but this would be outside of iptables ruleset.
> 
> I need a way to dynamically feed the ipset as traffic cones in via the
> ruleset.
> 
> 

You send to this ipset the same way you did for individual source
addresses. If ipset is created with ommitted netmask parameter, it
stores ip addresses individually. If netmask parameter is present,
ipsets will store and check just a network part of ip address supplied
by iptables. Commands to add, list and test addresses were provided just
for illustration. iptables rules should work the same.


> 
> 
> 
> Aidas Kasparas <a.kasparas@gmc.lt> ha escrito:
> 
>> On 2012.06.15 01:34, José Pablo Pérez wrote:
>>> Currently with ipset iam able to send to a table the inidivual (/32)
>>> source IP of a connection...
>>>
>>> I need a way to send to iptables the C Class to an ipset .
>>>
>>> In other words I need the historical list of last 30 min of C class
>>> ranges that have requested my server.
>>>
>>> I need this preferably done without something outside of iptables (such
>>> as a daemon).
>>>
>>
>> just use parameter netmask 24 while creating ipset and you're done.
>>
>> test:~# ipset create test hash:ip timeout 60 netmask 24
>> test:~# ipset add test 127.0.1.2
>> test:~# ipset add test 127.3.4.5
>> test:~# ipset list test
>> Name: test
>> Type: hash:ip
>> Header: family inet hashsize 1024 maxelem 65536 netmask 24 timeout 60
>> Size in memory: 16632
>> References: 0
>> Members:
>> 127.0.1.0 timeout 50
>> 127.3.4.0 timeout 55
>> test:~# ipset test test 127.0.1.1
>> 127.0.1.1 is in set test.
>> test:~#
>>
>>
>>
>> -- 
>> Aidas Kasparas
>>
>>
> 
> 
> 
> -- 
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


-- 
Aidas Kasparas