
IP Tables

The IP Tables type provides two feeds (one for IPv4 and one for IPv6, if present), compatible with ipset. These feeds contain a series of commands that allow you to create and update sets of IP addresses (ipset), making it easier to apply iptables rules to entire groups of IPs simultaneously. This way, you can avoid adding a rule for each individual IP, improving efficiency and management.

Type

Feed - Seer Box exposes the rule file via HTTP; it does not control the target firewall itself.

URL

http://$SEERBOX_IP:53380/feeds/ip_tables_$FIREWALL_NAME

Variables to be replaced

  • $SEERBOX_IP : the Seer Box IP address
  • $FIREWALL_NAME : the name configured for the specific firewall

Seer Box side configuration

To set IP Tables as the type, simply select the IP Tables Feed value in the Firewall type field in step 3 of Add a firewall.

No additional fields are required.

Firewall side configuration

A ZIP file will be exposed via HTTP to the URL specified above. The ZIP file contains different feeds for IPv4 and IPv6 addresses, and if there are no targets on IPv6 addresses among the declared rules, only the IPv4 feed will be created.

File names

ZIP file

ip_tables_$FIREWALL_NAME
Variables to be replaced
  • $FIREWALL_NAME : the name configured for the specific firewall

Feed files

ip_tables_ipv4_$FIREWALL_NAME
ip_tables_ipv6_$FIREWALL_NAME
Variable to be replaced
  • $FIREWALL_NAME : the name configured for the specific firewall

Applying rules to firewall

Once the feed files have been extracted from the ZIP file, pass each one to ipset restore to create or update the corresponding IP address sets. With a firewall named firewall_example the commands are:

$ sudo ipset restore < ip_tables_ipv4_firewall_example
$ sudo ipset restore < ip_tables_ipv6_firewall_example

Now that the sets of IP addresses have been created, use the iptables tool to apply rules to the various sets. In order to do that, you will need to know the names assigned to the newly created ipsets. You can open the feed files and check the first line. In this example, the name of the ipset is seerbox-example-ipv4:

create seerbox-example-ipv4 hash:ip family inet -!

Alternatively, you can use the following command to list all the ipsets created on the machine:

$ sudo ipset list

Here is an example of how to block incoming traffic from IP addresses in an ipset called seerbox-example-ipv4:

$ sudo iptables -A INPUT -m set --match-set seerbox-example-ipv4 src -j DROP

Once the firewall is configured and the rules have been applied, you can update the ipsets by running the ipset restore command again. Because the iptables rules reference the sets by name, the refreshed set contents take effect immediately without changing or reloading the rules.

To automate the updating of ipsets, you can use tools such as inotifywait or similar to monitor the ZIP file and make sure that each time it is updated, the command to restore the ipsets is run again.
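The whole procedure above (fetch the ZIP, extract the feeds that are present, restore each set, make sure a DROP rule references it) as one script. This is an added example, not part of the Seer Box documentation or product; the Seer Box IP, the firewall name, the working directory and the sample feed content are placeholders or constructed values, and the helper names (feed_set_name, feed_family, apply_feed, update_from_seerbox) are this example's own. It reads the set name and address family from the create line at the top of each feed, as the text describes, rather than assuming a naming pattern.

```shell
#!/bin/sh
# Added example (not Seer Box code): pull the IP Tables feed ZIP, load every
# feed it contains with "ipset restore" and ensure an INPUT DROP rule uses
# each set. Requires ipset, iptables/ip6tables, curl and unzip on the firewall.
set -eu

SEERBOX_IP="${SEERBOX_IP:-192.0.2.10}"              # placeholder: your Seer Box IP
FIREWALL_NAME="${FIREWALL_NAME:-firewall_example}"  # placeholder: configured firewall name
WORKDIR="${WORKDIR:-/var/lib/seerbox-feed}"         # assumed local download directory

# Print the ipset name from the first line of a feed file
# ("create <name> hash:ip family inet -!"); prints nothing if absent.
feed_set_name() {
    head -n 1 "$1" | awk '$1 == "create" { print $2 }'
}

# Print the address family ("inet" or "inet6") declared on the create line.
feed_family() {
    head -n 1 "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "family") print $(i + 1) }'
}

# Return 0 only when the first line is a well-formed hash:ip create command.
feed_is_valid() {
    head -n 1 "$1" | grep -Eq '^create [A-Za-z0-9._-]+ hash:ip family inet6? '
}

# Load one feed into the kernel and add the DROP rule if it is not there yet.
apply_feed() {
    feed="$1"
    feed_is_valid "$feed" || { echo "unexpected feed header in $feed" >&2; return 1; }
    set_name=$(feed_set_name "$feed")
    case "$(feed_family "$feed")" in
        inet)  ipt=iptables ;;
        inet6) ipt=ip6tables ;;
        *)     echo "unknown family in $feed" >&2; return 1 ;;
    esac
    ipset restore < "$feed"
    # "-C" exits non-zero when the rule is absent; only then append it, so
    # repeated runs do not accumulate duplicate rules.
    "$ipt" -C INPUT -m set --match-set "$set_name" src -j DROP 2>/dev/null \
        || "$ipt" -A INPUT -m set --match-set "$set_name" src -j DROP
}

# Download the ZIP from Seer Box and apply whichever feeds it contains
# (the IPv6 feed only exists when IPv6 targets are declared).
update_from_seerbox() {
    mkdir -p "$WORKDIR"
    cd "$WORKDIR"
    curl -fsS -o feed.zip "http://$SEERBOX_IP:53380/feeds/ip_tables_$FIREWALL_NAME"
    unzip -oq feed.zip
    for f in "ip_tables_ipv4_$FIREWALL_NAME" "ip_tables_ipv6_$FIREWALL_NAME"; do
        if [ -f "$f" ]; then
            apply_feed "$f"
        fi
    done
}

# Offline demonstration on a constructed feed file; pass "apply" to run the
# real update against Seer Box.
if [ "${1:-}" = "apply" ]; then
    update_from_seerbox
else
    sample=$(mktemp)
    printf 'create seerbox-example-ipv4 hash:ip family inet -!\nadd seerbox-example-ipv4 198.51.100.7\n' > "$sample"
    echo "set name: $(feed_set_name "$sample"), family: $(feed_family "$sample")"
    rm -f "$sample"
fi
```

Run it as root with `apply` from cron at the interval you want, or from an inotifywait loop watching feed.zip if another process downloads it; apply_feed is idempotent, so re-running it only refreshes the set contents and never duplicates the iptables rule.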

For more information, see the iptables and ipset documentation.