From the IPset homepage:
If you have a network or server with high traffic and use standard iptables for traffic blocking, it may affect your server/network performance. With IPsets you can “group” multiple IP sets in groups and then match these in one swoop. This will provide you top performance.

IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be administered by the ipset utility. Depending on the type, currently an IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC addresses in a way which ensures lightning speed when matching an entry against a set.

If you want to
- store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
- dynamically update iptables rules against IP addresses or ports without performance penalty;
- express complex IP address and port based rulesets with one single iptables rule and benefit from the speed of IP sets

IP sets allow you to bind an entry in a set to another set, which forms a relationship between the set element and the set it is bound to. The sets may have a default binding, which is valid for every set element for which there is no binding defined at all.
Example:
ipset -N servers ipmap --network 10.10.10.0/16
ipset -A servers 10.10.10.1
ipset -A servers 10.10.10.2
ipset -N ports portmap --from 1 --to 1024
ipset -A ports 21
ipset -A ports 22
ipset -A ports 25
ipset -B servers 10.10.10.2 -b ports
iptables -A FORWARD -m set --set servers dst,dst -j ACCEPT
iptables -A FORWARD -j DROP

Courtesy: http://www.ipdeny.com/blog/using-ip-sets-for-best-performance/
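As an added example (not from the ipset homepage or the quoted post), the same idea in current ipset 6.x syntax: a POSIX shell script that turns a plain-text blocklist into an `ipset restore` script plus the single `iptables ... --match-set` rule that matches the whole set. The set name `blocklist`, the sample entries and the `hash:net`/`--match-set` syntax are assumptions of this example; the post above uses the older ipmap/portmap types and `--set`.

```shell
#!/bin/sh
# Added example, not from the ipset homepage or the quoted post: build an
# `ipset restore` script from a plain-text blocklist so that thousands of
# networks are loaded in one call and matched by one iptables rule, instead
# of one iptables rule per address. Uses current ipset 6.x syntax (hash:net,
# --match-set). The set name "blocklist" and the sample entries are constructed.

# gen_ipset_restore SETNAME FILE
# Emits restore-format lines for every IPv4 address or CIDR in FILE.
# Blank lines and '#' comments are skipped; entries that cannot be an
# IPv4 address or network are reported on stderr and left out, so one
# bad line in a feed does not abort the whole load.
gen_ipset_restore() {
    set_name=$1
    src=$2
    printf 'create %s hash:net family inet\n' "$set_name"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                           # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        case "$entry" in
            *[!0-9./]*|*..*|/*|*/|*/*/*)             # not digits/dots/one slash
                printf 'skipping malformed entry: %s\n' "$entry" >&2 ;;
            *)
                printf 'add %s %s\n' "$set_name" "$entry" ;;
        esac
    done < "$src"
}

# iptables_rule SETNAME
# The single rule that consults the whole set; the set may later be updated
# with `ipset add`/`ipset del` without touching the iptables ruleset.
iptables_rule() {
    printf 'iptables -A INPUT -m set --match-set %s src -j DROP\n' "$1"
}

# Constructed sample feed using RFC 5737 documentation ranges.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# stand-in for a real reputation feed
198.51.100.0/24
203.0.113.7       # single host, stored as a /32 by hash:net
bogus.entry       # not an address; skipped with a message on stderr
EOF

gen_ipset_restore blocklist "$SAMPLE"   # load with: ipset -exist restore < out
iptables_rule blocklist
rm -f "$SAMPLE"
```

Pipe the generated lines into `ipset -exist restore` before adding the iptables rule; later feed updates only need new `add`/`del` lines while the iptables rule stays unchanged.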