IPset (Import)

SamTzu

I would like to import a list of IPs into a Proxmox IPset rule.
Any idea how that might be done?
I have collected a Fail2Ban Recidive list for a while now and would like to import it into a cluster-wide rule set for every LXC container.
 
In /etc/pve/firewall/cluster.fw I can see something like this:

[OPTIONS]

enable 1

[ALIASES]

[IPSET Google DNS1] # 8.8.8.8/32

8.8.8.8/32

[IPSET Google DNS2] # 8.8.4.4/32

8.8.4.4/32

[IPSET no2all-list] # Block all - 1 list 2 rule them all

112.85.42.120
112.85.42.121
112.85.42.122
 
Wouldn't it be nice if cluster.fw could be "split" or include links to file(s) that only contained IP addresses (or IP/CIDR)?
That would make scripting IP list updates really easy.

$IncludeConfig /etc/pve/firewall/listname.conf

Then we could just "import" fail2ban IPs there with something like:

iptables -L -n | awk '$1=="REJECT" && $4!="0.0.0.0/0" {print $4}' > /etc/pve/firewall/listname.conf

...and voilà - network-wide ban lists automatically distributed wherever we want.
 
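Since the include directive above is a wish rather than an existing feature, the same result can be had by rewriting the body of one [IPSET ...] section in place. The following is an added example, not part of the posts above and not Proxmox code: it assumes the section layout shown in the first post, and the names clean_entries and replace_ipset are hypothetical. It validates each address first, so a stray 0.0.0.0/0 or a header line from the iptables output never ends up in a cluster-wide ban list.

```python
import ipaddress
import re

SECTION_RE = re.compile(r"^\[.*\]")  # any section header, e.g. [OPTIONS] or [IPSET x]
def clean_entries(lines):
    """Validate candidate addresses; return sorted, de-duplicated CIDR strings."""
    nets = set()
    for raw in lines:
        token = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token)  # strict: rejects host bits under a mask
        except ValueError:
            continue  # skip garbage such as column headers or hostnames
        if net.prefixlen == 0:
            continue  # never ban 0.0.0.0/0 or ::/0 across the whole cluster
        nets.add(net)
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]

def replace_ipset(config_text, set_name, entries):
    """Return config_text with the body of [IPSET set_name] replaced by entries."""
    header_re = re.compile(r"^\[IPSET\s+%s\]" % re.escape(set_name))
    out, in_target, found = [], False, False
    for line in config_text.splitlines():
        if SECTION_RE.match(line):
            in_target = bool(header_re.match(line))
            out.append(line)  # keep the header and its trailing comment
            if in_target:
                found = True
                out.extend(entries)
                out.append("")
            continue
        if not in_target:  # old entries of the target set are dropped
            out.append(line)
    if not found:  # set does not exist yet: append it at the end
        out += ["[IPSET %s]" % set_name, *entries, ""]
    return "\n".join(out) + "\n"

# Constructed sample: section layout from the post, plus a constructed ban list.
SAMPLE_FW = """[OPTIONS]
enable 1
[IPSET no2all-list] # Block all - 1 list 2 rule them all
112.85.42.120

[IPSET Google DNS1] # 8.8.8.8/32
8.8.8.8/32
"""
SAMPLE_BANS = ["112.85.42.121", "112.85.42.120", "0.0.0.0/0", "not-an-ip", "112.85.42.121", "2001:db8::1"]
```

The functions only transform text; reading and writing /etc/pve/firewall/cluster.fw is left to the caller, ideally via a temporary file that is checked before it replaces the original.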