Firewall Setup
We will use a combination of iptables and ipset to create sets of IP addresses whose access to a
host is blocked. Most Linux distributions come with iptables pre-installed, but not ipset. The
examples given here are for Ubuntu, but there will be alternatives for other Linux distributions:
just run ipset, and the command to install its package will normally be displayed.
So, first we install the ipset package.
Next we use ipset to create two sets: one for IPv4 addresses and another for IPv6 addresses. In
this example we create sets that automatically remove an IP address after one day (a timeout of
86400 seconds).
sudo ipset create blacklist_ipv4 hash:ip timeout 86400
sudo ipset create blacklist_ipv6 hash:ip timeout 86400 family inet6
Finally we set up two iptables rules to drop incoming packets whose source address matches an entry
in one of the sets. We use iptables for the IPv4 set and ip6tables for the IPv6 set.
sudo iptables -I INPUT -m set --match-set blacklist_ipv4 src -j DROP
sudo ip6tables -I INPUT -m set --match-set blacklist_ipv6 src -j DROP
At this point we are all set up, as the Phoenix plug will be responsible for adding IP addresses
to the sets. However, you may want to add IP addresses manually, so here are a couple of examples.
sudo ipset add blacklist_ipv4 1.2.3.4
sudo ipset add blacklist_ipv6 2001:db8:85a3:8d3:1319:8a2e:370:7348
It is possible to represent IPv4 addresses as IPv6 addresses, e.g. 1.2.3.4 can be represented as
::ffff:1.2.3.4. So, for curiosity value, I tried adding my IPv4 address to the IPv6 set, but
unfortunately the firewall did not block my IPv4 address. No matter, we can use two sets rather
than one; it will just require a little more work in the plug.
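The following script is an added example, not code from the original post or the plug it describes. It pulls the setup steps above (install ipset, create the two sets, insert the two DROP rules) into one re-runnable script, and adds a helper that chooses the right set for an address, unmapping ::ffff:a.b.c.d forms into the IPv4 set since the post found that the inet6 set does not block them. The set names and the 86400 second timeout come from the post; the function names, the setup/block subcommands, and the use of apt-get for Ubuntu are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): an idempotent version of the
# ipset/iptables setup above, plus a helper that picks the right set for an
# address. Set names and the 86400 s timeout follow the post; everything else
# (function names, the "setup"/"block" subcommands) is this example's own.

SET_V4=blacklist_ipv4
SET_V6=blacklist_ipv6
TIMEOUT=86400   # seconds; entries expire after one day

# Create both sets and the two DROP rules only if they are not already there,
# so the script can be re-run safely (e.g. after a reboot, since neither ipset
# sets nor iptables rules persist on their own).
setup_blacklist() {
    command -v ipset >/dev/null 2>&1 || sudo apt-get install -y ipset
    sudo ipset -exist create "$SET_V4" hash:ip timeout "$TIMEOUT"
    sudo ipset -exist create "$SET_V6" hash:ip timeout "$TIMEOUT" family inet6
    # iptables -C returns 0 when an identical rule already exists
    sudo iptables  -C INPUT -m set --match-set "$SET_V4" src -j DROP 2>/dev/null ||
        sudo iptables  -I INPUT -m set --match-set "$SET_V4" src -j DROP
    sudo ip6tables -C INPUT -m set --match-set "$SET_V6" src -j DROP 2>/dev/null ||
        sudo ip6tables -I INPUT -m set --match-set "$SET_V6" src -j DROP
}

# Print "<set> <address>" for the given address. IPv4-mapped IPv6 addresses
# (::ffff:a.b.c.d), which the post reports the inet6 set does not block,
# are unmapped and sent to the IPv4 set instead.
pick_blacklist_set() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$addr" in
        ::ffff:*.*.*.*) echo "$SET_V4 ${addr#::ffff:}" ;;
        *:*)            echo "$SET_V6 $addr" ;;
        *.*.*.*)        echo "$SET_V4 $addr" ;;
        *)              echo "unrecognised address: $1" >&2; return 1 ;;
    esac
}

# Add an address to whichever set pick_blacklist_set chooses.
# -exist makes a repeated add refresh the entry's timeout instead of failing.
block_ip() {
    target=$(pick_blacklist_set "$1") || return 1
    set -- $target
    sudo ipset -exist add "$1" "$2"
}

# Usage: ./blacklist.sh setup        (once, as a privileged user)
#        ./blacklist.sh block ADDR   (what the plug would shell out to)
case "${1:-}" in
    setup) setup_blacklist ;;
    block) block_ip "$2" ;;
esac
```

The classification in pick_blacklist_set is the "little more work" mentioned above: the plug only needs to hand over the textual address it sees, and the helper decides which set it belongs in. Because the sets and rules are not persistent, running the setup subcommand again after a reboot restores them without duplicating anything.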