I'm running Arch Linux and referring to Simple stateful firewall - ArchWiki.
I have two different bash scripts for creating my iptables rules: one for IPv4 and another for IPv6. Each creates one or more ipset
hash lists (sets) using the appropriate family: inet or inet6.
That approach is supported by this answer, "You need to have two different sets: one for IPv4 and another for IPv6."
I use the systemd ipset.service and by default it loads the file /etc/ipset.conf
. That config file creates my hash lists of banned ip addresses, etc. ipset
uses only one config file, unlike iptables with /etc/iptables/iptables.rules and /etc/iptables/ip6tables.rules.
Each of my iptables bash scripts has this command near the end:
ipset save > /etc/ip6set.conf
What is a good way to combine my ipset hash lists into a single config file that will load as expected upon starting the systemd unit? For example, could I run my bash scripts in a specific order and change the second command to ipset save >> /etc/ip6set.conf
to append instead of replace?
That doesn't seem like a good approach (i.e., it is subject to breakage). How do most people deal with this?
0 Answers