Create the ipsets
sudo ipset create cybercrime hash:ip
sudo ipset create infected hash:mac
Populate the cybercrime list
sudo xargs -n1 ipset add cybercrime \
    < <(curl -fSsL https://iplists.firehol.org/files/cybercrime.ipset | grep -v "^#")
Create the iptables rules
sudo iptables -I FORWARD -m set --match-set infected src \
    -j DROP
sudo iptables -I FORWARD -m set --match-set cybercrime dst \
    -j SET --add-set infected src
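The three steps above as one script, added here as an example and not taken from the original post. It replaces the `xargs -n1` loop (one ipset process per address) with a single `ipset restore` that fills a temporary set and swaps it into place atomically, puts a timeout on the quarantine set, and makes the iptables rules safe to re-run. The set names are the post's; the DOCKER-USER chain, the 24-hour timeout and the sample list embedded below are my assumptions, and the privileged function is defined but not executed.

```shell
#!/bin/sh
# Added example, not code from the original post. It replaces the xargs -n1
# loop (one ipset process per address) with a single "ipset restore" that
# builds a temporary set and swaps it into place atomically, and makes the
# iptables rules idempotent. Set names follow the post; the chain name,
# the 24h quarantine timeout and the sample list below are my assumptions.

# Constructed sample in the FireHOL .ipset format: '#' comments, one bare
# IPv4 address per line. The CIDR and the garbage line are here to show
# that the filter drops anything that is not a plain address.
SAMPLE_LIST='# cybercrime.ipset (constructed sample, not the real list)
#
192.0.2.10
198.51.100.0/24
not-an-address
203.0.113.77
'

# Read a FireHOL list on stdin and emit an "ipset restore" stream for set $1.
# A temporary set is filled first and then swapped for the live set, so the
# firewall never matches against a half-loaded list. The syntactic IPv4 check
# keeps a corrupted download from turning into ipset syntax errors mid-stream.
firehol_to_restore() {
    set_name=$1
    printf 'create %s-tmp hash:ip family inet\n' "$set_name"
    printf 'flush %s-tmp\n' "$set_name"
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | while IFS= read -r ip; do
        printf 'add %s-tmp %s\n' "$set_name" "$ip"
    done
    printf 'create %s hash:ip family inet\n' "$set_name"
    printf 'swap %s-tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s-tmp\n' "$set_name"
}

# Privileged part (run as root; not executed here). Loads the real list and
# installs the rules in DOCKER-USER, the chain Docker leaves for admin rules
# on forwarded container traffic; pass FORWARD for a plain router. The
# cybercrime rule is inserted last so that it is evaluated first: a packet is
# marked and then dropped by the infected rule in the same pass.
apply_blocklist() {
    chain=${1:-DOCKER-USER}
    curl -fSsL https://iplists.firehol.org/files/cybercrime.ipset \
        | firehol_to_restore cybercrime | ipset restore -exist
    # Quarantine set keyed on source MAC; entries expire after 24h so a
    # cleaned-up machine gets its network back without manual intervention.
    ipset create infected hash:mac timeout 86400 -exist
    # -C checks whether the rule already exists, so re-running stays idempotent.
    iptables -C "$chain" -m set --match-set infected src -j DROP 2>/dev/null ||
        iptables -I "$chain" -m set --match-set infected src -j DROP
    iptables -C "$chain" -m set --match-set cybercrime dst \
        -j SET --add-set infected src 2>/dev/null ||
        iptables -I "$chain" -m set --match-set cybercrime dst \
        -j SET --add-set infected src
}

# Demonstrate the transform on the constructed sample.
printf '%s' "$SAMPLE_LIST" | firehol_to_restore cybercrime
```

Rule order is the part that is easy to get wrong: with `-I` both rules go to the top of the chain, so the one inserted last (cybercrime → SET) runs first, the SET target is non-terminating, and the infected → DROP rule then discards the very packet that caused the marking. With `-A` the order would be reversed and the first packet to a listed address would get through before the MAC was quarantined. For a FireHOL `.netset` list, which contains prefixes as well as addresses, use `hash:net` and widen the filter to accept CIDR notation.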
Trying it out
[rohan@desktop ~]$ docker run -it --rm alpine sh
/ # ping 126.96.36.199
PING 188.8.131.52 (184.108.40.206): 56 data bytes
64 bytes from 220.127.116.11: seq=0 ttl=122 time=42.093 ms
/ # ping -c2 18.104.22.168
PING 22.214.171.124 (126.96.36.199): 56 data bytes
^C
--- 188.8.131.52 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
/ # ping -c2 184.108.40.206
PING 220.127.116.11 (18.104.22.168): 56 data bytes
^C
--- 22.214.171.124 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
/ # exit
[rohan@desktop ~]$ sudo ipset list infected
Name: infected
Type: hash:mac
Revision: 0
Header: hashsize 1024 maxelem 65536
Size in memory: 152
References: 3
Number of entries: 1
Members:
02:42:C0:A8:08:02
The first ping to 126.96.36.199 verifies that the container has internet access. I then ping an address that is in the cybercrime set; as expected, none of the packets get through. A subsequent ping to 188.8.131.52 also fails, and so would a ping to any other destination: the first packet that matched the cybercrime rule added the container's source MAC address to the infected set, and the DROP rule now discards every forwarded packet from that MAC, not just packets to listed addresses. `ipset list infected` confirms the single entry, 02:42:C0:A8:08:02, which is the container's MAC.
In the above example using Docker, I found that after I deleted the container, the next container I created used the previously blocked MAC address and was therefore quarantined from the start. Docker derives a bridge container's MAC address from its IP address (02:42:C0:A8:08:02 is the 02:42 prefix followed by 192.168.8.2 in hex), and the new container receives the same IP from the pool. This can be solved by specifying a MAC address manually with `docker run --mac-address`, or by clearing the stale entry with `sudo ipset del infected 02:42:C0:A8:08:02`.