Create the ipsets
sudo ipset create cybercrime hash:ip
sudo ipset create infected hash:mac
Populate the cybercrime list
sudo xargs -n1 ipset add cybercrime \
    < <(curl -fSsL https://iplists.firehol.org/files/cybercrime.ipset | grep -v "^#")
Create the iptables rules
sudo iptables -I FORWARD -m set --match-set infected src \
    -j DROP
sudo iptables -I FORWARD -m set --match-set cybercrime dst \
    -j SET --add-set infected src
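Loading the list one `ipset add` at a time spawns a process per address; `ipset restore` loads it in one go. The function below, added here as an example and not part of the original post, turns a FireHOL-style list (comment lines begin with `#`) into a restore script, keeping only well-formed IPv4 addresses so nothing else reaches ipset. The set name and the sample list are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): convert a FireHOL-style IP
# list into an `ipset restore` script. Pipe it into `sudo ipset restore`:
#   curl -fSsL https://iplists.firehol.org/files/cybercrime.ipset \
#     | firehol_to_restore cybercrime | sudo ipset restore

# Usage: firehol_to_restore SETNAME < list.ipset
firehol_to_restore() {
    set_name="$1"
    # Create the set if it is missing; -exist makes re-runs harmless.
    printf 'create %s hash:ip -exist\n' "$set_name"
    # Strip CRs, comments and surrounding whitespace, then keep only
    # dotted-quad IPv4 entries (the hash:ip type holds single addresses).
    tr -d '\r' \
      | sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
      | sed "s|^|add $set_name |; s|\$| -exist|"
}

# Constructed sample in FireHOL format (documentation addresses, not real
# indicators); the leading space and the bogus line exercise the filtering.
SAMPLE_LIST='# cybercrime.ipset (constructed sample)
#
# Maintainer: example
192.0.2.10
198.51.100.23
 203.0.113.7
bogus-line
'
```

Running the list through this function on a host without ipset installed is a safe way to inspect what would be loaded before applying it.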
Trying it out
[rohan@desktop ~]$ docker run -it --rm alpine sh
/ # ping 188.8.131.52
PING 184.108.40.206 (220.127.116.11): 56 data bytes
64 bytes from 18.104.22.168: seq=0 ttl=122 time=42.093 ms
/ # ping -c2 22.214.171.124
PING 126.96.36.199 (188.8.131.52): 56 data bytes
^C
--- 184.108.40.206 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
/ # ping -c2 220.127.116.11
PING 18.104.22.168 (22.214.171.124): 56 data bytes
^C
--- 126.96.36.199 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
/ # exit
[rohan@desktop ~]$ sudo ipset list infected
Name: infected
Type: hash:mac
Revision: 0
Header: hashsize 1024 maxelem 65536
Size in memory: 152
References: 3
Number of entries: 1
Members:
02:42:C0:A8:08:02
The first ping to 188.8.131.52 verifies internet connectivity; then I attempt to ping an address in the cybercrime set. As expected, that ping is unsuccessful, and a subsequent ping to 184.108.40.206 also fails, because the container's MAC address has been added to the infected set and every forwarded packet from it is now dropped.
In the Docker example above, I found that after I deleted the container, the next container I created was given the previously blocked MAC address and so was quarantined from the start. This can be solved by specifying the container's MAC address manually.