From fcf857b0fe934f45433e2ddfbfaf5d972752d65f Mon Sep 17 00:00:00 2001
From: Dominic Reich
Date: Sun, 26 May 2024 08:12:03 +0200
Subject: [PATCH] update archlinux notes page
---
 content/notes/archlinux/index.md | 31 ++++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/content/notes/archlinux/index.md b/content/notes/archlinux/index.md
index defad5d..d2181fd 100644
--- a/content/notes/archlinux/index.md
+++ b/content/notes/archlinux/index.md
@@ -1,7 +1,7 @@
 ---
 title: Archlinux
 date: 2023-11-29T20:33:48+0100
-lastmod: 2024-05-09T12:29:13+0000
+lastmod: 2024-05-26T06:31:47+0000
 tags:
 - archlinux
 
@@ -104,6 +104,35 @@ wifi.backend=iwd
 dhcp=dhcpcd
 ~~~
+
+## Blocking IPs from a list with ipset
+
+Using [ipset](https://wiki.archlinux.org/title/Ipset) should increase performance
+on the box, also using the raw table should not create useless states as for what
+I understand from the source article on
+[serverfault.com](https://serverfault.com/a/823336).
+
+~~~console
+$ sudo ipset -N badips iphash
+$ while read ip; do sudo ipset -A badips "$ip"; done < blocked.txt
+$ sudo iptables -t raw -I PREROUTING -m set --match-set badips src,dst -j DROP
+$ sudo iptables-save -f /etc/iptables/iptables.rules
+~~~
+
+Enable iptables in case it is not running yet.
+
+~~~console
+$ sudo systemctl enable --now iptables.service
+~~~
+
+Also make the ipset configuration persistent:
+
+~~~console
+$ sudo ipset save -file /etc/ipset.conf
+$ sudo systemctl enable ipset.service
+~~~
+
+Reboot to test its persistency.
+
 ## Do not manage one specific USB dongle
 
 `99-unmanaged-devices.conf`: