
iptables / nftables

Block IPs at the kernel firewall level. Step-by-step setup guide with code examples.
184,732 IPs, 7,362 reports. Free API.
Quick Install
Supported distributions: Ubuntu, Debian, Raspberry Pi, CentOS, RHEL, Fedora, Rocky, AlmaLinux, Alpine, Arch, openSUSE, Amazon Linux.

Run this command as root to set up automatic IP blocking via ipset + iptables:

No API key needed (500 reports/day):
curl -sL https://bl.ipwhois.net/api/iptables/install | sudo bash
No curl? Use wget:
wget -qO- https://bl.ipwhois.net/api/iptables/install | sudo bash

The installer installs ipset, creates the blocking script, sets up a cron job (every 6 hours), and adds an iptables DROP rule.

Requires: iptables or nftables, curl, root access.
What is iptables / nftables?

iptables and nftables are the Linux kernel's built-in firewall frameworks. Combined with ipset (hash-based IP sets), they can block tens of thousands of IPs with near-zero performance overhead using O(1) lookups.

This is the lowest-level integration, ideal for servers without Fail2Ban or CSF, or for hardening alongside them.

Block: Downloads blacklisted IPs into an ipset/nftables set and drops all traffic from them. Free: 500 requests/day; with an API key: 1,000/day.
Block only: This integration blocks IPs but does not report them. Use Fail2Ban or the API to report attacks.
Method 1: iptables + ipset
sudo apt install -y ipset   # Debian/Ubuntu
sudo dnf install -y ipset   # CentOS/RHEL
/usr/local/bin/ipwhois-iptables.sh
#!/bin/bash
# Block IPWhois.net Blacklist IPs via ipset + iptables
# Cron: 0 */6 * * *
set -o pipefail

SET="ipwhois_bl"
TMPSET="${SET}_tmp"
API="https://bl.ipwhois.net/api/browse?format=plaintext&min_confidence=80"

# Download first: a failed or empty fetch must never be swapped in over the live set.
IPS=$(curl -fsS "$API" | tr -d '\r') || { echo "$(date) - download failed, $SET left unchanged" | logger -t ipwhois-bl; exit 1; }
[ -n "$IPS" ] || { echo "$(date) - empty response, $SET left unchanged" | logger -t ipwhois-bl; exit 1; }

# Build the new list in a temporary set, then swap it in atomically.
ipset create "$TMPSET" hash:ip hashsize 4096 maxelem 65536 2>/dev/null || ipset flush "$TMPSET"
while read -r ip; do
  # Only well-formed IPv4 addresses go into the set; any other line in the response is ignored.
  [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && ipset add "$TMPSET" "$ip" 2>/dev/null
done <<< "$IPS"

ipset create "$SET" hash:ip hashsize 4096 maxelem 65536 2>/dev/null
ipset swap "$TMPSET" "$SET"
ipset destroy "$TMPSET"

# Add the DROP rule only if it is not already present.
iptables -C INPUT -m set --match-set "$SET" src -j DROP 2>/dev/null || \
  iptables -I INPUT 1 -m set --match-set "$SET" src -j DROP

echo "$(date) - ipset $SET updated" | logger -t ipwhois-bl
sudo chmod +x /usr/local/bin/ipwhois-iptables.sh
echo "0 */6 * * * root /usr/local/bin/ipwhois-iptables.sh" | sudo tee /etc/cron.d/ipwhois-iptables
Method 2: nftables Sets
/usr/local/bin/ipwhois-nftables.sh
#!/bin/bash
# Block IPWhois.net Blacklist IPs via nftables
# Cron: 0 */6 * * *
set -o pipefail

TABLE="ipwhois"
SET="blacklist"
API="https://bl.ipwhois.net/api/browse?format=plaintext&min_confidence=80"

# Create table, set and chain once (errors for objects that already exist are ignored),
# and add the drop rule only if the chain does not reference the set yet, so repeated
# runs do not pile up duplicate rules.
nft add table inet "$TABLE" 2>/dev/null
nft add set inet "$TABLE" "$SET" '{ type ipv4_addr; flags timeout; }' 2>/dev/null
nft add chain inet "$TABLE" input '{ type filter hook input priority -10; policy accept; }' 2>/dev/null
nft list chain inet "$TABLE" input | grep -q "@$SET" || \
  nft add rule inet "$TABLE" input ip saddr @"$SET" drop

# Download first: the set is only flushed once a non-empty list has arrived.
IPS=$(curl -fsS "$API" | tr -d '\r') || { echo "$(date) - download failed, set left unchanged" | logger -t ipwhois-bl; exit 1; }
[ -n "$IPS" ] || { echo "$(date) - empty response, set left unchanged" | logger -t ipwhois-bl; exit 1; }

# Flush and reload in one atomic nft transaction fed on stdin, so the element list is never
# passed as a single command-line argument (large lists exceed the per-argument size limit).
# Only well-formed IPv4 addresses are emitted; any other line in the response is ignored.
{
  echo "flush set inet $TABLE $SET"
  echo "add element inet $TABLE $SET {"
  while read -r ip; do
    [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] && echo "  $ip timeout 24h,"
  done <<< "$IPS"
  echo "}"
} | nft -f -

echo "$(date) - nftables set updated" | logger -t ipwhois-bl
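Both methods above feed an HTTP response straight into root-level firewall commands, and Method 1 calls ipset once per address. The following is an added example (not IPWhois.net's own code) that converts the plaintext feed into a single `ipset restore` batch, accepting only well-formed IPv4 addresses so that a blank, CIDR, out-of-range or otherwise unexpected line can never become a set command. It assumes the feed is one IPv4 address per line, as the scripts above do; the set name and the sample feed are constructed for the example.

```shell
#!/bin/sh
# Added example: build an 'ipset restore' batch from the plaintext feed,
# dropping anything that is not a dotted-quad IPv4 address.
# Assumes one address per line (constructed sample below; not from IPWhois.net).

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255, else 1.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read the feed on stdin and write an ipset restore batch for set $1 on stdout.
# Invalid lines are dropped and only counted on stderr; they never reach ipset.
build_ipset_batch() {
    set_name=$1
    bad=0
    echo "create $set_name hash:ip hashsize 4096 maxelem 65536"
    echo "flush $set_name"
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        [ -n "$line" ] || continue
        if valid_ipv4 "$line"; then
            echo "add $set_name $line"
        else
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ] || echo "skipped $bad invalid line(s)" >&2
}

# Constructed sample feed: two good entries, a blank line, a CIDR range (not
# valid for hash:ip), an out-of-range octet, and two lines that are not addresses.
SAMPLE_FEED='203.0.113.5
198.51.100.77

203.0.113.0/24
256.1.1.1
1.2.3.4 -exist
flush ipwhois_bl'

sample_batch() { printf '%s\n' "$SAMPLE_FEED" | build_ipset_batch ipwhois_bl_tmp 2>/dev/null; }

# Live use (as root), mirroring the temp-set-and-swap pattern of Method 1:
#   curl -fsS "$API" | build_ipset_batch ipwhois_bl_tmp | ipset -exist restore
#   ipset swap ipwhois_bl_tmp ipwhois_bl && ipset destroy ipwhois_bl_tmp
```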
Troubleshooting
  • ipset not found: Install with apt install ipset or dnf install ipset.
  • Set full: Increase maxelem in the ipset create command.
  • Rules lost on reboot: Use iptables-persistent or save with ipset save.
  • nftables conflict: Do not mix iptables and nftables on the same system.