Servers running iptables with CSF firewall can become slow and bogged down while processing the sometimes hundreds of IP addresses in CSF's iptables chains. Thankfully, it is possible to quickly and easily alleviate this slowdown by installing and configuring a took called ipset.
IP sets are a framework inside the Linux kernel that can store IP addresses, networks, TCP/UDP port numbers, MAC addresses - or combinations of some/all of the prior. These IP sets are stored in a fast and efficient manor that allows for quick access and searching, plus seamless updates to the IP sets without having to reload iptables.
To get started, we want to install ipset. CentOS, Red Hat and Fedora (yum) users do this by:
sudo yum install ipset -y
Or for an apt based Linux distro like Ubuntu or Debian, run:
sudo apt-get install ipset -y
Once ipset and its necessary supporting packages are installed, we need to tell CSF that ipset is available and ready to be used. We want to edit CSF's main config file:
Then, we want to search for the lf_ipset line to make our changes:
CTRL+W to search in nano
Type lf_ipset and hit return
Alter the lf_ipset line to look like this:
LF_IPSET = "1"
Now we want to save our changes and exit nano:
CTRL+X then type Y and hit return
And finally, we need to reload CSF and LFD to apply our changes: