Capturing my steps for creating CIDR network lists (ipset) suitable for use with firewalls such as iptables and nftables.
For example, I reference this approach in my Secure defaults for Debian sshd_config and MFA gist.
The ipsets that I build in this gist reduce the permitted IPv4 hosts from ~4.28 billion to ~47 million, a reduction of ~98.88%. This shrinks the attack surface while still admitting some traffic, including your preferred IPs/networks.
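To make the "hosts permitted" arithmetic reproducible, here is an added example (not code from the gist itself) that collapses a CIDR list, counts the addresses it covers, reports the reduction against the full IPv4 space, and emits `ipset restore` input for a `hash:net` set. The set name and the RFC 5737 prefixes used as sample input are constructed for illustration.

```python
import ipaddress

# Size of the full IPv4 address space, the baseline the gist's ~98.88% figure is measured against.
IPV4_TOTAL = 2 ** 32


def collapse_cidrs(cidrs):
    """Merge overlapping and adjacent IPv4 prefixes so no address is counted twice."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def host_count(cidrs):
    """Number of distinct IPv4 addresses covered by the (collapsed) list."""
    return sum(n.num_addresses for n in collapse_cidrs(cidrs))


def reduction_percent(cidrs):
    """Percentage of the IPv4 space that the allow-list excludes."""
    return 100.0 * (1 - host_count(cidrs) / IPV4_TOTAL)


def ipset_restore_script(name, cidrs):
    """Build 'ipset restore' input: one create line, then one add line per collapsed prefix.

    -exist makes the script idempotent when re-applied to a live set.
    """
    lines = [f"create {name} hash:net family inet -exist"]
    lines += [f"add {name} {n} -exist" for n in collapse_cidrs(cidrs)]
    return "\n".join(lines) + "\n"


# Constructed sample input: overlapping and adjacent prefixes from the RFC 5737 documentation ranges.
SAMPLE_CIDRS = [
    "192.0.2.0/24",
    "192.0.2.128/25",      # contained in the /24 above
    "198.51.100.0/24",
    "203.0.113.0/25",
    "203.0.113.128/25",    # adjacent to the previous /25, collapses to a /24
]

if __name__ == "__main__":
    print(f"hosts permitted: {host_count(SAMPLE_CIDRS)}")
    print(f"reduction: {reduction_percent(SAMPLE_CIDRS):.5f}%")
    print(ipset_restore_script("allowed_nets", SAMPLE_CIDRS), end="")
```

Pipe the output into `ipset restore` and reference the set from an iptables `-m set --match-set` rule or the equivalent nftables set.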
This approach is not as good as, or a replacement for, setting up a VPN or Bastion setup, or implementing Zero Trust Network Access (ZTNA), or reducing the host list to only trusted hosts/networks. These topics can be tricky for dynamic IP addressing setups and will be the subject of a future Gist.
Glossary: AS refers to the network itself, and ASN refers to the number that identifies tha