+ # start the blocking rule
+ if iptables-save | grep -qs "match-set $SET" ; then
+ : # all fine
+ else
+ if ipset list $SET >& /dev/null ; then
+ : # The set exists
+ else
+ ipset create $SET hash:net
+ fi
+ iptables -A FORWARD -p tcp --dport 53 -j ACCEPT
+ iptables -A FORWARD -p udp --dport 53 -j ACCEPT
+ iptables -A FORWARD -m set --match-set $SET src -j DROP
+ fi
+ # Start the traffic listener
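Review bot: The two port-53 ACCEPT rules appended ahead of the DROP match any source and any destination, so an address in `$SET` can still forward arbitrary TCP/UDP traffic as long as it targets port 53. If the exemption is only meant to keep name resolution working, scope it to the resolver, e.g. `iptables -A FORWARD -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT` and the same for tcp (`DNS_SERVER` is a placeholder, not a variable on this page). All three rules use `-A`, so any broader ACCEPT already sitting earlier in FORWARD would win over the DROP; the chain's existing contents are not visible here, so that needs checking. The guard `grep -qs "match-set $SET"` treats the name as an unanchored pattern and would also succeed for a longer set name that shares the prefix, whereas `iptables -C FORWARD -m set --match-set "$SET" src -j DROP` tests for the exact rule. `$SET` is assigned outside the visible lines and should be quoted in the `ipset` and `iptables` calls.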