Building kernel with ipset support (Debian way)

ipset is a very useful thing when you need your firewall to check thousands of IPs, networks, ports, or combinations of them. You could add the rules to your tables in a loop from a shell script, but iptables walks a chain rule by rule, so once you have several thousand rules matching becomes very slow. In such cases ipset (IP sets) is a very handy addition.

Here is a quote from the ipset site:

IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be administered by the ipset utility. Depending on the type, currently an IP set may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC addresses in a way, which ensures lightning speed when matching an entry against a set.

If you want to

  • store multiple IP addresses or port numbers and match against the collection by iptables at one swoop;
  • dynamically update iptables rules against IP addresses or ports without performance penalty;
  • express complex IP address and ports based rulesets with one single iptables rule and benefit from the speed of IP sets

then ipset may be the proper tool for you.

The ipset userspace tool is packaged in Debian, but the kernel still needs the matching patch. Here's how I did it. Two things to check before typing the commands: apt-get source needs a deb-src line for your release in /etc/apt/sources.list, and the iptables directory name passed as IPTABLES_DIR below depends on the version that apt-get source fetches (1.3.6.0debian1 at the time of writing), so adjust it to whatever lands in /usr/src. When make oldconfig asks about the newly added IP set options (the set framework, the individual set types, the set match and the SET target), answer M or Y; if you leave them at N, the patched tree builds a kernel without ipset.

# apt-get install linux-source-2.6.18 build-essential kernel-package initramfs-tools
# cd /usr/src
# tar xjf linux-source-2.6.18.tar.bz2
# cp /boot/config-2.6.18-4-686 ./linux-source-2.6.18/.config
# wget http://ipset.netfilter.org/patch-o-matic-ng-20070524.tar.bz2
# tar xjf patch-o-matic-ng-20070524.tar.bz2
# apt-get source iptables
# cd patch-o-matic-ng
# KERNEL_DIR=/usr/src/linux-source-2.6.18 IPTABLES_DIR=/usr/src/iptables-1.3.6.0debian1/iptables ./runme set
# cd ../linux-source-2.6.18
# make oldconfig
# make-kpkg --bzimage --initrd --append-to-version=-ipset --revision=00.01 kernel_image

That's all. When the build finishes you should find a ready-made package, linux-image-2.6.18-ipset_00.01_i386.deb, in /usr/src. Install it with dpkg -i and reboot into the new kernel; then run modprobe ip_set and check that ipset -N test iphash succeeds (ipset -X test removes the test set again). If ipset complains that the kernel has no set support, the IP set options were most likely left at N during make oldconfig.
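To show what the patched kernel buys you (the "one rule instead of thousands" point from the introduction), here is an added example script that is not part of the original post. It generates the per-address iptables rules the slow loop approach would produce, and next to them the ipset 2.x restore batch plus the single "-m set" rule that replaces them. The set name, the sample addresses and the file name are made up for the example; the command syntax is the pre-netlink ipset generation this page targets (ipset -N / -A / -R, "--set NAME src"), not the later "ipset create/add" syntax. Without arguments it only prints; with "apply FILE" it loads the set and inserts the rule, which needs root, the patched kernel and the ipset tool.

```shell
#!/bin/sh
# Added example (not from the original post): load a list of addresses into
# one IP set and match the whole set with a single iptables rule, instead of
# one iptables rule per address. ipset 2.x / patch-o-matic-ng syntax.
# The set name and the address list below are made up for the example.

SET_NAME=blacklist

# Constructed sample input (documentation-range addresses, not real data).
SAMPLE_IPS='# constructed sample input
192.0.2.10
198.51.100.7

203.0.113.250'

# Drop blank lines and "#" comments from the address list on stdin.
clean_list() {
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d'
}

# The slow way: one iptables rule per address. Every packet walks the chain
# until a rule matches, so the cost grows with the length of the list.
gen_rule_loop() {
    clean_list | while read -r ip; do
        printf 'iptables -A INPUT -s %s -j DROP\n' "$ip"
    done
}

# The ipset way, part 1: a restore batch for "ipset -R". One "-N" line
# creates the set (iphash hashes single addresses; --hashsize sizes the
# table), one "-A" line per address, then COMMIT. Feeding the batch to
# "ipset -R" loads thousands of entries in one call instead of one
# ipset process per address.
gen_set_batch() {
    printf '%s %s iphash --hashsize 1024\n' '-N' "$SET_NAME"
    clean_list | while read -r ip; do
        printf '%s %s %s\n' '-A' "$SET_NAME" "$ip"
    done
    echo COMMIT
}

# The ipset way, part 2: a single rule that matches the whole set against
# the source address ("dst" instead of "src" would match the destination).
set_rule() {
    printf 'iptables -A INPUT -m set --set %s src -j DROP\n' "$SET_NAME"
}

# "apply FILE" loads the set from FILE and inserts the rule (root, patched
# kernel and the ipset tool required). Any other invocation only prints
# what would be run, using the constructed sample list.
case "${1:-}" in
    apply)
        : "${2:?usage: $0 apply ADDRESS_FILE}"
        modprobe ip_set 2>/dev/null || true   # harmless if built in
        gen_set_batch < "$2" | ipset -R
        iptables -A INPUT -m set --set "$SET_NAME" src -j DROP
        ;;
    *)
        echo "# per-address rules (slow):"
        printf '%s\n' "$SAMPLE_IPS" | gen_rule_loop
        echo "# ipset restore batch (pipe into: ipset -R):"
        printf '%s\n' "$SAMPLE_IPS" | gen_set_batch
        echo "# single matching rule:"
        set_rule
        ;;
esac
```

The restore batch is the same format "ipset -S" writes, so the set can later be dumped and reloaded the same way; updating the list afterwards is "ipset -A blacklist ADDRESS" while the single iptables rule stays in place.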

1 response to «Building kernel with ipset support (Debian way)»

 Isma commented, on October 18, 2007 at 2:15 a.m.:

I refer to this article in my wiki http://iballo.wikispaces.com/ipset_sh...
