Configure Iptables with Ipset

16,003

Solution 1

I may have to answer my own question, as it looks like nobody at serverfault knows the answer. Well, this is really simple. Since iptables rules work successively, all that was needed was to change from -A INPUT to -I INPUT in my code above. Problem solved.

It created amended (-A) rules in my input chain and put them at the back, which seemed to conflict with the other rules that came before them. The trick was to use insert (-I), which created a new rule and put it in front; that stopped the conflict with the others and it started working perfectly well.

Hope it will help someone out as well.

Solution 2

The problem is with the iptables rule:

-A INPUT -p tcp --match multiport --dport 25,587 -m set --match-set blocklist src -j DROP
                                  ^^^^^^^

The parameter for multiport match is --dports, not --dport:

-A INPUT -p tcp --match multiport --dports 25,587 -m set --match-set blocklist src -j DROP
                                  ^^^^^^^^
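The procedure from the question with both fixes applied (the rule inserted with -I so it lands ahead of existing INPUT rules, and the multiport match given --dports), as an added example that is not part of either answer. The set name blocklist, the ports 25,587 and the one-address-per-line input file are taken from the question; hash:net is the current name of the nethash set type, and the function names and the atomic swap via a temporary set are my own additions.

```shell
#!/bin/sh
# Added example, not from the original answers. Builds an `ipset restore`
# script from a blocklist file and the matching iptables rule, using
# --dports for the multiport match and -I so the rule lands at the top
# of INPUT ahead of rules (e.g. fail2ban's) that are already there.
# Assumed input: one IPv4 address or CIDR per line, '#' comments allowed.

# Emit an ipset restore script. The set is filled as <name>_tmp and then
# swapped in, so a reload never leaves the live set half-populated.
# Usage: gen_ipset_restore blocklist /path/to/blocklist | ipset restore
gen_ipset_restore() {
    set_name=$1; file=$2
    printf 'create %s_tmp hash:net family inet\n' "$set_name"
    grep -Ev '^[[:space:]]*(#|$)' "$file" | while read -r ip; do
        # keep only digits, dots and an optional /prefix; skip the rest
        case $ip in
            *[!0-9./]*) printf 'skipping invalid entry: %s\n' "$ip" >&2; continue ;;
        esac
        printf 'add %s_tmp %s\n' "$set_name" "$ip"
    done
    printf 'create %s hash:net family inet -exist\n' "$set_name"
    printf 'swap %s_tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s_tmp\n' "$set_name"
}

# Emit the DROP rule as iptables arguments. A comma-separated port list
# needs the multiport match and its --dports option; a single port can use
# plain --dport. Usage: iptables $(gen_rule blocklist 25,587)
gen_rule() {
    set_name=$1; ports=$2
    case $ports in
        *,*) printf -- '-I INPUT 1 -p tcp -m multiport --dports %s -m set --match-set %s src -j DROP\n' "$ports" "$set_name" ;;
        *)   printf -- '-I INPUT 1 -p tcp --dport %s -m set --match-set %s src -j DROP\n' "$ports" "$set_name" ;;
    esac
}

# Lint one rule line for the defect from the question: a comma port list
# handed to --dport instead of multiport's --dports.
# Returns 0 if the line is fine, 1 if it shows that defect.
check_rule() {
    case $1 in
        *"--dport "*,*) return 1 ;;   # "--dport " (no s) followed by a list
    esac
    return 0
}
```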

Updated on September 18, 2022

Comments

  • Klaipedaville
    Klaipedaville over 1 year

    I would highly appreciate it if someone could help with a quite simple ipset rule I am trying to set up. I cannot really understand why it does not seem to work. So here it goes:

    1. I create a simple file with IP addresses I would like to block and call it blocklist.

    2. Then I create my ipset and reference it like this:

      ipset create blocklist nethash
      for i in $(cat /path/to/blocklist); do ipset add blocklist $i; done
      -A INPUT -p tcp --match multiport --dport 25,587 -m set --match-set blocklist src -j DROP
      

    When I verify it with

    ipset test blocklist (IP address here) and press enter
    

    it says the IP address is on the list.

    When I verify it with

    iptables -L -n -v
    

    it says my iptables' rule is there and in action.

    However, when I connect from the IP address that is on the blocklist, it does not block this IP address with a "connection timed out"; it simply gets connected and goes right through... I am lost... Could anybody please advise where the mistake in my setting is? Any pointers / assistance / suggestions, etc. are most welcome! Many thanks in advance!

    P.S. It works OK when I set it without any multiport options and block only one port, like this:

    -A INPUT -p tcp --dport 80 -m set --match-set blocklist src -j DROP
    

    but when I do the same thing on port 25 it won't work:

    -A INPUT -p tcp --dport 25 -m set --match-set blocklist src -j DROP
    

    I cannot really figure it out. I have Postfix running OK and listening on port 25.

    P.P.S. The only thing that comes to my mind is that there is a limit on the number of ipset sets that I can have (is that possible at all?), which is why my last rule does not work, because it's being pushed out of the allowed limit... clueless...

  • Klaipedaville
    Klaipedaville about 7 years
    I have fail2ban running, and when it's restarted its rules tend to "jump up" on top and "win as the first match", pushing my own rules down the line and thus making my rules inactive or conflicting with them; therefore I am considering uninstalling fail2ban for testing. It's being closely watched now. In fact, this fail2ban issue was the second one, after I had discovered my trouble with -A INPUT and -I INPUT.
  • iwaseatenbyagrue
    iwaseatenbyagrue about 7 years
    Right - in my mind, your setup seemed to duplicate some of fail2ban's functionality and intent - hence my suggestion. In that case, you could (possibly) have re-used fail2ban's ipsets to add your own IPs where needed, and would have avoided a conflict between your rules and those of fail2ban. But it was only a suggestion - so long as you've found a way to do what you wanted, no need to change your habits.