[SOLVED] ipset not matching in mangle table

systemlordanubis · 11-05-2016, 08:30 AM

Hi All,

I have an ipset group which is configured with a hash:ip,port.

user@svr1:~# ipset list TestSet
Name: TestSet
Type: hash:ip,port
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16656
References: 7
Members:
10.10.3.186,udp:12345
10.10.3.186,tcp:12345

When I add a record to the POSTROUTING table like this:

iptables -t mangle -I POSTROUTING 1 -m set --match-set TestSet src -j CLASSIFY --set-class 1:99

No packets are ever matched, yet, if I add this record:

iptables -t mangle -I POSTROUTING 1 -p udp -s 10.10.3.186 --sport 12345 -j CLASSIFY --set-class 1:99

It does successfully match the packets.

I can't find any reason why this wouldn't be matching packets as I have sets working fine in other sections.

Has anyone else ever encountered this or am I just overlooking something?

Thanks.
Anubis.

systemlordanubis · 11-05-2016, 08:59 AM

After a lot more searching, I came across the solution from this source - http://thread.gmane.org/gmane.comp.s....general/46123

In the rules above you specified a single direction flag for a two
dimensional set, thus the matching returned "false". If in the first rule
the port is the destination, then it should be:

Which means my rule should have been listed as:

iptables -t mangle -I POSTROUTING 1 -m set --match-set TestSet src,src -j CLASSIFY --set-class 1:99

Once correcting the missing ",src" the rule's working perfectly.

Hope this is able to help some others in the future.

Anubis.

kerin444 · Today, 04:20 AM

I know it's an old thread but I wanted to say THANK YOU because it helped me to better understand and troubleshoot my IpSet problem.

It may help because documentation is very poor on IpSet and Iptables "set" module.

If you are using HASH:IP IpSet, you have to use Iptables rules like this "-m set --match-set myIpSet dst -j ACCEPT" with a sigle "tag"
If, like me, you are using HASH:IP,PORT IpSet, you have to use IpTables rules like this "-m set --match-set myIpSet dst,dst -j ACCEPT" with 2 tags to match the content of the IpSet
But you can also filter Source and Destination with IpSet described by HASH:NET,IP,PORT and have rules "-m set --match-set myIpSet src,dst,dst -j ACCEPT" with 3 tags this time
You can have up to 6 tags in one IpSet

Ex:

Code:

ipset create IpSetFilter1 hash:ip,port timeout 604800
# Allow SSH from 10.125.33.0/24 to 10.40.10.10 for 1 hour
ipset add IpSetFilter1 10.125.33.0/24,10.40.10.10,tcp:22 timeout 3600 
iptables -I FORWARD -m set ! --match-set IpSetFilter1 src,dst,dst -j DROP
iptables -I FORWARD -m set ! --match-set IpSetFilter1 src,dst,dst -j LOG --log-level info --log-prefix "DROP IPSET NOT MATCH"
iptables -I FORWARD -m set --match-set IpSetFilter1 src,dst,dst -j ACCEPT

I hope it will help people with IpSet!!

Best regards,