I know it's an old thread but I wanted to say THANK YOU because it helped me to better understand and troubleshoot my IpSet problem.
It may help because documentation is very poor on IpSet and the Iptables "set" module.
If you are using a HASH:IP IpSet, you have to use Iptables rules like this: "-m set --match-set myIpSet dst -j ACCEPT", with a single "tag".
If, like me, you are using a HASH:IP,PORT IpSet, you have to use Iptables rules like this: "-m set --match-set myIpSet dst,dst -j ACCEPT", with 2 tags to match the content of the IpSet.
But you can also filter Source and Destination with an IpSet described by HASH:NET,IP,PORT and have rules like "-m set --match-set myIpSet src,dst,dst -j ACCEPT", with 3 tags this time.
You can have up to 6 tags in one IpSet.
Ex:
Code:
# The set type needs one component per entry field: net,ip,port for the entry below
ipset create IpSetFilter1 hash:net,ip,port timeout 604800
# Allow SSH from 10.125.33.0/24 to 10.40.10.10 for 1 hour (overrides the default 604800 s timeout)
ipset add IpSetFilter1 10.125.33.0/24,10.40.10.10,tcp:22 timeout 3600
# -I inserts at the top, so the last rule added is evaluated first: ACCEPT, then LOG, then DROP
iptables -I FORWARD -m set ! --match-set IpSetFilter1 src,dst,dst -j DROP
iptables -I FORWARD -m set ! --match-set IpSetFilter1 src,dst,dst -j LOG --log-level info --log-prefix "DROP IPSET NOT MATCH"
iptables -I FORWARD -m set --match-set IpSetFilter1 src,dst,dst -j ACCEPT
I hope it will help people with IpSet!!
Best regards,
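The rule of thumb in the post above (one src/dst flag per component of the set type) is easy to get wrong, so here is a small shell checker, added as an example and not part of the original post. The function names (`set_type_arity`, `check_match_set`, `build_rule`) are my own; it only inspects strings, so it runs without ipset or iptables installed.

```shell
#!/bin/sh
# Added example: verify that a "-m set --match-set <name> <flags>" flag list
# has exactly one src/dst flag per component of the ipset type.
# hash:ip -> 1 flag, hash:ip,port -> 2, hash:net,ip,port -> 3 (ipset allows up to 6).

# Count components in an ipset type such as "hash:net,ip,port".
set_type_arity() {
    # strip the "hash:"/"bitmap:"/"list:" method prefix, then count the fields
    echo "${1#*:}" | tr ',' '\n' | grep -c .
}

# Count flags in a --match-set flag list such as "src,dst,dst".
match_flags_arity() {
    echo "$1" | tr ',' '\n' | grep -c .
}

# check_match_set TYPE FLAGS: returns 0 when the flag list fits the set type,
# 1 when the counts differ or a flag other than src/dst is used.
check_match_set() {
    type_arity=$(set_type_arity "$1")
    flag_arity=$(match_flags_arity "$2")
    for f in $(echo "$2" | tr ',' ' '); do
        case "$f" in
            src|dst) ;;
            *) echo "bad flag '$f' (only src/dst are allowed)"; return 1 ;;
        esac
    done
    if [ "$type_arity" -ne "$flag_arity" ]; then
        echo "$1 needs $type_arity flag(s), got $flag_arity ($2)"
        return 1
    fi
    echo "ok: -m set --match-set <name> $2 matches $1"
    return 0
}

# build_rule NAME TYPE FLAGS: print the ACCEPT rule only if the flags are valid.
build_rule() {
    check_match_set "$2" "$3" >/dev/null || return 1
    echo "iptables -I FORWARD -m set --match-set $1 $3 -j ACCEPT"
}

# Sample run (constructed values): the set from the post and a wrong flag count.
build_rule IpSetFilter1 hash:net,ip,port src,dst,dst
check_match_set hash:ip,port dst || true
```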