LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-11-2017, 09:09 AM   #1
Klaipedaville
Member
 
Registered: Mar 2013
Posts: 110

Configure Iptables with ipset trouble


Hello there,

I would highly appreciate it if someone could help with a quite simple ipset rule I am trying to set up. I cannot really understand why it does not seem to work. So here it goes:

1. I create a simple file with IP addresses I would like to block and call it blocklist

2. Then I create my ipset and reference it like this:

ipset create blocklist nethash
for i in $(cat /path/to/blocklist); do ipset add blocklist $i; done
-A INPUT -p tcp --match multiport --dport 25,587 -m set --match-set blocklist src -j DROP

When I verify it with:
ipset test blocklist (IP address here) and press enter
it says the IP address is on the list.

When I verify it with:
iptables -L -n -v
it says my iptables' rule is there and in action.

However, when I connect from an IP address that is on the blocklist, it does not block this IP address by saying "connection timed out"; it simply gets connected and goes right through... I am lost... Could anybody please advise where the mistake in my setting is? Any pointers / assistance / suggestions, etc. are most welcome! Many thanks in advance!
====
P.S. It works OK when I set it without any multiport options and blocks only one port like this:

-A INPUT -p tcp --dport 80 -m set --match-set blocklist src -j DROP

but when I do the same thing on port 25 it won't work:

-A INPUT -p tcp --dport 25 -m set --match-set blocklist src -j DROP

I cannot really figure it out. I have Postfix running OK and listening on port 25.

P.P.S. The only thing that comes to my mind is that there is a limit on the number of ipset sets I can have (is that possible at all?), and that's why my last rule does not work, because it's being pushed beyond the allowed limit... clueless...

Last edited by Klaipedaville; 03-11-2017 at 01:34 PM.
 
Old 03-12-2017, 06:21 AM   #2
camp0
Member
 
Registered: Dec 2016
Location: Dublin
Distribution: Fedora
Posts: 70

Hi

Maybe if you just create a different iptables rule with different ports and it works, that may be the solution; however, it looks like when you use the ipset, iptables uses a lookup algorithm that may not have support for multiple ports. Go to the netfilter mailing list and you will probably find the solution, and in the meantime you can use iptables rules that select a single port.
 
Old 03-15-2017, 12:47 PM   #3
end
Member
 
Registered: Aug 2016
Posts: 266

re

Quote:
-A INPUT -p tcp --match multiport --dport 25,587 -m set --match-set blocklist src -j DROP
try OUTPUT

Check:

https://www.linuxquestions.org/quest...ip-4175601788/

I didn't see that you fixed it,

but check this:

-A INPUT -p tcp -m tcp --match multiport --dports 25,587 -m set --match-set blocklist src -j DROP

With multiport you need --dports, not --dport, and try --sports on INPUT.

Last edited by end; 03-15-2017 at 01:37 PM.
 
Old 03-16-2017, 11:47 AM   #4
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Quote:
Originally Posted by Klaipedaville
-A INPUT -p tcp --match multiport --dport 25,587 -m set --match-set blocklist src -j DROP
Syntax is wrong:
Code:
-A INPUT -p tcp -m multiport --dport 25,587 -m set --match-set blocklist src -j DROP
One question I have is: are you only blocking them from certain ports, or do you want to block them from everything? Normally when I block you, you're blocked from everything, not just a few ports.

Quote:
P.S. It works OK when I set it without any multiport options and blocks only one port like this:

-A INPUT -p tcp --dport 80 -m set --match-set blocklist src -j DROP

but when I do the same thing on port 25 it won't work:

-A INPUT -p tcp --dport 25 -m set --match-set blocklist src -j DROP

I cannot really figure it out. I have Postfix running OK and listening on port 25.

P.P.S. The only thing that comes to my mind is that there is a limit on the number of ipset sets I can have (is that possible at all?), and that's why my last rule does not work, because it's being pushed beyond the allowed limit... clueless...
There are limits to everything, but in this case it would not be ipset that is limiting you, as you can see the IP addresses.

Since you are not showing your entire firewall rule set, it is hard to pinpoint the issue. You could have other rules that allow things to connect that you are trying to block. Because iptables works top-down, if you have a rule before your DROP rules that allows said IP address, then your DROP rules are useless.
 
Old 03-16-2017, 01:56 PM   #5
Klaipedaville
Member
 
Registered: Mar 2013
Posts: 110

Original Poster
Quote:
Originally Posted by lazydog
syntax is wrong
Code:
-A INPUT -p tcp -m multiport --dport 25,587 -m set --match-set blocklist src -j DROP
One question I have is: are you only blocking them from certain ports, or do you want to block them from everything? Normally when I block you, you're blocked from everything, not just a few ports.
Thank you for replying and for your suggestions. I appreciate it. The syntax is perfectly correct, as it is working well. My iptables is not the latest version, and that's most probably why you thought it was outdated.

The rule clearly shows which ports I would like to be blocked. I do not intend to block everything.

I figured it out myself though. The trouble is in -A INPUT, which amends (-A = amend) the rules and puts them "at the end". It all works successively, as you correctly mentioned in your reply; therefore the solution was -I INPUT, which creates a new rule (-I = input) and does the trick.
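The ordering problem behind this thread (an earlier ACCEPT consuming the packets that an appended ipset DROP was meant to catch, which lazydog describes above and which the original poster worked around with -I INPUT) can be checked mechanically. The following is an added example and is not code from the thread or from any of its participants: it parses `iptables-save` / `iptables -S` text, reports set-based DROP rules in a chain that an earlier ACCEPT overlaps, and prints the chain reordered the way `-I INPUT 1` would have placed the DROPs. The embedded rule set is constructed for the example and reproduces the symptom (port 25 still connects, port 80 is blocked); only the chain name INPUT, the set name `blocklist` and the ports 25/587/80 come from the thread, the other rules are assumptions.

```python
"""Report ipset DROP rules that an earlier ACCEPT in the same chain shadows,
and show the chain as `iptables -I` ordering would have left it.
Input is iptables-save / `iptables -S` text (sample below is constructed)."""
import shlex
import sys
from dataclasses import dataclass, field

# Constructed sample, not from a real host: the port-25 ACCEPT sits above the
# appended multiport DROP, so blocklisted hosts still reach Postfix.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m set --match-set blocklist src -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,587 -m set --match-set blocklist src -j DROP
COMMIT
"""


@dataclass
class Rule:
    chain: str
    text: str
    target: str = ""
    proto: str = ""                            # "" = any protocol
    dports: set = field(default_factory=set)   # empty = any destination port
    states: set = field(default_factory=set)   # from --state / --ctstate
    uses_set: bool = False                     # has -m set --match-set


def expand_ports(spec):
    """'25,587,1000:1002' -> {25, 587, 1000, 1001, 1002}"""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(line):
    """Parse one '-A CHAIN ...' line; *filter, :CHAIN and COMMIT lines give None."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = Rule(chain=toks[1], text=line.strip())
    i = 2
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if tok in ("-p", "--protocol"):
            rule.proto = nxt
        elif tok in ("--dport", "--dports", "--destination-port", "--destination-ports"):
            rule.dports = expand_ports(nxt)    # tcp and multiport spellings alike
        elif tok in ("--state", "--ctstate"):
            rule.states = set(nxt.split(","))
        elif tok in ("-j", "--jump"):
            rule.target = nxt
        elif tok == "--match-set":
            rule.uses_set = True               # nxt is the set name; src/dst follows
        else:
            i += 1                             # option we do not evaluate
            continue
        i += 2
    return rule


def parse_save(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]


def overlaps(accept, drop):
    """Could a packet the DROP rule targets be consumed by this ACCEPT first?"""
    # An ACCEPT limited to RELATED/ESTABLISHED never sees a new connection's
    # first packet, so it cannot shadow a DROP aimed at new connections.
    if accept.states and "NEW" not in accept.states:
        return False
    if accept.proto and drop.proto and accept.proto != drop.proto:
        return False
    if accept.dports and drop.dports and not (accept.dports & drop.dports):
        return False
    return True   # -s/-i restrictions are not evaluated: reported conservatively


def shadowed_drops(rules, chain="INPUT"):
    """(drop, accept) pairs where accept precedes drop in `chain` and overlaps it."""
    found, accepts = [], []
    for r in rules:
        if r.chain != chain:
            continue
        if r.target == "DROP" and r.uses_set:
            shadow = next((a for a in accepts if overlaps(a, r)), None)
            if shadow is not None:
                found.append((r, shadow))
        elif r.target == "ACCEPT":
            accepts.append(r)
    return found


def reorder_drops_first(rules, chain="INPUT"):
    """Chain rule lines with set-based DROPs hoisted to the top: the order
    `iptables -I INPUT 1 ...` yields instead of `iptables -A INPUT ...`."""
    chain_rules = [r for r in rules if r.chain == chain]
    drops = [r for r in chain_rules if r.target == "DROP" and r.uses_set]
    rest = [r for r in chain_rules if not (r.target == "DROP" and r.uses_set)]
    return [r.text for r in drops + rest]


if __name__ == "__main__":
    # Real use: `iptables-save | python3 check_shadow.py`; no stdin -> sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_SAVE
    rules = parse_save(text)
    for drop, acc in shadowed_drops(rules):
        print(f"SHADOWED: {drop.text}\n      by: {acc.text}")
    print("\nINPUT with set-based DROPs first:")
    for line in reorder_drops_first(rules):
        print("  ", line)
```

On the sample, the port-80 DROP is reported clean because its ACCEPT comes after it, while the 25,587 DROP is flagged as shadowed by the `--dport 25 -j ACCEPT` rule above it; the reordered listing is what the chain looks like once the DROPs are inserted at position 1. The checker deliberately ignores `-s` and `-i` qualifiers on the ACCEPT, so a flagged pair means "may shadow", which is the safer direction for an audit.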
 
Old 03-16-2017, 02:50 PM   #6
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

If you're good to go then mark this puppy as resolved. Thanks.
 