Linux - Security (LinuxQuestions.org forum): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I would highly appreciate it if someone could help with a quite simple ipset rule I am trying to set up. I cannot really understand why it does not seem to work. So here it goes:
1. I create a simple file with IP addresses I would like to block and call it blocklist
2. Then I create my ipset and reference it like this:
Code:
ipset create blocklist nethash
for i in $(cat /path/to/blocklist); do ipset add blocklist $i; done
-A INPUT -p tcp --match multiport --dport 25,587 -m set --match-set blocklist src -j DROP
When I verify it with:
ipset test blocklist (IP address here) and press enter,
it says the IP address is on the list.
When I verify it with:
iptables -L -n -v
it says my iptables' rule is there and in action.
However, when I connect from an IP address that is on the blocklist it does not block this IP address with a "connection timed out"; it simply gets connected and goes right through... I am lost... Could anybody please advise where the mistake in my setting is? Any pointers / assistance / suggestions, etc. are most welcome! Many thanks in advance!
====
P.S. It works OK when I set it without any multiport options and blocks only one port like this:
-A INPUT -p tcp --dport 80 -m set --match-set blocklist src -j DROP
but when I do the same thing on port 25 it won't work:
-A INPUT -p tcp --dport 25 -m set --match-set blocklist src -j DROP
I cannot really figure it out. I have Postfix running OK and listening on port 25.
P.P.S. The only thing that comes to my mind is that there is a limit on the number of ipset sets that I can have (is that possible at all?), and that's why my last rule does not work, because it's being pushed out of the allowed limit... clueless...
Last edited by Klaipedaville; 03-11-2017 at 01:34 PM.
Maybe if you just create a different iptables rule with different ports and it works, that may be the solution; however, it looks like when you use ipset, iptables uses a lookup algorithm that may not have support for multiple ports. Go to the netfilter mailing list and probably you will find the solution, and in the meanwhile you can use the iptables rules by selecting the single port.
-A INPUT -p tcp --match multiport --dport 25,587 -m set --match-set blocklist src -j DROP
The syntax is wrong:
Code:
-A INPUT -p tcp -m multiport --dport 25,587 -m set --match-set blocklist src -j DROP
One question I have is: are you only blocking them from certain ports, or do you want to block them from everything? Normally when I block you, you're blocked from everything, not just a few ports.
Quote:
P.S. It works OK when I set it without any multiport options and blocks only one port like this:
-A INPUT -p tcp --dport 80 -m set --match-set blocklist src -j DROP
but when I do the same thing on port 25 it won't work:
-A INPUT -p tcp --dport 25 -m set --match-set blocklist src -j DROP
I cannot really figure it out. I have Postfix running OK and listening on port 25.
P.P.S. The only thing that comes to my mind is that there is a limit on the number of ipset sets that I can have (is that possible at all?), and that's why my last rule does not work, because it's being pushed out of the allowed limit... clueless...
There are limits to everything, but in this case it would not be ipset that is limiting you, as you can see the IP addresses.
Since you are not showing your entire firewall rule set it is hard to pinpoint the issue. You could have other rules that allow things to connect that you are trying to block. Because iptables works in top-down mode, if you have a rule before your DROP rules that allows said IP address, then your DROP rules are useless.
Thank you for replying and for your suggestions. I appreciate it. The syntax is perfectly correct as it is working well. My iptables is not of the latest version, and that's most probably why you thought it was outdated.
The rule clearly shows which ports I would like to be blocked. I do not intend to block everything.
I figured it out myself though. The trouble is in -A INPUT, which amends (-A = amend) the rules and puts them "at the end". It all works successively, as you correctly mentioned in your reply, therefore the solution was -I INPUT, which creates a new rule (-I = input) and does the trick.
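Putting the thread's fix together as an added example (this is not code from the original post): a POSIX sh script that loads a blocklist file into a hash:net set and inserts the multiport DROP rule at position 1 of INPUT, so it is evaluated before whatever earlier ACCEPT was letting the connection through. The file format (one address or CIDR per line, # comments), the DRY_RUN switch and the iptables -C duplicate check are my assumptions; the set name and ports follow the thread.

```shell
#!/bin/sh
# Load a blocklist into an ipset and put the DROP rule at the TOP of INPUT
# (iptables -I INPUT 1), so it runs before any ACCEPT for Postfix's ports.
# DRY_RUN=1 prints the commands instead of executing them (otherwise needs root).
# Assumed defaults: set name "blocklist", ports 25,587.
SET_NAME="${SET_NAME:-blocklist}"
PORTS="${PORTS:-25,587}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Read "ip" or "ip/prefix" entries; skip blank lines and # comments; reject garbage.
load_blocklist() {
    file="$1"
    run ipset create "$SET_NAME" hash:net -exist
    while IFS= read -r line || [ -n "$line" ]; do
        entry="${line%%#*}"                              # strip trailing comment
        entry="$(printf '%s' "$entry" | tr -d ' \t')"    # strip whitespace
        [ -z "$entry" ] && continue
        case "$entry" in
            *[!0-9./]*) echo "skipping invalid entry: $entry" >&2; continue ;;
        esac
        run ipset add "$SET_NAME" "$entry" -exist
    done < "$file"
}

# Insert the DROP rule at position 1 unless an identical rule already exists (-C).
insert_drop_rule() {
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -C INPUT -p tcp -m multiport --dports "$PORTS" \
         -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null; then
        echo "rule already present" >&2
        return 0
    fi
    run iptables -I INPUT 1 -p tcp -m multiport --dports "$PORTS" \
        -m set --match-set "$SET_NAME" src -j DROP
}
```

Run it as `load_blocklist /path/to/blocklist && insert_drop_rule`; with DRY_RUN=1 it only prints the ipset and iptables commands so you can review them first.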