LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-09-2014, 12:25 AM   #1
wolfsden3
LQ Newbie
 
Registered: Jun 2012
Posts: 9

Rep: Reputation: Disabled
ipset with iptables not working


I'm beating my head into the wall (firewall) a bit here.

I don't quite get iptables and have read a ton about them. What I have is:

Code:
# IPset command to create a new ipset with nethash (x.x.x.x/xx) <-- cidr
ipset -N custom.zone nethash

# I then add the zone into the custom.zone nethash
ipset add custom.zone 82.165.0.0/16

* ipset = done, working as expected from what I can tell

# I then create a new ipchain
iptables -N custom.zone

# I then make a new reject rule and insert it "-I"
iptables -I custom.zone -m set '--match-set' custom.zone src -j REJECT

# Now; I've read that I also might need to do a:
iptables -A INPUT -j custom.zone
All that last syntax seems to do is put it into the INPUT chain and make it "jump" (-j) to my "custom.zone" chain. I'd like it to be an INDEPENDENT chain though and work just like INPUT, OUTPUT, FORWARD, etc. work, so in addition to INPUT, OUTPUT, etc. I'd also now have "custom.zone".

1 - What's up with the existing chain of INPUT, OUTPUT, FORWARD and where did they come from?

2 - Can't I just create a new chain called WHATEVER and have it do something like reject, drop, etc packets? Why would I need to add it (-A) to the INPUT chain that already exists?


My desired end result is:

have ipset nethash rules of xyz.zone (a number of them all different names)
Inside the xyz.zone I have IP address/network (x.x.x.x/xx)
I then make an iptables chain referencing that ipset nethash to do something

So far this has my head spinning :-(

I'm using Ubuntu + UFW (Uncomplicated FireWall) + ipset
Ubuntu 12.04 LTS server

If I do an "iptables -n -L -v --line-numbers"... here's a snippet:

Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      22M 4554M ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
2      22M 4554M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
3     109K   24M ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
4    24227 1714K ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
5    24227 1714K ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
6    24227 1714K ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        3   180 custom.zone  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Down the output is this other reference to "custom.zone":
Code:
Chain custom.zone (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set custom.zone src reject-with icmp-port-unreachable

root@email:/var/log# ufw status
Status: active
How I know this IS NOT working is, I'm tailing a mail log and I see an offender whose network I have in my custom.zone ipset, yet they STILL try to authenticate (SASL error). I wanted to block their entire network till further notice using the ipset + iptables method, but I'm just having a hard time putting it all together.


Any insight would be appreciated.

Thanks!

Last edited by unSpawn; 09-10-2014 at 12:32 AM. Reason: //Add vBB code tags
 
Old 09-09-2014, 06:21 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
Quote:
Originally Posted by wolfsden3
I don't quite get iptables and have read a ton about them.
I don't think that you do quite get iptables; otoh, I'm not sure I can help you with some of the ipset stuff, but, if we do get your head around the basics of iptables, maybe you'll be able to do the rest yourself.

As a reference on iptables, what you need is a document on frozentux. if you want to look through some worked examples, try this.

Quote:
Originally Posted by wolfsden3

All that last syntax seems to do is put it into the INPUT chain and make it "jump" (-j) to my "custom.zone" chain. I'd like it to be an INDEPENDANT chain though and work just like INPUT, OUTPUT, FORWARD, etc work so in addition to INPUT, OUTPUT, etc I'd also now have "custom.zone".

1 - What's up with the existing chain of INPUT, OUTPUT, FORWARD and where did they come from?

2 - Can't I just create a new chain called WHATEVER and have it do something like reject, drop, etc packets? Why would I need to add it (-A) to the INPUT chain that already exists?
No. Your custom chain doesn't go 'in' anywhere. It just sits there on its own, waiting for... well, waiting for some data to be sent to it. This data could, in theory, come from anywhere; it wouldn't matter.

The question about the existing chains is a bit like 'and, before the big bang, what was there, then?' In the beginning, there have to be some existing chains for data to go down, if there is any data passing around (which there might be, particularly on the 'lo' interface).

So INPUT, OUTPUT and FORWARD are just a fact of life, like death and taxes, and are there at the beginning of time, as far as your ruleset is concerned. What you do need to do, for your custom chains to be of any practical use, is to include some instruction in the existing chains that sends, under some conditions, some data packets to your custom chain. Without this, your custom chain(s) will just sit there idle; that won't break anything, it just won't help in any way.

If your WHATEVER chain has, err, whatever rules you want, it can't do anything unless the data passes their way.

Now, more or less anything that you could do in your custom chain, you could do in one of the inherent chains, but it just might be rather messy, with repeats of the same tests, lots of traffic passing through useless tests, and generally be a bit inefficient.

As to your objectives, I don't understand them, and they sound more like methods or tactics than objectives to me. Can't help.

Edit:

And, if you do choose to include any code in a reply, please put it in code tags, for readability.

Last edited by salasi; 09-09-2014 at 06:23 PM.
 
Old 09-09-2014, 08:09 PM   #3
wolfsden3
LQ Newbie
 
Registered: Jun 2012
Posts: 9

Original Poster
Rep: Reputation: Disabled
iptables + ipset figured out

OK, so I figured this out (and thanks for pitching in). To say the least iptables + ipchains are two different but similar birds. I did more reading THEN more searching online and bumped into this handy post that had the syntax perfectly!

https://wiki.archlinux.org/index.php/Ipset

* Sorry for the code stuff, I'm not sure that's working in my browser as I'm blocking scripts BUT here's what I've got.

1 - I reset my iptables; this btw does NOT affect in any way your UFW rules, should you have any (which is cool).
Ref: http://ubuntuforums.org/showthread.php?t=1381516 <-- See Lars's post

I added Lars's stuff into a "reset.sh" script I called "sh reset.sh" which reset the iptables stuff.

2 - I also appended his excellent code with my own code to redo all the ipset stuff

The ONLY code I needed with respect to iptables was this: iptables -I INPUT -m set '--match-set' custom.zone src -j REJECT

I didn't need the -N to add a new chain, etc. I guess this means I compromised a bit and I'm using the default INPUT rule. The default ipchains rules are in that ubuntuforums.org post. Of course, with some variables in the iptables code you can bump in a list of zones to reject, which is what I did; all the zones were countries I don't want poking around.

I did struggle a bit to do the REJECT or DENY, I think REJECT is "RFC" so I stuck with that.

Hope this helps someone.
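An added example, not taken from any post in this thread: a small POSIX shell script that does what the first and third posts describe for a list of zones. It creates one nethash set per zone (the older `ipset -N` syntax used in the thread), adds each CIDR, and inserts one `-m set --match-set ... -j REJECT` rule with `-I INPUT`, so the match sits at line 1 of INPUT and is evaluated before the `ufw-*` chains rather than at the end, where the `-A INPUT -j custom.zone` jump from the first post landed (line 7 in the listing above). The function name `zone_rules`, the `DRY_RUN` switch and the second CIDR (198.51.100.0/24, documentation space) are constructed for this example; running it for real needs root plus `ipset` and `iptables` on the box.

```shell
#!/bin/sh
# Added example (not from the thread): one ipset per zone, one INPUT rule per zone.
# Set DRY_RUN=1 to print the commands instead of executing them.

# run_cmd: execute a command, or just print it when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# zone_rules ZONE CIDR...: create the set, load the CIDRs, insert the REJECT
# rule at the TOP of INPUT (-I) so it runs before the ufw-* chains.
zone_rules() {
    zone=$1
    shift
    # Ubuntu 12.04-era ipset syntax, as in the thread; on ipset 6+ the
    # equivalent is: ipset create "$zone" hash:net
    run_cmd ipset -N "$zone" nethash
    for cidr in "$@"; do
        run_cmd ipset add "$zone" "$cidr"
    done
    run_cmd iptables -I INPUT -m set --match-set "$zone" src -j REJECT
}

# Constructed sample zones for a dry run; replace with your own lists.
if [ "${1:-}" = "demo" ]; then
    DRY_RUN=1
    zone_rules custom.zone 82.165.0.0/16 198.51.100.0/24
fi
```

Run `sh script.sh demo` to see the commands it would issue. After applying for real, `iptables -n -L INPUT -v --line-numbers` should show the REJECT rule at line 1, and its pkts counter is the quickest check that the set is actually being hit: if the counter stays at 0 while the mail log still shows the offending network, the rule is not being reached.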
 