
I have the following rules in a bash script (in that order):

# blocklist.txt contains:
#192.168.1.39

for ip in $(cat blocklist.txt); do
    iptables -I INPUT -s $ip -p tcp -m multiport --dports 137:139,445 -j ACCEPT
    iptables -I FORWARD -d $ip -p tcp -m multiport --dports 137:139,445 -j ACCEPT
done

ipset flush banip
ipset -N -! banip hash:ip maxelem 1000000
for ip in $(cat blocklist.txt); do
    ipset -A banip "$ip"
done
iptables -I INPUT -m set --match-set banip src,dst -j DROP
iptables -I FORWARD -m set --match-set banip src,dst -j DROP

where "blocklist" includes IPv4 addresses. But my rules block the list and do not allow access to the ports excluded in the ACCEPT rules.

Note 1: I have tried with hash:ip and hash:net, with the same result.

Note 2: if I add ACCEPT rules for -p udp, the ports are still blocked.

According to HERE you should do this, but this does not open the desired ports for this list either:

ipset flush banip
ipset -N -! banip hash:ip maxelem 1000000
for ip in $(cat blocklist.txt); do
    ipset -A banip "$ip"
done
iptables -I INPUT -p tcp -m multiport --dports 137:139,445 -m set --match-set banip src,dst -j ACCEPT
iptables -I INPUT -m set --match-set banip src,dst -j DROP
iptables -I FORWARD -p tcp -m multiport --dports 137:139,445 -m set --match-set banip src,dst -j ACCEPT
iptables -I FORWARD -m set --match-set banip src,dst -j DROP

and according to HERE you should do this, but the same happens:

ipset flush banip
ipset -N -! banip hash:ip maxelem 1000000
for ip in $(cat blocklist.txt); do
    ipset -A banip "$ip"
done
iptables -I INPUT -m set --match-set banip src,dst -p tcp -m multiport --dports 137:139,445 -j ACCEPT
iptables -I INPUT -m set --match-set banip src,dst -j DROP
iptables -I FORWARD -m set --match-set banip src,dst -p tcp -m multiport --dports 137:139,445 -j ACCEPT
iptables -I FORWARD -m set --match-set banip src,dst -j DROP

my data:

  • iptables v1.8.7
  • ipset v7.15
  • ubuntu 22.04

ipset -L banip

Name: banip
Type: hash:ip
Revision: 5
Header: family inet hashsize 1024 maxelem 1000000 bucketsize 12 initval 0xebeb2f5c
Size in memory: 240
References: 16
Number of entries: 1
Members:
192.168.1.39

iptables -L -v -n

Chain INPUT (policy ACCEPT 4185 packets, 7480K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip dst
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip src
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip dst
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip src
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip dst
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip dst multiport dports 137:139,445
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip src
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip src multiport dports 137:139,445
Chain FORWARD (policy ACCEPT 170 packets, 29238 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip dst
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip src
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip dst
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip src
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip dst
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip dst multiport dports 137:139,445
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip src
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip src multiport dports 137:139,445

What's wrong with my rules? Thanks

Update:

I also created a new list with the ports and allowed it before the block list, with no result.

# allowports.txt contains:
# 137
# 138
# 139
# 445

ipset flush allowports
ipset -N -! allowports bitmap:port range 0-65535
for ports in $(cat allowports.txt); do
    ipset -A allowports "$ports"
done
iptables -I INPUT -m set --match-set allowports src,dst -j ACCEPT
iptables -I FORWARD -m set --match-set allowports src,dst -j ACCEPT

ipset flush banip
ipset -N -! banip hash:ip maxelem 1000000
for ip in $(cat blocklist.txt); do
    ipset -A banip "$ip"
done
iptables -I INPUT -m set --match-set banip src,dst -j DROP
iptables -I FORWARD -m set --match-set banip src,dst -j DROP

ipset -L allowports

Name: allowports
Type: bitmap:port
Revision: 3
Header: range 0-65535
Size in memory: 8264
References: 16
Number of entries: 4
Members:
137
138
139
445

new iptables -L -v -n

Chain INPUT (policy ACCEPT 757 packets, 619K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip dst
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip src
   42  3883 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set allowports dst
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set allowports src
Chain FORWARD (policy ACCEPT 197 packets, 11983 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip dst
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set banip src
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set allowports dst
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set allowports src

Solved!

As suggested by @MarkWagner I have reversed the rules and the problem is solved. This is because iptables rules are executed in order. The --insert (-I) rules are placed at the head of the chain, above the --append (-A) rules, but if there are two "--insert" rules, the last one will be the one at the head (first). So the right way is:

ipset flush banip
ipset -N -! banip hash:ip maxelem 1000000
for ip in $(cat blocklist.txt); do
    ipset -A banip "$ip"
done
iptables -I INPUT -m set --match-set banip src,dst -j DROP
iptables -I FORWARD -m set --match-set banip src,dst -j DROP
# inserted after the DROP rules, so they end up above them in the chain
for protocol in udp tcp; do
   iptables -I INPUT -m set --match-set banip src,dst -p $protocol -m multiport --dports 137,138,139,445 -j ACCEPT
   iptables -I FORWARD -m set --match-set banip src,dst -p $protocol -m multiport --dports 137,138,139,445 -j ACCEPT
done
acgbox
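As an added illustration (not part of the question or of the accepted fix), the following bash simulation models how iptables -I prepends and -A appends, then evaluates a constructed chain first-match-wins to show why the original insertion order drops tcp/445 from a banip address while the fixed order accepts it. All rules, ports and the ACCEPT policy are constructed from the question; nothing here talks to the real netfilter.

```shell
#!/bin/bash
# Constructed simulation (not real iptables): a chain is a space-separated
# list of rules "TARGET:PROTO:PORTS", evaluated first-match-wins like netfilter.
# Every simulated rule is assumed to already match the banip set, so only
# target, protocol and destination ports are modelled.
chain=""
rule_insert() { chain="$1 $chain"; }   # iptables -I: newest rule goes on top
rule_append() { chain="$chain $1"; }   # iptables -A: newest rule goes to the bottom

# Print the chain the way "iptables -L --line-numbers" would order it.
show_chain() { n=0; for r in $chain; do n=$((n + 1)); echo "$n $r"; done; }

# first_match PROTO DPORT -> prints the target of the first matching rule,
# or the chain policy (ACCEPT, as in the question's output) if nothing matches.
first_match() {
  for r in $chain; do
    target=${r%%:*}; rest=${r#*:}; proto=${rest%%:*}; ports=${rest#*:}
    if [ "$proto" = all ] || [ "$proto" = "$1" ]; then
      case ",$ports," in
        ",-,"|*",$2,"*) echo "$target"; return 0 ;;
      esac
    fi
  done
  echo ACCEPT
}

# The question's attempt: ACCEPT inserted first, DROP inserted after it.
# Because -I prepends, the DROP lands above the ACCEPT and shadows it.
build_original() {
  chain=""
  rule_insert ACCEPT:tcp:137,138,139,445
  rule_insert DROP:all:-
}

# Same two rules written with -A: appended rules keep the order they are written in.
build_appended() {
  chain=""
  rule_append ACCEPT:tcp:137,138,139,445
  rule_append DROP:all:-
}

# The accepted fix: insert the DROP first, then the exceptions, so the
# exceptions end up above the DROP (udp inserted before tcp, as in the loop).
build_fixed() {
  chain=""
  rule_insert DROP:all:-
  rule_insert ACCEPT:udp:137,138,139,445
  rule_insert ACCEPT:tcp:137,138,139,445
}
# verdict original|appended|fixed PROTO DPORT -> simulated verdict for one packet
verdict() { "build_$1"; first_match "$2" "$3"; }
```

Run `build_fixed; show_chain` to see the resulting order with the ACCEPT exceptions on top, and `verdict original tcp 445` versus `verdict fixed tcp 445` to compare the two verdicts.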
