1

How to correctly add an IP address to ipset from an iptables rule? Or isn't that possible at all?

This rule doesn't work for me: -A INPUT -m recent --name IP_LIST --set

The type of IP_LIST is hash:net; IP_LIST was created with the command: ipset create IP_LIST hash:net

But checking the same list for an IP in order to drop it works: -A INPUT -m set --match-set IP_LIST src -j DROP

Serguei
  • 127
  • 9
RIscRIpt
  • 33
  • 1
  • 5
  • I don't think you understand what ipset does or is used for - -j SET is used to add an entry to an ipset. Please consider rewording your question to explain what your overall objective is in terms of traffic filtering. – Olipro May 12 '13 at 02:01
  • @Olipro, thank you! _-j SET_ is what I was looking for (adding an entry to ipset from an iptables rule) – RIscRIpt May 12 '13 at 07:53

3 Answers

2

As @Olipro and @0x534B41 said, I mustn't use -m recent. So, to add an entry to ipset from an iptables rule, you should use -j SET --add-set IPSET_LIST src

RIscRIpt
  • 33
  • 1
  • 5
1

So, since -j SET is what you wanted:

Within iptables, -m set is used when you want to compare a packet against an ipset (-m stands for match); it can be used multiple times within a single rule.

-j SET, on the other hand, is used to insert an entry into an ipset; it is a non-terminating target, meaning that rule traversal will continue.

You should read the iptables manpage for a full explanation of the expected syntax.

Olipro
  • 3,007
  • 19
  • 18
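Putting the accepted answer's -j SET --add-set and this answer's point about -m set versus the non-terminating -j SET target together, here is an added example (not code from the question or from either answer) that builds a small self-expiring blocklist. The set name BLOCK_LIST, the bait TCP port 2222 and the one-hour entry timeout are my assumptions; with DRY_RUN set the script prints the commands instead of running them, which also lets you inspect the rule order without root.

```sh
#!/bin/sh
# Added example: an ipset-backed dynamic blocklist using only -j SET and -m set.
# Assumed names: set BLOCK_LIST, bait port 2222 (nothing legitimate listens
# there), entries expire after 3600 seconds.
set -eu

SET_NAME=BLOCK_LIST
BAIT_PORT=2222
TTL=3600

# With DRY_RUN set, print each command instead of executing it (root is
# needed otherwise).
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

install_blocklist() {
    # Entries expire after TTL seconds; -exist makes re-running this harmless.
    run ipset create "$SET_NAME" hash:ip timeout "$TTL" -exist

    # 1. Anything already in the set is dropped.  This rule must come first:
    #    the -j SET rule below is non-terminating and never drops anything.
    run iptables -A INPUT -m set --match-set "$SET_NAME" src -j DROP

    # 2. A connection to the bait port records the source address in the set
    #    (--exist resets the timeout of an address that is already listed).
    run iptables -A INPUT -p tcp --dport "$BAIT_PORT" \
        -j SET --add-set "$SET_NAME" src --exist

    # 3. Because -j SET continued rule traversal, the bait packet itself is
    #    still being processed; drop it explicitly.
    run iptables -A INPUT -p tcp --dport "$BAIT_PORT" -j DROP
}

# 1-based position of the first emitted command matching pattern $2 in the
# dry-run output $1, so the ordering can be checked before applying anything.
rule_position() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    apply)   install_blocklist ;;
    dry-run) DRY_RUN=1; install_blocklist ;;
esac
```

Run it as `sh blocklist.sh dry-run` to see the four commands in order, or `sh blocklist.sh apply` as root to install them.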
0

The iptables documentation suggests that the recent module has nothing to do with ipset. Instead it creates dynamic lists that are used only by the module itself. The lists the recent module uses are exposed via procfs at /proc/net/xt_recent/

skarap
  • 733
  • 5
  • 7