I'm looking for a solid method to block unwanted TCP/IP traffic.
On my Linux machine, iptables and ipset seem to offer a nice way to do so.
Until now I've done this:
ipset create ipsok hash:net maxelem (result of wc -l for my cidr list in a file)
ipset add ipsok <network address>
And made sure this is the only ipset using:
service ipset status
This shows only ipset ipsok with the right number of entries. I've also made sure the ipset is used after a reboot. Then I add the ipset to the iptables rules:
iptables -I INPUT -m set --match-set ipsok src -j ACCEPT
To test whether this works, I let Tor provide me with an IP address and check it with:
ipset test ipsok <Tor IP address>
This tells me the address is NOT in the ipsok set.
When I point the Tor Browser at my machine, the connection is made. Is this correct? I thought the connection would fail because the IP address is not found in the ipset.
What do I need to do to make iptables (and ipset) block traffic NOT coming from any network address in ipset ipsok?
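An ACCEPT rule only admits what matches it; nothing is refused until a later DROP rule or a DROP chain policy exists, which is why the Tor connection above still succeeds. The script below is an added example, not code from the question or from any answer: it builds the set from a CIDR file and emits a filter table whose INPUT policy is DROP, assuming the set name ipsok from the question, an iptables build with the conntrack, set, limit and LOG modules, and a constructed sample CIDR list.

```shell
#!/bin/sh
# Added example, not from the question: build the "ipsok" allow list and an
# INPUT chain that drops everything not in it. Assumes ipset (hash:net) and
# iptables with the conntrack, set, limit and LOG modules; run as root to apply.
set -eu
# Constructed sample allow list (RFC 5737 ranges); use your own CIDR file.
SAMPLE_CIDRS="192.0.2.0/24
198.51.100.0/25
203.0.113.7/32"

# "ipset restore" script for set $1 from CIDR file $2; maxelem is the line
# count as in the question. An empty list is refused: applying it would lock
# every remote address out.
ipset_script() {
    n=$(grep -c '[^[:space:]]' "$2" || true)
    [ "$n" -gt 0 ] || { echo "ipset_script: $2 is empty" >&2; return 1; }
    printf 'create %s hash:net family inet maxelem %s\n' "$1" "$n"
    grep '[^[:space:]]' "$2" | while read -r net; do
        printf 'add %s %s\n' "$1" "$net"
    done
}

# iptables-restore filter table keyed on set $1. Order matters: loopback and
# established flows (including the SSH session applying this) are kept, set
# members are accepted, the DROP policy catches the rest, and the rate-limited
# LOG line records which sources were refused.
iptables_script() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m set --match-set $1 src -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "not in $1: "
COMMIT
EOF
}

# Load the set (-exist makes re-runs harmless) and replace the filter table.
# iptables-restore without -n discards any existing filter rules first.
apply_allowlist() {
    ipset_script "$1" "$2" | ipset -exist restore
    iptables_script "$1" | iptables-restore
}
# Usage: sh allowlist.sh apply /path/to/cidr-list
if [ "${1:-}" = apply ]; then apply_allowlist ipsok "$2"; fi
```

After applying, repeat the Tor test: `ipset test ipsok <address>` should still say the address is not in the set, and the refused connection now shows up in the kernel log with the `not in ipsok:` prefix.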