
I am trying to block all traffic except US and Canada. I added all US and Canada IPs to the ipset geoblock, and when I try this command I get an error.

iptables -A INPUT -m set --set !geoblock src -j DROP
-bash: !geoblock: event not found

but when i run this command

ipset list

I am getting all the IPs, so there is nothing wrong with the name and the ipset. I am using iptables v1.4.21 on CentOS 7.3.1611.

    The fact that you are getting a **bash** error makes me think you need to escape your `!`. But I am not sure. – Zoredache Feb 16 '17 at 17:42

2 Answers


Solution:

Following is the correct command line:

iptables -A INPUT -m set ! --match-set geoblock src -j DROP

Explanation:

javier@equipo-javier:~$ sudo ipset create geoblock hash:net
javier@equipo-javier:~$ sudo iptables -A INPUT -m set --set '!geoblock' src -j DROP
--set option deprecated, please use --match-set
iptables v1.4.21: Set !geoblock doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.

1st correction:

javier@equipo-javier:~$ sudo iptables -A INPUT -m set --match-set '!geoblock' src -j DROP
iptables v1.4.21: Set !geoblock doesn't exist.

Try `iptables -h' or 'iptables --help' for more information.

2nd correction:

javier@equipo-javier:~$ sudo iptables -A INPUT -m set ! --match-set geoblock src -j DROP
javier@equipo-javier:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m set ! --match-set geoblock src -j DROP

Now it works.

Javier Dev
  • This is the correct answer. If you tried putting a space between ! and geoblock then iptables would have also informed you of the correct syntax. – kingmilo May 29 '17 at 16:53
  • Sorry, but I am not able to get that iptables' output suggesting the correct syntax. Could you copy an example here? – Javier Dev Jul 29 '17 at 15:10
  • Sure, my ipset lists are called whitelist and geoblock. I'm using ipset v6.11 and iptables 1.4.7 `/sbin/iptables -I INPUT 1 -m set --match-set whitelist src,dst -j ACCEPT /sbin/iptables -I INPUT 2 -m set --match-set geoblock src,dst -j DROP` – kingmilo Aug 01 '17 at 06:00

As Zoredache mentioned, the bash error indicates this is a quoting issue. Putting that argument in single quotes or using a backslash to escape the exclamation mark will get around the immediate issue:

iptables -A INPUT -m set --set '!geoblock' src -j DROP

or

iptables -A INPUT -m set --set \!geoblock src -j DROP
chicks
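The two answers above touch two separate problems: bash's interactive history expansion (`-bash: !geoblock: event not found`, which `set +H` turns off for the session) and iptables' own syntax, where the `!` must be a separate argument before `--match-set` rather than part of the set name. The script below is an added example, not code from either answer; it builds the set and the negated rule with `!` always passed as its own argument, so neither problem can occur, and it adds the loopback and conntrack accepts a practitioner wants in front of a "drop everything not in the set" rule. The path `/etc/geoblock/allow.cidr` is an assumed location for the CIDR list, and `DRY_RUN` defaults to 1 so the script only prints what it would do until you deliberately switch it off.

```shell
#!/bin/sh
# Added example (not from the question or answers). Builds the geoblock ipset
# and the negated iptables rule with "!" kept as its own argument.
# Assumptions: ipset and iptables on PATH, a CIDR list at $GEOBLOCK_LIST
# (hypothetical path), and root privileges when DRY_RUN is set to 0.

SET_NAME="${SET_NAME:-geoblock}"
GEOBLOCK_LIST="${GEOBLOCK_LIST:-/etc/geoblock/allow.cidr}"  # assumed path
DRY_RUN="${DRY_RUN:-1}"  # print by default; never touch a live firewall by accident

# run: execute a command, or print it when DRY_RUN=1. Arguments stay separate,
# so "!" is never glued onto the set name the way "!geoblock" was.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipset_restore_script: turn a CIDR list (one per line, "#" comments and blank
# lines allowed) into input for "ipset restore": a create line, then add lines.
ipset_restore_script() {
    set_name="$1"
    list="$2"
    printf 'create %s hash:net family inet\n' "$set_name"
    grep -Ev '^[[:space:]]*(#|$)' "$list" | while read -r cidr; do
        printf 'add %s %s\n' "$set_name" "$cidr"
    done
}

# drop_rule: the negated match. "!" is a standalone argument, so iptables negates
# --match-set; "!geoblock" would instead be looked up as a set name and fail.
drop_rule() {
    run iptables -A INPUT -m set ! --match-set "$1" src -j DROP
}

# apply_rules: create/fill the set, keep loopback and already-established
# traffic working, then drop anything whose source is not in the set.
apply_rules() {
    if [ "$DRY_RUN" = "1" ]; then
        ipset_restore_script "$SET_NAME" "$GEOBLOCK_LIST"
    else
        # -exist makes re-running idempotent (existing set/entries are not errors)
        ipset_restore_script "$SET_NAME" "$GEOBLOCK_LIST" | ipset -exist restore
    fi
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    drop_rule "$SET_NAME"
}

# Only act when the list exists; otherwise explain and leave the firewall alone.
if [ -r "$GEOBLOCK_LIST" ]; then
    apply_rules
else
    printf 'no CIDR list at %s; nothing applied\n' "$GEOBLOCK_LIST" >&2
fi
```

Run it once with the default `DRY_RUN=1` and read the printed commands; only then run `DRY_RUN=0 sh geoblock.sh` as root, ideally from a console session rather than over SSH, since the DROP rule applies to every source not in the set, including your own.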