1

I would highly appreciate it if someone could help on a quite simple ipset rule I am trying to set up. I cannot really understand why it does not seem to work. So here it goes:

  1. I create a simple file with IP addresses I would like to block and call it blocklist.

  2. Then I create my ipset and reference it like this:

    ipset create blocklist nethash
for i in $(cat /path/to/blocklist); do ipset add blocklist $i; done
-A INPUT -p tcp --match multiport --dport 25,587 -m set --match-set blocklist src -j DROP

When I verify it with

ipset test blocklist (IP address here) and press enter

it says the IP address is on the list.

When I verify it with

iptables -L -n -v

it says my iptables' rule is there and in action.

However, when I connect from the IP address that is on the blocklist it does not block this IP address by saying connection timed out, it simply gets connected and goes right through... I am lost... Could anybody advise, please where is there a mistake in my setting? Any pointers / assistance / suggestions, etc. are most welcome! Many thanks in advance!

P.S. It works OK when I set it without any multiport options and blocks only one port like this:

-A INPUT -p tcp --dport 80 -m set --match-set blocklist src -j DROP

but when I do the same thing but on the 25th port it won't work:

-A INPUT -p tcp --dport 25 -m set --match-set blocklist src -j DROP

I cannot really figure it out. I have Postfix running OK and listening onto my 25th port.

P.S.S. The only thing that comes to my mind is that there is a limit of ipset's sets that I can have (is that possible at all?) that's why my last rule does not work because it's being pushed out of the allowed limit... clueless...

Serguei
  • 127
  • 9
Klaipedaville
  • 41
  • 1
  • 1
  • 6

3 Answers3

3

I may have to answer my own question as it looks like that nobody at serverfault knows the answer. Well, this is really simple. Since iptable rules work successively then all that was needed was to change from -A INPUT to -I INPUT in my code above. Problem solved.

It created amended (-A) rules in my input chain and put them at the back which seemed to conflict with the other rules that came before it. The trick was to do insert (-I) which created a new rule and put it in front that stopped the conflict with the others and started working perfectly well.

Hope it will help someone out as well.

Klaipedaville
  • 41
  • 1
  • 1
  • 6
2

The problem is with the iptables rule:

-A INPUT -p tcp --match multiport --dport 25,587 -m set --match-set blocklist src -j DROP
                                  ^^^^^^^

The parameter for multiport match is --dports, not --dport:

-A INPUT -p tcp --match multiport --dports 25,587 -m set --match-set blocklist src -j DROP
                                  ^^^^^^^^
Tomek
  • 3,390
  • 1
  • 16
  • 10
0

As you seem to have discovered, there is nothing fundamentally wrong with what you were doing - it just seems to you got bitten by iptables rule precedence. a.k.a. first match wins.

In general, you would probably want your INPUT chain to look something like:

-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m set --match-set blocklist src -j DROP
<... other rules ....>
-A INPUT -j LOG
-A INPUT -j DROP

You may want to consider looking into fail2ban, which might help automate the population of your ipsets based on the jails you configure for it (tl;dr: jails link to filters, which run regex on specified files/log events (e.g. failed SSH login, requests for admin panel URLs, etc), extract an IP, and add/remove it from the appropriate ipsets).

iwaseatenbyagrue
  • 3,688
  • 15
  • 24
  • I have fail2ban running and when it's restarted their rules tend to "jump up" on top and "win as the first match" pushing my own rules down the line thus making my rules inactive or conflicting with them, therefore I consider un-installing fail2ban for testing, it's being closely watched now. In fact, this fail2ban's was the second issue after I had discovered my trouble with -A IPNUT and -I INPUT. – Klaipedaville Mar 27 '17 at 04:45
  • Right - in my mind, your setup seemed to duplicate some of fail2ban's functionality and intent - hence my suggestion. In that case, you could (possibly) have re-used fail2ban's ipsets to add your own IPs where needed, and would have avoided a conflict between your rules and those of fail2ban. But it was only a suggestion - so long as you've found a way to do what you wanted, no need to change your habits. – iwaseatenbyagrue Mar 27 '17 at 09:45
  • Well, I have always used my own rules and my own iptable / ipset setups. I have been trying fail2ban for only a couple of months just to check them out. However, I do not see any help / much improvement from having this fail2ban running. I would say it's even on the contrary, it gives me more trouble than benefits (provided they are used together with mine of course). On the other hand since I figured out where the issue was I might as well keep this fail2ban for some more time just to see if they are any good at all to have as an extra protection on top and in addition with my setup. – Klaipedaville Mar 27 '17 at 16:13