ipset not being applied to iptables

cardinalPilot asked:

I’m trying to filter out a country that keeps probing my SMTP server (CentOS6) and I can’t seem to get the ipset to work out right in iptables.

I downloaded that country's IP addresses from ipdeny.com and installed the list as a text file. Originally, I had all my blacklist IP addresses in a big long iptables chain, but that could really affect the CPU adversely – hence me wanting to use an ipset.

Here’s an excerpt from that IP addresses file:

185.40.4.31
80.82.65.237
2.60.0.0/14

So now I’m trying to use that list in an ipset set. I verify the ipset set is populated using ‘ipset list’.

Name: blacklist
Type: hash:net
Header: family inet hashsize 2048 maxelem 65536
Size in memory: 108816
References: 1
Members:
....
185.40.4.31
185.40.152.0/22
...

With this ipset, I add it to iptables:

iptables -A INPUT -p tcp -m set --set blacklist src -j DROP

But when I try and test the set using hping3, the packages still get through.

hping3 --syn --destport 25 --count 3 -a 185.40.4.31 <server_ip>

When I was using the long iptables chain, things were working as expected.

Here’s the abbreviated output of iptables -L -n (I edited out most of the 6200+ ipdeny entries)

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  217.199.240.0/20     0.0.0.0/0
DROP       all  --  217.199.208.0/20     0.0.0.0/0
...
DROP       all  --  2.60.0.0/14          0.0.0.0/0
DROP       all  --  94.102.50.41         0.0.0.0/0
DROP       all  --  80.82.65.237         0.0.0.0/0
DROP       all  --  185.40.4.31          0.0.0.0/0
ACCEPT     all  --  192.168.2.0/24       0.0.0.0/0
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:27944 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:27940
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           match-set blacklist src

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

My answer:


Your rule never takes effect because you have added it to the end of the chain. Immediately preceding it is a rule to drop all traffic, thus your rule is never reached. In iptables, rules are matched in order; this is different than many other firewalls.

To resolve the problem, move the rule up to earlier in the chain. And if you really want to blacklist those addresses, it should be as early as possible in the chain, e.g. the first rule.


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.