
How to correctly add an IP address to ipset from an iptables rule? Or isn't that possible at all?

This rule doesn't work for me: -A INPUT -m recent --name IP_LIST --set

The type of IP_LIST is hash:net; IP_LIST was created using the command ipset create IP_LIST hash:net

But checking the same list for an IP to drop it, works: -A INPUT -m set --match-set IP_LIST src -j DROP

2
  • I don't think you understand what ipset does or is used for - -j SET is used to add an entry to an ipset. Please consider rewording your question to explain what your overall objective is in terms of traffic filtering.
    – Olipro
    Commented May 12, 2013 at 2:01
  • @Olipro, thank you! -j SET is what I was looking for (adding an entry to an ipset from an iptables rule)
    – RIscRIpt
    Commented May 12, 2013 at 7:53

3 Answers 3

2

So, since -j SET is what you wanted:

Within iptables, -m set is used when you want to compare a packet against an ipset (-m stands for match); it can be used multiple times within a single rule.

-j SET, on the other hand, is used to insert an entry into an ipset; it is a non-terminating target, meaning that rule traversal will continue.

You should read the iptables manpage for a full explanation of the expected syntax.

2

As @Olipro and @0x534B41 said, I mustn't use -m recent. So, to add an entry to ipset from an iptables rule, you should use -j SET --add-set IPSET_LIST src
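As an added example (not part of the original answers), here is the full pattern the thread arrives at, wired into a self-populating blocklist: the DROP rule checks the set with -m set --match-set, and a trap rule on an otherwise unused port adds the source with -j SET --add-set. The set name IP_LIST comes from the question; the trap port 2222, the 1-hour entry timeout and the function names are my assumptions. The rule text is generated by functions so it can be inspected and checked before anything is loaded into the kernel.

```shell
#!/bin/sh
# Added example, not from the original page. Assumed names: IP_LIST (from the
# question), trap port 2222, 1-hour timeout.
SET_NAME="IP_LIST"
TRAP_PORT="2222"

# ipset definition in "ipset restore" format: hash:net as in the question, plus
# a timeout so trapped addresses expire instead of accumulating forever.
ipset_definition() {
    printf 'create %s hash:net timeout 3600\n' "$SET_NAME"
}

# Filter rules in iptables-restore format. Order matters: the DROP on the set
# comes first so a listed address is rejected immediately. -j SET is
# non-terminating, so the trap rule is followed by an explicit DROP.
iptables_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m set --match-set $SET_NAME src -j DROP
-A INPUT -p tcp --dport $TRAP_PORT -m conntrack --ctstate NEW -j SET --add-set $SET_NAME src
-A INPUT -p tcp --dport $TRAP_PORT -j DROP
COMMIT
EOF
}

# Load into the kernel (needs root and the ipset/iptables tools). -exist makes
# the set creation idempotent; --noflush keeps existing rules in place.
apply_rules() {
    ipset_definition | ipset -exist restore
    iptables_rules | iptables-restore --noflush
}

# Sanity check on the generated text: the drop-on-match rule must precede the
# add-to-set rule, otherwise a newly listed address still passes the trap rule
# on its way to the remaining chain.
rules_ordered() {
    drop_line=$(iptables_rules | grep -n -- "--match-set $SET_NAME src -j DROP" | cut -d: -f1)
    add_line=$(iptables_rules | grep -n -- "--add-set $SET_NAME src" | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$add_line" ] && [ "$drop_line" -lt "$add_line" ]
}
```

Run rules_ordered and review the output of iptables_rules before calling apply_rules on a live host.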

0

The iptables documentation suggests that the recent module has nothing to do with ipset. Instead it creates dynamic lists which are used only by itself. The lists the recent module uses are exposed via procfs at /proc/net/xt_recent/
