
I'm trying to filter out a country that keeps probing my SMTP server (CentOS 6) and I can't seem to get the ipset to work right in iptables.

I downloaded that country's IP addresses from ipdeny.com and installed the list as a text file. Originally, I had all my blacklist IP addresses in a big long iptables chain, but that could really affect the CPU adversely - hence my wanting to use an ipset.

Here's an excerpt from that IP addresses file:

185.40.4.31
80.82.65.237
2.60.0.0/14

So now I'm trying to use that list in an ipset set. I verify that the set is populated using 'ipset list'.

Name: blacklist
Type: hash:net
Header: family inet hashsize 2048 maxelem 65536
Size in memory: 108816
References: 1
Members:
....
185.40.4.31
185.40.152.0/22
...

With this ipset, I add it to iptables:

iptables -A INPUT -p tcp -m set --set blacklist src -j DROP

But when I try to test the set using hping3, the packets still get through.

hping3 --syn --destport 25 --count 3 -a 185.40.4.31 <server_ip>

When I was using the long iptables chain, things were working as expected.

Here's the abbreviated output of iptables -L -n (I edited out most of the 6200+ ipdeny entries):

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  217.199.240.0/20     0.0.0.0/0
DROP       all  --  217.199.208.0/20     0.0.0.0/0
...
DROP       all  --  2.60.0.0/14          0.0.0.0/0
DROP       all  --  94.102.50.41         0.0.0.0/0
DROP       all  --  80.82.65.237         0.0.0.0/0
DROP       all  --  185.40.4.31          0.0.0.0/0
ACCEPT     all  --  192.168.2.0/24       0.0.0.0/0
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:27944 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:27940
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           match-set blacklist src

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
  • Is it the only rule in iptables? You should probably add output of iptables-save to ease debugging.
    – darkk
    Commented Jul 26, 2015 at 19:07
  • Considering that my original post was edited by an admin to add capitalization to acronyms and to expand some abbreviations (really?), is it acceptable to add the iptables-save output?
    – pathrider
    Commented Jul 28, 2015 at 2:03
  • No "admin" edited your post. An ordinary member of the community did. Learn how editing works. And, I undeleted your post because I suspect you deleted it in error. Learn about moderators and what we do. Commented Jul 28, 2015 at 2:21
  • iptables -L -n is not as useful as iptables-save or iptables -L -v -n as interfaces are hidden.
    – darkk
    Commented Jul 28, 2015 at 9:25

1 Answer


Your rule never takes effect because you have added it to the end of the chain. Immediately preceding it is a rule to drop all traffic, thus your rule is never reached. In iptables, rules are matched in order; this is different from many other firewalls.

To resolve the problem, move the rule up earlier in the chain. And if you really want to blacklist those addresses, it should be as early as possible in the chain, e.g. the first rule.

  • You're probably right, but you can't say that for sure as iptables -L without -v option hides interface names.
    – darkk
    Commented Jul 28, 2015 at 9:24
  • It's very unlikely that there are interface names on that rule. And that doesn't explain the downvote. You're supposed to downvote wrong answers. Commented Jul 28, 2015 at 13:40
  • I expect to see interface names on rule ACCEPT all -- 0.0.0.0/0 0.0.0.0/0. And your assumption is wrong, it was not me who downvoted the answer :-)
    – darkk
    Commented Jul 29, 2015 at 9:43
  • @darkk And you assumed that I meant you downvoted me, which is also wrong. Commented Jul 29, 2015 at 15:39
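As an added example (not the original poster's or the answerer's code), the shell script below shows both halves of the fix discussed in this thread: loading an ipdeny-style zone file into an ipset with one `ipset restore` call instead of one iptables rule per network, and a small check over `iptables-save` output that reports whether the `--match-set` rule can be reached at all, i.e. whether an unconditional ACCEPT/DROP sits in front of it. The zone-file path, the set name and the two abbreviated rulesets are constructed assumptions modelled on the chain in the question; the live `ipset`/`iptables` calls run only when the script is invoked with `--apply` as root.

```shell
#!/bin/sh
# Added example, not from the original post or answer.
# 1. build an `ipset restore` script from an ipdeny-style zone file;
# 2. check iptables-save output for the answer's point: a catch-all
#    ACCEPT/DROP earlier in INPUT shadows every rule after it.
set -e

SET_NAME="${SET_NAME:-blacklist}"
ZONE_FILE="${ZONE_FILE:-/tmp/blacklist.zone}"   # assumed path to the ipdeny file

# Emit an `ipset restore` script: one create line, then one add per network.
# Loading 6000+ entries this way is far faster than one `ipset add` per line.
build_ipset_restore() {
    printf 'create %s hash:net family inet hashsize 2048 maxelem 65536 -exist\n' "$1"
    grep -Ev '^[[:space:]]*(#|$)' "$2" | while IFS= read -r net; do
        printf 'add %s %s -exist\n' "$1" "$net"
    done
}

# Read iptables-save output on stdin; print the 1-based position in INPUT of
# the first rule matching set $1, or 0 if there is none.
set_rule_position() {
    awk -v setname="$1" '
        /^-A INPUT / {
            n++
            if (index($0, "--match-set " setname " src")) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# Read iptables-save output on stdin; print the position of the first INPUT
# rule that has no match at all and a terminating target, or 0 if none.
first_catchall_position() {
    awk '
        /^-A INPUT / {
            n++
            if ($0 ~ /^-A INPUT -j (ACCEPT|DROP|REJECT)$/) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# check_reachable SET "iptables-save text": succeed only if the set rule
# exists and no catch-all rule precedes it.
check_reachable() {
    pos=$(printf '%s\n' "$2" | set_rule_position "$1")
    catchall=$(printf '%s\n' "$2" | first_catchall_position)
    if [ "$pos" -eq 0 ]; then
        echo "no --match-set $1 rule in INPUT"; return 1
    fi
    if [ "$catchall" -ne 0 ] && [ "$catchall" -lt "$pos" ]; then
        echo "match-set rule at $pos is shadowed by catch-all rule at $catchall"; return 1
    fi
    echo "match-set rule at $pos is reachable"
}

# Constructed, abbreviated iptables-save view of the chain in the question:
# the set rule sits after an unconditional DROP, so it never fires.
SAMPLE_BEFORE=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -s 2.60.0.0/14 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A INPUT -p tcp -m set --match-set blacklist src -j DROP
COMMIT
EOF
)

# Same chain after the fix: the set rule is inserted at position 1.
SAMPLE_AFTER=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -s 2.60.0.0/14 -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
COMMIT
EOF
)

# Apply on a real host (root): insert at position 1 so nothing can shadow it,
# drop the -p tcp restriction so non-TCP probes from the set are blocked too,
# then verify against the live ruleset.
apply_rules() {
    build_ipset_restore "$SET_NAME" "$ZONE_FILE" | ipset restore
    iptables -D INPUT -p tcp -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null || true
    iptables -I INPUT 1 -m set --match-set "$SET_NAME" src -j DROP
    check_reachable "$SET_NAME" "$(iptables-save)"
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    check_reachable "$SET_NAME" "$SAMPLE_BEFORE" || true
    check_reachable "$SET_NAME" "$SAMPLE_AFTER"
fi
```

Confirm the result on the live box with `iptables -L INPUT -v -n --line-numbers`: `-v` shows the packet counters and the interface each rule is bound to, both of which plain `iptables -L -n` hides. When testing with `hping3 -a <spoofed source>`, the spoofed host is the one that would see any reply, so the pkts counter on the match-set rule, not hping's output, is what tells you the rule fired. Also note that ipset members live only in kernel memory: write them out with `ipset save` to a file that a boot script restores before the iptables rules are restored, because `iptables-restore` refuses a rule that references a set which does not exist yet.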
