From: "Jorge Agrelo" <jagrelo@novadevices.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter@lists.netfilter.org
Subject: Re: IPSET issue ???
Date: Wed, 30 Mar 2005 17:09:58 -0500
Message-ID: <424ADD66.23629.6DAE69D5@localhost>
In-Reply-To: <Pine.LNX.4.58.0503300947090.4659@blackhole.kfki.hu>
Hi Jozsef
Thanks for your reply; one last question regarding IPSET.
Can I define the protocol in the portmap set type? I mean, can I do
this?
ipset -N ports portmap
ipset -A ports tcp/53
ipset -A ports udp/53
ipset -A ports tcp/25
ipset -A ports tcp/110
......
If not, is there any way to do that?
Thanks in advance.
On 30 Mar 2005 at 9:57, Jozsef Kadlecsik wrote:
> Hi,
>
> On Tue, 29 Mar 2005, Jorge Agrelo wrote:
>
> > I want to block the offensive network list supplied by dshield
> > (http://feeds.dshield.org/block.txt) using the IPSET match; can anybody tell me if the
> > following stuff is correct.
> >
> > ipset -N bogons-nets nethash
> > ipset -A bogons-nets 81.208.28.0/24
> > ipset -A bogons-nets 141.50.163.0/24 ..........
> > iptables -N blocklist
> > iptables -A blocklist -m set --set bogons-nets src,dst -j DROP
> > iptables -A INPUT -i ! lo -m state ! --state ESTABLISHED -j blocklist
> > iptables -A FORWARD -m state ! --state ESTABLISHED -j blocklist
> > iptables -A OUTPUT -o ! lo -m state ! --state ESTABLISHED -j blocklist
> >
> > I want to block the source and destination traffic from/to these
> > networks; I'm not sure how to use the tokens src and dst and
> > the set type (nethash) in IPSET???
>
> No, assuming you want to block access from and to the networks in the
> set bogons-nets:
>
> iptables -A blocklist -m set --set bogons-nets src -j DROP
> iptables -A blocklist -m set --set bogons-nets dst -j DROP
>
> Multiple 'src' and 'dst' tokens can be used when you bind set elements to
> other sets and want to follow the bindings, for example when you want
> to represent your servers by ipset:
>
> ipset -N servers ipmap ....
> ipset -A servers x.x.x.x
> ...
> ipset -N services portmap...
> ipset -A services ssh
> ...
> ipset -N clients iphash
> ipset -A clients y.y.y.y
> ...
> # Glue the corresponding set elements together with bindings
> ipset -B servers x.x.x.x -b services
> ipset -B services ssh -b clients
>
> # Restrict access to "all" servers on "all" service ports
> # from "all" allowed clients in one iptables rule
> iptables -A FORWARD -m set --set servers dst,dst,src -j ACCEPT
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
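The following is an added example, not code posted by Jorge or Jozsef: a small POSIX shell script that turns a dshield-style block list into the ipset 2.x and iptables commands the thread discusses, so the set is filled from the feed and the src and dst checks are emitted as two separate rules, appended to the chain that was actually created (blocklist), as Jozsef's reply recommends. It only prints commands and never touches the kernel. The function names (gen_ipset_adds, gen_iptables_rules, build_script) are mine, the tab-separated "start, end, prefix-length" row layout is an assumption about the feed, and the sample rows, including the 10.0.0.0/8 entry that exercises a short prefix, are constructed, not taken from dshield.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns a dshield-style block list
# into the ipset/iptables commands discussed above. It only prints the
# commands; nothing here touches the kernel.
# Assumption: the feed is tab-separated "start<TAB>end<TAB>prefix-bits ..."
# with '#' comment lines. The rows below are constructed sample data.

SAMPLE_BLOCKLIST=$(
    printf '# constructed sample: start end netmask attacks name\n'
    printf '%s\t%s\t%s\t%s\t%s\n' \
        81.208.28.0  81.208.28.255  24 1234 constructed-net-a \
        141.50.163.0 141.50.163.255 24  987 constructed-net-b
    printf '\n'
    printf '%s\t%s\t%s\t%s\t%s\n' 10.0.0.0 10.255.255.255 8 5 constructed-net-c
)

# Read block-list rows on stdin and print one "ipset -A <set> <start>/<bits>"
# per valid row. Comment and blank lines are skipped; rows whose third field
# is not a prefix length 0-32 are dropped rather than turned into a bad rule.
# Exit status is 1 when no row was usable, so a broken feed is noticed.
gen_ipset_adds() {
    awk -F'\t' -v setname="$1" '
        /^[[:space:]]*(#|$)/ { next }
        NF >= 3 && $1 ~ /^[0-9.]+$/ && $3 ~ /^[0-9]+$/ && $3 <= 32 {
            printf "ipset -A %s %s/%s\n", setname, $1, $3
            n++
        }
        END { exit (n > 0 ? 0 : 1) }'
}

# Print the iptables side: one rule for source matches and one for
# destination matches, as Jozsef's reply describes, all appended to the
# chain that was actually created, then the jumps into that chain.
gen_iptables_rules() {
    set_name=$1
    chain=$2
    printf '%s\n' \
        "iptables -N $chain" \
        "iptables -A $chain -m set --set $set_name src -j DROP" \
        "iptables -A $chain -m set --set $set_name dst -j DROP" \
        "iptables -A INPUT -i ! lo -m state ! --state ESTABLISHED -j $chain" \
        "iptables -A FORWARD -m state ! --state ESTABLISHED -j $chain" \
        "iptables -A OUTPUT -o ! lo -m state ! --state ESTABLISHED -j $chain"
}

# Assemble a complete script: create the set, fill it, then add the rules.
# Usage: build_script bogons-nets blocklist < block.txt > load-blocklist.sh
build_script() {
    printf 'ipset -N %s nethash\n' "$1"
    gen_ipset_adds "$1" || { echo "no usable block-list rows" >&2; return 1; }
    gen_iptables_rules "$1" "$2"
}

# Demo on the constructed sample when run directly.
printf '%s\n' "$SAMPLE_BLOCKLIST" | build_script bogons-nets blocklist
```

Creating the set before the iptables rules matters because the set match refuses to reference a set that does not exist yet; the generated script keeps that order. Reviewing the printed output before piping it into a root shell is the cheap check that a malformed feed line did not become a wildcard rule.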