IPset ports question.

From: Rob Carlson
Date: 2005-07-18 18:42 UTC
To: Netfilter User Mailing List

Is there a way to bind an IPSet hash to a port, and if so, what is the syntax?

I had a rule for a CIDR block that I bound to a port set and then was able to reject incoming traffic from that CIDR block addressed to specific ports, and that worked very well.

Now I would like to be able to take an iphash and a nethash (currently blocking all traffic) and reject traffic from the hashed addresses going specifically to ports 22 and 25 only.

Thanks for any help.

-- 
Rob Carlson, Systems and Network Administrator
Kitchen & Associates Architectural Services, PA
Architecture - Planning - Interior Design
856.854.1880
Re: IPset ports question.

From: Jozsef Kadlecsik
Date: 2005-07-19 8:42 UTC
To: Rob Carlson
Cc: Netfilter User Mailing List

Hi Rob,

On Mon, 18 Jul 2005, Rob Carlson wrote:

> Is there a way to bind an IPSet hash to a port,
> and if so, what is the syntax?

The syntax is the same in all cases:

    ipset -B <setname> <elem> -b <name of set to bind elem from setname>

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
Re: IPset ports question.

From: Rob Carlson
Date: 2005-07-19 19:13 UTC
To: Jozsef Kadlecsik
Cc: Netfilter User Mailing List

Jozsef,

Somehow I'm still blocking all traffic from the iphash entries after binding the hash to the port (port 80, for instance).

For background purposes, this is how I am blocking traffic with the iphash:

    iptables -A testset -m set --set testset src -j LTREJECT
    iptables -I FORWARD 2 -i eth1 -j testset
    iptables -I INPUT 2 -i eth1 -j testset

This works fine for blocking all traffic. However, since I now want specifically to only drop port 22 and port 25 entries (that is most of the nuisance traffic) and allow port 80 for example, I did the following:

    ipset -N ports portmap --from 1 --to 1024
    ipset -A ports 22
    ipset -A ports 25
    ipset -B testset :default: -b ports

Now, if I run "ipset -n -L testset", I get the following:

    Name: testset
    Type: iphash
    References: 1
    Default binding: ports
    Header: hashsize: 1024 probes: 8 resize: 50
    Members:
    <List of Entries>
    Bindings:

In order to test what I have, I added to the hash the address of an external machine (that I can always reach) to see if I could access the web page, but _not_ the ssh port. However, when the address is in the hash, _all_ ports still seem to be blocked, i.e. no web access OR ssh. Removing the address from the hash fixes this.

In order to see if something was cached and blocking the address, I tried removing the iptables entry for testset and re-adding it. The result is the same.

Is there something in the order of what I am doing that causes the LTREJECT to affect traffic to all ports, and not just the ports that I bound to the iphash?

Thanks,
Rob

Jozsef Kadlecsik wrote:
> Hi Rob,
>
> On Mon, 18 Jul 2005, Rob Carlson wrote:
>
>> Is there a way to bind an IPSet hash to a port,
>> and if so, what is the syntax?
>
> The syntax is the same in all cases:
>
>     ipset -B <setname> <elem> -b <name of set to bind elem from setname>
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
>           H-1525 Budapest 114, POB. 49, Hungary

-- 
Rob Carlson, Systems and Network Administrator
Kitchen & Associates Architectural Services, PA
Architecture - Planning - Interior Design
856.854.1880
Re: IPset ports question.

From: Jozsef Kadlecsik
Date: 2005-07-19 20:09 UTC
To: Rob Carlson
Cc: Netfilter User Mailing List

Hi Rob,

On Tue, 19 Jul 2005, Rob Carlson wrote:

> iptables -A testset -m set --set testset src -j LTREJECT
> iptables -I FORWARD 2 -i eth1 -j testset
> iptables -I INPUT 2 -i eth1 -j testset
>
> This works fine for blocking all traffic. However
> since I now want specifically to only drop port 22
> and port 25 entries (that is most of the nuisance
> traffic) and allow port 80 for example, I did the
> following:
>
> ipset -N ports portmap --from 1 --to 1024
> ipset -A ports 22
> ipset -A ports 25
> ipset -B testset :default: -b ports

You forgot to replace the iptables command above with the one which instructs the SET target to follow bindings. What you need is

    iptables -A testset -m set --set testset src,dst -j LTREJECT

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
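To show why `src` alone rejects every port while `src,dst` follows the binding, here is a small added model of the ipset 2.x binding lookup; it is constructed for this thread, not ipset's own code, and the host address 198.51.100.7 and the assumption that a set with no binding simply ignores the remaining flags are mine.

```python
# Constructed model (not ipset's own code) of how ipset 2.x bindings steer a
# multi-flag `-m set` match, using the sets from this thread.
from dataclasses import dataclass, field

@dataclass
class IpSet:
    name: str
    kind: str                      # "iphash" matches IPs, "portmap" matches ports
    members: set = field(default_factory=set)
    default_binding: str = None    # set by `ipset -B <set> :default: -b <other>`
    bindings: dict = field(default_factory=dict)   # element -> bound set name

    def key(self, flag):
        # iphash reads the src/dst address, portmap the src/dst port
        return f"{flag}_ip" if self.kind == "iphash" else f"{flag}_port"

def set_match(sets, setname, flags, packet):
    """Emulate `-m set --set <setname> flag[,flag]`: each flag is checked in
    the current set; between flags, the binding of the matched element (or the
    set's default binding) selects the next set. Assumption: without any
    binding the remaining flags are simply ignored."""
    current = sets[setname]
    for i, flag in enumerate(flags):
        value = packet[current.key(flag)]
        if value not in current.members:
            return False
        if i == len(flags) - 1:
            return True
        nxt = current.bindings.get(value, current.default_binding)
        if nxt is None:
            return True
        current = sets[nxt]
    return True

def thread_setup():
    """Rob's sets: nuisance hosts (constructed address) bound to ports 22/25."""
    # ipset -N ports portmap --from 1 --to 1024; ipset -A ports 22; ipset -A ports 25
    ports = IpSet("ports", "portmap", {22, 25})
    # ipset -N testset iphash; ipset -B testset :default: -b ports
    testset = IpSet("testset", "iphash", {"198.51.100.7"}, default_binding="ports")
    return {"ports": ports, "testset": testset}

def rejected(flags, packet):
    """True if `-m set --set testset <flags> -j LTREJECT` would fire."""
    return set_match(thread_setup(), "testset", flags, packet)

if __name__ == "__main__":
    web = {"src_ip": "198.51.100.7", "dst_port": 80}
    print("src only -> web rejected:", rejected(["src"], web))          # True
    print("src,dst  -> web rejected:", rejected(["src", "dst"], web))   # False
```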
Re: IPset ports question.

From: Rob Carlson
Date: 2005-07-19 20:58 UTC
To: Jozsef Kadlecsik
Cc: Netfilter User Mailing List

That did it. Thanks again, Jozsef

Jozsef Kadlecsik wrote:
> Hi Rob,
>
> On Tue, 19 Jul 2005, Rob Carlson wrote:
>
>> iptables -A testset -m set --set testset src -j LTREJECT
>> iptables -I FORWARD 2 -i eth1 -j testset
>> iptables -I INPUT 2 -i eth1 -j testset
>>
>> This works fine for blocking all traffic. However
>> since I now want specifically to only drop port 22
>> and port 25 entries (that is most of the nuisance
>> traffic) and allow port 80 for example, I did the
>> following:
>>
>> ipset -N ports portmap --from 1 --to 1024
>> ipset -A ports 22
>> ipset -A ports 25
>> ipset -B testset :default: -b ports
>
> You forgot to replace the iptables command above with the one
> which instructs the SET target to follow bindings. What you need is
>
>     iptables -A testset -m set --set testset src,dst -j LTREJECT
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
>           H-1525 Budapest 114, POB. 49, Hungary

-- 
Rob Carlson, Systems and Network Administrator
Kitchen & Associates Architectural Services, PA
Architecture - Planning - Interior Design
856.854.1880