From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rob Carlson
Subject: Re: IPset ports question.
Date: Tue, 19 Jul 2005 16:58:15 -0400
Message-ID: <42DD6967.3050700@kitchenandassociates.com>
References: <42DBF833.9020505@kitchenandassociates.com> <42DD50E4.9090800@kitchenandassociates.com>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Sender: netfilter-bounces@lists.netfilter.org
Errors-To: netfilter-bounces@lists.netfilter.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
To: Jozsef Kadlecsik
Cc: Netfilter User Mailing List

That did it. Thanks again, Jozsef

Jozsef Kadlecsik wrote:
> Hi Rob,
>
> On Tue, 19 Jul 2005, Rob Carlson wrote:
>
>> iptables -A testset -m set --set testset src -j LTREJECT
>> iptables -I FORWARD 2 -i eth1 -j testset
>> iptables -I INPUT 2 -i eth1 -j testset
>>
>> This works fine for blocking all traffic. However,
>> since I now specifically want to drop only port 22
>> and port 25 entries (that is most of the nuisance
>> traffic) and allow port 80 for example, I did the
>> following:
>>
>> ipset -N ports portmap --from 1 --to 1024
>> ipset -A ports 22
>> ipset -A ports 25
>> ipset -B testset :default: -b ports
>
> You missed replacing the iptables command above with the one
> which instructs the SET target to follow bindings. What you need is
>
> iptables -A testset -m set --set testset src,dst -j LTREJECT
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary

--
Rob Carlson, Systems and Network Administrator
Kitchen & Associates Architectural Services, PA
Architecture - Planning - Interior Design
856.854.1880
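Added example, not part of the thread above: a small Python model of how the old ipset `-m set --set testset src` versus `src,dst` lookup behaves once `testset` has a default binding to the `ports` portmap set. The sample source addresses are constructed; the set names, ports and binding come from the thread. It is a simulation of the match semantics, not ipset or netfilter code.

```python
# Model of the ipset 2.x "set" match with bindings, as used in the thread.
# Constructed for illustration; not ipset/netfilter code.

TESTSET = {"192.0.2.10", "192.0.2.11"}   # constructed sample source addresses
PORTS = {22, 25}                          # "ports" portmap set (range 1-1024 in the thread)
PORTMAP_RANGE = range(1, 1025)
# ipset -B testset :default: -b ports  ->  every testset member follows "ports"
BINDINGS = {":default:": PORTS}


def set_match(flags, src, dport):
    """True if packet (src, dport) matches `-m set --set testset <flags>`.

    flags is the dimension list from the rule, e.g. "src" or "src,dst".
    Dimension 1 is looked up in testset; later dimensions follow the
    binding of the matched element (or the :default: binding).
    """
    dims = flags.split(",")
    # first dimension: source address must be in testset
    if dims[0] != "src" or src not in TESTSET:
        return False
    if len(dims) == 1:
        return True  # "src" alone: every packet from a listed host matches
    # second dimension: follow the binding from the matched element
    bound = BINDINGS.get(src, BINDINGS.get(":default:"))
    if bound is None:
        return False  # nothing bound, so the second dimension cannot match
    # a portmap set only holds ports inside its declared range
    return dims[1] == "dst" and dport in PORTMAP_RANGE and dport in bound


def rejected_ports(flags, src, ports=(22, 25, 80)):
    """Ports from `ports` that the LTREJECT rule would hit for this source."""
    return [p for p in ports if set_match(flags, src, p)]
```

With `src` alone every port from a listed host is rejected; with `src,dst` only the ports bound through `ports` are, which is the behaviour Rob was after.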