From: "Ismaël BALLO" <isma.ballo@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: query regarding hashlimit using ipset src,dst tuple
Date: Wed, 31 Jan 2007 23:28:44 +0100	[thread overview]
Message-ID: <45C1181C.6030001@gmail.com> (raw)

Hi,

My message is to ask for an in-depth explanation of this thread:
http://www.gossamer-threads.com/lists/iptables/user/62849
Here is the part I focus on:
_______________________________________________________
On Mon, 16 Oct 2006, Retesh wrote:

Let's assume a bunch of servers (the IP addresses stored in the set
'servers') and a bunch of clients (the IP addresses stored in 'clients')
and one wants to allow any listed client to access any listed server:

iptables -A <chain> -m set --set clients src \
-m set --set servers dst \
-j ACCEPT

Or if you want to restrict the access to the given list of services on the
servers (port numbers are stored in 'services'), assuming the same list of
services on each server:

iptables -A <chain> -m set --set clients src \
-m set --set servers dst \
-m set --set services dst \
-j ACCEPT

Or if the list of services are different on the servers, then one can use
an ipporthash type of set to store (server IP, service port) pairs in
'server-service' and write:

iptables -A <chain> -m set --set clients src \
-m set --set server-service dst,dst \
-j ACCEPT

Hope it helps,
Jozsef
-
E-mail : kadlec[at]blackhole.kfki.hu, kadlec[at]sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
_______________________________________________________

Clients:
192.168.1.5 & 192.168.1.4
Services:
ssh
Servers:
192.169.50.105


When I try to test such a configuration, this is what I use.
ipset rules (file ipset.rule, which I load with ipset -R < ipset.rule):

# Generated by ipset 2.2.9a on Mon Jan 29 15:43:49 2007
-N servers iphash --hashsize 1024 --probes 8 --resize 50
-A servers 192.169.50.105
-N services portmap --from 1 --to 31
-A services 22
-N clients iphash --hashsize 1024 --probes 8 --resize 50
-A clients 192.168.1.5
-A clients 192.168.1.4
-B servers :default: -b services
-B services 22 -b clients
COMMIT

iptables rules:
# Generated by iptables-save v1.3.7 on Mon Jan 29 15:11:48 2007
*nat
:PREROUTING ACCEPT [79:3756]
:POSTROUTING ACCEPT [94:5189]
:OUTPUT ACCEPT [46:3071]
COMMIT
# Completed on Mon Jan 29 15:11:48 2007
# Generated by iptables-save v1.3.7 on Mon Jan 29 15:11:48 2007
*filter
:INPUT ACCEPT [29336:1622806]
:FORWARD ACCEPT [1122:89879]
:OUTPUT ACCEPT [700613:32934646]
:LOG_DROP - [0:0]
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -m set --set servers dst,dst,src -j ACCEPT
                                        ---------------------
-A FORWARD -j LOG_DROP
-A OUTPUT -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : "
-A LOG_DROP -j DROP
COMMIT

The firewall drops responses from 192.169.50.105.

Do I have to add an ipset rule for the return traffic, such as
(*)  -A FORWARD -m set --set clients  dst,dst,src -j ACCEPT ?

Without (*) it doesn't work, but this last rule bothers me.

Thanks,

