* query regarding hashlimit using ipset src,dst tuple
@ 2006-10-13  6:50 Retesh Chadha
  0 siblings, 0 replies; 8+ messages in thread
From: Retesh Chadha @ 2006-10-13  6:50 UTC (permalink / raw)
  To: netfilter-devel

Hi
I have a requirement as follows -

Say there are 2 source IPs - src1 and src2, and 2 destination IPs - dst1, dst2.
I need to limit src1->dst1 as well as src2->dst2 communication but want
unlimited src2->dst1 communication.
I have an ipset KNOWN, which contains src1, src2, dst1, dst2.

Now I write a rule as follows -
iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s \
  --hashlimit-mode srcip,dstip --hashlimit-name foo -m set --set KNOWN \
  src,dst -j ACCEPT

But this will limit the src2->dst1 communication as well, which I don't want.

Is there a way to add ip1,ip2 as a tuple in an ipset the way we can do
for ip1%port?
Is there a mode which can help me do this, using a single iptables rule as above?
Is there a way to specify multiple ipsets in 1 iptables rule?

Thanks & Regards
Retesh Chadha

^ permalink raw reply	[flat|nested] 8+ messages in thread

* query regarding hashlimit using ipset src,dst tuple
@ 2006-10-15 17:23 Manish Jain
  2006-10-16  7:00 ` Jozsef Kadlecsik
  0 siblings, 1 reply; 8+ messages in thread
From: Manish Jain @ 2006-10-15 17:23 UTC (permalink / raw)
  To: netfilter

Hi,

I have a requirement as follows -

Say there are 2 source IPs - src1 and src2, and 2 destination IPs - dst1,
dst2.
I need to limit src1->dst1 as well as src2->dst2 communication but want
unlimited src2->dst1 communication.
I have an ipset KNOWN, which contains src1, src2, dst1, dst2.

Now I write a rule as follows -
iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s \
  --hashlimit-mode srcip,dstip --hashlimit-name foo -m set --set KNOWN \
  src,dst -j ACCEPT

But this will limit the src2->dst1 communication as well, which I don't want.

1. Is there a way to add ip1,ip2 as a tuple in an ipset the way we can do for
ip1%port?
2. Is there a mode which can help me do this, using a single iptables rule as
above?
3. Is there a way to specify multiple ipsets in 1 iptables rule?

Thanks & Regards
Manish Jain




* Re: query regarding hashlimit using ipset src,dst tuple
@ 2006-10-16  6:36   ` Bo Yang
  0 siblings, 0 replies; 8+ messages in thread
From: Bo Yang @ 2006-10-16  6:36 UTC (permalink / raw)
  Cc: netfilter

Manish Jain:
> Hi,
>
> I have a requirement as follows -
>
> Say there are 2 source IPs - src1 and src2, and 2 destination IPs - dst1,
> dst2.
> I need to limit src1->dst1 as well as src2->dst2 communication but want
> unlimited src2->dst1 communication.
> I have an ipset KNOWN, which contains src1, src2, dst1, dst2.
>
> Now I write a rule as follows -
> iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s \
>   --hashlimit-mode srcip,dstip --hashlimit-name foo -m set --set KNOWN \
>   src,dst -j ACCEPT
>
> But this will limit the src2->dst1 communication as well, which I don't
> want.
>
> 1. Is there a way to add ip1,ip2 as a tuple in an ipset the way we can
> do for ip1%port?
Yes, look at the ipset manual to find the binding.
> 2. Is there a mode which can help me do this, using a single iptables
> rule as above?
The following, maybe:
ipset -N from ipmap --network 192.168.0.0/24
ipset -A from src1
ipset -A from src2

ipset -N to ipmap --network 192.168.0.0/24
ipset -A to dst1
ipset -A to dst2

ipset -B from :default: -b to   # a hit in 'from' continues the match in 'to'

iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s \
  --hashlimit-mode srcip,dstip --hashlimit-name foo -m set --set from \
  src,dst -j ACCEPT

> 3. Is there a way to specify multiple ipsets in 1 iptables rule?
I think one set with its bindings can do everything for you ~




* Re: query regarding hashlimit using ipset src,dst tuple
  2006-10-15 17:23 Manish Jain
@ 2006-10-16  7:00 ` Jozsef Kadlecsik
  2006-10-16  8:54   ` Retesh
  0 siblings, 1 reply; 8+ messages in thread
From: Jozsef Kadlecsik @ 2006-10-16  7:00 UTC (permalink / raw)
  To: Manish Jain; +Cc: netfilter

On Sun, 15 Oct 2006, Manish Jain wrote:

> Say there are 2 source IPs - src1 and src2, and 2 destination IPs - dst1,
> dst2.
> I need to limit src1->dst1 as well as src2->dst2 communication but want
> unlimited src2->dst1 communication.
> I have an ipset KNOWN, which contains src1, src2, dst1, dst2.

What type of set is it?

> Now I write a rule as follows -
> iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s \
>   --hashlimit-mode srcip,dstip --hashlimit-name foo -m set --set KNOWN \
>   src,dst -j ACCEPT
>
> But this will limit the src2->dst1 communication as well, which I don't want.
>
> 1. Is there a way to add ip1,ip2 as a tuple in an ipset the way we can do for
> ip1%port?

No, such a set type does not currently exist.

> 2. Is there a mode which can help me do this, using a single iptables rule as
> above?

I don't think so.

> 3. Is there a way to specify multiple ipsets in 1 iptables rule?

Yes, you can specify as many matches of the same kind as you want, but please keep
in mind that the matches are AND-ed.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary



* Re: query regarding hashlimit using ipset src,dst tuple
  2006-10-16  7:00 ` Jozsef Kadlecsik
@ 2006-10-16  8:54   ` Retesh
  2006-10-16  9:19     ` Jozsef Kadlecsik
  0 siblings, 1 reply; 8+ messages in thread
From: Retesh @ 2006-10-16  8:54 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

Hi Jozsef
Can you let us know the way to AND 2 ipsets, with an example? It would
be really useful.

Thanks
Retesh Chadha



* Re: query regarding hashlimit using ipset src,dst tuple
  2006-10-16  8:54   ` Retesh
@ 2006-10-16  9:19     ` Jozsef Kadlecsik
  0 siblings, 0 replies; 8+ messages in thread
From: Jozsef Kadlecsik @ 2006-10-16  9:19 UTC (permalink / raw)
  To: Retesh; +Cc: netfilter

On Mon, 16 Oct 2006, Retesh wrote:

> Can you let us know the way to AND 2 ipsets, with an example. It will
> be really useful.

Let's assume a bunch of servers (the IP addresses stored in the set
'servers') and a bunch of clients (the IP addresses stored in 'clients')
and one wants to allow any listed client to access any listed server:

iptables -A <chain> -m set --set clients src \
                    -m set --set servers dst \
                    -j ACCEPT

Or if you want to restrict the access to the given list of services on the
servers (port numbers are stored in 'services'), assuming the same list of
services on each server:

iptables -A <chain> -m set --set clients src \
                    -m set --set servers dst \
                    -m set --set services dst \
                    -j ACCEPT

Or if the lists of services are different on the servers, then one can use
an ipporthash type of set to store (server IP, service port) pairs in
'server-service' and write:

iptables -A <chain> -m set --set clients src \
                    -m set --set server-service dst,dst \
                    -j ACCEPT

Hope it helps,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary



* Re: query regarding hashlimit using ipset src,dst tuple
@ 2007-01-31 22:28 Ismaël BALLO
  2007-02-02  8:18 ` Jozsef Kadlecsik
  0 siblings, 1 reply; 8+ messages in thread
From: Ismaël BALLO @ 2007-01-31 22:28 UTC (permalink / raw)
  To: netfilter

Hi,

My message is to ask for an in-depth explanation of this thread:
http://www.gossamer-threads.com/lists/iptables/user/62849
Here is the part I focus on:
_______________________________________________________
On Mon, 16 Oct 2006, Retesh wrote:

Let's assume a bunch of servers (the IP addresses stored in the set
'servers') and a bunch of clients (the IP addresses stored in 'clients')
and one wants to allow any listed client to access any listed server:

iptables -A <chain> -m set --set clients src \
-m set --set servers dst \
-j ACCEPT

Or if you want to restrict the access to the given list of services on the
servers (port numbers are stored in 'services'), assuming the same list of
services on each server:

iptables -A <chain> -m set --set clients src \
-m set --set servers dst \
-m set --set services dst \
-j ACCEPT

Or if the list of services are different on the servers, then one can use
an ipporthash type of set to store (server IP, service port) pairs in
'server-service' and write:

iptables -A <chain> -m set --set clients src \
-m set --set server-service dst,dst \
-j ACCEPT

Hope it helps,
Jozsef
-
E-mail : kadlec[at]blackhole.kfki.hu, kadlec[at]sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
_______________________________________________________

Clients :
192.168.1.5 & 192.168.1.4
Services :
ssh
Servers
192.169.50.105


When I try to test such a configuration:
ipset rules (file ipset.rule, which I load with ipset -R < ipset.rule)

# Generated by ipset 2.2.9a on Mon Jan 29 15:43:49 2007
-N servers iphash --hashsize 1024 --probes 8 --resize 50
-A servers 192.169.50.105
-N services portmap --from 1 --to 31
-A services 22
-N clients iphash --hashsize 1024 --probes 8 --resize 50
-A clients 192.168.1.5
-A clients 192.168.1.4
-B servers :default: -b services
-B services 22 -b clients
COMMIT

iptables rules :
# Generated by iptables-save v1.3.7 on Mon Jan 29 15:11:48 2007
*nat
:PREROUTING ACCEPT [79:3756]
:POSTROUTING ACCEPT [94:5189]
:OUTPUT ACCEPT [46:3071]
COMMIT
# Completed on Mon Jan 29 15:11:48 2007
# Generated by iptables-save v1.3.7 on Mon Jan 29 15:11:48 2007
*filter
:INPUT ACCEPT [29336:1622806]
:FORWARD ACCEPT [1122:89879]
:OUTPUT ACCEPT [700613:32934646]
:LOG_DROP - [0:0]
-A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -m set --set servers dst,dst,src -j ACCEPT
                                        ---------------------
-A FORWARD -j LOG_DROP
-A OUTPUT -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : "
-A LOG_DROP -j DROP
COMMIT

The firewall drops responses from 192.169.50.105.

Do I have to add an ipset rule for the return as
(*)  -A FORWARD -m set --set clients  dst,dst,src -j ACCEPT ?

Without (*), it doesn't work, but this last rule disturbs me.

Thanks,



* Re: query regarding hashlimit using ipset src,dst tuple
  2007-01-31 22:28 query regarding hashlimit using ipset src,dst tuple Ismaël BALLO
@ 2007-02-02  8:18 ` Jozsef Kadlecsik
  0 siblings, 0 replies; 8+ messages in thread
From: Jozsef Kadlecsik @ 2007-02-02  8:18 UTC (permalink / raw)
  To: Ismaël BALLO; +Cc: netfilter



On Wed, 31 Jan 2007, Ismaël BALLO wrote:

> When I try to test such a configuration.
> ipset rules ( file ipset.rule I load with ipset -R < ipset.rule)
>
> # Generated by ipset 2.2.9a on Mon Jan 29 15:43:49 2007
> -N servers iphash --hashsize 1024 --probes 8 --resize 50
> -A servers 192.169.50.105
> -N services portmap --from 1 --to 31
> -A services 22
> -N clients iphash --hashsize 1024 --probes 8 --resize 50
> -A clients 192.168.1.5
> -A clients 192.168.1.4
> -B servers :default: -b services
> -B services 22 -b clients
> COMMIT
>
> iptables rules :
> # Generated by iptables-save v1.3.7 on Mon Jan 29 15:11:48 2007
> *nat
> :PREROUTING ACCEPT [79:3756]
> :POSTROUTING ACCEPT [94:5189]
> :OUTPUT ACCEPT [46:3071]
> COMMIT
> # Completed on Mon Jan 29 15:11:48 2007
> # Generated by iptables-save v1.3.7 on Mon Jan 29 15:11:48 2007
> *filter
> :INPUT ACCEPT [29336:1622806]
> :FORWARD ACCEPT [1122:89879]
> :OUTPUT ACCEPT [700613:32934646]
> :LOG_DROP - [0:0]
> -A INPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
> -A FORWARD -m set --set servers dst,dst,src -j ACCEPT
>                                       ---------------------
> -A FORWARD -j LOG_DROP
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -j ACCEPT
> -A LOG_DROP -j LOG --log-prefix "[IPTABLES DROP] : "
> -A LOG_DROP -j DROP
> COMMIT
>
> The firewall drops responses from 192.169.50.105.
>
> Do I have to add an ipset rule for the return as
> (*)  -A FORWARD -m set --set clients  dst,dst,src -j ACCEPT ?
>
> Without (*), it doesn't work, but this last rule disturbs me.

Yes, the rule to allow the reply packets is missing. The best is to add 
the rule

-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

as the very first in the FORWARD chain.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
           H-1525 Budapest 114, POB. 49, Hungary

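The following is an added example written for this page; it is not code from the thread or from the netfilter/ipset projects. It models in Python the semantics the whole thread turns on: an ipset 2.x set match whose flags are followed through bindings, the AND-ing of several matches inside one iptables rule (Jozsef's answer to question 3), a hashlimit bucket keyed on the (src, dst) pair (note that the mode has to be spelled `srcip,dstip` with a comma; iptables rejects `srcipdstip` as a bad mode), and Ismaël's FORWARD chain with and without a state rule in front of it. The binding semantics are an assumption taken from the ipset 2.x manual: a hit on an element continues the match, with the next flag, in the set bound to that element or in the set's :default: binding, and an element with no binding ends the match as a hit. The token bucket is a simplification of the real hashlimit accounting, and the set names to, from, to1, to2 and pairs are placeholders. The example goes one step past the thread: next to the :default: binding suggested above it also builds one binding per source entry, which is what is needed to match exactly the (src1, dst1) and (src2, dst2) pairs and nothing else.

```python
"""Model of the netfilter behaviour discussed in this thread: ipset 2.x set
matches that follow bindings, AND-ed matches in one rule, a hashlimit bucket
per (src, dst) pair, and a FORWARD chain with and without a state rule. Editor's
added example, not thread or netfilter code; binding semantics assumed from the
ipset 2.x manual."""

SETS = {}          # set name -> IPSet
CONNTRACK = set()  # (src, dst, sport, dport) of packets a chain accepted

class IPSet:
    """kind: 'ip' (iphash/ipmap) or 'port' (portmap)."""
    def __init__(self, name, kind, elements, bindings=None, default=None):
        self.kind, self.elements = kind, set(elements)
        self.bindings, self.default = bindings or {}, default   # :default:
        SETS[name] = self

def set_match(setname, flags, p):
    """Emulate `-m set --set setname f1,f2,...` on packet dict p: a hit continues
    with the next flag in the bound set; an unbound element ends in a hit."""
    s = SETS[setname]
    for flag in flags:
        if s.kind == "port":                   # src/dst mean the ports here
            elem = p["dport"] if flag == "dst" else p["sport"]
        else:
            elem = p[flag]
        if elem not in s.elements:
            return False
        nxt = s.bindings.get(elem, s.default)
        if nxt is None:
            return True
        s = SETS[nxt]
    return True

class HashLimit:
    """`--hashlimit-mode srcip,dstip`: one token bucket per (src, dst) pair."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}
    def match(self, p):
        key = (p["src"], p["dst"])
        tokens, last = self.buckets.get(key, (self.burst, p["t"]))
        tokens = min(self.burst, tokens + (p["t"] - last) * self.rate)
        ok = tokens >= 1
        self.buckets[key] = (tokens - int(ok), p["t"])
        return ok

def established(p):
    """`-m state --state ESTABLISHED`: the reverse tuple was accepted before."""
    return (p["dst"], p["src"], p["dport"], p["sport"]) in CONNTRACK

def run_chain(rules, p, policy):
    """Matches in a rule are AND-ed left to right and evaluation stops at the
    first failing one; the first rule whose matches all pass decides."""
    for matches, target in rules:
        if all(m(p) for m in matches):
            if target == "ACCEPT":
                CONNTRACK.add((p["src"], p["dst"], p["sport"], p["dport"]))
            return target
    return policy

def mk_pkt(src, dst, dport, sport=40000, t=0):
    return dict(src=src, dst=dst, sport=sport, dport=dport, t=t)

def pair_demo():
    """Q1/Q2: a :default: binding still matches src2->dst1; a binding per
    source entry pins each source to its own destination set."""
    IPSet("to", "ip", ["dst1", "dst2"])
    IPSet("from", "ip", ["src1", "src2"], default="to")
    IPSet("to1", "ip", ["dst1"])
    IPSet("to2", "ip", ["dst2"])
    IPSet("pairs", "ip", ["src1", "src2"], bindings={"src1": "to1", "src2": "to2"})
    flows = [("src1", "dst1"), ("src2", "dst2"), ("src2", "dst1")]
    return {f: (set_match("from", ["src", "dst"], mk_pkt(*f, 22)),
                set_match("pairs", ["src", "dst"], mk_pkt(*f, 22))) for f in flows}

def limit_demo():
    """Limit only the bound pairs; the set match goes first so hashlimit never
    sees, or opens a bucket for, the unlimited src2->dst1 traffic."""
    pair_demo()
    hl = HashLimit(rate=1, burst=2)    # tiny values so the limit shows in 3 packets
    in_pairs = lambda p: set_match("pairs", ["src", "dst"], p)
    rules = [([in_pairs, hl.match], "ACCEPT"), ([in_pairs], "DROP"), ([], "ACCEPT")]
    return [run_chain(rules, mk_pkt(s, d, 22), "DROP")
            for s, d in [("src1", "dst1")] * 3 + [("src2", "dst1")] * 3]

def forward_demo(with_state_rule):
    """Ismaël's FORWARD chain: the SSH reply is accepted only when a state rule
    precedes the set rule."""
    IPSet("clients", "ip", ["192.168.1.5", "192.168.1.4"])
    IPSet("services", "port", [22], bindings={22: "clients"})
    IPSet("servers", "ip", ["192.169.50.105"], default="services")
    rules = [([lambda p: set_match("servers", ["dst", "dst", "src"], p)], "ACCEPT")]
    if with_state_rule:
        rules.insert(0, ([established], "ACCEPT"))
    CONNTRACK.clear()
    req = mk_pkt("192.168.1.5", "192.169.50.105", 22)
    rep = mk_pkt("192.169.50.105", "192.168.1.5", 40000, sport=22)
    return run_chain(rules, req, "LOG_DROP"), run_chain(rules, rep, "LOG_DROP")

if __name__ == "__main__":
    print(pair_demo(), limit_demo(), forward_demo(False), forward_demo(True))
```

Running it prints the three results. pair_demo shows that with the :default: binding src2->dst1 still matches (both listed sources reach both listed destinations), while with one binding per source entry only the two intended pairs match. limit_demo shows why the set match should come before hashlimit in the rule: iptables stops evaluating a rule's matches at the first failure, so the unlimited src2->dst1 traffic never consumes hashlimit credit and falls through to the catch-all ACCEPT, while the third src1->dst1 packet in the same second is dropped. forward_demo reproduces Ismaël's observation: the reply from 192.169.50.105:22 has a destination that is not in 'servers', so it reaches LOG_DROP until `-m state --state ESTABLISHED,RELATED -j ACCEPT` is placed first. Under the assumed semantics, `--set KNOWN src,dst` on a single flat, unbound set checks only the source address, which is why one set without bindings cannot express pairs.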
