* IPSET issue ???

From: Jorge Agrelo @ 2005-03-30 0:10 UTC
To: netfilter

Hi friends

I want to block the offensive network list supplied by dshield
(http://feeds.dshield.org/block.txt) using the IPSET match. Can anybody tell
me if the following stuff is correct?

  ipset -N bogons-nets nethash
  ipset -A bogons-nets 81.208.28.0/24
  ipset -A bogons-nets 141.50.163.0/24
  ..........
  iptables -N blocklist
  iptables -A blocklist -m set --set bogons-nets src,dst -j DROP
  iptables -A INPUT -i ! lo -m state ! --state ESTABLISHED -j blocklist
  iptables -A FORWARD -m state ! --state ESTABLISHED -j blocklist
  iptables -A OUTPUT -o ! lo -m state ! --state ESTABLISHED -j blocklist

I want to block the source and destination traffic from/to these networks.
I'm not sure regarding how to use the tokens src and dst and the set type
(nethash) in IPSET???

Thanks in advance

**********************************
CTO: Eng. Jorge Agrelo O.
Web: www.novadevices.com
E-Mail: jagrelo@novadevices.com
Phone: (593-2) 225-7711 ext. 105
Av. Brasil N44-12 y Condor, Quito-Ecuador
**********************************
* Re: IPSET issue ???

From: Jozsef Kadlecsik @ 2005-03-30 7:57 UTC
To: Jorge Agrelo; +Cc: netfilter

Hi,

On Tue, 29 Mar 2005, Jorge Agrelo wrote:

> I want to block the offensive network list supplied by dshield
> (http://feeds.dshield.org/block.txt) using the IPSET match. Can anybody tell
> me if the following stuff is correct?
>
>   ipset -N bogons-nets nethash
>   ipset -A bogons-nets 81.208.28.0/24
>   ipset -A bogons-nets 141.50.163.0/24
>   ..........
>   iptables -N blocklist
>   iptables -A blocklist -m set --set bogons-nets src,dst -j DROP
>   iptables -A INPUT -i ! lo -m state ! --state ESTABLISHED -j blocklist
>   iptables -A FORWARD -m state ! --state ESTABLISHED -j blocklist
>   iptables -A OUTPUT -o ! lo -m state ! --state ESTABLISHED -j blocklist
>
> I want to block the source and destination traffic from/to these networks.
> I'm not sure regarding how to use the tokens src and dst and the set type
> (nethash) in IPSET???

No, assuming you want to block access from and to the networks in the
set bogons-nets:

  iptables -A blocklist -m set --set bogons-nets src -j DROP
  iptables -A blocklist -m set --set bogons-nets dst -j DROP

Multiple 'src' and 'dst' tokens can be used when you bind set elements to
other sets and want to follow the bindings, for example when you want to
represent your servers by ipset:

  ipset -N servers ipmap ....
  ipset -A servers x.x.x.x
  ...
  ipset -N services portmap ...
  ipset -A services ssh
  ...
  ipset -N clients iphash
  ipset -A clients y.y.y.y
  ...
  # Glue the corresponding set elements together with bindings
  ipset -B servers x.x.x.x -b services
  ipset -B services ssh -b clients

  # Restrict access to "all" servers on "all" service ports
  # from "all" allowed clients in one iptables rule
  iptables -A FORWARD -m set --set servers dst,dst,src -j ACCEPT

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
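As an added example (not from the thread, and not the dshield or ipset projects' own code), a POSIX shell script that turns a constructed sample in the dshield block.txt layout (assumed here to be tab-separated Start, End, Netmask, Attacks, Name, Country, email, with "#" comment lines) into the ipset commands from the question, and emits the iptables rules as corrected in the reply: the set matched on src and on dst in two separate rules, inside the blocklist chain the question created.

```shell
#!/bin/sh
# Constructed sample in the dshield block.txt layout (tab-separated
# Start, End, Netmask, Attacks, Name, Country, email). Not fetched from the
# real feed; the column layout is an assumption.
SAMPLE=$(printf '# dshield block list sample (constructed)\n81.208.28.0\t81.208.28.255\t24\t120\texample-net\tIT\tabuse@example.invalid\n141.50.163.0\t141.50.163.255\t24\t88\texample-net2\tDE\tabuse@example.invalid\n')

# Read the feed on stdin and print "ipset -A <set> <start>/<netmask>" commands
# (printed, not executed, so the output can be reviewed before loading).
blocklist_to_ipset() {  # $1 = set name
    printf 'ipset -N %s nethash\n' "$1"
    awk -F'\t' -v set="$1" '
        /^#/ || NF < 3 { next }                # skip comments, malformed lines
        $3 !~ /^[0-9]+$/ || $3 > 32 { next }  # netmask must be a prefix length
        { printf "ipset -A %s %s/%s\n", set, $1, $3 }
    '
}

# The rules as corrected in the reply: one rule per direction, the set
# matched on src and on dst separately, both in the blocklist chain that
# the INPUT/FORWARD/OUTPUT rules jump to for non-ESTABLISHED traffic.
blocklist_rules() {  # $1 = set name
    cat <<EOF
iptables -N blocklist
iptables -A blocklist -m set --set $1 src -j DROP
iptables -A blocklist -m set --set $1 dst -j DROP
iptables -A INPUT -i ! lo -m state ! --state ESTABLISHED -j blocklist
iptables -A FORWARD -m state ! --state ESTABLISHED -j blocklist
iptables -A OUTPUT -o ! lo -m state ! --state ESTABLISHED -j blocklist
EOF
}

printf '%s\n' "$SAMPLE" | blocklist_to_ipset bogons-nets
blocklist_rules bogons-nets
```

Piping the generated commands into `sh` only after reviewing them keeps a malformed feed line from silently adding an unintended network.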
* Re: IPSET issue ???

From: Jorge Agrelo @ 2005-03-30 22:09 UTC
To: Jozsef Kadlecsik; +Cc: netfilter

Hi Jozsef

Thanks for your reply. Last question regarding IPSET: can I define the
protocol in the portmap set type? I mean, can I do this?

  ipset -N ports portmap
  ipset -A ports tcp/53
  ipset -A ports udp/53
  ipset -A ports tcp/25
  ipset -A ports tcp/110
  ......

If not, is there any way to do that?

Thanks in advance.

On 30 Mar 2005 at 9:57, Jozsef Kadlecsik wrote:

> Hi,
>
> On Tue, 29 Mar 2005, Jorge Agrelo wrote:
>
> > I want to block the offensive network list supplied by dshield
> > (http://feeds.dshield.org/block.txt) using the IPSET match. Can anybody tell
> > me if the following stuff is correct?
> >
> >   ipset -N bogons-nets nethash
> >   ipset -A bogons-nets 81.208.28.0/24
> >   ipset -A bogons-nets 141.50.163.0/24
> >   ..........
> >   iptables -N blocklist
> >   iptables -A blocklist -m set --set bogons-nets src,dst -j DROP
> >   iptables -A INPUT -i ! lo -m state ! --state ESTABLISHED -j blocklist
> >   iptables -A FORWARD -m state ! --state ESTABLISHED -j blocklist
> >   iptables -A OUTPUT -o ! lo -m state ! --state ESTABLISHED -j blocklist
> >
> > I want to block the source and destination traffic from/to these networks.
> > I'm not sure regarding how to use the tokens src and dst and the set type
> > (nethash) in IPSET???
>
> No, assuming you want to block access from and to the networks in the
> set bogons-nets:
>
>   iptables -A blocklist -m set --set bogons-nets src -j DROP
>   iptables -A blocklist -m set --set bogons-nets dst -j DROP
>
> Multiple 'src' and 'dst' tokens can be used when you bind set elements to
> other sets and want to follow the bindings, for example when you want to
> represent your servers by ipset:
>
>   ipset -N servers ipmap ....
>   ipset -A servers x.x.x.x
>   ...
>   ipset -N services portmap ...
>   ipset -A services ssh
>   ...
>   ipset -N clients iphash
>   ipset -A clients y.y.y.y
>   ...
>   # Glue the corresponding set elements together with bindings
>   ipset -B servers x.x.x.x -b services
>   ipset -B services ssh -b clients
>
>   # Restrict access to "all" servers on "all" service ports
>   # from "all" allowed clients in one iptables rule
>   iptables -A FORWARD -m set --set servers dst,dst,src -j ACCEPT
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
>           H-1525 Budapest 114, POB. 49, Hungary
* Re: IPSET issue ???

From: Jozsef Kadlecsik @ 2005-03-31 11:15 UTC
To: Jorge Agrelo; +Cc: netfilter

Hi,

On Wed, 30 Mar 2005, Jorge Agrelo wrote:

> Can I define the protocol in the portmap set type? I mean, can I do
> this?
>
>   ipset -N ports portmap
>   ipset -A ports tcp/53
>   ipset -A ports udp/53
>   ipset -A ports tcp/25
>   ipset -A ports tcp/110

No, you have to define two individual sets for the TCP and UDP ports.
It'd be way too expensive to add protocol and port support combined to
the portmap set.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary