
I want to block all IP addresses except those from a specific country. So I installed ipset, downloaded the IP range list from ipdeny.com and did this:

sudo ipset create allow-list hash:net
for i in $( cat /home/pi/firewall/country-aggregated.zone ); do sudo ipset -A allow-list "$i"; done

If I run "sudo ipset list":

Name: allow-list
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 5408
References: 0
Number of entries: 97
Members:
89.183.60.0/22
etc...

Then I have to add a rule to the DOCKER-USER and INPUT chains to block all services. To test it, I blocked the country and checked whether I could still access the services, and I could. So something is wrong with my configuration.

sudo iptables -I DOCKER-USER -m set --match-set allow-list src -j DROP
sudo iptables -A INPUT -m set --match-set allow-list src -j DROP
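The following POSIX shell script is an added example, not code from the question. It builds the set from the zone file with one `ipset restore` instead of one `ipset add` process per prefix, and generates the INPUT and DOCKER-USER rules in two modes: `test` reproduces the rules above (drop sources that are in the set, which is what a test with one's own country loaded needs), and `allow` is the goal stated at the top of the question (drop every source that is not in the set), which requires a `!` in front of `--match-set`. It also exempts the LAN and established connections before the geo-drop, since in `allow` mode replies to outbound connections and LAN management traffic would otherwise be dropped too. The external interface `eth0` and the LAN `192.168.1.0/24` are placeholders; the set name and zone path are the ones from the question.

```shell
#!/bin/sh
# Added example, not code from the question: generate an ipset restore file
# from an ipdeny zone file and the iptables rules for INPUT and DOCKER-USER.
# Assumptions: the external interface is "eth0" and the LAN is 192.168.1.0/24
# (both placeholders); the set name and zone path are the ones in the question.
set -eu

# Turn a zone file (one IPv4 prefix per line) into `ipset restore` input.
# One restore call is much faster than one `ipset add` process per prefix
# and, run as `ipset -exist restore`, it is idempotent, so it can be re-run
# at boot.
ipset_restore_script() {
    set_name=$1; zone_file=$2
    printf 'create %s hash:net family inet\n' "$set_name"
    # Keep only lines that look like an IPv4 prefix so that a stray header
    # or blank line cannot abort the whole restore.
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$' "$zone_file" |
        while IFS= read -r net; do
            printf 'add %s %s\n' "$set_name" "$net"
        done
}

# Print the iptables commands for one chain.  The rules are inserted at
# position 1 in reverse order, so the chain ends up as:
# established/related, LAN exemption, geo-drop.
chain_rules() {
    chain=$1; pass=$2; neg=$3; set_name=$4; ext_if=$5; lan=$6
    printf 'iptables -I %s -i %s -m set %s--match-set %s src -j DROP\n' \
        "$chain" "$ext_if" "$neg" "$set_name"
    # Never geo-filter the LAN, or you lock yourself out of the Pi.
    printf 'iptables -I %s -i %s -s %s -j %s\n' "$chain" "$ext_if" "$lan" "$pass"
    # Replies to connections the host or a container opened arrive on the
    # external interface from arbitrary countries; they must pass.
    printf 'iptables -I %s -i %s -m conntrack --ctstate RELATED,ESTABLISHED -j %s\n' \
        "$chain" "$ext_if" "$pass"
}

# "test" reproduces the question's rule: drop sources that ARE in the set.
# "allow" is the stated goal: drop everything whose source is NOT in the
# set, which needs the "!" before --match-set.
firewall_rules() {
    mode=$1; set_name=$2; ext_if=$3; lan=$4
    case "$mode" in
        test)  neg="" ;;
        allow) neg="! " ;;
        *) echo "mode must be test or allow" >&2; return 1 ;;
    esac
    # DOCKER-USER ends with a RETURN that Docker maintains, so rules must be
    # inserted (-I), never appended; RETURN hands accepted traffic back to
    # FORWARD, where Docker's own port-publishing rules accept it.
    chain_rules DOCKER-USER RETURN "$neg" "$set_name" "$ext_if" "$lan"
    chain_rules INPUT ACCEPT "$neg" "$set_name" "$ext_if" "$lan"
}

# Usage: review the output first, then apply as root, e.g.
#   ipset_restore_script allow-list /home/pi/firewall/country-aggregated.zone | ipset -exist restore
#   firewall_rules allow allow-list eth0 192.168.1.0/24 | sh
case "${1:-}" in
    plan)
        ipset_restore_script "${SET:-allow-list}" "${ZONE:-/home/pi/firewall/country-aggregated.zone}"
        firewall_rules "${MODE:-allow}" "${SET:-allow-list}" "${EXT_IF:-eth0}" "${LAN:-192.168.1.0/24}"
        ;;
esac
```

Running the script with `plan` only prints what it would do; nothing touches the kernel until the output is piped into `ipset` and `sh`. Note that neither set nor rules survive a reboot by themselves; save them with `ipset save` and your distribution's iptables persistence, and make sure the set is restored before the rules that reference it.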

My iptables filter table (iptables -L -v -n), including the DOCKER-USER and INPUT chains, looks like this:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  310 19940 ACCEPT     all  --  *      *       192.168.1.102        0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set allow-list src

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
3564K 2076M DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
3564K 2076M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
 5350 2397K ACCEPT     all  --  *      br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 6261  414K DOCKER     all  --  *      br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0           
11135 1009K ACCEPT     all  --  br-c80792c5d0cc !br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0           
3037K 1724M ACCEPT     all  --  *      br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
29923 1796K DOCKER     all  --  *      br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-89ecb09e5185 !br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0           
29923 1796K ACCEPT     all  --  br-89ecb09e5185 br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0           
   69 10621 ACCEPT     all  --  *      br-451331e576b8  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   10  1222 DOCKER     all  --  *      br-451331e576b8  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-451331e576b8 !br-451331e576b8  0.0.0.0/0            0.0.0.0/0           
   10  1222 ACCEPT     all  --  br-451331e576b8 br-451331e576b8  0.0.0.0/0            0.0.0.0/0           
 349K  210M ACCEPT     all  --  *      br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
31128 1866K DOCKER     all  --  *      br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0           
94113  135M ACCEPT     all  --  br-2db6a76ed3c5 !br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0           
29958 1798K ACCEPT     all  --  br-2db6a76ed3c5 br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (5 references)
 pkts bytes target     prot opt in     out     source               destination         
 1170 68000 ACCEPT     tcp  --  !br-2db6a76ed3c5 br-2db6a76ed3c5  0.0.0.0/0            172.25.0.2           tcp dpt:8080
    0     0 ACCEPT     tcp  --  !br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            172.28.0.2           tcp dpt:443
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30009
    0     0 ACCEPT     tcp  --  !br-451331e576b8 br-451331e576b8  0.0.0.0/0            172.20.0.3           tcp dpt:80
    0     0 ACCEPT     tcp  --  !br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            172.28.0.2           tcp dpt:80
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30008
    0     0 ACCEPT     udp  --  !br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            172.28.0.2           udp dpt:67
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30007
    0     0 ACCEPT     tcp  --  !br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            172.28.0.2           tcp dpt:53
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30006
 6261  414K ACCEPT     udp  --  !br-c80792c5d0cc br-c80792c5d0cc  0.0.0.0/0            172.28.0.2           udp dpt:53
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30005
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30004
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30003
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30002
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30001
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:30000
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:21

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
11135 1009K DOCKER-ISOLATION-STAGE-2  all  --  br-c80792c5d0cc !br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-89ecb09e5185 !br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-451331e576b8 !br-451331e576b8  0.0.0.0/0            0.0.0.0/0           
94113  135M DOCKER-ISOLATION-STAGE-2  all  --  br-2db6a76ed3c5 !br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0           
3564K 2076M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-c80792c5d0cc  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-89ecb09e5185  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-451331e576b8  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-2db6a76ed3c5  0.0.0.0/0            0.0.0.0/0           
 105K  136M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set allow-list src
1831K 1083M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0 

nat table (iptables -t nat -nvL):

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7467  484K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
 3957  267K MASQUERADE  all  --  *      !br-c80792c5d0cc  172.28.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-89ecb09e5185  172.24.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-451331e576b8  172.20.0.0/16        0.0.0.0/0           
    5   392 MASQUERADE  all  --  *      !br-2db6a76ed3c5  172.25.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.25.0.2           172.25.0.2           tcp dpt:8080
    0     0 MASQUERADE  tcp  --  *      *       172.28.0.2           172.28.0.2           tcp dpt:443
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30009
    0     0 MASQUERADE  tcp  --  *      *       172.20.0.3           172.20.0.3           tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.28.0.2           172.28.0.2           tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30008
    0     0 MASQUERADE  udp  --  *      *       172.28.0.2           172.28.0.2           udp dpt:67
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30007
    0     0 MASQUERADE  tcp  --  *      *       172.28.0.2           172.28.0.2           tcp dpt:53
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30006
    0     0 MASQUERADE  udp  --  *      *       172.28.0.2           172.28.0.2           udp dpt:53
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30005
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30004
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30003
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30002
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30001
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:30000
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:21

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   21  1407 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-89ecb09e5185 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-451331e576b8 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-2db6a76ed3c5 *       0.0.0.0/0            0.0.0.0/0           
 1195 69492 DNAT       tcp  --  !br-2db6a76ed3c5 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 to:172.25.0.2:8080
    0     0 DNAT       tcp  --  !br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.28.0.2:443
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30009 to:172.17.0.2:30009
    0     0 DNAT       tcp  --  !br-451331e576b8 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6875 to:172.20.0.3:80
    0     0 DNAT       tcp  --  !br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.28.0.2:80
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30008 to:172.17.0.2:30008
    0     0 DNAT       udp  --  !br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 to:172.28.0.2:67
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30007 to:172.17.0.2:30007
    0     0 DNAT       tcp  --  !br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 to:172.28.0.2:53
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30006 to:172.17.0.2:30006
 6253  413K DNAT       udp  --  !br-c80792c5d0cc *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 to:172.28.0.2:53
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30005 to:172.17.0.2:30005
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30004 to:172.17.0.2:30004
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30003 to:172.17.0.2:30003
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30002 to:172.17.0.2:30002
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30001 to:172.17.0.2:30001
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:30000 to:172.17.0.2:30000
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 to:172.17.0.2:21

mangle table (iptables -t mangle -L -nv):

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

raw table:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

The server is a Raspberry Pi.

What could be the problem?

Samhamsam
  • This all seems fine. Is your machine actually receiving packets with the correct source address? I.e. is something upstream of you altering packets before you get them? – Michael Hampton Sep 02 '20 at 18:35
  • I did now test with tcpdump and you are correct. Maybe it's the ISP. I only get "router.lan.53903". ``` 19:44:26.474576 IP router.lan.32832 > 192.168.1.103.http-alt: Flags [.], ack 52078, win 9858, options [nop,nop,TS val 1665635525 ecr 1139000227], length 0 ``` – Samhamsam Sep 02 '20 at 18:44
  • There is no IP address coming from outside. Only this router.lan.a_number.... – Samhamsam Sep 02 '20 at 18:45
  • If you run `tcpdump` you should add `-nn` to ensure that all values are numeric. – Michael Hampton Sep 02 '20 at 19:12
  • Ok, I did run with -nn and now it shows an IP address in place of router.lan. But it's always the same IP address. It's an IP address from my ISP. – Samhamsam Sep 02 '20 at 21:37
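The comments above show the check that actually found the cause: with `tcpdump -nn`, every inbound packet carried the same upstream address rather than the real client's, so a source-address match on the Pi had nothing to match (the zero hit counts on both DROP rules in the listing are consistent with that). The following POSIX shell script is an added example, not from the thread, that automates that check: it takes `tcpdump -nn` output, classifies each distinct source as private (RFC 1918), CGNAT (RFC 6598), loopback or public, and fails when no public source was seen at all. The two captures embedded in it are constructed samples, and the host address `192.168.1.103` is taken from the comment above as a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: check whether packets reaching the
# host still carry their real source address.  Feed it `tcpdump -nn` output;
# the two sample captures below are constructed, not real traffic.
# Assumptions: IPv4 only, and the host's own address is 192.168.1.103 as in
# the comment above (placeholder).
set -eu

# Classify an IPv4 address: private (RFC 1918), cgnat (RFC 6598, the
# 100.64.0.0/10 range many ISPs use), loopback, or public.
ip_class() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    case "$1" in
        10)  echo private ;;
        127) echo loopback ;;
        172) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then echo private; else echo public; fi ;;
        192) if [ "$2" -eq 168 ]; then echo private; else echo public; fi ;;
        100) if [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then echo cgnat; else echo public; fi ;;
        *)   echo public ;;
    esac
}

# Distinct source addresses of IPv4 packets in `tcpdump -nn` output, with
# the port suffix stripped.  Lines from tcpdump look like:
#   19:44:26.474576 IP 192.168.1.1.32832 > 192.168.1.103.8080: Flags [.], ...
tcpdump_sources() {
    awk '$2 == "IP" && $4 == ">" { s = $3; sub(/\.[0-9]+$/, "", s); print s }' | sort -u
}

# Print one line per source with its class.  Succeeds only if at least one
# public source was seen; if every inbound packet carries a private or
# CGNAT source, the device upstream is rewriting addresses and a
# source-IP geo filter on this host has nothing to match.
source_report() {
    public=0
    for ip in $(tcpdump_sources); do
        cls=$(ip_class "$ip")
        printf '%-15s %s\n' "$ip" "$cls"
        if [ "$cls" = public ]; then public=$((public + 1)); fi
    done
    [ "$public" -gt 0 ]
}

# Constructed capture matching the symptom in the comments: every inbound
# packet appears to come from the router or from a CGNAT address.
capture_rewritten() {
    cat <<'EOF'
19:44:26.474576 IP 192.168.1.1.32832 > 192.168.1.103.8080: Flags [.], ack 52078, win 9858, length 0
19:44:26.480120 IP 192.168.1.1.32840 > 192.168.1.103.443: Flags [S], seq 1, win 64240, length 0
19:44:27.101001 IP 100.72.5.9.40001 > 192.168.1.103.8080: Flags [S], seq 7, win 64240, length 0
EOF
}

# Constructed capture of a healthy setup: real client addresses arrive.
capture_healthy() {
    cat <<'EOF'
19:50:01.000001 IP 89.183.61.10.51234 > 192.168.1.103.8080: Flags [S], seq 1, win 64240, length 0
19:50:01.000500 IP 192.168.1.102.52000 > 192.168.1.103.22: Flags [S], seq 2, win 64240, length 0
19:50:02.000000 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
EOF
}

# Usage on the Pi (inbound packets only, so the host's own replies are not
# counted; -c bounds the capture so the report is printed):
#   tcpdump -nn -i eth0 -c 200 dst host 192.168.1.103 | sh this_script.sh check
case "${1:-}" in
    demo)  capture_rewritten | source_report || echo "no public source seen: upstream rewrites addresses" ;;
    check) source_report || echo "no public source seen: upstream rewrites addresses" ;;
esac
```

If the report lists only private or CGNAT sources, no rule on the Pi can tell countries apart; the filter has to live on whatever device still sees the original source address, or the ISP's setup has to change, which is what the accepted answer found.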

1 Answer


I spoke with my ISP and it's their fault. They have a weird network, so I always only get an internal IP address on every packet that arrives.

Samhamsam