
I'm trying to filter out a country that keeps probing my SMTP server (CentOS6) and I can't seem to get the ipset to work out right in iptables.

I downloaded that country's IP addresses from ipdeny.com and installed the list as a text file. Originally, I had all my blacklist IP addresses in a big long iptables chain, but that could really affect the CPU adversely - hence my wanting to use an ipset.

Here's an excerpt from that IP address file:

185.40.4.31
80.82.65.237
2.60.0.0/14

So now I'm trying to use that list in an ipset set. I verify the ipset set is populated using `ipset list`.

Name: blacklist
Type: hash:net
Header: family inet hashsize 2048 maxelem 65536
Size in memory: 108816
References: 1
Members:
....
185.40.4.31
185.40.152.0/22
...

With this ipset, I add it to iptables:

`iptables -A INPUT -p tcp -m set --set blacklist src -j DROP`

But when I try and test the set using hping3, the packets still get through.

`hping3 --syn --destport 25 --count 3 -a 185.40.4.31 <server_ip>`

When I was using the long iptables chain, things were working as expected.

Here's the abbreviated output of `iptables -L -n` (I edited out most of the 6200+ ipdeny entries):

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  217.199.240.0/20     0.0.0.0/0
DROP       all  --  217.199.208.0/20     0.0.0.0/0
...
DROP       all  --  2.60.0.0/14          0.0.0.0/0
DROP       all  --  94.102.50.41         0.0.0.0/0
DROP       all  --  80.82.65.237         0.0.0.0/0
DROP       all  --  185.40.4.31          0.0.0.0/0
ACCEPT     all  --  192.168.2.0/24       0.0.0.0/0
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:27944 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 state NEW
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 state NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:27940
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           match-set blacklist src

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Serguei
pathrider
  • Is it the only rule in iptables? You should probably add output of `iptables-save` to ease debugging. – darkk Jul 26 '15 at 19:07
  • Considering that my original post was edited by an admin to add capitalization to acronyms and to expand some abbreviations (really?), is it acceptable to add the iptables-save output? – pathrider Jul 28 '15 at 02:03
  • No "admin" edited your post. An ordinary member of the community did. [Learn how editing works.](http://serverfault.com/help/editing) And, I undeleted your post because I suspect you deleted it in error. [Learn about moderators and what we do.](http://serverfault.com/help/site-moderators) – Michael Hampton Jul 28 '15 at 02:21
  • `iptables -L -n` is not as useful as `iptables-save` or `iptables -L -v -n` as interfaces are hidden. – darkk Jul 28 '15 at 09:25

1 Answer


Your rule never takes effect because you have added it to the end of the chain. Immediately preceding it is a rule to drop all traffic, thus your rule is never reached. In iptables, rules are matched in order; this is different than many other firewalls.

To resolve the problem, move the rule up to earlier in the chain. And if you really want to blacklist those addresses, it should be as early as possible in the chain, e.g. the first rule.

Michael Hampton
  • You're probably right, but you can't say that for sure as `iptables -L` without `-v` option hides interface names. – darkk Jul 28 '15 at 09:24
  • It's very unlikely that there are interface names on that rule. And that doesn't explain the downvote. You're supposed to downvote _wrong_ answers. – Michael Hampton Jul 28 '15 at 13:40
  • I expect to see interface names on rule `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0`. And your assumption is wrong, it was not me who downvoted the answer :-) – darkk Jul 29 '15 at 09:43
  • @darkk And you assumed that I meant you downvoted me, which is also wrong. – Michael Hampton Jul 29 '15 at 15:39
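The following POSIX shell script is an added example; it is not code from the question, the answer, or ipdeny. It does the two things discussed above: loads an ipdeny-style list into a `hash:net` set with `ipset restore` (set name `blacklist` and the `hashsize`/`maxelem` values are taken from the question), then inserts the DROP rule at position 1 of INPUT as the answer recommends. It also includes a reachability check that reads `iptables -S INPUT` rather than `iptables -L -n`, which addresses darkk's point: `-S` prints interface matches, so a rule such as `-A INPUT -i lo -j ACCEPT` is correctly treated as conditional, while only a rule with no match at all counts as a catch-all that would shadow the set rule. The function names `build_ipset_restore`, `check_order` and `install_blacklist` are my own; the chain in the usage comments is constructed. `--match-set` is the current option name; older iptables builds only know the `--set` spelling used in the question, and the check accepts both.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumptions: set name "blacklist" and the hash:net parameters come from
# the question; function names are my own; the list file is an ipdeny-style
# text file with one IPv4 address or CIDR per line.

# Emit an `ipset restore` script from the list on stdin. Only lines that
# look like an IPv4 address or CIDR are kept, so a stray comment or blank
# line cannot abort the restore half-way and leave a partially loaded set.
build_ipset_restore() {
    setname="$1"
    printf 'create %s hash:net family inet hashsize 2048 maxelem 65536\n' "$setname"
    tr -d '\r' \
      | grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$' \
      | sed "s/^/add $setname /"
}

# Read `iptables -S INPUT` on stdin and report whether the rule that
# references the set can ever be reached: it must come before the first
# unconditional terminating rule ("-A INPUT -j ACCEPT|DROP|REJECT" with no
# match at all). `-S` prints interfaces, so "-A INPUT -i lo -j ACCEPT" is
# treated as conditional; `-L -n` would hide that interface.
# Exit status: 0 reachable, 1 unreachable or no rule references the set.
check_order() {
    setname="$1"
    awk -v set="$setname" '
        /^-A INPUT / { n++ }
        /^-A INPUT / && !setpos && $0 ~ ("-m set (--match-set|--set) " set " src") { setpos = n }
        /^-A INPUT -j (ACCEPT|DROP|REJECT)( |$)/ && !catchpos { catchpos = n; catchtarget = $4 }
        END {
            if (!setpos) { print "no INPUT rule references set " set; exit 1 }
            if (catchpos && catchpos < setpos) {
                printf "set rule at %d, unconditional %s at %d: set rule is unreachable\n", setpos, catchtarget, catchpos
                exit 1
            }
            printf "set rule at %d is reachable\n", setpos
            exit 0
        }'
}

# Load the list and put the DROP rule first in INPUT, as the answer
# recommends. The -D before -I keeps re-runs from stacking duplicate rules.
# --match-set is the current option name; older iptables only accepts --set.
install_blacklist() {
    setname="$1"; listfile="$2"
    build_ipset_restore "$setname" < "$listfile" | ipset -exist restore
    iptables -D INPUT -m set --match-set "$setname" src -j DROP 2>/dev/null || true
    iptables -I INPUT 1 -m set --match-set "$setname" src -j DROP
    iptables -S INPUT | check_order "$setname"
}

# Usage (as root):  sh blacklist.sh apply blacklist /path/to/country.zone
# Check only:       iptables -S INPUT | sh blacklist.sh check blacklist
case "${1:-}" in
    apply) install_blacklist "$2" "$3" ;;
    check) check_order "$2" ;;
esac
```

Running the check against a chain laid out like the one in the question (a catch-all `-j DROP` before the set rule) prints `set rule at 7, unconditional DROP at 6: set rule is unreachable` and exits 1; after `install_blacklist` the set rule is at position 1 and the check exits 0. Inserting at position 1 also means the set is consulted before the `RELATED,ESTABLISHED` accept, which is the intent of a blacklist and costs one hash lookup per packet instead of a walk through 6200 rules.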