* Problem with ipset and --in-interface
From: Nick Howitt @ 2017-03-26  8:06 UTC
  To: netfilter

Hi,
I'm new to the list so please forgive.

I have the following rule in my iptables:

iptables -w -I INPUT -i enp2S0 -m set --match-set country-list src -p tcp -m multiport ! --dports 25,80,443 -m state --state NEW -j DROP

but I've noticed it is not blocking. I tried checking using GRC's 
Shields Up test scanning port 993. If instead, I do:

iptables -w -I INPUT -m set --match-set country-list src -p tcp -m multiport ! --dports 25,80,443 -m state --state NEW -j DROP

It works. The problem seems to come when I use the -i selector. 
Do you know what I'm doing wrong?

I am using ClearOS7.3 (a CentOS7.3 derivative) with 
ipset-6.19-6.el7.x86_64 and iptables-1.4.21-17.v7.x86_64.

TIA,
Nick


* Re: Problem with ipset and --in-interface
From: Robert White @ 2017-03-27 18:29 UTC
  To: Nick Howitt, netfilter

On 03/26/17 08:06, Nick Howitt wrote:
> I have the following rule in my iptables:
> 
> iptables -w -I INPUT -i enp2S0 -m set --match-set country-list src -p
> tcp -m multiport ! --dports 25,80,443 -m state --state NEW -j DROP
> 
> but I've noticed it is not blocking. I tried checking using GRC's
> Shields Up test scanning port 993. If instead, I do:
> 
> iptables -w -I INPUT -m set --match-set country-list src -p tcp -m
> multiport ! --dports 25,80,443 -m state --state NEW -j DROP.
> 

There's nowhere near enough information in that post. In particular,
where are you running the "Shields Up" test? If it's not coming from
another computer on the enp2S0 adapter then it would, of course, not hit
this rule for not arriving on that adapter.

Now my suspicion is that upper-case letter "S". The default naming
scheme uses lower case letters. The name match is not checked at install
time because it's a wildcard enabled text match. So for instance I can
paste that command line in on my host:

iptables --append FORWARD -i blarg -j DROP

and it will go into my rule set just fine even though I don't have an
interface named "blarg". The rule will simply hang out, doing nothing,
until I rename an interface to "blarg".

So I'd guess that you need to double-check that argument for correctness.

The rule isn't matching because the interface name doesn't match.

--Rob.
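A quick sanity check along the lines of Rob's point, added here as an example and not part of the thread: given an iptables-save style dump and the host's interface list, it flags every -i/-o name that resolves to no interface, matching names case-sensitively and treating a trailing `+` as the prefix wildcard. The sample rules and interface names are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread: iptables does not verify -i/-o
# names at insert time, the match is case-sensitive, and a trailing '+' is
# a prefix wildcard, so a rule naming "enp2S0" simply never matches.

# Constructed sample dump; the first rule is the thread's rule as posted.
SAMPLE_RULES='-A INPUT -i enp2S0 -m set --match-set country-list src -p tcp -m multiport ! --dports 25,80,443 -m state --state NEW -j DROP
-A INPUT -i enp2s0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth+ -o blarg -j DROP
-A INPUT -i lo -j ACCEPT'

# Interfaces present on this host, space separated (read from sysfs).
list_interfaces() {
    ls /sys/class/net 2>/dev/null | tr '\n' ' '
}

# iface_exists NAME "IFACE LIST": exact match, or prefix match for "NAME+".
iface_exists() {
    want=$1; have=$2
    case $want in
        *+) [ -z "${want%+}" ] && return 0 ;;   # a bare "+" matches anything
    esac
    for have_if in $have; do
        case $want in
            *+) [ "${have_if#"${want%+}"}" != "$have_if" ] && return 0 ;;
            *)  [ "$have_if" = "$want" ] && return 0 ;;
        esac
    done
    return 1
}

# dangling_interfaces "RULES" "IFACE LIST": prints one line per -i/-o
# argument that resolves to no interface; empty output means all resolve.
dangling_interfaces() {
    rules=$1; ifaces=$2
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        set -f; set -- $rule           # split the rule into words, no globbing
        while [ $# -gt 0 ]; do
            case $1 in
                -i|-o|--in-interface|--out-interface)
                    iface_exists "$2" "$ifaces" ||
                        printf '%s %s: no such interface (rule: %s)\n' "$1" "$2" "$rule"
                    shift ;;
            esac
            shift
        done
    done
}

# Stand-alone run: check the constructed sample against this host's interfaces.
dangling_interfaces "$SAMPLE_RULES" "$(list_interfaces)"
```

On a real host, feed it `iptables-save` output instead of the constructed sample and the host's own interface list from `list_interfaces`.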


* Re: Problem with ipset and --in-interface
From: Nick Howitt @ 2017-03-27 18:53 UTC
  To: Robert White, netfilter

OK I feel a prat but you've pointed out the error. "s" and not "S". I 
could not see the wood from the trees.

FWIW, the Shields Up test is an external port scanner at grc.com. It is 
not fully functional in that it only scans tcp and always tries to give 
a fail if it can ping you.

Regards,

Nick

On 27/03/2017 19:29, Robert White wrote:
> On 03/26/17 08:06, Nick Howitt wrote:
>> I have the following rule in my iptables:
>>
>> iptables -w -I INPUT -i enp2S0 -m set --match-set country-list src -p
>> tcp -m multiport ! --dports 25,80,443 -m state --state NEW -j DROP
>>
>> but I've noticed it is not blocking. I tried checking using GRC's
>> Shields Up test scanning port 993. If instead, I do:
>>
>> iptables -w -I INPUT -m set --match-set country-list src -p tcp -m
>> multiport ! --dports 25,80,443 -m state --state NEW -j DROP.
>>
> There's nowhere near enough information in that post. In particular,
> where are you running the "shileds up" test? If it's not coming from
> another computer on the enp2S0 adapter then it would, of course, not hit
> this rule for not arriving on that adapter.
>
> Now my suspicion is that upper-case letter "S". The default naming
> scheme uses lower case letters. The name match is not checked at install
> time because it's a wildcard enabled text match. So for instance I can
> paste that command line in on my host:
>
> iptables --append FORWARD -i blarg -j DROP
>
> and it will go into my rule set just fine even though I don't have an
> interface named "blarg". The rule will simply hang out, doing nothing,
> until I rename an interface to "blarg".
>
> So I'd guess that you need to double-check that argument for correctness.
>
> The rule isn't matching because the interface name doesn't match.
>
> --Rob.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



* Re: Problem with ipset and --in-interface
From: Robert White @ 2017-03-27 19:18 UTC
  To: Nick Howitt, netfilter

On 03/27/17 18:53, Nick Howitt wrote:
> OK I feel a prat but you've pointed out the error. "s" and not "S". I
> could not see the wood from the trees.

It happens to the best of us. I aborted an install the other day because
I was looking at the wrong end of an asymmetric cable. Same shell but
different number of pins. /sigh.


