Hi,

On Tue, 29 Mar 2005, Jorge Agrelo wrote:

> I want to block the offensive network list supplied by dshield
> (http://feeds.dshield.org/block.txt) using the IPSET match; can anybody tell me if the
> following stuff is correct.
>
> ipset -N bogons-nets nethash
> ipset -A bogons-nets 81.208.28.0/24
> ipset -A bogons-nets 141.50.163.0/24
> ..........
> iptables -N blocklist
> iptables -A blocklist -m set --set bogons-nets src,dst -j DROP
> iptables -A INPUT -i ! lo -m state ! --state ESTABLISHED -j blocklist
> iptables -A FORWARD -m state ! --state ESTABLISHED -j blocklist
> iptables -A OUTPUT -o ! lo -m state ! --state ESTABLISHED -j blocklist
>
> I want to block the source and destination traffic from/to these
> networks; I'm not sure regarding how to use the tokens src and dst and
> the set type (nethash) in IPSET???

No, assuming you want to block access from and to the networks in the set bogons-nets:

iptables -A blocklist -m set --set bogons-nets src -j DROP
iptables -A blocklist -m set --set bogons-nets dst -j DROP

Multiple 'src' and 'dst' tokens can be used when you bind set elements to other sets and want to follow the bindings, for example when you want to represent your servers by ipset:

ipset -N servers ipmap ....
ipset -A servers x.x.x.x
...
ipset -N services portmap...
ipset -A services ssh
...
ipset -N clients iphash
ipset -A clients y.y.y.y
...
# Glue the corresponding set elements together with bindings
ipset -B servers x.x.x.x -b services
ipset -B services ssh -b clients
# Restrict access to "all" servers on "all" service ports
# from "all" allowed clients in one iptables rule
iptables -A FORWARD -m set --set servers dst,dst,src -j ACCEPT

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
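The two ways the set match is used in this thread (a single 'src' or 'dst' lookup in a nethash, and the 'dst,dst,src' walk through bindings) are modelled below as an added, constructed example; it is not ipset's or netfilter's code. The set contents, the server 192.0.2.10, the client 10.0.0.5 and the packets are made-up sample data, and bindings are keyed by the textual element so that addresses and ports share one table.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the ipset match: an "ip"-type set (ipmap, iphash, nethash)
# is consulted with the packet's src/dst address, a "port"-type set (portmap)
# with its source/destination port. Each token of the match walks one step.
IpSet = namedtuple("IpSet", "kind members")

def new_ipset(kind, members):
    if kind == "ip":
        return IpSet("ip", frozenset(ipaddress.ip_network(m) for m in members))
    return IpSet("port", frozenset(members))

def in_set(s, value):
    if s.kind == "ip":
        return any(value in net for net in s.members)  # nethash-style lookup
    return value in s.members                          # portmap lookup

def parse_packet(src, dst, sport, dport):
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport}

def set_match(sets, bindings, name, tokens, pkt):
    """Token i selects which packet field is looked up in the current set; the
    binding of the matched element selects the set used for token i+1."""
    cur = name
    for i, tok in enumerate(tokens):
        s = sets[cur]
        value = pkt[tok] if s.kind == "ip" else pkt["sport" if tok == "src" else "dport"]
        if not in_set(s, value):
            return False
        if i < len(tokens) - 1:
            cur = bindings.get((cur, str(value)))  # follow "ipset -B cur value -b next"
            if cur is None:
                return False
    return True

# Sample sets mirroring the thread (constructed values).
SETS = {
    "bogons-nets": new_ipset("ip", ["81.208.28.0/24", "141.50.163.0/24"]),
    "servers": new_ipset("ip", ["192.0.2.10"]),
    "services": new_ipset("port", [22]),
    "clients": new_ipset("ip", ["10.0.0.5"]),
}
# "ipset -B servers 192.0.2.10 -b services" and "ipset -B services 22 -b clients"
BINDINGS = {("servers", "192.0.2.10"): "services", ("services", "22"): "clients"}
```

Calling `set_match(SETS, BINDINGS, "servers", ["dst", "dst", "src"], pkt)` reproduces the FORWARD rule: it accepts only a packet whose destination is a listed server, whose destination port is a bound service, and whose source is a bound client.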