Hi Jozsef,

Thanks for your reply. Last question regarding IPSET: can I define the protocol in the portmap set type? I mean, can I do this?

ipset -N ports portmap
ipset -A ports tcp/53
ipset -A ports udp/53
ipset -A ports tcp/25
ipset -A ports tcp/110
......

If not, is there any way to do that?

Thanks in advance.

On 30 Mar 2005 at 9:57, Jozsef Kadlecsik wrote:

> Hi,
>
> On Tue, 29 Mar 2005, Jorge Agrelo wrote:
>
> > I want to block the offensive network list supplied by dshield
> > (http://feeds.dshield.org/block.txt) using the IPSET match. Could anybody tell me if the
> > following stuff is correct?
> >
> > ipset -N bogons-nets nethash
> > ipset -A bogons-nets 81.208.28.0/24
> > ipset -A bogons-nets 141.50.163.0/24
> > ..........
> > iptables -N blocklist
> > iptables -A blocklist -m set --set bogons-nets src,dst -j DROP
> > iptables -A INPUT -i ! lo -m state ! --state ESTABLISHED -j blocklist
> > iptables -A FORWARD -m state ! --state ESTABLISHED -j blocklist
> > iptables -A OUTPUT -o ! lo -m state ! --state ESTABLISHED -j blocklist
> >
> > I want to block the source and destination traffic from/to these
> > networks. I'm not sure how to use the tokens src and dst and
> > the set type (nethash) in IPSET?
>
> No, assuming you want to block access from and to the networks in the
> set bogons-nets:
>
> iptables -A blocklist -m set --set bogons-nets src -j DROP
> iptables -A blocklist -m set --set bogons-nets dst -j DROP
>
> Multiple 'src' and 'dst' tokens can be used when you bind set elements to
> other sets and want to follow the bindings, for example when you want
> to represent your servers by ipset:
>
> ipset -N servers ipmap ....
> ipset -A servers x.x.x.x
> ...
> ipset -N services portmap...
> ipset -A services ssh
> ...
> ipset -N clients iphash
> ipset -A clients y.y.y.y
> ...
> # Glue the corresponding set elements together with bindings
> ipset -B servers x.x.x.x -b services
> ipset -B services ssh -b clients
>
> # Restrict access to "all" servers on "all" service ports
> # from "all" allowed clients in one iptables rule
> iptables -A FORWARD -m set --set servers dst,dst,src -j ACCEPT
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
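Added example, not code from the thread or from the ipset project: a POSIX shell script that turns a dshield block.txt feed into the ipset and iptables commands discussed above, using the separate src and dst rules from Jozsef's reply rather than a single "src,dst" token. It assumes the feed layout (tab-delimited, start address, end address and mask length in the first three columns, "#" comments allowed); the sample feed is constructed, not real dshield data. The port_rules function shows one way to get per-protocol port matching with a set type that only holds port numbers, as portmap does in Jozsef's example: keep one portmap set per protocol and let the iptables rule supply the protocol with -p. That approach, the set names tcp-services and udp-services, and the chain name blocklist are this example's own choices, not an answer from the thread. The script only prints the commands; review the output before feeding it to a root shell.

```sh
#!/bin/sh
# Added example, not code from the thread. Generates ipset/iptables commands
# from a dshield block.txt feed. Assumptions: the feed is tab-delimited with
# start address, end address and mask length in the first three columns,
# '#' comments and blank lines are allowed, and the ipset 2.x command syntax
# used in the thread applies.

# Constructed sample in the assumed block.txt layout (not real feed data).
# The last record is deliberately malformed to exercise the validation.
feed_sample() {
  printf '%s\n' '# DShield.org Recommended Block List (constructed sample)'
  printf '%s\n' '# columns (tab delimited): start, end, netmask, attacks, name, country, email'
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 81.208.28.0 81.208.28.255 24 1000 EXAMPLE-NET IT abuse@example.net
  printf '\n'
  printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' 141.50.163.0 141.50.163.255 24 500 EXAMPLE-NET2 DE abuse@example.org
  printf '%s\t%s\t%s\n' not-an-address x 99
}

# Read a feed on stdin and emit the ipset commands that fill a nethash set
# named $1: one "ipset -A set start/masklen" line per record. Comments and
# blank lines are skipped; rows whose start address or mask length do not
# look sane are reported on stderr and dropped instead of reaching ipset.
feed_to_ipset() {
  set_name=$1
  printf 'ipset -N %s nethash\n' "$set_name"
  awk -F'\t' -v set="$set_name" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 > 32 {
      printf("skipped malformed feed line %d: %s\n", NR, $0) > "/dev/stderr"
      next
    }
    { printf("ipset -A %s %s/%s\n", set, $1, $3) }'
}

# Emit the firewall rules for the set named $1 on a chain named $2: one rule
# on the source address and one on the destination address, as in the reply.
# A single "src,dst" token is for following set bindings, not for this.
blocklist_rules() {
  set_name=$1
  chain=$2
  cat <<EOF
iptables -N $chain
iptables -A $chain -m set --set $set_name src -j DROP
iptables -A $chain -m set --set $set_name dst -j DROP
iptables -A INPUT ! -i lo -m state ! --state ESTABLISHED -j $chain
iptables -A FORWARD -m state ! --state ESTABLISHED -j $chain
iptables -A OUTPUT ! -o lo -m state ! --state ESTABLISHED -j $chain
EOF
}

# One way to match ports per protocol with a set type that holds only port
# numbers: one portmap set per protocol, with -p on the iptables rule
# supplying the protocol. This is the example's own approach, not an answer
# from the thread. $1 and $2 are space-separated tcp and udp port lists.
port_rules() {
  tcp_ports=$1
  udp_ports=$2
  printf 'ipset -N tcp-services portmap --from 1 --to 65535\n'
  for p in $tcp_ports; do printf 'ipset -A tcp-services %s\n' "$p"; done
  printf 'ipset -N udp-services portmap --from 1 --to 65535\n'
  for p in $udp_ports; do printf 'ipset -A udp-services %s\n' "$p"; done
  printf 'iptables -A INPUT -p tcp -m set --set tcp-services dst -j ACCEPT\n'
  printf 'iptables -A INPUT -p udp -m set --set udp-services dst -j ACCEPT\n'
}

# Stand-alone run ("sh script.sh demo"): print the generated commands so
# they can be reviewed before being fed to a root shell.
if [ "${1:-}" = "demo" ]; then
  feed_sample | feed_to_ipset bogons-nets
  blocklist_rules bogons-nets blocklist
  port_rules "25 53 110" "53"
fi
```

Run it against the real feed with "curl -s http://feeds.dshield.org/block.txt | feed_to_ipset bogons-nets" once the functions are sourced; anything the validation rejects shows up on stderr, so a changed feed format fails loudly instead of silently producing an empty set.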