Problem solved!
The following command has to come at the bottom, not at the top:
iptables -A INPUT -m set --match-set blacklist src -j REJECT
U.Mutlu wrote on 10/17/23 01:30:
Jozsef, thanks. I modified it slightly, but it still doesn't work.
Can you please inspect why this is not calling the MY_MISC chain?
The adding via the MY_ADD chain works fine, but the subsequent MY_MISC isn't
getting called.
firewall.sh :
-------------
#...
ipset destroy blacklist
ipset create blacklist hash:ip hashsize 4096 timeout 300 counters
iptables -N MY_ADD
iptables -A MY_ADD -j SET --exist --add-set blacklist src
iptables -A MY_ADD -j RETURN
iptables -N MY_MISC
#...
iptables -A MY_MISC -j RETURN
#...
iptables -A INPUT -m set ! --match-set blacklist src -j MY_ADD
iptables -A INPUT -m set --match-set blacklist src --packets-gt 2 -j MY_MISC
#...
Jozsef Kadlecsik wrote on 10/16/23 21:54:
On Mon, 16 Oct 2023, U.Mutlu wrote:
could a kind soul please check why the ipset "match-set" rule below isn't
working.
It jumps to the chain MY2 only if "--packets-gt 0" or
"--packets-gt 1" is used, but not for any higher values! :-)
I'm new to ipset, but this very much looks like a bug in iptables or ipset,
IMHO.
firewall.sh :
-------------
#...
ipset destroy blacklist
ipset create blacklist hash:ip hashsize 4096 timeout 300 counters
#...
iptables -N MY2
#...
iptables -A MY2 -j RETURN
#...
iptables -A INPUT -j SET --exist --add-set blacklist src
iptables -A INPUT -m set --match-set blacklist src --packets-gt 2 -j MY2
Reverse the order of the rules above. With the first one you continuously
(re)add the elements to the set with packet number 1.
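The ordering the thread ends up with (count before add, REJECT at the bottom), as an added example that is not the poster's firewall.sh and not anything Jozsef posted: the same rules written as ipset restore and iptables-restore input, so the order can be reviewed, and checked, before anything is loaded. The set name, the chains MY_ADD/MY_MISC and the `--packets-gt 2` threshold come from the thread; the `! --update-counters` flag on the REJECT rule, the function names and the `--apply` switch are my assumptions, and the site-specific rules the thread elides with `#...` stay elided.

```shell
#!/bin/sh
# Added example, not the poster's firewall.sh: the rule set in the order the
# thread arrives at, emitted as ipset restore / iptables-restore input so the
# ordering can be reviewed before it is loaded. Names taken from the thread:
# set "blacklist", chains MY_ADD and MY_MISC, threshold "--packets-gt 2".
# Assumed (mine): "! --update-counters" on the REJECT rule, the function names
# and the --apply switch. Rules the thread elides with "#..." are left out.
set -eu

# ipset restore input: the same set the thread creates (hash:ip, 300 s timeout,
# per-element packet/byte counters). Loaded with "ipset -exist restore" so an
# identical existing set is not an error.
ipset_restore_input() {
    cat <<'EOF'
create blacklist hash:ip hashsize 4096 timeout 300 counters
EOF
}

# iptables-restore input for the filter table. Lines starting with '#' are
# skipped by iptables-restore, so the comments can stay in the rule file.
iptables_restore_input() {
    cat <<'EOF'
*filter
:MY_ADD - [0:0]
:MY_MISC - [0:0]
-A MY_ADD -j SET --exist --add-set blacklist src
-A MY_ADD -j RETURN
# whatever MY_MISC does goes here; the thread shows only the RETURN
-A MY_MISC -j RETURN
# 1. Count first. "-m set" updates the element's packet counter for every
#    packet that reaches this rule and then compares it against --packets-gt.
-A INPUT -m set --match-set blacklist src --packets-gt 2 -j MY_MISC
# 2. Add only sources that are not yet in the set. An unconditional
#    "-j SET --exist --add-set" placed before rule 1 re-adds the element on
#    every packet and resets its counter, so --packets-gt 2 never matches.
-A INPUT -m set ! --match-set blacklist src -j MY_ADD
# 3. Reject last. At the top, this rule would swallow every packet from a
#    listed source before rule 1 could count it. "! --update-counters" keeps
#    this rule from bumping the same packet into the counter a second time.
-A INPUT -m set --match-set blacklist src ! --update-counters -j REJECT
COMMIT
EOF
}

# The INPUT rules in the order iptables-restore will load them.
input_rules() {
    iptables_restore_input | grep '^-A INPUT '
}

# Load both rule sets. Needs root. Plain iptables-restore replaces the whole
# filter table, which is what a from-scratch firewall.sh wants; the elided
# site-specific rules belong in the same input.
apply() {
    ipset_restore_input | ipset -exist restore
    iptables_restore_input | iptables-restore
}

case "${1:-}" in
    --apply) apply ;;
    *)       ipset_restore_input; iptables_restore_input ;;
esac
```

Run without arguments to print both rule files for review, with `--apply` to load them. The set must exist before iptables-restore reads a rule that references it, which is why the ipset input is loaded first.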