Score:0

Using an ipset to block IPs

gi flag

What is the iptables command to block all of the IPs in an ipset? I've tried INPUT and OUTPUT and src and dst, but nothing I've tried works.

The machine is my home router doing masquerade; it has two outbound interfaces which fail-over.

Here is my iptables script:

# cat bin/iptables.sh
#!/bin/sh

iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# Blocker: create the set if it does not exist yet
ipset -L blocked >/dev/null 2>&1
if [ $? -ne 0 ]
then
        echo "Creating ipset: blocked"
        ipset create blocked hash:ip
fi

if [ -f /root/blocked_domains.txt ]
then
        ipset flush blocked
        # Resolve each domain and add its IPv4 A records to the set
        for domain in $(cat /root/blocked_domains.txt); do
                for address in $( dig a "$domain" +short | grep -P -e '^(\d{1,3}\.){3}\d{1,3}$' ); do
                        echo "$domain -> $address"
                        ipset add blocked "$address"
                done
        done

        ipset -L blocked >/dev/null 2>&1
        if [ $? -eq 0 ]
        then
                echo "Blocking"
                # # # What goes here? # # #
                iptables -A INPUT -m set --match-set blocked src -j DROP
        fi
fi

# Only allow things on this box to use the failover connection (limited data allowance.)
iptables -A FORWARD -s localhost -j ACCEPT
iptables -A FORWARD -s 192.168.1.0/24 -o enp0s6f1u2 -j DROP

# Masquerade
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -o wlan0      -j MASQUERADE
iptables -t nat -A POSTROUTING -o enp0s6f1u2 -j MASQUERADE

Update

# iptables -vnL INPUT
Chain INPUT (policy ACCEPT 15M packets, 16G bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocked src

(Truncated; but clearly this is the relevant line.)

Another update

I've also got myself confused because one of the domains I'm trying to block seems to be changing its IP (different replies from the same nameserver -- which is the WiFi hotspot on my Android phone.)

# date; dig b.scorecardresearch.com
Fri  2 Jul 09:34:36 BST 2021

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> b.scorecardresearch.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3185
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;b.scorecardresearch.com.       IN      A

;; ANSWER SECTION:
b.scorecardresearch.com. 1      IN      A       143.204.198.94
b.scorecardresearch.com. 1      IN      A       143.204.198.59
b.scorecardresearch.com. 1      IN      A       143.204.198.111
b.scorecardresearch.com. 1      IN      A       143.204.198.90

;; Query time: 35 msec
;; SERVER: 192.168.43.214#53(192.168.43.214)
;; WHEN: Fri Jul 02 09:34:36 BST 2021
;; MSG SIZE  rcvd: 116


# date; dig b.scorecardresearch.com
Fri  2 Jul 09:34:51 BST 2021

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> b.scorecardresearch.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52849
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;b.scorecardresearch.com.       IN      A

;; ANSWER SECTION:
b.scorecardresearch.com. 24     IN      A       99.84.15.95
b.scorecardresearch.com. 24     IN      A       99.84.15.83
b.scorecardresearch.com. 24     IN      A       99.84.15.117
b.scorecardresearch.com. 24     IN      A       99.84.15.65

;; Query time: 63 msec
;; SERVER: 192.168.43.214#53(192.168.43.214)
;; WHEN: Fri Jul 02 09:34:51 BST 2021
;; MSG SIZE  rcvd: 116


it flag
You need to create an iptables rule that references the ipset. https://serverfault.com/questions/837705/configure-iptables-with-ipset
gi flag
That's my question: what is that command? This command isn't working: `iptables -A INPUT -m set --match-set blocked src -j DROP`.
it flag
Sorry I missed the reference you have in the snippet. I can see it now. What does the output of `iptables -vnL INPUT` show? Does it show any hits against that rule?
it flag
It could be the case that you've applied this to the wrong chain? `INPUT` is for stuff destined to the actual host. Is your intent to block routed or NAT'd traffic going through the host instead? If so, you will not get any hits on the `INPUT` chain, and you'll need to modify the matching rule to be either in the `FORWARD` chain or some appropriate NAT rule in the `POSTROUTING` chain.
Score:1
cw flag

Here's an example

ipset create banned_hosts hash:net family inet hashsize 1048576 maxelem 1500000 counters comment

Here's the iptables rule

iptables -t nat -A PREROUTING -i eth0 -m set --match-set banned_hosts src -j DROP
gi flag
I have to use `FORWARD` not `PREROUTING` because `iptables v1.8.2 (nf_tables): Chain 'PREROUTING' does not exist`. Furthermore I believe that in `iptables` (unlike `ipchains`) the `INPUT` chain only matches packets that are destined for the localhost. I have also got myself confused because one of the domains I'm trying to block (an ad server) seems to change its IP every few minutes.
it flag
@RichardBarraclough Make sure you are using `-t nat` arguments in your iptables command. I have working iptables ipset rules running on the `PREROUTING` chain.
it flag
I think the `-j DROP` target needs adjusted to be `-j RETURN` on `-t nat` chains also. If someone could confirm that, please edit the above answer accordingly.
cw flag
The OP wants to block IP addresses; `-j RETURN` does not do this. You want `-j DROP`. You could use `-j REJECT`, but that sends packets back to the source indicating a rejection. This is definitely not something you want to waste bandwidth on, as you're just sending to a port-scanning bot.
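Pulling the thread together (routed traffic is seen in `FORWARD`, not `INPUT`, and the dig output shows the ad server rotating through CDN addresses), here is an added example script; it is not the original poster's script or the answerer's code. Its assumptions, which are not in the original: LAN clients initiate the connections, so in `FORWARD` the blocked address is the destination (`dst`) rather than the source the question matched on; the set name, the 900-second entry timeout and the `DRY_RUN` switch are illustrative.

```shell
#!/bin/sh
# Added example (not the original poster's script or the answer's): populate
# an ipset from a domain list and drop matches in the chains that routed
# traffic actually traverses. Assumptions not in the original: LAN clients
# initiate the connections, so in FORWARD the blocked address is the
# destination (dst); SET_NAME, ENTRY_TTL and DRY_RUN are illustrative.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 as root applies them.
: "${DRY_RUN:=1}"
SET_NAME=blocked
ENTRY_TTL=900                    # seconds; rotating CDN addresses age out

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Keep only dotted-quad lines: dig +short also prints CNAME targets.
extract_ipv4() { grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Create the set once (-exist makes this idempotent). It is not flushed on
# each run, so addresses seen in earlier DNS answers stay until they expire.
ensure_set() { run ipset -exist create "$SET_NAME" hash:ip timeout "$ENTRY_TTL"; }

# Resolve every domain in the file and (re)add its A records with a fresh TTL.
populate_set() {
    while read -r domain; do
        [ -n "$domain" ] || continue
        for address in $(dig +short a "$domain" | extract_ipv4); do
            run ipset -exist add "$SET_NAME" "$address" timeout "$ENTRY_TTL"
        done
    done < "$1"
}

# Insert at the top (-I) so the DROP precedes any ESTABLISHED,RELATED accept;
# iptables -C skips the insert when an identical rule is already present.
add_rule() {
    chain=$1; shift
    if [ "$DRY_RUN" = 1 ] || ! iptables -C "$chain" "$@" 2>/dev/null; then
        run iptables -I "$chain" "$@"
    fi
}

block_rules() {
    add_rule FORWARD -m set --match-set "$SET_NAME" dst -j DROP  # LAN -> blocked host
    add_rule FORWARD -m set --match-set "$SET_NAME" src -j DROP  # blocked host -> LAN
    add_rule INPUT   -m set --match-set "$SET_NAME" src -j DROP  # to the router itself
    add_rule OUTPUT  -m set --match-set "$SET_NAME" dst -j DROP  # from the router itself
}

ensure_set
if [ -f /root/blocked_domains.txt ]; then populate_set /root/blocked_domains.txt; fi
block_rules
```

Run it periodically (cron every few minutes) so newly rotated addresses are added before the old ones expire; `iptables -vnL FORWARD` should then show the packet counters on the `dst` rule climbing when a LAN client hits a blocked host.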