I have a script that populates ipsets and then I do:
/sbin/iptables -I INPUT -m set --match-set ipsum src -j DROP
Now I'm not sure how this works out for other ports, but I know that if I want the addresses included in "ipsum" not to access 80 and 443 I have to add the following 2 commands.
/sbin/iptables -A FORWARD -p tcp --dport 443 -m set --match-set ipsum dst -j DROP
/sbin/iptables -A FORWARD -p tcp --dport 80 -m set --match-set ipsum dst -j DROP
I verified that the last 2 commands work, as I tested them.
I'm not sure why the first command was not enough to do that.
I should specify that I also have ufw and that one of the first lines is:
443 ALLOW Anywhere
Which is translated in iptables to:
Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:80
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT udp -- anywhere anywhere udp dpt:443
So I'm guessing there's an order of precedence here.
But then what I don't understand is: if the ufw rules take precedence, then my adding
/sbin/iptables -A FORWARD -p tcp --dport 443 -m set --match-set ipsum dst -j DROP
wouldn't change anything. But it does.
So I'm not sure what's going on...
Any ideas are most welcome.
But mostly I guess my question would be: is there a way to achieve the same results with 1 command?
Can I replace
/sbin/iptables -I INPUT -m set --match-set ipsum src -j DROP
with another line that would do the trick and block all ports for addresses in this set?
I managed a workaround by blocking all ports in the FORWARD chain:
/sbin/iptables -A FORWARD -p tcp --dport 0:65535 -m set --match-set ipsum dst -j DROP
But it's not a very elegant solution, so I'm not satisfied.
@A.B thanks for your answer.
I listed the FORWARD chain with the following results:
(sorry, that makes a long post)
iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
DROP tcp -- anywhere anywhere tcp dpt:https match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set fireh dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set blockde dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set tornodes dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set fireh dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set blockde dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set tornodes dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set ipsum dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set fireh dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set fireh dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set blockde dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set blockde dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set tornodes dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set tornodes dst
DROP tcp -- anywhere anywhere tcp dpt:https match-set russia dst
DROP tcp -- anywhere anywhere tcp dpt:http match-set russia dst
DROP tcp -- anywhere anywhere tcp match-set ipsum dst
DROP tcp -- anywhere anywhere tcp match-set ipsum dst
DROP tcp -- anywhere anywhere tcp match-set fireh dst
DROP tcp -- anywhere anywhere tcp match-set blockde dst
DROP tcp -- anywhere anywhere tcp match-set tornodes dst
DROP tcp -- anywhere anywhere tcp match-set russia dst
DROP tcp -- anywhere anywhere tcp match-set ipsum dst
DROP tcp -- anywhere anywhere tcp match-set fireh dst
DROP tcp -- anywhere anywhere tcp match-set blockde dst
DROP tcp -- anywhere anywhere tcp match-set tornodes dst
DROP tcp -- anywhere anywhere tcp match-set ipsum dst
DROP tcp -- anywhere anywhere tcp match-set fireh dst
DROP tcp -- anywhere anywhere tcp match-set blockde dst
DROP tcp -- anywhere anywhere tcp match-set tornodes dst
DROP all -- anywhere anywhere match-set ipsum src
DROP tcp -- anywhere anywhere tcp match-set ipsum dst
DROP tcp -- anywhere anywhere tcp match-set fireh dst
DROP tcp -- anywhere anywhere tcp match-set blockde dst
DROP tcp -- anywhere anywhere tcp match-set tornodes dst
DROP all -- anywhere anywhere match-set tornodes src
First comment: obviously what I tried to do with
iptables -A FORWARD -p tcp --dport 0:65535 -m set --match-set ipsum dst -j DROP
did not work, as there's no trace of it in the listing.
Now I'm no iptables specialist, so I seem to be confused between src and dst.
For me, src applied to incoming requests and dst to outgoing.
But that doesn't seem to be the case here. Because
iptables -A FORWARD -p tcp --dport 80 -m set --match-set ipsum dst -j DROP
did block connections to port 80 from outside.
You will also notice in the listing the line:
DROP all -- anywhere anywhere match-set ipsum src
resulting from a command I tried:
iptables -A FORWARD -m set --match-set ipsum src -j DROP
Following the port logic (if I want to block incoming requests I should use dst), does that mean that I should specify dst instead of src for it to work correctly?
Again, sorry for so much text...
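Added example for the question above (blocking every port for one ipset without a per-port rule, and which of src/dst to use). This is not code from the original post, nor from A.B's answer; it is an illustration written for this page. It assumes the ipset (here "ipsum") already exists, that Docker is installed so the DOCKER-USER chain seen at the top of the FORWARD listing is present (it falls back to FORWARD otherwise), and it uses a hypothetical IPT variable so the script can be previewed without root. It goes beyond the post by also blocking outbound traffic to the set and by making every rule insertion idempotent, which avoids the stacked duplicate DROP lines visible in the listing.

```shell
#!/bin/sh
# Added example, not code from the original post. Installs blocklist DROP
# rules for one ipset in the chains a packet actually traverses, and does so
# idempotently so that re-running the script never duplicates rules.
# Assumptions: the ipset (here "ipsum") already exists, Docker is installed
# (the FORWARD listing shows DOCKER-USER as its first chain), and IPT is a
# hypothetical override (e.g. IPT=echo) to preview the commands without root.
IPT="${IPT:-/sbin/iptables}"

# Return 0 if the chain exists. "iptables -L" on an unknown chain exits non-zero.
chain_exists() {
    "$IPT" -n -L "$1" >/dev/null 2>&1
}

# Insert a rule at the top of a chain unless an identical rule is already
# there. "iptables -C" exits 0 when the rule exists; appending blindly with
# -A on every run is what produces stacked duplicate DROP lines.
ensure_rule() {
    chain="$1"; shift
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -I "$chain" 1 "$@"
}

# Block every port and protocol for addresses in the set.
#  - "src" matches the address a packet comes from (the remote client);
#    "dst" matches the address a packet is going to.
#  - Connections to services running on the host itself pass through INPUT.
#  - Connections to Docker-published ports are DNATed in PREROUTING and then
#    pass through FORWARD, never INPUT, so an INPUT-only rule does not see
#    them. Docker evaluates DOCKER-USER before its own FORWARD rules, which
#    is where user rules belong; fall back to FORWARD if Docker is absent.
block_set() {
    set_name="$1"
    fwd_chain=FORWARD
    if chain_exists DOCKER-USER; then
        fwd_chain=DOCKER-USER
    fi
    # Inbound: clients in the set may not reach the host or its containers.
    ensure_rule INPUT        -m set --match-set "$set_name" src -j DROP
    ensure_rule "$fwd_chain" -m set --match-set "$set_name" src -j DROP
    # Outbound: the host and its containers may not contact addresses in the
    # set either (e.g. a compromised container calling home).
    ensure_rule OUTPUT       -m set --match-set "$set_name" dst -j DROP
    ensure_rule "$fwd_chain" -m set --match-set "$set_name" dst -j DROP
}

# Remove the rules again. "-D" exits non-zero once no matching rule is left,
# or when the chain does not exist, so the loops terminate on their own.
unblock_set() {
    set_name="$1"
    for chain in INPUT FORWARD DOCKER-USER OUTPUT; do
        for dir in src dst; do
            while "$IPT" -D "$chain" -m set --match-set "$set_name" "$dir" -j DROP 2>/dev/null; do
                :
            done
        done
    done
}

# Usage (as root):        BLOCKLIST_SET=ipsum sh blocklist.sh
# Preview without root:   IPT=echo BLOCKLIST_SET=ipsum sh blocklist.sh
case "${BLOCKLIST_SET:-}" in
    "") ;;
    *)  block_set "$BLOCKLIST_SET" ;;
esac
```

Because the rules are inserted at position 1 of INPUT and DOCKER-USER, they are evaluated before the ufw chains and before Docker's own ACCEPT rules, so the first packet from a blocked source is dropped and no connection state is ever created. Check placement with `iptables -nvL INPUT --line-numbers` and `iptables -nvL DOCKER-USER --line-numbers`.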