How to block certain protocols with ipset?

The thing is, I currently have 3 virtual test machines: Client1, IP 192.168.1.10; Client2, IP 192.168.2.20; and Router, with IPs 192.168.1.1 and 192.168.2.1, as the gateway connecting Client1 and Client2.
On Router, I have a hash:ip,port set, for example:
ipset add myset 192.168.2.20,tcp:80
ipset add myset 192.168.2.20,tcp:443
On Client2 I have nginx set up to listen on port 80, and I don't want Client1 to be able to connect to Client2 via TCP on port 80, so on Router I add a rule:
iptables -A FORWARD -m set --match-set myset dst -j DROP
On Client1 I run wget 192.168.2.20/index.html and, due to my iptables rule on Router, Client1 shouldn't be able to connect to Client2 and grab index.html; however, it doesn't work and the file can be successfully retrieved.
The problem occurs only with the hash:ip,port set type of ipset. If I choose the hash:ip type and move the protocol/port part out of ipset into iptables, everything works fine. However, I need to use ipset specifically, to be able to swap block lists at any time.
What am I doing wrong? All 3 VMs are running Ubuntu 17.04, minimal installation, no GUI.
ubuntu iptables routing ipset
asked Oct 3 '17 at 20:00
Groosha
1 Answer
(accepted)
Thanks to this comment, the problem is solved:
Instead of
iptables -A FORWARD -m set --match-set myset dst -j DROP
I had to use
iptables -A FORWARD -m set --match-set myset dst,dst -j DROP
(two dst instead of one)
answered Oct 5 '17 at 7:05
Groosha
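The reason the accepted answer works: for --match-set, iptables expects one src/dst flag per dimension of the set type, in the order the type lists them, so a hash:ip,port set needs two flags (ip direction, then port direction). A lone "dst" against a two-dimensional set never matches, which is why the wget succeeded. The script below is an added example, not code from the question or the answer: it derives the expected flag count from the set's type name, refuses to emit a FORWARD rule whose flag list does not match, and stages a block-list replacement as the asker wanted (fill a temporary set, ipset swap it in, destroy the old one), so the set is never empty mid-update. The function names, the DRY_RUN convention and the helper names are assumptions of this example; with DRY_RUN=1 (the default) it only prints the ipset/iptables commands, so it can be run without root.

```shell
#!/bin/sh
# Added example (not from the original post): build an ipset-based FORWARD
# drop rule with one --match-set flag per set dimension, and replace a
# block list atomically with "ipset swap".
# DRY_RUN=1 prints the ipset/iptables commands; DRY_RUN=0 executes them
# (requires root and the ip_set kernel modules).
DRY_RUN=${DRY_RUN:-1}

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Number of dimensions in an ipset type name: hash:ip -> 1, hash:ip,port -> 2.
set_dims() {
  printf '%s\n' "${1#*:}" | awk -F, '{ print NF }'
}

# Number of comma-separated src/dst flags in a --match-set flag list.
flag_count() {
  printf '%s\n' "$1" | awk -F, '{ print NF }'
}

# Print the iptables FORWARD rule for SET of TYPE with FLAGS, or fail when
# the flag count does not match the set's dimensions (the mistake in the
# question: a single "dst" against a hash:ip,port set matches nothing).
forward_drop_rule() {
  set_name=$1; set_type=$2; flags=$3
  dims=$(set_dims "$set_type")
  if [ "$dims" -ne "$(flag_count "$flags")" ]; then
    printf 'error: %s needs %s flags, got "%s"\n' "$set_type" "$dims" "$flags" >&2
    return 1
  fi
  printf 'iptables -A FORWARD -m set --match-set %s %s -j DROP\n' "$set_name" "$flags"
}

# Replace the contents of SET (of TYPE) with the entries given as the
# remaining arguments, without a window in which the set is empty:
# fill a temporary set, swap it in, destroy the previous contents.
swap_blocklist() {
  set_name=$1; set_type=$2; shift 2
  tmp="${set_name}_new"
  run ipset create "$tmp" "$set_type"
  for entry in "$@"; do
    run ipset add "$tmp" "$entry"
  done
  run ipset swap "$tmp" "$set_name"
  run ipset destroy "$tmp"
}

# Scenario from the question: on Router, stop Client1 reaching Client2's
# nginx on tcp/80 and tcp/443 (addresses are the question's own).
main() {
  run ipset create -exist myset hash:ip,port
  swap_blocklist myset hash:ip,port 192.168.2.20,tcp:80 192.168.2.20,tcp:443
  rule=$(forward_drop_rule myset hash:ip,port dst,dst) && run $rule
}

main
```

Run it once with the default DRY_RUN=1 and compare the printed rule against the one in the accepted answer; then, on the router, run it as root with DRY_RUN=0. To confirm the rule is actually matching afterwards, check the packet counters with "iptables -L FORWARD -v -n" after repeating the wget from Client1: the DROP rule's counters should now increase.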