[inetquestion]

Saved an entry in Administration>Commands>Firewall

[code]
iptables -I FORWARD -m set --match-set BLOCKED src -j logdrop
[/code]


Verified the entry above was saved to /tmp/.rc_firewall.

[code]
cat /tmp/.rc_firewall
#!/bin/sh
iptables -I FORWARD -m set --match-set BLOCKED src -j logdrop
[/code]

When router is rebooted, looking at iptables FORWARD chain, there is no entry corresponding to what I expected from the firewall script. Appears it didn't run at all. If I run it manually, and then look at the FORWARD chain it's there. Why is this not running automatically at startup?

[egc]

What router and which build number are you using?

How (and when) is the BLOCKED set made ?

[dale_gribble39]

Why are you setting match-set twice?

https://ipset.netfilter.org/iptables.man.html

[inetquestion]

Currnetly running version: v3.0-r51306
Linksys WRT3200ACM

Many IPs were added to an ipset list named BLOCKED. This part is working. The part I'm confused about is why doesn't the rule below which is set in the firewall script section result in a rule within the FORWARD table. If I manually run the script it works, just not after a reboot.

Based on what's detailed here, I followed this example.
https://malware.expert/howto/ipset-with-iptables

iptables -I FORWARD -m set --match-set BLOCKED src -j logdrop

I agree, this looks duplicated/incorrect, but changing to anything simpler doesn't work. What is above does work, just not during reboots, which was the point of the post.

[egc]

[dale_gribble39]

It looks as if it is created via ipset itself, considering the example given.

[inetquestion]

The ipset list is created by an external process which updates every minute with new entries. Think I see what you mean...

A test showed I'm unable to issue the iptables command if the ipset part hasn't been done already. Updated the firewall script to this:

ipset -! create BLOCKED hash:ip;
iptables -I FORWARD -m set --match-set BLOCKED src -j logdrop

Will check after reboot to see if this solves it. Thanks!

[inetquestion]

Adding ipset command in the firewall script first fixed it. Didn't realize iptables did a verification to ensure that existed, but it makes sense now. :)

Thanks for the assistance!

[inetquestion]

Out of curiosity, why is using ipset so much faster than adding rules through iptables? It's orders of magnitude faster. For ~10,000 addresses it took around 200-300 seconds to add them. Now it can be done in seconds... pretty amazing.

[egc]

If you add rules every rule has to be traversed.

I think Ipset functions somewhat of an indexed database just one Ipset rule which looks up in its database