[SOLVED] Having problems with ipset iptables --match-set

DD-WRT Forum Index -> Advanced Networking
iggiebee
DD-WRT Novice


Joined: 14 May 2022
Posts: 3

PostPosted: Mon Aug 15, 2022 13:19    Post subject: [SOLVED] Having problems with ipset iptables --match-set
Reference: Netgear r6400v2 DD-WRT v3.0-r49626 std (08/03/22)

Hello all,

Having problems regarding ipset iptables match "--match-set" not working in any of the beta firmwares I have used so far. The above version is just the latest I've tried, to no avail.

Every other ipset iptables command works fine except this one; I suspect it is a matter of an iptables compilation problem, which I am totally unable to even begin to understand.

Here is an example I have been using for testing:

Code:
ipset -F
ipset -X

ipset -exist create BANH hash:net family inet timeout 60 counters comment

iptables -t mangle -A PREROUTING -i vlan2 -j SET --add-set BANH src
iptables -t mangle -A PREROUTING -i vlan2 -m set --match-set BANH src -J LOG --log-prefix "DROP:BAD_TEST:" --log-level 4

ipset list shows the set being populated ok but the match rule simply does not work.

ipset list
Name: BANH
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 60 counters comment
Size in memory: 46528
References: 1
Members:
128.116.127.3 timeout 51 packets 1 bytes 52
172.217.164.74 timeout 10 packets 1 bytes 52
31.13.67.53 timeout 34 packets 1 bytes 52
3.225.80.92 timeout 31 packets 1 bytes 52
159.89.129.146 timeout 29 packets 1 bytes 60
140.82.112.25 timeout 22 packets 1 bytes 52
3.231.30.127 timeout 19 packets 1 bytes 52
122.117.176.173 timeout 7 packets 1 bytes 40

Hope someone would be able to throw some light on this, either to something I am doing wrong, or be able to point me in the right direction.

Many thanks in advance.


Last edited by iggiebee on Mon Aug 15, 2022 18:55; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12838
Location: Netherlands

PostPosted: Mon Aug 15, 2022 13:37    Post subject:
I am not sure this will not overwhelm your router. If this is to track attacks/probing on your router, you might use on the first rule:
Quote:
-m state --state NEW


Furthermore, make it more general and use $(get_wanface):
iptables -t mangle -A PREROUTING -i $(get_wanface) -m state --state NEW -j SET --add-set BANH src

The second rule has a typo try -j instead of -J

I am not sure if you have to enable kernel logging in DDWRT (Services page/System log)

I have not tested this and I am not an iptables expert, so no guarantees :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
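The rule set egc describes above (only NEW connections feed the set, the WAN interface comes from get_wanface, and the jump is the lowercase -j), written up as an added example script. This is not code from the thread or from DD-WRT; it assumes a DD-WRT shell with ipset and iptables. The DRY_RUN and WANIF variables are hypothetical names used only here, and the `iptables -C` duplicate check and the `-m limit` cap on the LOG rule are additions the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): ipset-backed tracking of new inbound
# connections on the WAN interface, with the corrections egc suggested.
# Assumptions: DD-WRT shell with ipset/iptables. DRY_RUN=1 (hypothetical
# variable) prints the commands instead of executing them; WANIF (hypothetical)
# is only a fallback for hosts without get_wanface.

SET_NAME="BANH"
LOG_PREFIX="DROP:BAD_TEST:"

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# get_wanface is DD-WRT's own helper; fall back to $WANIF (default vlan2,
# the interface the original poster used) where it does not exist.
wan_iface() {
  if command -v get_wanface >/dev/null 2>&1; then
    get_wanface
  else
    echo "${WANIF:-vlan2}"
  fi
}

# Append a mangle/PREROUTING rule only if an identical rule is not already
# present, so re-running from the firewall startup hook never duplicates it.
add_rule_once() {
  if [ "${DRY_RUN:-0}" != "1" ] && iptables -t mangle -C PREROUTING "$@" 2>/dev/null; then
    return 0
  fi
  run iptables -t mangle -A PREROUTING "$@"
}

setup_tracking() {
  wan=$(wan_iface)
  run ipset -exist create "$SET_NAME" hash:net family inet timeout 60 counters comment
  # Only the first packet of a new connection adds its source, so replies to
  # the router's own outbound traffic (e.g. SPT=443 ACK) never enter the set.
  add_rule_once -i "$wan" -m state --state NEW -j SET --add-set "$SET_NAME" src
  # Rate-limit the LOG target so a flood cannot fill the kernel log buffer.
  add_rule_once -i "$wan" -m set --match-set "$SET_NAME" src \
    -m limit --limit 10/min --limit-burst 20 \
    -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
}

# Show the rules with packet counters, the same check egc used to confirm
# that both rules fire.
show_rules() {
  run iptables -vnL -t mangle
}
```

Run it once with DRY_RUN=1 to see the exact iptables invocations, then without it; the second rule still only logs, as in the original test. A `-j DROP` rule after the LOG rule would turn the set into a real ban list, but with the add-set rule as written every host that opens any new connection would land in it, so narrow the add rule (to a port, or with a `-m limit` threshold) before dropping.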
iggiebee
DD-WRT Novice


Joined: 14 May 2022
Posts: 3

PostPosted: Mon Aug 15, 2022 17:14    Post subject:
Thanks for the reply.

Quote:
iptables -t mangle -A PREROUTING -i $(get_wanface) -m state --state NEW -j SET --add-set BANH src

The second rule has a typo try -j instead of -J


You caught some BIG coding sloppiness on my part. Thanks for pointing it out!!

Although it seems it was not affecting the adding of IPs to the set; perhaps it happened when copy/pasting the code into the forum message? Who knows.

As for the mistake on the second rule, you were candidly guilty of the same mistake I made on the example rule posted above (no harm done).

Quote:
I am not sure if you have to enable kernel logging in DDWRT (Services page/System log)


Yes, Syslogd is enabled, and working as well as Security -> Log Management -> Firewall log

Still, the problem persists with the match "--match-set" not working at all.

I am at a total loss as to how to fix this, other than working around it using "-m recent" rules again.


Last edited by iggiebee on Tue Aug 16, 2022 7:18; edited 2 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12838
Location: Netherlands

PostPosted: Mon Aug 15, 2022 18:23    Post subject:
Apparently I was not very clear but you have to use -j and not a capital -J

And I am not asking if you have syslog enabled; I asked if you have kernel logging enabled, but I am not sure if that is necessary.

In my defence, I am not a native speaker :(

Code:
root@R7800-2:~# iptables -vnL -t mangle
Chain PREROUTING (policy ACCEPT 769 packets, 486K bytes)
 pkts bytes target     prot opt in     out     source               destination
  730  461K SET        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            add-set BANH src
  436  430K LOG        all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            match-set BANH src LOG flags 0 level 4 prefix "DROP:BAD_TEST:"

I just did a quick test on my router and it seems to work

Quote:
[20283.858980] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:14:59:c0:5a:43:9d:08:00 SRC=34.117.237.239 DST=192.168.0.5 LEN=626 TOS=0x00 PREC=0x00 TTL=58 ID=35290 PROTO=TCP SPT=443 DPT=19260 WINDOW=287 RES=0x00 ACK PSH URGP=0
[20283.886710] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:14:59:c0:5a:43:9d:08:00 SRC=34.117.237.239 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=35316 PROTO=TCP SPT=443 DPT=19260 WINDOW=287 RES=0x00 ACK URGP=0
[20283.962599] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:14:59:c0:5a:43:9d:08:00 SRC=34.117.237.239 DST=192.168.0.5 LEN=158 TOS=0x00 PREC=0x00 TTL=58 ID=35358 PROTO=TCP SPT=443 DPT=19260 WINDOW=287 RES=0x00 ACK PSH URGP=0
[20283.962727] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:14:59:c0:5a:43:9d:08:00 SRC=34.117.237.239 DST=192.168.0.5 LEN=114 TOS=0x00 PREC=0x00 TTL=58 ID=35359 PROTO=TCP SPT=443 DPT=19260 WINDOW=287 RES=0x00 ACK PSH URGP=0
[20283.981753] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:14:59:c0:5a:43:9d:08:00 SRC=34.117.237.239 DST=192.168.0.5 LEN=79 TOS=0x00 PREC=0x00 TTL=58 ID=35360 PROTO=TCP SPT=443 DPT=19260 WINDOW=287 RES=0x00 ACK PSH URGP=0
[20284.013428] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:14:59:c0:5a:43:9d:08:00 SRC=34.117.237.239 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=35401 PROTO=TCP SPT=443 DPT=19260 WINDOW=287 RES=0x00 ACK URGP=0
[20284.057101] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:14:59:c0:5a:43:9d:08:00 SRC=188.114.97.0 DST=192.168.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=267 DF PROTO=TCP SPT=80 DPT=19248 WINDOW=64 RES=0x00 ACK URGP=0
[20286.835626] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:14:59:c0:5a:43:9d:08:00 SRC=34.210.39.83 DST=192.168.0.5 LEN=71 TOS=0x00 PREC=0x00 TTL=230 ID=49239 DF PROTO=TCP SPT=443 DPT=16195 WINDOW=122 RES=0x00 ACK PSH URGP=0
[20287.030460] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:14:59:c0:5a:43:9d:08:00 SRC=34.210.39.83 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=230 ID=49240 DF PROTO=TCP SPT=443 DPT=16195 WINDOW=122 RES=0x00 ACK URGP=0
[20288.101532] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=24195 DF PROTO=TCP SPT=63229 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
[20288.102250] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=24196 DF PROTO=TCP SPT=63229 DPT=8080 WINDOW=8212 RES=0x00 ACK URGP=0
[20288.120761] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=566 TOS=0x00 PREC=0x00 TTL=128 ID=24197 DF PROTO=TCP SPT=63229 DPT=8080 WINDOW=8212 RES=0x00 ACK PSH URGP=0
[20288.153187] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=24198 DF PROTO=TCP SPT=63229 DPT=8080 WINDOW=8211 RES=0x00 ACK URGP=0
[20288.161117] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=24199 DF PROTO=TCP SPT=63229 DPT=8080 WINDOW=8211 RES=0x00 ACK FIN URGP=0
[20293.361496] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=24200 DF PROTO=TCP SPT=63051 DPT=22 WINDOW=8207 RES=0x00 ACK PSH URGP=0
[20293.402240] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=24201 DF PROTO=TCP SPT=63051 DPT=22 WINDOW=8206 RES=0x00 ACK URGP=0
[20293.737756] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=24202 DF PROTO=TCP SPT=63051 DPT=22 WINDOW=8206 RES=0x00 ACK PSH URGP=0
[20293.779974] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=24203 DF PROTO=TCP SPT=63051 DPT=22 WINDOW=8212 RES=0x00 ACK URGP=0
[20294.072822] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:14:59:c0:5a:43:9d:08:00 SRC=188.114.97.0 DST=192.168.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=268 DF PROTO=TCP SPT=80 DPT=19248 WINDOW=64 RES=0x00 ACK URGP=0
[20294.105707] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=24204 DF PROTO=TCP SPT=63232 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
[20294.107029] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=24205 DF PROTO=TCP SPT=63232 DPT=8080 WINDOW=1026 RES=0x00 ACK URGP=0
[20294.124927] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=566 TOS=0x00 PREC=0x00 TTL=128 ID=24206 DF PROTO=TCP SPT=63232 DPT=8080 WINDOW=1026 RES=0x00 ACK PSH URGP=0
[20294.157907] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=24207 DF PROTO=TCP SPT=63232 DPT=8080 WINDOW=1025 RES=0x00 ACK URGP=0
[20294.165244] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=24208 DF PROTO=TCP SPT=63232 DPT=8080 WINDOW=1025 RES=0x00 ACK FIN URGP=0
[20295.025669] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=24209 DF PROTO=TCP SPT=63051 DPT=22 WINDOW=8212 RES=0x00 ACK PSH URGP=0
[20295.066807] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=24210 DF PROTO=TCP SPT=63051 DPT=22 WINDOW=8211 RES=0x00 ACK URGP=0
[20295.569721] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=24211 DF PROTO=TCP SPT=63051 DPT=22 WINDOW=8211 RES=0x00 ACK PSH URGP=0
[20295.611037] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=24212 DF PROTO=TCP SPT=63051 DPT=22 WINDOW=8211 RES=0x00 ACK URGP=0
[20296.449798] DROP:BAD_TEST:IN=eth0 OUT= MAC=bc:a5:11:3e:71:f2:40:b0:76:42:f4:a0:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=104 TOS=0x00 PREC=0x00 TTL=128 ID=24213 DF PROTO=TCP SPT=63051 DPT=22 WINDOW=8211 RES=0x00 ACK PSH URGP=0

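egc's log above shows the match rule firing on reply traffic from port 443 and on a LAN host (192.168.0.59), because every packet's source on that interface had been added to the set. The following triage function, an added example that is not part of the thread, splits such LOG lines by source, destination port and whether the packet was a bare SYN (a new inbound attempt) or anything else (reply or established traffic), which is the distinction `-m state --state NEW` on the add-set rule would enforce; it also lists private-range sources separately. The sample log lines are constructed for this example and the prefix matches the thread's rule.

```shell
#!/bin/sh
# Added example (not from the thread): triage of netfilter LOG lines of the
# kind the match-set rule produces. Sample lines below are constructed.

LOG_PREFIX="DROP:BAD_TEST:"

# Constructed sample: one inbound SYN to port 22, two reply packets from an
# HTTPS server, a LAN host opening a connection to the router on 8080, and
# one unrelated kernel line that must be ignored.
SAMPLE_LOG='[100.1] DROP:BAD_TEST:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=192.168.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
[100.2] DROP:BAD_TEST:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=2 PROTO=TCP SPT=443 DPT=19260 WINDOW=287 RES=0x00 ACK URGP=0
[100.3] DROP:BAD_TEST:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.0.5 LEN=158 TOS=0x00 PREC=0x00 TTL=58 ID=3 PROTO=TCP SPT=443 DPT=19260 WINDOW=287 RES=0x00 ACK PSH URGP=0
[100.4] DROP:BAD_TEST:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4 DF PROTO=TCP SPT=63229 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
[100.5] DROP:BAD_TEST:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.59 DST=192.168.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=128 ID=5 DF PROTO=TCP SPT=63229 DPT=8080 WINDOW=8212 RES=0x00 ACK URGP=0
[100.6] some unrelated kernel message'

# stdin: kernel log lines; stdout: "SRC DPT CLASS COUNT", one line per triple.
# CLASS is NEW for a SYN without ACK, REPLY for everything else.
summarize_netfilter_log() {
  awk -v prefix="$LOG_PREFIX" '
    index($0, prefix) == 0 { next }            # not one of our LOG lines
    {
      src = ""; dpt = ""; syn = 0; ack = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)      src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        else if ($i == "SYN")  syn = 1           # TCP flags appear as bare tokens
        else if ($i == "ACK")  ack = 1
      }
      cls = (syn && !ack) ? "NEW" : "REPLY"
      count[src " " dpt " " cls]++
    }
    END { for (k in count) print k, count[k] }
  ' | LC_ALL=C sort
}

# stdin: kernel log lines; stdout: RFC 1918 sources that reached the rule.
# On a WAN-facing rule these are either LAN traffic the rule should not see
# or spoofed packets, so they deserve a separate look.
private_sources() {
  summarize_netfilter_log |
    awk '$1 ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { print $1 }' |
    LC_ALL=C sort -u
}

# Usage on a live router: dmesg | summarize_netfilter_log
```

Counting bare SYNs per source and port is what the set would contain had the add-set rule carried `-m state --state NEW`; everything classed REPLY here is traffic the original rule added to the set but which a NEW-only rule would have ignored.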
iggiebee
DD-WRT Novice


Joined: 14 May 2022
Posts: 3

PostPosted: Mon Aug 15, 2022 18:54    Post subject:
Sorry for the misunderstanding, not trying to be adversarial.

SOLVED: It works!!

The changes you suggested on the ipset iptables rules made them work.

Many thanks for your help.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12838
Location: Netherlands

PostPosted: Mon Aug 15, 2022 18:58    Post subject:
Glad you solved it :)
All times are GMT