iggiebee DD-WRT Novice Joined: 14 May 2022 Posts: 3
Posted: Mon Aug 15, 2022 13:19 Post subject: [SOLVED] Having problems with ipset iptables --match-set
Reference: Netgear R6400v2, DD-WRT v3.0-r49626 std (08/03/22)
Hello all,
Having problems regarding the ipset iptables match "--match-set" not working in any of the beta firmwares I have used so far. The above version is just the latest I've tried, to no avail.
Every other ipset/iptables command works fine except this one; I suspect it is an iptables compilation problem, which I am totally unable to even begin to understand.
Here is an example I have been using for testing:
code:
ipset -F
ipset -X
ipset -exist create BANH hash:net family inet timeout 60 counters comment
iptables -t mangle -A PREROUTING -i vlan2 -j SET --add-set BANH src
iptables -t mangle -A PREROUTING -i vlan2 -m set --match-set BANH src -J LOG --log-prefix "DROP:BAD_TEST:" --log-level 4
ipset list shows the set being populated ok but the match rule simply does not work.
ipset list
Name: BANH
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 timeout 60 counters comment
Size in memory: 46528
References: 1
Members:
128.116.127.3 timeout 51 packets 1 bytes 52
172.217.164.74 timeout 10 packets 1 bytes 52
31.13.67.53 timeout 34 packets 1 bytes 52
3.225.80.92 timeout 31 packets 1 bytes 52
159.89.129.146 timeout 29 packets 1 bytes 60
140.82.112.25 timeout 22 packets 1 bytes 52
3.231.30.127 timeout 19 packets 1 bytes 52
122.117.176.173 timeout 7 packets 1 bytes 40
Hope someone will be able to throw some light on this, either on something I am doing wrong, or point me in the right direction.
Many thanks in advance.
Last edited by iggiebee on Mon Aug 15, 2022 18:55; edited 1 time in total
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Mon Aug 15, 2022 13:37 Post subject:
I am not sure this will not overwhelm your router; if this is to track attacks/probing on your router, you might use on the first rule
Quote: -m state --state NEW
Furthermore, make it more general and use $(get_wanface):
iptables -t mangle -A PREROUTING -i $(get_wanface) -m state --state NEW -j SET --add-set BANH src
The second rule has a typo; try -j instead of -J.
I am not sure if you have to enable kernel logging in DD-WRT (Services page/System log).
I have not tested this and am not an iptables expert, so no guarantees.
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
iggiebee DD-WRT Novice Joined: 14 May 2022 Posts: 3
Posted: Mon Aug 15, 2022 17:14 Post subject:
Thanks for the reply.
Quote: iptables -t mangle -A PREROUTING -i $(get_wanface) -m state --state NEW -j SET --add-set BANH src
The second rule has a typo try -j instead of -J
You caught some BIG coding sloppiness on my part. Thanks for pointing it out!!
Although it seems it was not affecting the adding of IPs to the set; perhaps it happened when copy/pasting the code into the forum message? Who knows.
As for the mistake on the second rule, you were candidly guilty of the same mistake I made on the example rule posted above (no harm done).
Quote: I am not sure if you have to enable kernel logging in DDWRT (Services page/System log)
Yes, Syslogd is enabled and working, as well as Security -> Log Management -> Firewall log.
Still, the problem persists with the match "--match-set" not working at all.
I am at a total loss as to how to fix this, other than working around it using "-m recent" rules again.
Last edited by iggiebee on Tue Aug 16, 2022 7:18; edited 2 times in total
egc DD-WRT Guru Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Mon Aug 15, 2022 18:23 Post subject:
Apparently I was not very clear, but you have to use -j and not a capital -J.
And I am not asking if you have syslog enabled; I asked if you have kernel logging enabled, but I'm not sure if that is necessary.
In my defence, I am not a native speaker.
Code:
root@R7800-2:~# iptables -vnL -t mangle
Chain PREROUTING (policy ACCEPT 769 packets, 486K bytes)
pkts bytes target prot opt in out source destination
730 461K SET all -- eth0 * 0.0.0.0/0 0.0.0.0/0 add-set BANH src
436 430K LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 match-set BANH src LOG flags 0 level 4 prefix "DROP:BAD_TEST:"
I just did a quick test on my router and it seems to work.
iggiebee DD-WRT Novice Joined: 14 May 2022 Posts: 3
Posted: Mon Aug 15, 2022 18:54 Post subject:
Sorry for the misunderstanding, not trying to be adversarial.
SOLVED: It works!!
The changes you suggested on the ipset iptables rules made them work.
Many thanks for your help.
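The corrected ruleset from this thread (lowercase -j, -m state --state NEW, $(get_wanface)) as a re-runnable script. This is an added example, not code posted by either participant; IPT, IPSET, SETNAME and WAN are assumed overridable variables so the functions can be exercised without a live router, and the vlan2 fallback is the interface named in the first post.

```shell
#!/bin/sh
# Added example, not from the thread: the thread's BANH ruleset with egc's
# corrections applied, made safe to re-run from a startup script.
# IPT, IPSET, SETNAME and WAN are assumed overridable so the functions can be
# exercised without touching a live router.
IPT="${IPT:-iptables}"
IPSET="${IPSET:-ipset}"
SETNAME="${SETNAME:-BANH}"

# WAN interface: DD-WRT's get_wanface helper, with the thread's vlan2 as fallback.
wan_iface() {
    if [ -n "${WAN:-}" ]; then echo "$WAN"; return 0; fi
    get_wanface 2>/dev/null || echo vlan2
}

# Append a mangle/PREROUTING rule only if an identical one is not already
# present (-C), so repeated runs do not stack duplicate rules.
mangle_add() {
    "$IPT" -t mangle -C PREROUTING "$@" 2>/dev/null ||
        "$IPT" -t mangle -A PREROUTING "$@"
}

apply_banh_rules() {
    wan=$(wan_iface)
    # -exist makes create idempotent; flush empties the set without destroying it.
    # The thread's "ipset -X" would fail while an iptables rule still references
    # the set, which is what "References: 1" in "ipset list" reports.
    "$IPSET" -exist create "$SETNAME" hash:net family inet timeout 60 counters comment
    "$IPSET" flush "$SETNAME"
    # Only NEW connections from the WAN are recorded, so established flows do
    # not keep refreshing the entry.
    mangle_add -i "$wan" -m state --state NEW -j SET --add-set "$SETNAME" src
    # Lowercase -j: the capital -J in the original post is not a valid option.
    mangle_add -i "$wan" -m set --match-set "$SETNAME" src \
        -j LOG --log-prefix "DROP:BAD_TEST:" --log-level 4
}

# Return 0 when both rules are visible in the mangle table (the check egc ran
# with "iptables -vnL -t mangle").
verify_banh_rules() {
    out=$("$IPT" -t mangle -vnL PREROUTING 2>/dev/null)
    echo "$out" | grep -q "add-set $SETNAME src" &&
        echo "$out" | grep -q "match-set $SETNAME src"
}
```

Source the file on the router and call apply_banh_rules, then verify_banh_rules; the LOG rule only writes to the kernel log and drops nothing, so a DROP target would still be needed after it to actually block.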