When router is rebooted, looking at iptables FORWARD chain, there is no entry corresponding to what I expected from the firewall script. Appears it didn't run at all. If I run it manually, and then look at the FORWARD chain it's there. Why is this not running automatically at startup?
https://ipset.netfilter.org/iptables.man.html
_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
Many IPs were added to an ipset list named BLOCKED. This part is working. The part I'm confused about is why the rule below, which is set in the firewall script section, doesn't result in a rule within the FORWARD table. If I manually run the script it works, just not after a reboot.
iptables -I FORWARD -m set --match-set BLOCKED src -j logdrop
I agree, this looks duplicated/incorrect, but changing to anything simpler doesn't work. What is above does work, just not during reboots, which was the point of the post.
But my question was: where is the BLOCKED list coming from? Is it created with a script? If so, what script, and how is it executed? Or is the list restored from USB?
If the list is not available when the firewall rule is executed, then the firewall rule will of course fail, as there is no BLOCKED list (yet).
It looks as if it is created via ipset itself, considering the example given.
Adding the ipset command to the firewall script first fixed it. Didn't realize iptables verified that the set existed, but it makes sense now. :)
Out of curiosity, why is using ipset so much faster than adding rules through iptables? It's orders of magnitude faster. For ~10,000 addresses it took around 200-300 seconds to add them. Now it can be done in seconds... pretty amazing.
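Worked example of the fix the thread arrives at, written here as an added illustration rather than code from any poster: the set is created (idempotently) and populated before the FORWARD rule that references it, because iptables checks at insert time that the named set exists and the rule is rejected otherwise. It also addresses the speed question in passing: the addresses are loaded in one batch through `ipset restore` instead of one `ipset add` process per entry, and one ipset match is a single hash lookup at packet time, whereas each separate `iptables` invocation rewrites the whole table and a long chain of per-address rules is walked linearly for every packet. Assumptions: the `logdrop` chain already exists as in the thread, the three sample addresses are constructed placeholders, and when the script is not running as root with ipset available it falls back to printing the command plan instead of applying it.

```shell
#!/bin/sh
# Added example, not the thread's own firewall script.
# Order matters: create set -> fill set -> insert rule referencing it.

SET_NAME="BLOCKED"
DRY_RUN="${DRY_RUN:-0}"

# Constructed sample entries; replace with the real blocklist source.
BLOCKED_IPS="198.51.100.7
203.0.113.0/24
192.0.2.55"

# Fall back to a dry run when we cannot actually apply rules
# (not root, or ipset not installed), so the plan can still be inspected.
if [ "$(id -u)" != "0" ] || ! command -v ipset >/dev/null 2>&1; then
  DRY_RUN=1
fi

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# 1. Create the set. hash:net accepts both single hosts and CIDR prefixes.
#    -exist makes re-running on an already-configured router harmless.
create_set() {
  run ipset create "$SET_NAME" hash:net -exist
}

# 2. Build an 'ipset restore' batch: one line per entry, loaded in a
#    single process instead of thousands of separate 'ipset add' calls.
build_restore_batch() {
  echo "$BLOCKED_IPS" | while read -r ip; do
    if [ -n "$ip" ]; then
      echo "add $SET_NAME $ip -exist"
    fi
  done
}

load_set() {
  if [ "$DRY_RUN" = "1" ]; then
    build_restore_batch
  else
    build_restore_batch | ipset restore
  fi
}

# 3. Only now reference the set. iptables validates --match-set at insert
#    time, which is why the rule failed when it ran before the set existed.
#    -C first so a rerun does not stack duplicate rules.
insert_rule() {
  if [ "$DRY_RUN" != "1" ] \
     && iptables -C FORWARD -m set --match-set "$SET_NAME" src -j logdrop 2>/dev/null; then
    return 0
  fi
  run iptables -I FORWARD -m set --match-set "$SET_NAME" src -j logdrop
}

# The full ordered plan; in dry-run mode this prints the commands in order.
firewall_plan() {
  create_set
  load_set
  insert_rule
}

firewall_plan
```

Run it as root on the router to apply; run it as an ordinary user (or with `DRY_RUN=1`) to see the exact command order it would execute.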