
IPSET, Shibby 115 and massive banlists. Again. For dummies

Discussion in 'Tomato Firmware' started by Aleksazhko, Dec 9, 2013.

  1. Aleksazhko

    Aleksazhko Reformed Router Member

    Hi to all.

    I have some troubles with ipset. Maybe I do something wrong (of course!), but I can't get it working.
    First of all, I've tried to change a bit this script https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset#peer-guardian
    I've got this one: http://pastebin.com/vA8d0gAx
    'banlist' is my list of undesirable IPs. I don't want them to reach my little web-site inside my network behind the router. Just port forwarding for port 80. That's why I use the PORTFORWARD iptables chain. I guess it's right.
    For now, when I do 'ipset -L', I see my list of undesirable IPs. Let's say it's ok.
    But when I manually enter
    Code:
    iptables -I FORWARD -m set --set banlist src -j DROP
    iptables -L shows the following

    Code:
    Chain FORWARD (policy DROP)
    target      prot opt   source             destination
    DROP         all   --  anywhere            anywhere            set banlist src
    
    And the internet dies. Even no pings until I delete the recent rule.

    How can I get it done the right way?
    One script, one ipset list that just blocks them all.
    'banlist' is just a file with a single column, one IP per line.

    Perhaps I need to drop packets from those IPs earlier than in the FORWARD chain? They create a very large amount of traffic.

    Thanx in advance!
  2. Aleksazhko

    Aleksazhko Reformed Router Member

    Possibly I need something like

    iptables -I PORTFORWARD -dport 80 blah-blah from any except 'banlist' to 192.168.0.2 to port 80 -j ACCEPT
    ?
  3. phuque99

    phuque99 LI Guru Member

    Perhaps your banlist contains private IP addresses that you're using internally. Adding that rule into the main FORWARD chain will filter internal to external traffic. Try:

    iptables -I wanin -m set --set banlist src -j DROP
  4. Aleksazhko

    Aleksazhko Reformed Router Member

    Unfortunately, it doesn't work.
    I still see IPs from banlist in web-server logs.
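Added example for this thread (not code posted by Aleksazhko, phuque99 or the Merlin wiki): a small script that loads a one-IP-per-line banlist into an ipset and hooks a single DROP rule into Tomato's wanin chain, as suggested in post 3, instead of FORWARD. It skips entries inside private, loopback, link-local or unspecified ranges, because an entry like the LAN web server's own 192.168.0.2 would match internal traffic too, which is phuque99's hypothesis for why the rule killed the internet. The set name "banlist", the ipset 4-style "ipset -N name iphash" / "ipset -A" syntax and the list file path /jffs/banlist.txt are assumptions; the sample list the demo mode writes is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an ipset from a banlist file and
# attaches one DROP rule to Tomato's wanin chain so only inbound WAN traffic is
# filtered. Assumptions: set name "banlist", ipset 4 short-option syntax
# ("ipset -N banlist iphash", "ipset -A"), list path is a placeholder.

SET=banlist

# is_public_ipv4 ADDR: exit 0 if ADDR is a well-formed IPv4 address outside
# 0/8, 10/8, 127/8, 169.254/16, 172.16/12 and 192.168/16, else exit 1
is_public_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            if ($1 == 0 || $1 == 10 || $1 == 127) exit 1
            if ($1 == 169 && $2 == 254) exit 1
            if ($1 == 172 && $2 >= 16 && $2 <= 31) exit 1
            if ($1 == 192 && $2 == 168) exit 1
            exit 0
        }'
}

# clean_banlist FILE: print the usable entries of FILE one per line; blank
# lines and '#' comments are ignored, rejected entries are reported on stderr
clean_banlist() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if is_public_ipv4 "$line"; then
            printf '%s\n' "$line"
        else
            printf 'skipping %s: not a public IPv4 address\n' "$line" >&2
        fi
    done < "$1"
}

# plan_rules FILE: print, without running, the commands that (re)load the set
# and add the DROP rule to wanin only if an identical rule is not there yet
plan_rules() {
    echo "ipset -N $SET iphash 2>/dev/null || ipset -F $SET"
    clean_banlist "$1" | while IFS= read -r ip; do
        echo "ipset -A $SET $ip"
    done
    echo "iptables -L wanin -n | grep -q 'set $SET src' || iptables -I wanin -m set --set $SET src -j DROP"
}

# write_sample FILE: constructed sample list for the demo mode; the
# 192.168.0.2 entry stands for the LAN web server from the thread and must be
# skipped, 256.1.1.1 is malformed, the rest are documentation-range stand-ins
write_sample() {
    printf '%s\n' '203.0.113.7' '# documentation ranges used as stand-ins' \
        '198.51.100.9   # trailing comment' '192.168.0.2' '' '256.1.1.1' > "$1"
}

case "${1:-}" in
    plan) plan_rules "$2" ;;
    demo) tmp=$(mktemp); write_sample "$tmp"; plan_rules "$tmp"; rm -f "$tmp" ;;
    *)    echo "usage: $0 plan /jffs/banlist.txt | demo" >&2 ;;
esac
```

Run `sh banlist.sh demo` to see which entries get dropped and which commands would be issued, then `sh banlist.sh plan /jffs/banlist.txt` to review the plan for the real list and `sh banlist.sh plan /jffs/banlist.txt | sh` to apply it. Afterwards `iptables -L wanin -v -n` should show the packet counter on the DROP rule increasing while the LAN and outbound traffic keep working; if the counter stays at zero while banned addresses still appear in the web-server logs, the traffic is not passing through wanin and the rule needs to be placed in the chain that actually sees the forwarded port-80 packets.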
