OK, let me clarify: I use uhttpd as a web server and deployed a website on my 3rd-level router through port forwarding. I want to use the rules on my 2nd-level router to filter Censys scans.
I have tried the configuration you suggested:
config rule
	option src 'wan'
	option name 'CenSysBlock1'
	option proto 'all'
	option target 'REJECT'
	option extra '-m iprange --src-range 74.120.14.0/24'
config rule
	option src 'wan'
	option name 'CenSysBlock2'
	option proto 'all'
	option target 'REJECT'
	option extra '-m iprange --src-range 162.142.125.0/24'
config rule
	option src 'wan'
	option name 'CenSysBlock3'
	option proto 'all'
	option target 'REJECT'
	option extra '-m iprange --src-range 167.248.133.0/24'
config rule
	option src 'wan'
	option name 'CenSysBlock4'
	option proto 'all'
	option target 'REJECT'
	option extra '-m iprange --src-range 192.35.168.0/23'
I provided the information needed. And in fact, you put a normal drop rule on the first device in the stream, as long as the rule is the first rule.
My suggestion???
No, why do you keep using the option extra???
config rule
	option family 'ipv4'
	option proto 'all'
	option src '*'
	option target 'DROP'
	option name 'CenSysBlock'
	list src_ip '74.120.14.0/24'
	list src_ip '162.142.125.0/24'
	list src_ip '167.248.133.0/24'
	list src_ip '192.35.168.0/23'
(BTW, REJECT sends an ICMP error to the SRC, so I used DROP.)
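Before restarting the firewall it is useful to confirm that a given source address actually falls inside one of the CIDR ranges listed with `list src_ip` above. The following POSIX sh script (an added example, not code from this thread or from OpenWrt; the block list is copied from the rule above) does the CIDR match in pure shell arithmetic, so it also runs in BusyBox ash on the router:

```shell
#!/bin/sh
# Added example: does a source IPv4 address fall inside any of the
# `list src_ip` ranges of the CenSysBlock rule? The ranges below are
# copied from the rule in the thread; the functions are hypothetical
# helper names, not part of fw3/fw4.
CENSYS_BLOCK="74.120.14.0/24 162.142.125.0/24 167.248.133.0/24 192.35.168.0/23"

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains NET/BITS IP -> exit 0 if IP is inside NET/BITS
# A bare address without "/" is treated as a /32 host entry.
cidr_contains() {
    case $1 in
        */*) net=${1%/*}; bits=${1#*/} ;;
        *)   net=$1;      bits=32 ;;
    esac
    # build the netmask; /0 must not shift by a full 32 bits
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# in_blocklist IP -> prints the matching range, exit 0 if matched, 1 if not
in_blocklist() {
    for cidr in $CENSYS_BLOCK; do
        if cidr_contains "$cidr" "$1"; then
            echo "$1 matched by $cidr (would be dropped)"
            return 0
        fi
    done
    echo "$1 not in block list"
    return 1
}

in_blocklist 74.120.14.55
in_blocklist 192.35.169.7       # inside the /23, although the third octet differs
in_blocklist 8.8.8.8 || :       # constructed non-matching address
```

The same check can be pointed at any other `list src_ip` set by changing `CENSYS_BLOCK`.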
It seems that the syntax only supports individual IP addresses, not subnet masks. I searched the web, and somebody had the same issue and used the iprange parameter, so I did it like that. I will try your configuration. Thanks.
Perhaps you can edit that if it confused you. The underlying software (iptables) does in fact support CIDR notation (hence including IP masks/ranges). This includes everything, from a single /32 up to addressing the whole Internet via /0.
Note that when you use only the src zone, INPUT is implied, which means traffic to the router itself.
If you use both src and dst zones, FORWARD is implied, which is what you want from my understanding.
config ipset
	option name 'foo'
	option match 'dest_ip'
	option family 'ipv4'
	option storage 'hash'
	option enabled '1'
	option maxelem '65536'
	option timeout '7200'
	list entry '...'
	list entry '80.228.111.1/24'
instead of
	option iprange '51.103.5.1/24'
which I didn't get working with ipsets.
Alternatively CIDR can be used in rules:
config rule
	option name 'TESTRULE'
	option target 'REJECT'
	list proto 'all'
	option src 'wlan_fw_kn'
	list src_ip '192.168.150.87'
	option dest 'wan'
	list dest_ip '80.228.111.1/24'
If I had known that before, I wouldn't have fiddled so much with ipsets....
/etc/init.d/firewall restart
Warning: Section @ipset[0] (IP-Bereiche) maxelem ignored
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Deleting ipset IP-Bereiche
* Flushing conntrack table ...
* Creating ipset IP-Bereiche
ipset v7.3: Element is out of the range of the set
ipset v7.3: Element is out of the range of the set
ipset v7.3: Element is out of the range of the set
...