Firewall IPSET configuration CIDR IP

Hello community,

I am trying to block a set of IPs in CIDR notation:

54.155.0.0/16
172.96.98.0/24
52.95.104.0/22
52.30.0.0/15
54.154.0.0/16
208.86.90.0/23
46.137.0.0/17
52.144.208.64/26
52.94.216.0/21
52.93.96.0/24
52.208.0.0/13

Using this configuration (at the top of the file /etc/config/firewall):

config ipset
        option name dropsqsIPV4
        option match src_net
        option storage hash
        option enabled 1
        option loadfile /etc/dropsqsIPV4.txt

config rule
        option name drop_sqsIPV4
        option ipset dropsqsIPV4
        option src *
        option proto tcp
        option dest *
        option target REJECT
        option enabled 1

I don't see any abnormal errors when I restart the firewall service with "service firewall restart", and it's still working using these IPs.

root@OpenWrt:/etc/config# service firewall restart
Warning: Section @rule[19] (Alexis-Computer) does not specify a protocol, assuming TCP+UDP
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Deleting ipset dropsqsIPV4
 * Flushing conntrack table ...
 * Creating ipset dropsqsIPV4
   * Loading file /etc/dropsqsIPV4.txt
 * Populating IPv4 filter table
   * Rule 'drop_sqsIPV4'
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'SSH'
   * Rule 'SSH connection'
   * Rule 'Alexis-Computer'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 filter table
   * Rule 'drop_sqsIPV4'
     ! Skipping due to different family in ipset
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'SSH'
   * Rule 'SSH connection'
   * Rule 'Alexis-Computer'
   * Forward 'lan' -> 'wan'
   * Zone 'lan'
   * Zone 'wan'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'

Do you know if my configuration is correct?

I answer myself (again).

config ipset
        option name droptest
        option match dest_net
        option loadfile /etc/droptest.txt

config rule
        option name 'droptest'
        option ipset 'droptest'
        option src '*'
        option proto 'tcp'
        option dest '*'
        option target 'REJECT'

This was the correct configuration.
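The difference between the two configurations is the "match" option: in fw3, "src_net" compares the packet's source address against the set, so the first version only affected packets coming from those ranges, while "dest_net" compares the destination, which is what a rule meant to REJECT connections going to those ranges needs. The restart log above also shows the other thing that silently goes wrong with such sets: an IPv4 set cannot be used by the IPv6 rule ("Skipping due to different family in ipset"), and any IPv6 line in the loadfile would likewise not fit an IPv4 hash:net set. The script below is an added example, not code from the thread or from OpenWrt: it checks a loadfile for entries fw3 could not add to an IPv4 set and answers "would this destination be covered?" with plain shell arithmetic, so it can be run anywhere before the file is put on the router. It assumes one network per line with blank and "#" lines treated as skippable, and the sample file it writes is constructed for the demonstration (two ranges from the post plus one IPv6 line and one bad octet).

```shell
#!/bin/sh
# Added example (not from the forum thread or fw3): validate an fw3 ipset loadfile
# of IPv4 CIDRs and test which destinations it covers, without touching iptables.
# Assumptions: the set has no "option family ipv6", one network per line,
# blank lines and "#" lines are skippable. The sample file below is constructed.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 is a syntactically valid IPv4 CIDR (a.b.c.d/0-32, octets 0-255).
valid_cidr() {
    printf '%s\n' "$1" \
        | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    set -- $(printf '%s' "${1%/*}" | tr '.' ' ')
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if address $1 lies inside CIDR $2 (membership test by masking).
in_cidr() {
    bits=${2#*/}
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# Print the lines fw3 could not add to an IPv4 hash:net set.
# Returns the number of problem lines (0 means the file is clean).
check_loadfile() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *:*) echo "IPv6 entry in an IPv4 set: $line"; bad=$((bad + 1)); continue ;;
        esac
        if ! valid_cidr "$line"; then
            echo "invalid IPv4 CIDR: $line"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Return 0 (and print the matching entry) if address $1 is covered by any valid
# CIDR in loadfile $2, i.e. a dest_net rule on that set would see it.
blocked_by_file() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*|*:*) continue ;; esac
        valid_cidr "$entry" || continue
        if in_cidr "$1" "$entry"; then
            echo "$1 is covered by $entry"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed sample: two ranges from the post plus an IPv6 line and a bad octet.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
54.155.0.0/16
52.208.0.0/13
# a comment line
2600:1f18::/32
300.1.1.0/24
EOF

check_loadfile "$SAMPLE" || echo "$? problem line(s) in $SAMPLE"
blocked_by_file 52.210.1.1 "$SAMPLE"
blocked_by_file 52.216.0.1 "$SAMPLE" || echo "52.216.0.1 is not in the set"
```

Run it as "sh check_loadfile.sh" (or point SAMPLE at the real /etc/droptest.txt) before restarting the firewall; the live check on the router itself is then "ipset list droptest" to confirm the entries landed and "iptables -S | grep droptest" to confirm the rule references the set with "dst" rather than "src".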
