Ipset - iptables absurd problem

Hello,
tonight I implemented ipset on my little router, a program I've been using for a year to filter out different DDoS attacks on my server.

It worked all night, but after rebooting, when reinserting the rules into iptables, it stopped working in forwarding. It only works in INPUT and OUTPUT.
The router is configured with two network adapters in bridge and the kernel module "br_netfilter" is active.

This is ipset:

Name: test
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 100
References: 3
Members:
1.1.1.1

This is iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set test src

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set test src

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             match-set test src

Did you enable "net.bridge.bridge-nf-call-iptables"? Otherwise, "iptables" will not filter bridged traffic.
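The check and the fix this reply points at, written out as an added example (a POSIX shell script of my own, not code from the thread or from OpenWrt). It reads the sysctl the way the kernel exposes it, decides whether bridged frames will reach the FORWARD chain, and prints (or, with APPLY=1 as root, runs) the ipset and iptables commands that reproduce the listing in the first post. The set name `test` and the member 1.1.1.1 come from that listing; the function names and the APPLY variable are assumptions of this example. One caveat a practitioner should know: the net.bridge.* keys only exist once br_netfilter is loaded, so a sysctl.conf entry processed before the module is loaded has no effect, which is why the printed fix loads the module first.

```shell
#!/bin/sh
# Added example for the thread above (not the poster's or OpenWrt's own code).
# Checks whether bridged traffic is handed to iptables and shows the ipset DROP rules.
set -e

SET_NAME="test"        # set name from the first post's listing
BLOCKED_IP="1.1.1.1"   # member from the first post's listing
SYSCTL_FILE=/proc/sys/net/bridge/bridge-nf-call-iptables

# Prints the current value (0 or 1), or "absent" when br_netfilter is not loaded
# (the whole net.bridge.* directory only appears once the module is loaded).
bridge_nf_call_iptables() {
  [ -r "$SYSCTL_FILE" ] && cat "$SYSCTL_FILE" || echo absent
}

# Pure decision helper: given the value read above, returns 0 (true) only when
# bridged frames will traverse the iptables FORWARD chain.
bridged_filtering_enabled() {
  case "$1" in
    1) return 0 ;;
    *) return 1 ;;
  esac
}

# Commands that enable and persist the setting; modprobe comes first because the
# sysctl key does not exist before the module is loaded.
bridge_nf_fix_commands() {
  cat <<'EOF'
modprobe br_netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1
grep -q '^net.bridge.bridge-nf-call-iptables' /etc/sysctl.conf || echo 'net.bridge.bridge-nf-call-iptables = 1' >> /etc/sysctl.conf
EOF
}

# Commands that rebuild the set and the three DROP rules exactly as the thread shows them
# (matching the packet source against the set in INPUT, FORWARD and OUTPUT).
ipset_rules() {
  set_name="$1"; ip="$2"
  cat <<EOF
ipset create $set_name hash:ip -exist
ipset add $set_name $ip -exist
iptables -I INPUT   -m set --match-set $set_name src -j DROP
iptables -I FORWARD -m set --match-set $set_name src -j DROP
iptables -I OUTPUT  -m set --match-set $set_name src -j DROP
EOF
}

# Report the state; only execute anything when APPLY=1 (needs root, ipset and br_netfilter).
status="$(bridge_nf_call_iptables)"
echo "net.bridge.bridge-nf-call-iptables = $status"
if bridged_filtering_enabled "$status"; then
  echo "bridged traffic reaches the FORWARD chain; match-set rules there will fire"
else
  echo "bridged traffic bypasses iptables; FORWARD rules will never match. Fix:"
  bridge_nf_fix_commands
fi
echo "ipset/iptables commands for set '$SET_NAME':"
if [ "${APPLY:-0}" = 1 ]; then
  ipset_rules "$SET_NAME" "$BLOCKED_IP" | sh -e
else
  ipset_rules "$SET_NAME" "$BLOCKED_IP"
fi
```

Run it once as a dry run to see what it would do, then with `APPLY=1` as root to apply the rules; the sysctl fix is only printed so that you can put the persistent line wherever your build keeps it.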


I added the following string to "sysctl.conf":
net.bridge.bridge-nf-call-iptables = 1
and now it also works in FORWARDING.
It is the first time that I have found myself having to add this line. Is it possible that it worked without it last night? Or did it get disabled by itself?
I have not made any changes to the device ...

The kernel defaults to turning this on, I think, so it would work on your server, but OpenWrt defaults to having it off, I believe, so you need to add the line.
