[Solved] Can two ipsets be used in a single rule

2devnull · January 24, 2018, 12:52am

Would it be possible to have a single rule that matches some src addresses from one ipset and some dest networks using another ipset?

lleachii · January 24, 2018, 1:15am

The simple answer is you can't specify a second match to a second set, for a second condition...

But you have options, depending on what you're tying to do (DROP, MARK, REJECT, etc.), or if the traffic has any other condition(s) by which it could be filtered (i.e. only tcp/80 to the DST IPs, only allowing certain source IPs to reach the DST IPs, by interface, out or inbound, etc.).

Two simple ones are:

you can make the very next rule to drop the same traffic for those not matching the other set
match one IP set to flag a chain, then match the chain with the other rule

2devnull · January 24, 2018, 1:25am

Thanks....do we have examples of how to flag a chain in lede firewall flag as you described?

lleachii · January 24, 2018, 1:36am

We...I'm not sure about yourself...and you haven't described how you are trying to filter the sets, so I wouldn't be able to assist.

I think you asking if someone can show you how to make a chain. See an iptables manual:
http://www.iptables.info/en/structure-of-iptables.html
or
https://www.safaribooksonline.com/library/view/linux-server-hacks/0596004613/ch04s06.html

I was just working on copying and pasting a basic rule, though:

Placed in Startup (/etc/rc.local):

#SEE http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
ipset -A bogons 0.0.0.0/8
ipset -A bogons 10.0.0.0/8
ipset -A bogons 100.64.0.0/10
ipset -A bogons 127.0.0.0/8
ipset -A bogons 169.254.0.0/16
ipset -A bogons 172.16.0.0/12
ipset -A bogons 192.0.0.0/24
ipset -A bogons 192.0.2.0/24
ipset -A bogons 192.168.0.0/16
ipset -A bogons 198.18.0.0/15
ipset -A bogons 198.51.100.0/24
ipset -A bogons 203.0.113.0/24
ipset -A bogons 224.0.0.0/4
ipset -A bogons 240.0.0.0/4

In /etc/config/firewall:

config rule
option name 'Drop-Bogons_In_WAN'
option family 'ipv4'
option proto 'all'
option src 'wan'
option extra '-m set --match-set bogons src'
option target 'DROP'

Is there a reason you cannot simply place the next rule in order - and specify a: protocol, outbound/inbound interface, mark the packet, etc.?

2devnull · January 24, 2018, 3:52am

Thanks, I am not finding much examples of what you just descibed in the LEDE documentation (e.g. option extra info). I am able to make ipsets, no problem there, but not understanding how the chaining should work. Also, why did you use the 'option extra' instead of 'option ipset'?

BTW - let me explain further with examples of what I would like to do without having to write a separate rule for each:

In /etc/firewall.user:

ipset create allnetworks hash:net
ipset add allnetworks 192.168.1.0/24
ipset add allnetworks 192.168.60.0/24
ipset add allnetworks 192.168.10.0/24

ipset create alloweddevices hash:ip
ipset add alloweddevices 192.168.1.21
ipset add alloweddevices 192.168.1.22

In /etc/config/firewall:

config ipset
    option external 'allnetworks'
    option match 'dest_net'
    option family 'ipv4'
    option storage 'hash'

config ipset
    option external 'alloweddevices'
    option match 'src_ip'
    option family 'ipv4'
    option storage 'hash'

What I would like to do is to simply get the alloweddevices to see all the networks (there are more than the three in the example and some not to be allowed). So I have two sets, how can I create a single rule for it or chain one rule to another?

lleachii · January 24, 2018, 6:31pm

It's to specify extra options in the firewall (which uses iptables), the "extra" in this rule matches to the ipset module, and the SRC IP against the set named 'bogons'... there is no such thing as "option ipset" in iptables...it's an iptables command, not ipset. This is how the Block-Bogons_on_WAN rule would look as an iptables command:

iptables -t raw -I PREROUTING -i eth0.2 -m set --match-set bogons src -j DROP

What does that mean??? What does "see all the networks" mean??? A route allows you to "see" networks. Firewall rules allow you to "access" networks. Are you trying to block, or allow....? Please describe exactly what you want the rules to do.

Simple:

you make a rule like the following...

iptables -t raw -I PREROUTING -i eth0.2 -m set --match-set bogons src -g chain1

now you add a rule in CHAIN1 to check the other set (it's hard to help when all you keep saying is you want to check 2 sets)
set the default to DROP (or ACCEPT, as the case might be) at the end of the chain
DONE

You may wish to read ANOTHER iptables manual: https://linux.die.net/man/8/iptables

2devnull · January 24, 2018, 7:15pm

I'm not sure why there seems to be a problem understanding. I show two sets. I want a rule configured in LEDE (you keep pointing me to raw iptables) that can honor the two sets. That is, if the src ip is in 'alloweddevices' set and the dest net is in 'allnetworks' set, ALLOW the traffic through. That is all that I'm trying to accomplish at the moment.

Also, when you define the ipset like I have shown, it already has a 'match' statement with prefix of src or dest, therefore in the rule you shouldn't need to have to specify that again like you did with 'option extra'.

dlakelan · January 24, 2018, 7:20pm

Create a chain, jump to that chain if src is in set 1, in that chain, allow packets if dest is in set2

2devnull · January 24, 2018, 7:23pm

ok, I got that it can be done in plain iptables. My question is, can it be done in the /etc/config/firewall rules in LEDE? If so, is there an example of how one chaining is done via that configuration method for rules?

lleachii · January 24, 2018, 7:23pm

Are you trying to drop?
Are you forwarding?
Is it an input rule?
Will the traffic ultimately be altered?
Are you wishing to alter the SRC or DST address?
Is this for a certain port (80, 443, 5060)?
Will the sets always be check against each other?
Are you trying to mark, log or otherwise flag the traffic?
Are you trying to make copies of this traffic?
Should this traffic be sent to another interface?

You can have a RAW table in LEDE...I'm copying these rules form an LEDE device...I really think you need to look at an iptables and LEDE manual.

Heres the rule using the input table:

iptables -I INPUT -i eth0.2 -m set --match-set bogons src -g chain1

THE IMPORTANT PART WAS THE CHAIN, WHICH IS WHAT YOU ASKED ABOUT.

I didn't specify a SRC IP in the rule, I specified a SOURCE FIREWALL ZONE...and on the command, I specified an inbound interface.

If you're not familiar with LEDE, the firewall or iptables, I would suggest reading up more.

2devnull · January 24, 2018, 7:27pm

With all due respect, you're overly complicating something very simple of which I had asked. All this is for is go from one zone to another (I apologize if that part I omitted caused this confusion).

lleachii · January 24, 2018, 7:34pm

I'm not...I've noted many times, it's hard to help unless it's known what you're trying to do.

I've shown you TWICE how to make a rule, and the second time - USING A SET and sending it to a chain...but twice you told me I was trying to show you something about RAW tables...

So, lets confirm you understand this part 1st...

-g chain1

This portion of the command means "GOTO the CHAIN named CHAIN1"

So, from your statement, I assume this is an ALLOW FORWARD RULE.
SO, I'LL TRY AGAIN

First rule takes you to a chain named "CHAIN1"
Second rule (first in the chain) checks the other set and ALLOWS the traffic
Default rule for the CHAIN is DROP
THAT'S ALL YOU NEED TO DO!!! YOU'RE DONE!!!

Will all traffic be originating from the same interface or firewall zone (as i told you it helps if there's other conditions to filter against)???

SO, YOUR RULES LOOK LIKE:

iptables -I FORWARD -m set --match-set allnetworks dst -g 2devnulls-chain
#the next would be an allow rule for the sources in 'alloweddevices'
#you set the chain '2devnulls-chain' to DROP all other traffic by default

2devnull · January 24, 2018, 7:49pm

ok, perhaps the fundamental question needs to be asked, can this be done (defined) in /etc/config/firewall? I have a lot of forwarding, rule and redirects in /etc/config/firewall already.

I think you mentioned the following wouldn't work and it doesn't seem to be because a rule cannot use two ipsets each defined with its own match statements (as defined previously above):

config rule
    option target 'ACCEPT'
    option name '2devnull-allowed-devices'
    option ipset 'allnetworks'
    option ipset 'alloweddevices'

So then, if I can only use one ipset per rule definition, then what I think you're saying is to change the target of the first one to a chain name then create another rule with input from the chain name that uses the other ipset? Again, if this cannot be done in this config file, I'm wasting my time and should just create manual iptable statements in the firewall.user file?

lleachii · January 24, 2018, 8:09pm

OK, I think we're clearer now...

Reading the manual at: https://wiki.openwrt.org/doc/uci/firewall

It seems the answer is no, because a custom chain cannot be a value in "TARGET." You can define it in custom firewall rules (/etc/firewall.user). Since this information is covered in the manual, I didn't mention it.

You simply use -I FORWARD to place the rule at the top of the main Forwarding table. You use -A FORWARD to place it at the bottom. Since there are no rules in the new chain, there wouldn't be an issue regarding rule ordering once the chain is created.

Not exactly...what you typed isn't a rule at all. The rule you wrote above won't work because the TARGET IS WRONG (you want to go to a chain), YOU HAVEN'T DEFINED ANY CONDITIONS (e.g. src or dst IP or interfaces), there's no such thing as "option ipset," nor did you define something TO BE DONE IN THE RULE.

All it says is: "accept allnetworks and alloweddevices..." no source is defined, no destinations, and no firewall zone...and you can't match 2 sets of values, to make one condition, in one variable true (you would never reach a 'true' condition were traffic was allowed to be forwarded).

dlakelan · January 24, 2018, 8:31pm

Even if you can do this in LEDE's /etc/config/firewall it's probably more trouble than it's worth. Just put something like 3 lines in /etc/firewall.user

iptables -N some_chain_name

iptables -A FORWARD -m set --match-set mysrcset src -j some_chain_name

iptables -A some_chain_name -m set --match-set mydestset dest -j ACCEPT

Or something like that, please have a look at iptables manual to customize for your purposes.

2devnull · January 24, 2018, 8:34pm

Check here.

config rule
    option name             Drop-games-blacklist
    option src              lan
    option ipset            games_blacklist
    option proto            tcpudp
    option target           DROP

You're referencing openwrt documents and I am looking at the LEDE firewall document. Perhaps that is where these communication issues lie.

2devnull · January 24, 2018, 8:35pm

Well, in that case, now I know. Thanks for the example also.

EDIT: Got this error (weird spelling for specify):

iptables v1.4.21: You must spefify (the comma separated list of) 'src' or 'dst'.

lleachii · January 24, 2018, 8:37pm

Please read @dlakelan's post.

Regardless if that can be used, you can ONLY USE IT ONCE. It doesn't help your purposes
You haven't noted if that CREATES a set or CHECKS a set (I'll read the LEDE manual)
You still cant TARGET a chain
There have been many additions and fixes to fw3 (you will see I made a bug for does-not-equal rules) that have been updated

Per @dlakelan:

Hope this helps.