* ipset: update timeout when IP matches
From: Fourhundred Thecat @ 2023-02-23 11:04 UTC
  To: netfilter

Hello,

I have an ipset named "PORTSCAN".

I allow traffic to legitimate ports, but if any IP tries to access
(scan) any other port, I add it to PORTSCAN.

The purpose is to protect my hidden services, here in this example
listening on 22222:


   -A INPUT -m set --match-set PORTSCAN src -j DROP
   ...
   -A INPUT -p tcp -m tcp --dport 22222 -j ACCEPT
   ...
   -A INPUT -j SET --add-set PORTSCAN src --timeout 3600


So now, when an IP is already in PORTSCAN, in addition to DROP, I need to
update the timeout (reset it to 3600 again), so that if the IP continuously
tries to scan me, the timeout gets constantly extended/reset.

This was possible when I was using the "-m recent" module:

   -A INPUT -m recent --rsource --name GREYLIST --seconds 3600 --update -j DROP

How can I update the timeout of an IP in ipset?



* Re: ipset: update timeout when IP matches
From: Kerin Millar @ 2023-02-23 11:34 UTC
  To: Fourhundred Thecat; +Cc: netfilter

On Thu, 23 Feb 2023 12:04:44 +0100
Fourhundred Thecat <400thecat@gmx.ch> wrote:

> Hello,
> 
> I have an ipset named "PORTSCAN".
> 
> I allow traffic to legitimate ports, but if any IP tries to access
> (scan) any other port, I add it to PORTSCAN.
> 
> The purpose is to protect my hidden services, here in this example
> listening on 22222:
> 
> 
>    -A INPUT -m set --match-set PORTSCAN src -j DROP
>    ...
>    -A INPUT -p tcp -m tcp --dport 22222 -j ACCEPT
>    ...
>    -A INPUT -j SET --add-set PORTSCAN src --timeout 3600
> 
> 
> So now, when an IP is already in PORTSCAN, in addition to DROP, I need to
> update the timeout (reset it to 3600 again), so that if the IP continuously
> tries to scan me, the timeout gets constantly extended/reset.
> 
> This was possible when I was using the "-m recent" module:
> 
>    -A INPUT -m recent --rsource --name GREYLIST --seconds 3600 --update -j DROP
> 
> How can I update the timeout of an IP in ipset?

The following option is detailed by iptables-extensions(8).

--exist
       when adding an entry if it already exists, reset the timeout
       value to the specified one or to the default from the set
       definition

-- 
Kerin Millar


* Re: ipset: update timeout when IP matches
From: Mathew Heard @ 2023-02-23 12:04 UTC
  To: netfilter


We built a module for that for our usage (it's open source too).

https://github.com/splitice/xt_setset

On Thu, 23 Feb 2023, 10:34 pm Kerin Millar, <kfm@plushkava.net> wrote:
>
> On Thu, 23 Feb 2023 12:04:44 +0100
> Fourhundred Thecat <400thecat@gmx.ch> wrote:
>
> > Hello,
> >
> > I have an ipset named "PORTSCAN".
> >
> > I allow traffic to legitimate ports, but if any IP tries to access
> > (scan) any other port, I add it to PORTSCAN.
> >
> > The purpose is to protect my hidden services, here in this example
> > listening on 22222:
> >
> >
> >    -A INPUT -m set --match-set PORTSCAN src -j DROP
> >    ...
> >    -A INPUT -p tcp -m tcp --dport 22222 -j ACCEPT
> >    ...
> >    -A INPUT -j SET --add-set PORTSCAN src --timeout 3600
> >
> >
> > So now, when an IP is already in PORTSCAN, in addition to DROP, I need to
> > update the timeout (reset it to 3600 again), so that if the IP continuously
> > tries to scan me, the timeout gets constantly extended/reset.
> >
> > This was possible when I was using the "-m recent" module:
> >
> >    -A INPUT -m recent --rsource --name GREYLIST --seconds 3600 --update -j DROP
> >
> > How can I update the timeout of an IP in ipset?
>
> The following option is detailed by iptables-extensions(8).
>
> --exist
>        when adding an entry if it already exists, reset the timeout
>        value to the specified one or to the default from the set
>        definition
>
> --
> Kerin Millar


* Re: ipset: update timeout when IP matches
From: Fourhundred Thecat @ 2023-02-23 12:50 UTC
  To: netfilter


> On 2023-02-23 12:34, Kerin Millar wrote:
> On Thu, 23 Feb 2023 12:04:44 +0100
> Fourhundred Thecat <400thecat@gmx.ch> wrote:
>
> The following option is detailed by iptables-extensions(8).
>
> --exist
>         when adding an entry if it already exists, reset the timeout
>         value to the specified one or to the default from the set
>         definition

OK, thank you. But now I have this problem:

I want to:

1) reset the timeout if the IP is already in PORTSCAN
2) drop the packet

I wrote these 2 rules:

1) -A INPUT -j SET --add-set PORTSCAN src --timeout 3600 --exist
2) -A INPUT -m set --match-set PORTSCAN src -j DROP

but the problem is, rule 1) matches everything, not just IPs already in
PORTSCAN. This basically adds everything to PORTSCAN.

How can I combine these two rules into one, so that I only reset IPs
that are already in PORTSCAN?

I tried this (naively), but get the error: unknown option "--exist"

  -A INPUT -m set --match-set PORTSCAN src --exist -j DROP


* Re: ipset: update timeout when IP matches
From: Reindl Harald @ 2023-02-23 13:39 UTC
  To: Fourhundred Thecat, netfilter



Am 23.02.23 um 13:50 schrieb Fourhundred Thecat:
> > On 2023-02-23 12:34, Kerin Millar wrote:
>> On Thu, 23 Feb 2023 12:04:44 +0100
>> Fourhundred Thecat <400thecat@gmx.ch> wrote:
>>
>> The following option is detailed by iptables-extensions(8).
>>
>> --exist
>>         when adding an entry if it already exists, reset the timeout
>>         value to the specified one or to the default from the set
>>         definition
> 
> OK, thank you. But now I have this problem:
> 
> I want to:
> 
> 1) reset the timeout if the IP is already in PORTSCAN
> 2) drop the packet
> 
> I wrote these 2 rules:
> 
> 1) -A INPUT -j SET --add-set PORTSCAN src --timeout 3600 --exist
> 2) -A INPUT -m set --match-set PORTSCAN src -j DROP
> 
> but the problem is, rule 1) matches everything, not just IPs already in
> PORTSCAN. This basically adds everything to PORTSCAN.


What else should it do without a condition?

"-A INPUT -j SET --add-set PORTSCAN src --timeout 3600 --exist" says 
"whatever it is, add it to the ipset"


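The thread ends without spelling out the rule that the 12:50 question and Kerin Millar's pointer to --exist lead to. The script below is an added example written for this page; it is not from the thread, from any poster's configuration, or from the netfilter project. The condition that the bare "-j SET ... --exist" rule lacked is simply the set match itself: "-m set --match-set PORTSCAN src -j SET --add-set PORTSCAN src --timeout 3600 --exist" only ever touches entries that already exist, and because SET is a non-terminating target the packet continues to the DROP rule on the next line. The script emits the set definition and the INPUT chain in iptables-restore format so the order can be checked before anything is loaded. Assumptions not in the thread: an IPv4 hash:ip set, a second service port 22 next to 22222, and a conntrack rule so that replies to the host's own outbound connections are not recorded as scans.

```sh
#!/bin/sh
# Added example, not from the thread: emit (and optionally load) an ipset
# definition plus an INPUT chain in which sources already listed in
# PORTSCAN get their timeout refreshed and are dropped, while only
# unsolicited traffic to unserved ports adds new entries.
#
# Assumptions not stated in the thread: IPv4 hash:ip set, a second
# service port 22 next to 22222, and a conntrack rule for replies.

SET_NAME=PORTSCAN
TIMEOUT=3600          # seconds; also the set's default entry timeout
SERVICE_PORTS="22 22222"

# Set definition in `ipset restore` format. "timeout" on the set gives
# every entry an expiry even when a rule omits --timeout.
portscan_ipset() {
    printf '%s\n' "create $SET_NAME hash:ip family inet timeout $TIMEOUT"
}

# Filter table in `iptables-restore` format. Order is the whole point:
#  1. refresh: the set match is the missing condition, so -j SET --exist
#     only touches entries that exist; SET is non-terminating, so the
#     packet continues to the DROP on the next rule;
#  2. accept loopback and replies to our own connections, otherwise
#     their peers would fall through to the catch-all and be listed;
#  3. accept the ports we actually serve;
#  4. anything left is a probe: record the source (no --exist needed).
portscan_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' "-A INPUT -m set --match-set $SET_NAME src -j SET --add-set $SET_NAME src --timeout $TIMEOUT --exist"
    printf '%s\n' "-A INPUT -m set --match-set $SET_NAME src -j DROP"
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -j SET --add-set $SET_NAME src --timeout $TIMEOUT"
    printf '%s\n' 'COMMIT'
}

# 1-based position of the first emitted line containing the fixed string $1;
# used to assert the rule order above before loading anything.
portscan_rule_line() {
    portscan_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# Load the set before the rules: the set match refuses to load against a
# missing set. "-exist" makes re-running idempotent; --noflush keeps the
# rules already present in the filter table. Needs root.
portscan_apply() {
    portscan_ipset | ipset -exist restore
    portscan_rules | iptables-restore --noflush
}

if [ "${1-}" = apply ]; then
    portscan_apply
else
    portscan_ipset
    portscan_rules
fi
```

Run without arguments to review the generated ruleset; run as root with "apply" to load it. Afterwards "ipset list PORTSCAN" shows the remaining timeout of each entry, so a source that keeps probing can be watched being reset to 3600 on every packet while one that stops probing expires.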
