Ipset And Iptables Matching Source Or Destination IP In One Rule

Hey guys! Ever found yourself wrestling with iptables and ipset, trying to create that perfect rule that matches either the source OR destination IP in your set? You're not alone! It's a common challenge, and the syntax can be a bit tricky. This guide will dive deep into how to achieve this, making your firewall rules more efficient and manageable.

Understanding the Challenge

When dealing with network security, you often need to block or allow traffic based on IP addresses. Iptables, the powerful Linux firewall, can do this, but managing a long list of IP addresses directly in iptables rules becomes cumbersome. That's where ipset comes in. Ipset lets you create named sets of IP addresses, which you can then reference in your iptables rules. This makes your rules cleaner, faster, and easier to update.

The initial approach many try is a single rule that attempts to match both source and destination IPs against the ipset. Something like this:

iptables -A FORWARD -m set --match-set <name_of_ipset> src,dst -j DROP

However, this won't work as expected. The src,dst option in --match-set acts as an AND condition. It only matches packets where both the source and destination IPs are in the ipset. What if you want to block traffic if either the source OR the destination IP is in the set? Let's explore how to do that.

The Solution: Two Rules to the Rescue

To achieve an OR condition (either source OR destination IP matches), you need to create two separate iptables rules. One rule will check the source IP, and the other will check the destination IP. Here’s how it looks:

iptables -A FORWARD -m set --match-set <name_of_ipset> src -j DROP
iptables -A FORWARD -m set --match-set <name_of_ipset> dst -j DROP

Let's break this down:

• iptables -A FORWARD: This appends the rule to the FORWARD chain, which is used for traffic passing through your system (not traffic originating from or destined for the system itself). If you're dealing with traffic to the server itself, you might use the INPUT or OUTPUT chains instead.
• -m set: This tells iptables to use the set module, which is responsible for ipset matching.
• --match-set <name_of_ipset> src: This is the key part. It checks if the source IP of the packet is present in the ipset named <name_of_ipset>. Replace <name_of_ipset> with the actual name of your ipset.
• -j DROP: This is the target. If the source IP is in the ipset, the packet is dropped (blocked).
• --match-set <name_of_ipset> dst: This is similar to the previous rule but checks the destination IP instead.

With these two rules in place, any packet with either its source OR destination IP in the specified ipset will be dropped.

Example Scenario

Imagine you want to block traffic from or to a list of known malicious IP addresses. You could create an ipset named bad_ips and add the IPs to it. Then, these two rules would effectively block the unwanted traffic:

iptables -A FORWARD -m set --match-set bad_ips src -j DROP
iptables -A FORWARD -m set --match-set bad_ips dst -j DROP

Diving Deeper: Creating and Managing Ipsets

Okay, so you know how to use ipsets in your iptables rules, but how do you actually create and manage those sets? Let’s walk through the basics.

Creating an Ipset

The ipset command is your tool for this. Here’s the general syntax for creating an ipset:

ipset create <name_of_ipset> <type>

• <name_of_ipset>: This is the name you choose for your ipset. It should be descriptive and easy to remember (e.g., bad_ips, allowed_networks).
• <type>: This specifies the type of set. The most common type is hash:ip, which stores a set of IP addresses. Other types exist, such as hash:net (for networks) and hash:ip,port (for IP address and port combinations), but we'll focus on hash:ip for this discussion.

So, to create an ipset named bad_ips to store IP addresses, you’d use:

ipset create bad_ips hash:ip

Adding IPs to an Ipset

Once you've created an ipset, you need to add IP addresses to it. The ipset add command is your friend here:

ipset add <name_of_ipset> <ip_address>

For example, to add the IP address 192.168.1.100 to the bad_ips ipset, you’d use:

ipset add bad_ips 192.168.1.100

You can add multiple IPs one by one, or you can script the process to add IPs from a file or other source. This makes ipsets incredibly flexible for managing large lists of IPs.

Listing Ipset Contents

To see what IPs are currently in your ipset, use the ipset list command:

ipset list <name_of_ipset>

For example:

ipset list bad_ips

This will display the name of the ipset, its type, and a list of the IP addresses it contains.

Deleting IPs from an Ipset

If you need to remove an IP address from an ipset, use the ipset del command:

ipset del <name_of_ipset> <ip_address>

For instance, to remove 192.168.1.100 from bad_ips:

ipset del bad_ips 192.168.1.100

Destroying an Ipset

If you no longer need an ipset, you can destroy it using the ipset destroy command:

ipset destroy <name_of_ipset>

For example:

ipset destroy bad_ips

Important: Destroying an ipset will remove it completely. Make sure you no longer need it before destroying it. Also, if any iptables rules are referencing the ipset, they will no longer work correctly after the ipset is destroyed.

Advanced Ipset Techniques and Considerations

Now that you've got the basics down, let’s explore some more advanced techniques and considerations for using ipsets effectively.

Using Ipset with Network Addresses

As mentioned earlier, you can create ipsets that store network addresses (CIDR notation) instead of individual IPs. This is incredibly useful for blocking entire subnets or allowing access from specific network ranges. To do this, use the hash:net type when creating the ipset:

ipset create allowed_networks hash:net

Then, you can add network addresses like 192.168.0.0/24 to the set:

ipset add allowed_networks 192.168.0.0/24

Your iptables rules will work the same way, but now they’ll match entire networks instead of just single IPs.

Ipset with Ports

You can even create ipsets that store combinations of IP addresses and ports using the hash:ip,port type. This is useful for very specific filtering scenarios.

ipset create ssh_access hash:ip,port

When adding entries, you need to specify both the IP address and the port, separated by a comma:

ipset add ssh_access 192.168.1.100,22

To use this in iptables, you’ll need to use the -m multiport module along with the set module:

iptables -A INPUT -m set --match-set ssh_access src,port -m multiport -p tcp --dport 22 -j ACCEPT

This example allows SSH access (port 22) from the IP address 192.168.1.100.

Saving and Restoring Ipsets

By default, ipsets are stored in memory and will be lost when the system restarts. To make your ipsets persistent, you need to save them to a file and restore them on boot. Here’s how:

• Saving: Use the ipset save command to save the ipsets to a file:

  ipset save > /etc/ipset.conf
  

• Restoring: You can restore the ipsets by running ipset restore with the saved file:

  ipset restore < /etc/ipset.conf
  

  To automate this on boot, you can add this command to your system's startup scripts (e.g., /etc/rc.local or a systemd service).

Performance Considerations

Ipsets are generally very efficient, especially compared to using long lists of IPs directly in iptables rules. However, very large ipsets (millions of entries) can still impact performance. If you're dealing with extremely large sets, consider these tips:

• Use the appropriate ipset type: hash:ip is generally the fastest for simple IP address lookups. Use other types only when necessary.
• Optimize your rules: Ensure your iptables rules are well-structured and efficient. Avoid unnecessary rules.
• Consider alternative solutions: For extremely large blocklists, specialized solutions like BGP blackholing might be more appropriate.

Common Pitfalls and Troubleshooting

Even with a good understanding of ipsets, you might encounter some common issues. Let's look at a few and how to troubleshoot them.

Rules Not Working as Expected

If your iptables rules with ipsets aren't working as you expect, here are some things to check:

• Ipset exists and is populated: Verify that the ipset you're referencing in your rules actually exists and contains the IPs you expect. Use ipset list <name_of_ipset> to check.
• Rule order: Iptables rules are processed in order. Make sure your ipset rules are in the correct order relative to other rules.
• Chain: Ensure you're using the correct iptables chain (INPUT, OUTPUT, FORWARD). The chain depends on the direction of traffic you're trying to filter.
• Typos: Double-check for typos in your ipset names and IP addresses.

Ipset Not Restoring on Boot

If your ipsets aren't being restored on boot, make sure the ipset restore command is being executed correctly during startup. Check your system logs for any errors. Also, ensure that the /etc/ipset.conf file exists and contains the saved ipset data.

Performance Issues

If you're experiencing performance issues with large ipsets, consider the performance tips mentioned earlier. Also, monitor your system's CPU and memory usage to identify any bottlenecks.

Conclusion

Using ipsets with iptables is a powerful technique for managing firewall rules efficiently. By understanding how to create, populate, and use ipsets in your rules, you can significantly improve the performance and maintainability of your firewall. Remember, to match either source OR destination IP, you need two separate rules. Keep exploring the advanced features of ipsets, and you'll become a true firewall ninja! Happy networking, guys!