| From | Lew Pitcher <lew.pitcher@digitalfreehold.ca> |
|---|---|
| Newsgroups | comp.os.linux.networking |
| Subject | Need advice solving problems with testing netfilter and ipsets |
| Date | 2026-02-09 17:51 +0000 |
| Organization | A noiseless patient Spider |
| Message-ID | <10md6rs$2ucqu$1@dont-email.me> |
Question: Does anyone see a problem with the ipsets/iptables rules
that I've built, below?
I run my router/firewall system on 64bit Slackware 14.2 (kernel 4.4.301,
iptables 1.6.0, ipset 6.20) and recently have undertaken a project to
isolate several of my internal hosts through the use of iptables and
ipsets.
The goal is to, without disrupting the lan and internet communication of
the other hosts on my lan networks, ensure that a specified set of hosts
(specified by IP address) can communicate with other hosts on my lan
networks, but NOT with the internet.
The solution I am testing (in a containerized virtual environment modeled
after my lan and router/firewall configuration) utilizes two ipsets and
an iptables rule.
The sets are:
# Build an ipset list of all the internal hosts that
# we prevent from obtaining outgoing internet access
# Only one untrusted device in this list for testing
ipset create IMMURED hash:ip family inet
ipset add IMMURED 192.168.55.10
# Build an ipset list of all the internal networks
# that we allow the IMMURED host to access
ipset create LOCALNETS hash:net family inet
ipset add LOCALNETS 192.168.55.0/24
ipset add LOCALNETS 192.168.56.0/24
and the model iptables rule is
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -i lo -j ACCEPT
# Log (for now) forwarded packets from an IMMURED host that are
# not destined for one of the LOCALNETS
iptables -t filter -A FORWARD -i eth1 \
-m set --match-set IMMURED src \
-m set ! --match-set LOCALNETS dst \
-j LOG --log-level notice --log-prefix 'netfilter (immured debug)'
iptables -t filter -A FORWARD -i eth1 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -j ACCEPT
In this version, I simply report attempts, but the final version will,
instead, both report AND reject attempts with an additional rule that
will
-j REJECT --reject-with icmp-admin-prohibited
In testing this (the "reporting" version) in a virtualized environment,
I can see that iptables invokes my reporting rule by watching the
associated packet count increase appropriately.
However, I /do not/ see my logging sentinel ('netfilter (immured debug)')
in any syslog.
I can (and will) attempt the "-j REJECT" version, but the problem of
logging remains. In production, I'll use this log to determine which
of these (untrusted) devices attempt to access the internet, so I can
make further network adjustments as necessary.
So, my question:
Does anyone see a problem with the ipsets/iptables rules that I've
generated? Will they do what I want, as I have outlined above?
--
Lew Pitcher
"In Skills We Trust"
Not LLM output - I'm just like this.
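Added example, not part of Lew's post: a Python script that models the FORWARD rule's match condition against the two sets as posted, then parses constructed syslog lines in xt_LOG's KEY=VALUE format to tally which IMMURED host tried to reach which internet port (the production use the post describes). It assumes the standard xt_LOG output layout; because the posted prefix has no trailing space, "debug)" runs straight into "IN=" in real output, and the parser allows for that.

```python
import ipaddress
import re
from collections import Counter

# The two sets exactly as the post defines them.
IMMURED = {ipaddress.ip_address("192.168.55.10")}
LOCALNETS = [ipaddress.ip_network(n) for n in ("192.168.55.0/24", "192.168.56.0/24")]
LOG_PREFIX = "netfilter (immured debug)"
# xt_LOG emits KEY=VALUE pairs after the prefix; the post's prefix has no trailing
# space, so "debug)" runs straight into "IN=", which the regex copes with.
_KV = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|DPT)=(\S*)")

def would_rule_match(in_iface, src, dst):
    """Model the post's FORWARD rule: -i eth1, src in IMMURED, dst NOT in LOCALNETS."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return in_iface == "eth1" and s in IMMURED and not any(d in n for n in LOCALNETS)

def parse_log_line(line):
    """Return the KEY=VALUE fields of a syslog line carrying our prefix, else None."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    return dict(_KV.findall(line[idx + len(LOG_PREFIX):]))

def summarize(lines):
    """Count logged internet attempts, keyed by (immured src, proto, dest port)."""
    hits = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        # The kernel should only log packets the rule matches; a failure here
        # means the sets and the rule have drifted apart.
        if not would_rule_match(f.get("IN"), f["SRC"], f["DST"]):
            raise ValueError("logged packet does not match the modelled rule: " + line)
        hits[(f["SRC"], f.get("PROTO"), f.get("DPT"))] += 1
    return hits

# Constructed sample syslog lines in xt_LOG's format (not real captures).
SAMPLE_SYSLOG = [
    "Feb  9 17:51:02 router kernel: netfilter (immured debug)IN=eth1 OUT=eth0 "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.55.10 DST=203.0.113.7 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=51234 DPT=443 SYN URGP=0",
    "Feb  9 17:51:03 router kernel: netfilter (immured debug)IN=eth1 OUT=eth0 "
    "SRC=192.168.55.10 DST=203.0.113.7 LEN=60 TTL=63 PROTO=TCP SPT=51235 DPT=443 SYN",
    "Feb  9 17:51:05 router kernel: netfilter (immured debug)IN=eth1 OUT=eth0 "
    "SRC=192.168.55.10 DST=198.51.100.53 LEN=62 TTL=63 PROTO=UDP SPT=40000 DPT=53",
    "Feb  9 17:51:06 router sshd[123]: Accepted publickey for lew from 192.168.56.20",
]
```

Running summarize(SAMPLE_SYSLOG) over a real /var/log/messages (or journalctl -k output) gives the per-device, per-port tally the post wants; the ValueError guard catches a rule whose match conditions no longer agree with the set contents.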