


Re: Need advice solving problems with testing netfilter and ipsets

From David Brown <david.brown@hesbynett.no>
Newsgroups comp.os.linux.networking
Subject Re: Need advice solving problems with testing netfilter and ipsets
Date 2026-02-10 10:10 +0100
Organization A noiseless patient Spider
Message-ID <10mesld$3g28q$1@dont-email.me> (permalink)
References <10md6rs$2ucqu$1@dont-email.me>



On 09/02/2026 18:51, Lew Pitcher wrote:
> Question: Does anyone see a problem with the ipsets/iptables rules
> that I've built, below?
> 
> I run my router/firewall system on 64bit Slackware 14.2 (kernel 4.4.301,
> iptables 1.6.0, ipset 6.20) and recently have undertaken a project to
> isolate several of my internal hosts through the use of iptables and
> ipsets.
> 
> The goal is to, without disrupting the lan and internet communication of
> the other hosts on my lan networks, ensure that a specified set of hosts
> (specified by IP address) can communicate with other hosts on my lan
> networks, but NOT with the internet.
> 
> The solution I am testing (in a containerized virtual environment modeled
> after my lan and router/firewall configuration) utilizes two ipsets and
> an iptables rule.
> 
> The sets are:
>    # Build an ipset list of all the internal hosts that
>    # we prevent from obtaining outgoing internet access
>    # Only one untrusted device in this list for testing
>    ipset create IMMURED hash:ip family inet
>    ipset add IMMURED 192.168.55.10
> 
>    # Build an ipset list of all the internal networks
>    # that we allow the IMMURED host to access
>    ipset create LOCALNETS hash:net family inet
>    ipset add LOCALNETS 192.168.55.0/24
>    ipset add LOCALNETS 192.168.56.0/24
> 
> and the model iptables rule is
>    iptables -t filter -P FORWARD DROP
>    iptables -t filter -A FORWARD -i lo	-j ACCEPT
>    iptables -t filter -i eth1				\
> 	   -m set --match-set IMMURED src 		\
> 	   -m set ! --match-setset LOCALNETS dst	\
> 	   -j LOG --log-level notice --log-prefix 'netfilter (immured debug)'
>    iptables -t filter -A FORWARD -i eth1	-j ACCEPT
>    iptables -t filter -A FORWARD -i eth0	-j ACCEPT
> 
> In this version, I simply report attempts, but the final version will,
> instead, both report AND reject attempts with an additional rule that
> will
>    -j REJECT --reject-with icmp-admin-prohibited
> 
> In testing this (the "reporting" version) in a virtualized environment,
> I can see that iptables invokes my reporting rule by watching the
> associated packet count increase appropriately.
> 
> However, I /do not/ see my logging sentinel ('netfilter (immured debug)')
> in any syslog.
> 
> I can (and will) attempt the "-j REJECT" version, but the problem of
> logging remains. In production, I'll use this log to determine which
> of these (untrusted) devices attempt to access the internet, so I can
> make further network adjustments as necessary.
> 
> So, my question:
> 
> Does anyone see a problem with the ipsets/iptables rules that I've
> generated? Will they do what I want, as I have outlined above?
> 
> 

I'm not sure if I'm being much help here, but maybe a reply can 
encourage others...

I don't see anything immediately wrong with your rules here (other than 
the typo you found yourself).  I think the rule forwarding packets from 
"lo" is redundant (local packets go out on OUTPUT, not FORWARD), but I 
don't imagine it is doing any harm.

Were I doing this, the next steps would be to split the match rule into 
two, with different logging on each, to see if those showed matches. 
And I'd check the hit counters for the iptables rules after sending some 
test pings from the IMMURED machine, to trace which rules were triggered.
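
An added example (mine, not code from either poster) of the two steps
suggested in the reply above: the FORWARD chain with the match split into
two separately logged rules, plus the REJECT the original post plans to add,
and a small diff of FORWARD packet counters taken before and after a test
ping from the IMMURED host. The rule set keeps the names and addresses from
the original post (IMMURED, LOCALNETS, eth0/eth1); the LOG prefixes and the
REJECT rule are this example's own, the LOG rule is written with the
"-A FORWARD" and "--match-set" that the quoted version lacks, and the counter
snapshots are constructed, not output from anyone's router. IPT defaults to
echo so the script runs without root and simply prints the commands; set
IPT=iptables on a real router.

One caveat before reading a missing log line as a rule problem: LOG writes to
the kernel log, and before Linux 4.11 nf_log_ipv4 returns early, logging
nothing, for any network namespace other than the initial one (4.11 added the
net.netfilter.nf_log_all_netns sysctl for this). If the test "container" on the
4.4 kernel above is a network namespace (LXC, Docker, nspawn) rather than a VM,
the rule's counters will climb while no line ever reaches dmesg or syslog,
which would produce exactly the symptom described; testing on the router
itself, or in a VM, avoids that.

```shell
#!/bin/sh
# Added example, not code from either poster. Two helpers:
#  1. load_forward_rules: the FORWARD chain from the original post, with the
#     single match rule split into two LOG rules (one per half of the match),
#     the planned REJECT added, and the typos fixed. IPT defaults to "echo"
#     so the rules are printed instead of loaded.
#  2. counter_delta: diffs two `iptables -t filter -L FORWARD -vnx --line-numbers`
#     snapshots and lists the rules whose packet counters grew, so a test ping
#     from the IMMURED host shows exactly which rules it hit.
set -eu

IPT="${IPT:-echo}"   # assumption for the demo: echo, not the real binary

load_forward_rules() {
    $IPT -t filter -F FORWARD
    $IPT -t filter -P FORWARD DROP
    # (no "-i lo" rule: locally generated packets take OUTPUT, not FORWARD)
    # Debug rule A: does the source half of the match fire at all?
    $IPT -t filter -A FORWARD -i eth1 \
        -m set --match-set IMMURED src \
        -j LOG --log-level notice --log-prefix 'immured src: '
    # Rule B: the full match (IMMURED host talking to a non-LAN address) ...
    $IPT -t filter -A FORWARD -i eth1 \
        -m set --match-set IMMURED src \
        -m set ! --match-set LOCALNETS dst \
        -j LOG --log-level notice --log-prefix 'immured off-lan: '
    # ... followed by the rejection the poster plans for production.
    $IPT -t filter -A FORWARD -i eth1 \
        -m set --match-set IMMURED src \
        -m set ! --match-set LOCALNETS dst \
        -j REJECT --reject-with icmp-admin-prohibited
    $IPT -t filter -A FORWARD -i eth1 -j ACCEPT
    $IPT -t filter -A FORWARD -i eth0 -j ACCEPT
}

# counter_delta BEFORE_FILE AFTER_FILE
# Columns of "-L FORWARD -vnx --line-numbers": num pkts bytes target ...
# Prints "rule N: +D pkts: <target and rule text>" for every rule whose
# packet counter increased between the two snapshots.
counter_delta() {
    awk '
        # first file: remember the packet count per rule number
        FNR == NR { if ($1 ~ /^[0-9]+$/) before[$1] = $2; next }
        # second file: report increases (a rule absent before counts from 0)
        $1 ~ /^[0-9]+$/ && ($2 - before[$1]) > 0 {
            rule = $4
            for (i = 5; i <= NF; i++) rule = rule " " $i
            printf "rule %s: +%d pkts: %s\n", $1, $2 - before[$1], rule
        }
    ' "$1" "$2"
}

# Constructed snapshots (not real output from the poster's router): before
# and after four pings from 192.168.55.10 to an internet address, with some
# unrelated LAN traffic in between.
snapshot_before() {
cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target prot opt in   out source    destination
1        0     0 ACCEPT all  --  lo   *   0.0.0.0/0 0.0.0.0/0
2       10   840 LOG    all  --  eth1 *   0.0.0.0/0 0.0.0.0/0  match-set IMMURED src LOG flags 0 level 5 prefix "immured src: "
3        2   168 LOG    all  --  eth1 *   0.0.0.0/0 0.0.0.0/0  match-set IMMURED src ! match-set LOCALNETS dst LOG flags 0 level 5 prefix "immured off-lan: "
4        2   168 REJECT all  --  eth1 *   0.0.0.0/0 0.0.0.0/0  match-set IMMURED src ! match-set LOCALNETS dst reject-with icmp-admin-prohibited
5      500 42000 ACCEPT all  --  eth1 *   0.0.0.0/0 0.0.0.0/0
6      480 40320 ACCEPT all  --  eth0 *   0.0.0.0/0 0.0.0.0/0
EOF
}

snapshot_after() {
cat <<'EOF'
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target prot opt in   out source    destination
1        0     0 ACCEPT all  --  lo   *   0.0.0.0/0 0.0.0.0/0
2       14  1176 LOG    all  --  eth1 *   0.0.0.0/0 0.0.0.0/0  match-set IMMURED src LOG flags 0 level 5 prefix "immured src: "
3        6   504 LOG    all  --  eth1 *   0.0.0.0/0 0.0.0.0/0  match-set IMMURED src ! match-set LOCALNETS dst LOG flags 0 level 5 prefix "immured off-lan: "
4        6   504 REJECT all  --  eth1 *   0.0.0.0/0 0.0.0.0/0  match-set IMMURED src ! match-set LOCALNETS dst reject-with icmp-admin-prohibited
5      507 42588 ACCEPT all  --  eth1 *   0.0.0.0/0 0.0.0.0/0
6      485 40740 ACCEPT all  --  eth0 *   0.0.0.0/0 0.0.0.0/0
EOF
}

# Run the diff over the two constructed snapshots and return the report.
demo_counter_delta() {
    tmp_b=$(mktemp)
    tmp_a=$(mktemp)
    snapshot_before >"$tmp_b"
    snapshot_after  >"$tmp_a"
    counter_delta "$tmp_b" "$tmp_a"
    rm -f "$tmp_b" "$tmp_a"
}

# Stand-alone demo: print the rule set, then the counter report
# (expected: rules 2, 3 and 4 each +4, rule 1 not listed at all).
load_forward_rules
demo_counter_delta
```

On the real router the two snapshots come from running
"iptables -t filter -L FORWARD -vnx --line-numbers" before and after the test
ping; rule A firing while rule B stays at zero means the IMMURED half matches
and the LOCALNETS negation does not, and both firing with nothing in the log
points at logging itself rather than the rules.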



Thread

Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-09 17:51 +0000
  Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-09 17:54 +0000
    Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-09 18:39 +0000
  Re: Need advice solving problems with testing netfilter and ipsets David Brown <david.brown@hesbynett.no> - 2026-02-10 10:10 +0100
    Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-10 15:20 +0000
      Re: Need advice solving problems with testing netfilter and ipsets David Brown <david.brown@hesbynett.no> - 2026-02-10 21:13 +0100
    Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-18 19:52 +0000
      Re: Need advice solving problems with testing netfilter and ipsets David Brown <david.brown@hesbynett.no> - 2026-02-18 21:12 +0100
