Using IPset with CSF question
Posted: 09 Feb 2015, 22:47
I have a question about using IPSet with CSF. I'm fairly familiar with IPset but I'm not sure how it works with CSF. For example:
[~]# ipset create bruteforcers hash:ip hashsize 4096
[~]# iptables -I INPUT -m set --match-set bruteforcers src -j DROP
[~]# ipset add bruteforcers 128.230.193.152
[~]# ipset test bruteforcers 128.230.193.152
128.230.193.152 is in set bruteforcers.
[~]# iptables -L | grep brute
DROP all -- anywhere anywhere match-set bruteforcers src
ipset is set up and appears to be working. When I restart CSF, it flushes the rules:
iptables -L | grep brute now returns no results.
I see it adds to IPSet when I do csf -d:
root@dedicated2250 [~]# csf -d 173.247.244.100
Adding 173.247.244.100 to csf.deny and iptables DROP...
csf: IPSET adding [173.247.244.100] to set [chain_DENY]
root@dedicated2250 [~]# iptables -L | grep chain
ACCEPT all -- anywhere anywhere match-set chain_ALLOW src
ACCEPT all -- anywhere anywhere match-set chain_ALLOW dst
LOGDROPIN all -- anywhere anywhere match-set chain_DENY src
LOGDROPOUT all -- anywhere anywhere match-set chain_DENY dst
root@dedicated2250 [~]# ipset list chain_DENY
Name: chain_DENY
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16784
References: 2
Members:
173.247.244.100
But this doesn't allow me to maintain multiple lists, just the one at chain_DENY. Am I able to create lists from IPset and have them stay after a flush, or do I need to only be adding IPs via csf -d to have CSF add them to IPset for me instead of adding them manually via ipset?
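One way to keep a custom set across a CSF restart, as an added example that is not from the original post or from CSF itself: CSF executes /etc/csf/csfpost.sh after it has loaded its own rules, so a hook there can recreate the set, re-insert the iptables rule and reload the members. The member-file path, the DRY_RUN variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# /etc/csf/csfpost.sh (hypothetical content): CSF runs this hook after it has
# rebuilt its own iptables rules, so anything recreated here survives a csf -r.

SET_NAME="bruteforcers"          # set name from the post above
SET_TYPE="hash:ip"
SET_HASHSIZE=4096
MEMBER_FILE="/etc/csf/${SET_NAME}.list"   # assumed path; one IP per line

# Execute a command, or just print it when DRY_RUN=1 to preview the changes.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Recreate the set if the flush removed it; -exist keeps this idempotent.
ensure_set() {
    run ipset create "$SET_NAME" "$SET_TYPE" hashsize "$SET_HASHSIZE" -exist
}

# Add the DROP rule only when it is missing (iptables -C checks for it), so
# repeated runs do not stack duplicate rules in INPUT.
ensure_rule() {
    if [ "${DRY_RUN:-0}" = "1" ] || \
       ! iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null; then
        run iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
    fi
}

# Reload members from a text file; blank lines and # comments are skipped.
restore_members() {
    file="$1"
    [ -r "$file" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$file" | while read -r ip; do
        run ipset add "$SET_NAME" "$ip" -exist
    done
}

# CSF invokes the hook by path; only then apply everything.
case "$0" in
    *csfpost.sh) ensure_set; ensure_rule; restore_members "$MEMBER_FILE" ;;
esac
```

Running it with DRY_RUN=1 prints the ipset and iptables commands instead of executing them, which is a convenient way to check the hook before letting CSF run it.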