I'm trying to configure a firewall (using iptables on a Docker host) that allows inbound HTTP and HTTPS from everywhere, SSH from a certain set of IPs, and no other incoming connections. I liked what I read about ipset, as it seems to be easier to configure than raw iptables and also allows easier automated re-configuration of sets. But somehow it does not seem to work: I'm not able to connect via HTTPS, although port 443 should be open. SSH connections work (although I haven't tried to lock myself out). While trying to debug this issue, I added counters to the various sets in ipset. But they stay at 0, although the counters in iptables increase. Why aren't my connections counted in ipset? Are there other/better ways of debugging list:set? And how can I fix it?
Here is the firewall script (intention: allow port 22 from 93.241.223.2, anything on ports 80 and 443, and nothing else):
#!/bin/sh
# suffix for set names, to avoid overwriting old sets
timestamp=$(date +%s)
# allow HTTP in general (duplicate sets are due to automated generation of script)
ipset create mds-c-allowhttp4-$timestamp bitmap:port range 0-1024 counters
ipset add mds-c-allowhttp4-$timestamp 80
ipset add mds-c-allowhttp4-$timestamp 443
ipset create mds-c-allowhttp6-$timestamp bitmap:port range 0-1024 counters
ipset add mds-c-allowhttp6-$timestamp 80
ipset add mds-c-allowhttp6-$timestamp 443
# create set with allowed IPv4 ssh connections
ipset create mds-c-allowssh4-$timestamp hash:ip,port family inet counters
ipset add mds-c-allowssh4-$timestamp 93.241.223.2,22
# create set with allowed IPv6 ssh connections
ipset create mds-c-allowssh6-$timestamp hash:ip,port family inet6 counters
# create union of allowed sets
ipset create mds-c-allowcombined-$timestamp list:set counters
ipset add mds-c-allowcombined-$timestamp mds-c-allowhttp4-$timestamp
ipset add mds-c-allowcombined-$timestamp mds-c-allowhttp6-$timestamp
ipset add mds-c-allowcombined-$timestamp mds-c-allowssh4-$timestamp
ipset add mds-c-allowcombined-$timestamp mds-c-allowssh6-$timestamp
# create mds-allowcombined if not already there (-exist: don't fail when the set already exists)
ipset create -exist mds-allowcombined list:set counters
# activate new sets
ipset swap mds-c-allowcombined-$timestamp mds-allowcombined
# add iptables rule if not already there
iptables -C DOCKER-USER -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP || iptables -I DOCKER-USER -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP
ip6tables -C INPUT -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP || ip6tables -I INPUT -i eth0 -m set ! --match-set mds-allowcombined src,dst -j DROP
Here's the output from "ipset --list":
Name: mds-c-allowhttp4-1712053688
Type: bitmap:port
Revision: 3
Header: range 0-1024 counters
Size in memory: 16608
References: 1
Number of entries: 2
Members:
80 packets 0 bytes 0
443 packets 0 bytes 0
Name: mds-c-allowhttp6-1712053688
Type: bitmap:port
Revision: 3
Header: range 0-1024 counters
Size in memory: 16608
References: 1
Number of entries: 2
Members:
80 packets 0 bytes 0
443 packets 0 bytes 0
Name: mds-c-allowssh4-1712053688
Type: hash:ip,port
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 counters bucketsize 12 initval 0xac582e33
Size in memory: 280
References: 1
Number of entries: 1
Members:
93.241.223.2,tcp:22 packets 0 bytes 0
Name: mds-c-allowssh6-1712053688
Type: hash:ip,port
Revision: 6
Header: family inet6 hashsize 1024 maxelem 65536 counters bucketsize 12 initval 0x0bd9d478
Size in memory: 216
References: 1
Number of entries: 0
Members:
Name: mds-allowcombined
Type: list:set
Revision: 3
Header: size 8 counters
Size in memory: 336
References: 2
Number of entries: 4
Members:
mds-c-allowhttp4-1712053688 packets 0 bytes 0
mds-c-allowhttp6-1712053688 packets 0 bytes 0
mds-c-allowssh4-1712053688 packets 0 bytes 0
mds-c-allowssh6-1712053688 packets 0 bytes 0
And here's the output from iptables --list --verbose:
Chain INPUT (policy ACCEPT 14268 packets, 12M bytes)
pkts bytes target prot opt in out source destination
11611 11M f2b-sshd tcp -- any any anywhere anywhere multiport dports ssh
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
8765 525K DOCKER-USER all -- any any anywhere anywhere
1939 116K DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
0 0 ACCEPT all -- any br-34e695d35afc anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any br-34e695d35afc anywhere anywhere
1939 116K ACCEPT all -- br-34e695d35afc !br-34e695d35afc anywhere anywhere
0 0 ACCEPT all -- br-34e695d35afc br-34e695d35afc anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-34e695d35afc br-34e695d35afc anywhere 172.18.0.2 tcp dpt:snpp
0 0 ACCEPT tcp -- !br-34e695d35afc br-34e695d35afc anywhere 172.18.0.2 tcp dpt:https
0 0 ACCEPT tcp -- !br-34e695d35afc br-34e695d35afc anywhere 172.18.0.2 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
1939 116K DOCKER-ISOLATION-STAGE-2 all -- br-34e695d35afc !br-34e695d35afc anywhere anywhere
1939 116K RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 DROP all -- any br-34e695d35afc anywhere anywhere
1939 116K RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
6826 409K DROP all -- eth0 any anywhere anywhere ! match-set mds-allowcombined src,dst
1939 116K RETURN all -- any any anywhere anywhere
Chain f2b-sshd (1 references)
pkts bytes target prot opt in out source destination
11522 11M RETURN all -- any any anywhere anywhere
Asked by T. Baum
(1 rep)
Apr 2, 2024, 11:00 AM
Last activity: Apr 3, 2024, 07:46 AM
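As an added diagnostic example (not code from the question or from the ipset project), the checker below models how an iptables `-m set --match-set NAME FLAGS` rule binds its flags to a set's dimensions: the flags are positional, the first one decides whether the set's first dimension is taken from the packet's source or destination, the second flag covers the second dimension, and a list:set hands the same flags unchanged to every member set. The set inventory is constructed to mirror the sets in the script above (timestamp suffixes dropped), and the type table covers only a handful of common ipset types.

```python
"""Check ipset match-set dimension flags against the sets they address.

Added example; the set inventory is constructed to mirror the question.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Per ipset type: what each dimension matches on ("ip" or "port").
SET_DIMENSIONS = {
    "bitmap:ip": ["ip"],
    "bitmap:port": ["port"],
    "hash:ip": ["ip"],
    "hash:net": ["ip"],
    "hash:ip,port": ["ip", "port"],
    "hash:net,port": ["ip", "port"],
    "hash:ip,port,ip": ["ip", "port", "ip"],
}


@dataclass
class IpSet:
    name: str
    type: str
    family: Optional[str] = None                   # "inet", "inet6" or None (any)
    members: List[str] = field(default_factory=list)  # children of a list:set


def leaf_sets(sets: Dict[str, IpSet], name: str) -> List[IpSet]:
    """Expand a list:set (recursively) into the non-list sets it contains."""
    s = sets[name]
    if s.type != "list:set":
        return [s]
    out: List[IpSet] = []
    for child in s.members:
        for leaf in leaf_sets(sets, child):
            if leaf not in out:
                out.append(leaf)
    return out


def check_match_set(sets, name, flags, family="inet", inbound=True) -> List[Tuple[str, str, str]]:
    """Findings for `-m set --match-set NAME FLAGS` evaluated by an iptables
    (family="inet") or ip6tables (family="inet6") rule.

    Returns (set_name, level, message); level is "error" for a binding that
    cannot match inbound connections, "info" otherwise.
    """
    dims = flags.split(",")
    findings = []
    for leaf in leaf_sets(sets, name):
        kinds = SET_DIMENSIONS.get(leaf.type)
        if kinds is None:
            findings.append((leaf.name, "info", f"type {leaf.type} not in table, skipped"))
            continue
        # A set of the other address family is never consulted by this rule.
        if leaf.family not in (None, family):
            findings.append((leaf.name, "info",
                             f"family {leaf.family} set is never consulted by {family} rules"))
            continue
        # Fewer flags than dimensions: the kernel skips the set entirely.
        if len(dims) < len(kinds):
            findings.append((leaf.name, "error",
                             f"{leaf.type} needs {len(kinds)} flags but rule gives {len(dims)}; "
                             "the set is skipped and never matches"))
            continue
        binding = list(zip(kinds, dims))          # surplus flags are ignored
        shown = ", ".join(f"{side} {kind}" for kind, side in binding)
        if inbound and ("port", "src") in binding:
            findings.append((leaf.name, "error",
                             f"{leaf.type} is tested as [{shown}]; inbound connections carry an "
                             "ephemeral source port, so the stored ports never match"))
        else:
            findings.append((leaf.name, "info", f"{leaf.type} is tested as [{shown}]"))
    return findings


# Constructed inventory mirroring the question's sets (timestamp suffixes dropped).
QUESTION_SETS = {s.name: s for s in [
    IpSet("allowhttp4", "bitmap:port"),
    IpSet("allowhttp6", "bitmap:port"),
    IpSet("allowssh4", "hash:ip,port", "inet"),
    IpSet("allowssh6", "hash:ip,port", "inet6"),
    IpSet("allowcombined", "list:set", None,
          ["allowhttp4", "allowhttp6", "allowssh4", "allowssh6"]),
]}

if __name__ == "__main__":
    # The rule from the script: --match-set mds-allowcombined src,dst
    for set_name, level, msg in check_match_set(QUESTION_SETS, "allowcombined", "src,dst"):
        print(f"{level:5} {set_name}: {msg}")
```

Run against the `src,dst` flags of the script's rule, the checker reports the two bitmap:port members as bound to the source port while the hash:ip,port member binds as source IP plus destination port; flipping the flags to `dst` alone fixes the port sets but then starves the two-dimension sets, which shows why a single list:set with mixed dimensionality is awkward to match with one flag string.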