
fw3 IPSET Configuration Examples

ipset is a relatively recent netfilter feature for managing a large group of stations/networks as a single named set. Netfilter rules can then match packet fields against the set rather than against individual stations. This yields a number of efficiencies, for example a hash lookup of the station addresses in the set instead of a linear walk through a long rule list.

firewall3 supports the most common ipset functions. This section provides some examples to illustrate how to incorporate an ipset into netfilter rules.

OpenWrt ipset Configuration

In order to use the ipset netfilter feature, 1) the Linux kernel must be built with the netfilter kernel modules implementing ipset and 2) the ipset application package must be installed.

In LuCI under Admin → System → Packages, confirm the ipset package is installed. It will not install if the kernel does not support the ipset feature.

:!: The 18.06 OpenWrt release does not support ipset by default, so this will likely fail. See below for building a custom image including ipset.

Using ipset to Drop SMTP Spam

ipset is great for collecting a large set of IP addresses/networks under one label and then using that label in subsequent rules as a single match criterion for any entry in the ipset.

One of the big uses of ipset is to block spam generators (stations or networks that randomly generate billions of spam emails daily). There are thousands of spam generators; adding a reject rule for each makes the netfilter rule list huge and inefficient.

So all spam networks are added to a single named ipset, and that name is then used in the match rules.

In /etc/config/firewall add:

config ipset
    option external dropcidr
    option match src_net
    option storage hash
    option name IPSET-DROPCIDR
    option enabled 1

config rule
    option src wan
    option ipset IPSET-DROPCIDR
    option dest_port 25
    option target DROP
    option name DROP-SMTP-WAN-LAN
    option enabled 1

The ipset section references an externally created ipset and matches it against the source network field. Notice the storage type is hash. There is a good deal of internal optimization that can be done inside the ipset kernel modules; this ipset is configured to use a highly efficient hash rather than a linear search to match the source network.

:!: The dropcidr ipset must be created prior to loading the firewall table. See the next section. Note that the firewall3 loadfile option was intended to be used in place of the ipset command to create and manage an ipset, but it has not been fully implemented yet (see the dummy code in *ipsets.c:load_file*). When it is implemented, the set will be easier to maintain.

The rule section matches on a network in IPSET-DROPCIDR and port 25 (SMTP). If there is a match, the DROP target is called. Use DROP and not REJECT for this rule.

See Netfilter Management to view and verify the new firewall sections. With fw3, one should see a rule like this:

iptables -t filter -A zone_wan_forward -p tcp -m tcp --dport 25 -m set --match-set dropcidr src -m comment --comment "!fw3: DROP-SMTP-WAN-LAN" -j zone_lan_dest_DROP

Create the ipset

Using the ipset application, create the ipset and add an initial set of entries.

ipset create dropcidr hash:net
ipset add dropcidr 42.56.0.0/16
ipset add dropcidr 180.178.160.0/20
ipset add dropcidr 79.133.43.0/24
ipset add dropcidr 27.44.0.0/15
ipset add dropcidr 192.168.3.0/24
...

:!: 192.168.3.0/24 is a private network on the WAN side used to test this feature. The others are actual spam sources.

Entries can be added to and deleted from the set at any time:

ipset del dropcidr 192.168.3.0/24
ipset list dropcidr

:!: The CIDRs can be dynamically added and deleted in the dropcidr table while the netfilter rule is active.
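Since the loadfile option is not yet implemented, a large set is in practice maintained from a plain-text list. The script below is an added example, not code from the OpenWrt wiki or from fw3: it turns a CIDR list into an `ipset restore` batch, validates each entry, flags private networks (the kind of test entry mentioned above) on stderr, and fills a scratch set that is then swapped with the live dropcidr set, so the netfilter rule keeps matching a populated set while the list is refreshed. It assumes the live set already exists as hash:net (created as shown above) and that the list file (a hypothetical path, passed as an argument) holds one IPv4 CIDR per line with `#` starting a comment.

```shell
#!/bin/sh
# Added example; not code from the OpenWrt wiki page or from fw3.
# Assumptions: the live set (default name dropcidr) already exists as
# hash:net; LISTFILE is a hypothetical path with one IPv4 CIDR per line.

# valid_cidr CIDR: return 0 for a well-formed IPv4 network (a.b.c.d/0-32).
valid_cidr() {
    addr=${1%/*}
    plen=${1#*/}
    [ "$addr" != "$1" ] || return 1           # the /prefix is mandatory
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    n=0
    oldifs=$IFS; IFS=.
    for oct in $addr; do                       # exactly four octets, each 0-255
        case $oct in ''|*[!0-9]*) IFS=$oldifs; return 1 ;; esac
        [ "$oct" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# is_private CIDR: return 0 when the network lies inside an RFC 1918 block.
# Such entries are reported, not rejected: dropping your own LAN by mistake
# is the usual failure mode of a blocklist, so the operator should see them.
is_private() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# gen_ipset_restore SET LISTFILE: print an `ipset restore` batch on stdout.
# Malformed lines are reported on stderr and skipped. Nothing is printed and
# 1 is returned if no valid entry was found, so an empty or broken list never
# replaces a populated live set.
gen_ipset_restore() {
    set_name=$1; list=$2; tmp="${1}-tmp"; count=0; adds=''
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                      # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if ! valid_cidr "$entry"; then
            echo "skipping malformed entry: $line" >&2
            continue
        fi
        is_private "$entry" && echo "warning: private network in blocklist: $entry" >&2
        adds="${adds}add $tmp $entry
"
        count=$((count + 1))
    done < "$list"
    [ "$count" -gt 0 ] || { echo "no valid entries in $list" >&2; return 1; }
    echo "create $tmp hash:net"
    printf '%s' "$adds"
    echo "swap $tmp $set_name"                 # live set replaced in one step
    echo "destroy $tmp"
}

# Constructed sample list for exercising the parser (documentation ranges,
# not real spam sources); written to the file named by $1.
make_sample_list() {
    cat > "$1" <<'EOF'
# blocklist feed, one network per line
203.0.113.0/24
198.51.100.0/25   # inline comment
192.168.3.0/24
300.1.1.0/24
10.0.0.0
EOF
}

# Usage on the router (as root, hypothetical list path):
#   gen_ipset_restore dropcidr /etc/dropcidr.list | ipset restore
```

The swap is what makes this safe to run while the DROP rule is active: the rule keeps referencing dropcidr throughout, and `ipset swap` only exchanges the contents of two sets of the same type, which is why the live set must already exist as hash:net before the batch is fed to `ipset restore`.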

Destroy the ipset

ipset destroy dropcidr

:!: The ipset table cannot be destroyed while being referenced by a netfilter rule. First remove it from the firewall config and reload.

Build a Custom OpenWrt Image Adding ipset Support

ipset is not supported in the default OpenWrt image, but it can be added fairly easily in a custom build.

Use the OpenWrt make menuconfig and follow Kernel Modules → Netfilter Extensions → kmod-ipt-ipset. Set it to built-in (not a loadable module). Then rebuild and install the image.

When the image is running and the ipset modules are confirmed, install the user-space interface package ipset.

:!: The user-space package will fail to install if the kernel does not support it. DO NOT FORCE install or it will panic the router.

Confirm the ip_set modules are loaded; the output will look something like the following:

root# cat /proc/modules | grep ip_set
ip_set_list_set 6704 0 - Live 0x8301c000
ip_set_hash_netiface 23888 0 - Live 0x830f0000
ip_set_hash_netport 23856 0 - Live 0x830e8000
ip_set_hash_netnet 25584 0 - Live 0x830e0000
ip_set_hash_net 22480 1 - Live 0x830d8000
ip_set_hash_netportnet 26960 0 - Live 0x830d0000
ip_set_hash_mac 10000 0 - Live 0x830cc000
ip_set_hash_ipportnet 25520 0 - Live 0x83038000
ip_set_hash_ipportip 20848 0 - Live 0x830c0000
ip_set_hash_ipport 19792 0 - Live 0x83030000
ip_set_hash_ipmark 19056 0 - Live 0x83020000
ip_set_hash_ip 18768 0 - Live 0x83028000
ip_set_bitmap_port 5648 0 - Live 0x8301e000
ip_set_bitmap_ipmac 6544 0 - Live 0x8301a000
ip_set_bitmap_ip 6384 0 - Live 0x8300e000
ip_set 22250 16 xt_set,ip_set_list_set,ip_set_hash_netiface,ip_set_hash_netport,ip_set_hash_netnet,ip_set_hash_net,ip_set_hash_netportnet,ip_set_hash_mac,ip_set_hash_ipportnet,ip_set_hash_ipportip,ip_set_hash_ipport,ip_set_hash_ipmark,ip_set_hash_ip,ip_set_bitmap_port,ip_set_bitmap_ipmac,ip_set_bitmap_ip, Live 0x83010000
nfnetlink 4199 1 ip_set, Live 0x830b6000

Then confirm the ipset application is working.

docs/guide-user/firewall/fw3_configurations/fw3_config_ipset.txt · Last modified: 2018/09/20 00:11 by dturvene