fw3 IP set examples

See also: fw3 IP set configuration

IP sets is a relative recent netfilter feature to manage a large group of stations/networks as a single named set. The netfilter rules can then match packet fields on the set rather than individual stations. This creates a number of efficiencies, for example a hash lookup of the station addresses in the set.

firewall3 supports the most common IP sets functions. This section provides some examples to illustrate how to incorporate an IP sets into netfilter rules.

In order to use the IP set netfilter feature:

  • The Linux kernel must be built with the netfilter kernel modules implementing IP sets.
  • The ipset application package must be installed.

In LuCI under System → Software, in the Download and install package: box, type ipset and confirm the package is installed by clicking on OK. It will not install if the kernel does not support the IP sets feature.

:!: The 18.06 OpenWrt release do not include support for IP sets by default, so you will need to install the appropriate packages to use this facility.

IP sets is great for collecting a large set of IP addresses/networks under one label and then using the label in subsequent rules as a single match criteria for any entry in the IP set.

One of the big uses of IP sets is to block spam generators (stations or networks that randomly generate billions of spam emails daily.) There are thousands of spam generators; adding a reject rule for each makes the netfilter rule list huge and inefficient.

So all Spam networks are added to a single IP set name and then that name is used in the match rules.

In the /etc/config/firewall rules add:

config	ipset
	option	name		'dropcidr'
	option	match		'src_net'
	option	storage		'hash'
	option	enabled		'1'
	list	entry		''
	list	entry		''
	list	entry		''
	list	entry		''
	list	entry		''
config	rule
	option	src		'wan'
	option	ipset		'dropcidr'
	option	dest_port	'25'
	option	target		'DROP'
	option	name		'DROP-SMTP-WAN-LAN'
	option	enabled		'1'

The ipset configuration instructs the firewall to create an IP set named dropcidr and matches it to the source network field using a traffic rule.

Notice the storage type is hash. There is a good deal of internal optimization that can be done inside the IP sets kernel modules. This IP set is configured to use a highly efficient hash rather than a linear search to match the source network.

The rule section matches on a network in dropcidr and port 25(SMTP). If there is a match, the DROP target is called. Use DROP and not REJECT for this rule.

See Netfilter Managment to view and verify the new firewall sections. With fw3, one should see a rule like this:

iptables \
-t filter -A zone_wan_forward \
-p tcp -m tcp --dport 25 \
-m set --match-set dropcidr src \
-m comment --comment "!fw3: DROP-SMTP-WAN-LAN" \
-j zone_lan_dest_DROP

The configuration above uses a number of list entry lines to populate the IP set with some initial IP ranges. is a private network on the WAN-side used to test this feature. The others are actual spam sources.

In practice it is better to use the loadfile option instead which allows specifying the IP set contents in an external file for easier maintenance. Such an external file can be for example created from publicly available blocklists or populated by other programs for use with the IP set.

To use the loadfile option, first create a plaintext file containing the IP ranges to add to the set:

cat << "EOF" > /etc/dropcidr.txt

Afterwards, modify the IP set declaration in the firewall configuration by removing the list entry lines and replacing them with a sole loadfile option:

config	ipset
	option	name		'dropcidr'
	option	match		'src_net'
	option	storage		'hash'
	option	enabled		'1'
	option	loadfile	'/etc/dropcidr.txt'

Additionally, the ipset application can be used instead of or in addition to the loadfile option to add entries to the set after it has been created and populated by the firewall:

ipset add dropcidr
ipset add dropcidr
ipset add dropcidr
ipset add dropcidr
ipset add dropcidr

Entries can be added and deleted from the set at any time:

ipset del dropcidr
ipset list dropcidr

:!: The CIDRs can be dynamically added and deleted in the dropcidr table while the netfilter rule is active.

Besides adding IPs manually, package dnsmasq-full can automatically populate the list. It can be used to add IPs that were send to hosts for certain names. This is helpful if names are used for filtering.

ipset destroy dropcidr

:!: The IP set table cannot be destroyed while being referenced by a netfilter rule. First remove it from the firewall config and reload.

The IP sets is not supported in the OpenWrt image by default, but it can be added fairly easily through opkg or by including it in a custom build.

For installing with opkg, use the following commands:

opkg update
opkg install ipset

When compiling a custom build, use the OpenWrt make menuconfig and select ipset as built-in within the Network menu. Then rebuild and install the resulting image.

When the image is running, confirm the ip_set modules are loaded. It will look something like the following:

# cat /proc/modules | grep ip_set
ip_set_list_set 6704 0 - Live 0x8301c000
ip_set_hash_netiface 23888 0 - Live 0x830f0000
ip_set_hash_netport 23856 0 - Live 0x830e8000
ip_set_hash_netnet 25584 0 - Live 0x830e0000
ip_set_hash_net 22480 1 - Live 0x830d8000
ip_set_hash_netportnet 26960 0 - Live 0x830d0000
ip_set_hash_mac 10000 0 - Live 0x830cc000
ip_set_hash_ipportnet 25520 0 - Live 0x83038000
ip_set_hash_ipportip 20848 0 - Live 0x830c0000
ip_set_hash_ipport 19792 0 - Live 0x83030000
ip_set_hash_ipmark 19056 0 - Live 0x83020000
ip_set_hash_ip 18768 0 - Live 0x83028000
ip_set_bitmap_port 5648 0 - Live 0x8301e000
ip_set_bitmap_ipmac 6544 0 - Live 0x8301a000
ip_set_bitmap_ip 6384 0 - Live 0x8300e000
ip_set 22250 16 xt_set,ip_set_list_set,ip_set_hash_netiface,ip_set_hash_netport,ip_set_hash_netnet,ip_set_hash_net,ip_set_hash_netportnet,ip_set_hash_mac,ip_set_hash_ipportnet,ip_set_hash_ipportip,ip_set_hash_ipport,ip_set_hash_ipmark,ip_set_hash_ip,ip_set_bitmap_port,ip_set_bitmap_ipmac,ip_set_bitmap_ip, Live 0x83010000
nfnetlink 4199 1 ip_set, Live 0x830b6000

Then confirm the ipset application is working.

An example is given at Blocking IPs based on their hostname This is really useful if large CDNs need to be filtered based on their names.

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2021/03/06 02:37
  • by vgaetera