Did you get your issue figured out? Out of interest, I tried it and it seems to work.
Here is my test iptables rule set script:
Code:
doug@s19:~/iptables$ cat add-set.sh
#!/bin/sh
#
# add-set.sh 2021.06.29
# experiment with add-set
# see also: https://ubuntuforums.org/showthread.php?t=2464167
# currently on s19.
#
# The location of the iptables program
#
IPTABLES=/sbin/iptables
# Set some stuff
#
EXTIF="enp3s0"
UNIVERSE="0.0.0.0/0"
EXTIP="192.168.111.136"
# Clearing any previous configuration
# and setting policies
echo clearing main tables
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD ACCEPT
iptables -F FORWARD
echo clearing nat tables
iptables -t nat -P INPUT ACCEPT
iptables -t nat -F INPUT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -F OUTPUT
iptables -t nat -P FORWARD ACCEPT
iptables -t nat -F FORWARD
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -F PREROUTING
# Otherwise, I can not seem to delete it later on
echo delete chains main
iptables -X
echo delete chains nat
iptables -t nat -X
# Clear the counters
iptables -Z
iptables -t nat -Z
# Restore ipset stuff
#
echo " Restoring any ipset lists.."
# Flush any existing lists.
# I wonder if I actually need to do this.
# Yes.
# broken. Hack seems to be sleeps
#
echo " ipset: flush and destroy jail..."
ipset flush jail
sleep 1
ipset destroy jail
ipset restore --file /home/doug/iptables/doug.ipset
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# for this testing use the telnet port as the get into jail port
#
$IPTABLES -A INPUT -p tcp --dport 23 -d $EXTIP -j SET --add-set jail src
# now check jail birds list
#
$IPTABLES -A INPUT -m set --match-set jail src -j DROP
Here is a current inquiry:
Code:
doug@s19:~/iptables$ sudo iptables -xvnL
Chain INPUT (policy ACCEPT 4771 packets, 507326 bytes)
pkts bytes target prot opt in out source destination
3261 5556228 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
7 420 SET tcp -- * * 0.0.0.0/0 192.168.111.136 tcp dpt:23 add-set jail src
334 31146 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set jail src
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2817 packets, 10867155 bytes)
pkts bytes target prot opt in out source destination
Here is the current jail list:
Code:
doug@s19:~/iptables$ sudo ipset list jail
Name: jail
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 248
References: 2
Number of entries: 1
Members:
192.168.111.1
And I created it with:
Code:
doug@s19:~/iptables$ sudo ipset create jail hash:ip
doug@s19:~/iptables$ sudo ipset save --file doug.ipset
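As an added example (not the poster's script), the same jail built with a per-entry timeout and ipset's -exist option, so jailed addresses expire on their own and the set can be re-created without the flush, sleep and destroy sequence above. EXTIP, the set name and port 23 are taken from the post; the 3600 second timeout is an assumption.

```shell
#!/bin/sh
# Added example, not the forum poster's script. Same idea as add-set.sh:
# anything that touches the trap port is added to the "jail" set and all
# further traffic from it is dropped. Differences: the set carries a
# default timeout, ipset -exist makes "create" idempotent (no flush/destroy
# race), and SET --exist re-arms the timeout on every new hit.
SET_NAME="jail"             # set name used in the post
EXTIP="192.168.111.136"     # address used in the post
TRAP_PORT=23                # "get into jail" port used in the post
JAIL_SECONDS=3600           # assumption: how long a source stays jailed

# Print the commands instead of running them, so the rule set can be
# reviewed (and this script tested) without root or the ipset kernel module.
render_jail_rules() {
    set_name=$1; extip=$2; port=$3; seconds=$4
    cat <<EOF
ipset -exist create $set_name hash:ip timeout $seconds
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $port -d $extip -j SET --add-set $set_name src --exist
iptables -A INPUT -m set --match-set $set_name src -j DROP
EOF
}
# Note the order: SET runs before DROP, as in the post, so a source that
# keeps knocking keeps refreshing its own timeout instead of being released.

# Run each rendered command (needs root); echo it first for the log.
apply_jail_rules() {
    render_jail_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

case "${1:-}" in
    apply) apply_jail_rules "$SET_NAME" "$EXTIP" "$TRAP_PORT" "$JAIL_SECONDS" ;;
    *)     render_jail_rules "$SET_NAME" "$EXTIP" "$TRAP_PORT" "$JAIL_SECONDS" ;;
esac
```

Running the script with no argument prints the rules for review; `sh jail.sh apply` installs them.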