Skynet Ipset and Iptables

  • ATTENTION! You'll notice a Prefix dropdown when you create a thread. If your post applies to one of the topics listed, please use that Prefix for your post. When browsing the thread list you can use the Prefix to filter the view.
  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.

atomicRPM

Occasional Visitor
Ok, I installed Skynet and I guess I'm missing something... Maybe someone can explain this to me.

I can see the lists created by Skynet by executing 'ipset -list -t'. I'll just list to a couple for example.

Name: Skynet-BlockedRanges
Type: hash:net
Revision: 6
Header: family inet hashsize 8192 maxelem 200000 comment
Size in memory: 1506668
References: 1
Number of entries: 20102

Name: Skynet-IOT
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 comment
Size in memory: 352
References: 0
Number of entries: 0

Why don't I see the match-set(s) in iptables when executing 'iptables -vnL? i,e.

0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 match-set list-name src

It's all fine and dandy to create lists of things but if they aren't being applied then what good are they?
 

atomicRPM

Occasional Visitor
Check the raw table

iptables -t raw

Thanks. I see that now after digging around. I started analyzing the script to see how things were done and I found that the author does add the lists to the raw table in the PREROUTING and OUTPUT chain.

Code:
        iptables -t raw -I PREROUTING -i "$iface" -m set ! --match-set Skynet-Whitelist src -m set --match-set Skynet-Master src -j DROP 2>/dev/null
        iptables -t raw -I PREROUTING -i br0 -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP 2>/dev/null
        iptables -t raw -I OUTPUT -m set ! --match-set Skynet-Whitelist dst -m set --match-set Skynet-Master dst -j DROP 2>/dev/null

The master list is a combination of the blacklist and blocked ranges list.

Code:
ipset -q -A Skynet-Master Skynet-Blacklist; ipset -q -A Skynet-Master Skynet-BlockedRanges
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top