I created an ipset and added 8.8.8.8 to it and used the same iptables that had been working all summer long, but I can still ping 8.8.8.8 and do nslookup queries against it. ipset or iptables is broken.

Anybody else rebooted since ipset-6.11-3.el6.i686 was installed and actually tested that IP addresses that are supposed to be blacklisted are actually blocked?

Filed CentOS bug report 7977 <http://bugs.centos.org/view.php?id=7977> this morning. ipset was working great most of the year until ipset 6.11-3.
CentOS bug 7977 <http://bugs.centos.org/view.php?id=7977>
Appears the iptables update 1.4.7-14 which came with CentOS6 r6 is the most likely culprit.

The solution for now is:
delete ',dst' from the iptables INPUT chain
delete 'src,' from the iptables OUTPUT chain.

On Mon, Dec 8, 2014 at 5:39 PM, Rob Townley <rob.townley at gmail.com> wrote:
> I created an ipset and added 8.8.8.8 to it and used the same iptables that had been
> working all summer long, but I can still ping 8.8.8.8 and do nslookup queries
> against it. ipset or iptables is broken.
> Anybody else rebooted since ipset-6.11-3.el6.i686 was installed and
> actually tested that IP addresses that are supposed to be blacklisted are
> actually blocked?
>
> Filed CentOS bug report 7977 <http://bugs.centos.org/view.php?id=7977>
> this morning. ipset was working great most of the year until ipset 6.11-3.
> CentOS bug 7977 <http://bugs.centos.org/view.php?id=7977>
Incidentally, a different OS has a newer version of iptables, 1.4.18-1.1ubuntu1, but still works the old way where SRC still matches SRC,DST.

On Wed, Dec 10, 2014 at 2:03 AM, Rob Townley <rob.townley at gmail.com> wrote:
> Appears the iptables update 1.4.7-14 which came with CentOS6 r6 is the
> most likely culprit.
>
> The solution for now is:
> delete ',dst' from the iptables INPUT chain
> delete 'src,' from the iptables OUTPUT chain.
>
> On Mon, Dec 8, 2014 at 5:39 PM, Rob Townley <rob.townley at gmail.com> wrote:
>
>> I created an ipset and added 8.8.8.8 to it and used the same iptables that had been
>> working all summer long, but I can still ping 8.8.8.8 and do nslookup queries
>> against it. ipset or iptables is broken.
>> Anybody else rebooted since ipset-6.11-3.el6.i686 was installed and
>> actually tested that IP addresses that are supposed to be blacklisted are
>> actually blocked?
>>
>> Filed CentOS bug report 7977 <http://bugs.centos.org/view.php?id=7977>
>> this morning. ipset was working great most of the year until ipset 6.11-3.
>> CentOS bug 7977 <http://bugs.centos.org/view.php?id=7977>
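The rule rewrite described in the thread, as an added example that is not part of the original messages. It assumes the blacklist is a hash:ip set named "blacklist" (a constructed name) and that the rules are in iptables-save format; the rule lines and the verification helper are constructed here, not taken from the poster's system.

```shell
# Sample iptables-save lines, constructed for this example: the rule form that
# stopped blocking for the poster after the iptables 1.4.7-14 update.
RULES_BEFORE='-A INPUT -m set --match-set blacklist src,dst -j DROP
-A OUTPUT -m set --match-set blacklist src,dst -j DROP'

# What the thread's workaround produces: a hash:ip set has a single dimension,
# so INPUT checks only the packet source and OUTPUT only the packet destination.
RULES_AFTER='-A INPUT -m set --match-set blacklist src -j DROP
-A OUTPUT -m set --match-set blacklist dst -j DROP'

# Rewrite rule text as the thread describes: drop ",dst" from INPUT-chain
# set matches and "src," from OUTPUT-chain set matches. Other chains are
# left untouched so the change can be reviewed before it is loaded.
fix_set_flags() {
    printf '%s\n' "$1" | sed \
        -e '/^-A INPUT .*-m set /s/ src,dst / src /' \
        -e '/^-A OUTPUT .*-m set /s/ src,dst / dst /'
}

# Runtime check (needs root, and a loaded ruleset): confirm the address is in
# the set and that the OUTPUT DROP rule's packet counter climbs when the
# address is contacted, instead of trusting that the rule "looks right".
verify_blacklist() {
    set_name=$1
    addr=$2
    ipset test "$set_name" "$addr" || { echo "$addr is not in $set_name"; return 1; }
    before=$(iptables -L OUTPUT -v -n -x | awk '/match-set/ {print $1; exit}')
    if ping -c 1 -W 1 "$addr" >/dev/null 2>&1; then
        echo "ping reached $addr: NOT blocked"
        return 1
    fi
    after=$(iptables -L OUTPUT -v -n -x | awk '/match-set/ {print $1; exit}')
    [ "$after" -gt "$before" ] && echo "blocked: DROP counter $before -> $after"
}

# Print the rewritten rules; feed them to iptables-restore once reviewed.
fix_set_flags "$RULES_BEFORE"
```

`verify_blacklist blacklist 8.8.8.8` is the check the first message asks for: it fails loudly when the address still answers.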