MESSENGER, IPSET and subnet block

sdarot
Junior Member
Posts: 6
Joined: 27 Sep 2018, 16:34

MESSENGER, IPSET and subnet block

Post by sdarot »

Hello,
When the messenger service is active and a specific subnet is blocked (in csf.deny), but one IP address of that subnet is whitelisted (in csf.allow), the user (the whitelisted IP) is still redirected to the messenger service.
I think it is because of the IPSET chain order: the messenger chain comes before the allow chain.

For example:

csf.deny

    192.168.1.0/24

csf.allow

    192.168.1.100

csf -g 192.168.1.100

    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 192.168.1.100 in iptables

    IPSET: Set:MESSENGER Match:192.168.1.100
    IPSET: Set:chain_ALLOW Match:192.168.1.100 Setting: File:/etc/csf/csf.allow
    IPSET: Set:chain_DENY Match:192.168.1.100 Setting: File:/etc/csf/csf.deny

    ip6tables:

    Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
    No matches found for 192.168.1.100 in ip6tables

    csf.allow: 192.168.1.100

    Permanent Blocks (csf.deny): 192.168.1.0/24 # test - Fri Jan 17 11:28:36 2020

CSF version: csf: v14.00 (generic)
IPSET version: ipset v7.1, protocol version: 7
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: MESSENGER, IPSET and subnet block

Post by ForumAdmin »

That's a limitation of how the MESSENGER service works, as PREROUTING is used to reroute connections in the deny list to the MESSENGER listening port. This comes before any other iptables chains (such as allow and deny). The only way around it would be to rework the CIDR to exclude that single IP.
sdarot
Junior Member
Posts: 6
Joined: 27 Sep 2018, 16:34

Re: MESSENGER, IPSET and subnet block

Post by sdarot »

Forgot to update my solution here.
The above problem can be easily solved by adding a NAT rule using csfpre.sh, for example:
iptables -t nat -I PREROUTING -s 192.168.1.100 -j ACCEPT
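The thread offers two ways to deal with a whitelisted address that sits inside a denied CIDR: ForumAdmin's suggestion to rework the CIDR so it no longer contains that address, and sdarot's csfpre.sh NAT rule that accepts the address in PREROUTING before the MESSENGER redirect can match. The following Python script is an added example, not code from the thread or from csf itself; it parses constructed csf.allow/csf.deny contents (plain IP and CIDR lines only; csf's advanced `tcp|in|d=...` syntax is skipped, which is a simplification), finds the allow entries shadowed by a deny CIDR, and generates both workarounds. The sample file contents and the helper names are assumptions made for the example.

```python
"""Find csf.allow entries shadowed by a csf.deny CIDR and emit both workarounds
from the thread: a reworked deny list (CIDR minus the whitelisted address) and
csfpre.sh NAT rules that skip the MESSENGER PREROUTING redirect."""
import ipaddress

# Constructed sample file contents mirroring the thread's example (not real files).
CSF_DENY = """\
# csf.deny (constructed sample)
192.168.1.0/24 # test - Fri Jan 17 11:28:36 2020
10.0.0.0/8
"""

CSF_ALLOW = """\
# csf.allow (constructed sample)
192.168.1.100
203.0.113.7
tcp|in|d=22|s=198.51.100.5
"""


def parse_entries(text):
    """Return the plain IP/CIDR entries of a csf.deny or csf.allow file as networks.

    Trailing '# ...' comments are dropped; csf's advanced entries containing '|'
    are skipped (simplification: only plain address entries are handled here).
    """
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry or "|" in entry:
            continue
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def find_shadowed(allow_text, deny_text):
    """Return (allowed, denied) pairs where an allow entry lies inside a deny CIDR.

    These are exactly the entries for which the MESSENGER redirect fires before
    the allow chain is consulted.
    """
    pairs = []
    for a in parse_entries(allow_text):
        for d in parse_entries(deny_text):
            if a.version == d.version and a.subnet_of(d):
                pairs.append((a, d))
    return pairs


def exclude_from_cidr(denied_net, allowed_net):
    """Workaround 1 (ForumAdmin): the smallest set of CIDRs that covers
    denied_net minus allowed_net."""
    return sorted(denied_net.address_exclude(allowed_net))


def reworked_deny(allow_text, deny_text):
    """csf.deny entries with every shadowed CIDR split so it no longer contains
    the whitelisted address(es)."""
    shadowed = find_shadowed(allow_text, deny_text)
    out = []
    for d in parse_entries(deny_text):
        pieces = [d]
        for a, parent in shadowed:
            if parent != d:
                continue
            # Only split the piece that still contains the whitelisted address.
            pieces = [p for piece in pieces
                      for p in (exclude_from_cidr(piece, a) if a.subnet_of(piece) else [piece])]
        out.extend(sorted(pieces))
    return [n.with_prefixlen for n in out]


def csfpre_nat_rules(allow_text, deny_text):
    """Workaround 2 (sdarot): one nat PREROUTING ACCEPT rule per shadowed
    whitelist entry, in the form the thread uses, for csfpre.sh."""
    rules = []
    for a, _ in find_shadowed(allow_text, deny_text):
        src = str(a.network_address) if a.prefixlen == a.max_prefixlen else a.with_prefixlen
        rules.append(f"iptables -t nat -I PREROUTING -s {src} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for a, d in find_shadowed(CSF_ALLOW, CSF_DENY):
        print(f"{a} is whitelisted but inside denied {d}")
    print("reworked csf.deny:", *reworked_deny(CSF_ALLOW, CSF_DENY), sep="\n  ")
    print("csfpre.sh rules:", *csfpre_nat_rules(CSF_ALLOW, CSF_DENY), sep="\n  ")
```

Running it against the sample reports 192.168.1.100 as shadowed by 192.168.1.0/24, prints the eight CIDRs that cover that /24 without the whitelisted host, and prints the same iptables rule sdarot posted. The NAT rule is the smaller change, but note that it is evaluated in the nat table's PREROUTING chain only, so it does nothing for the filter-table deny rules; the address still needs its csf.allow entry for those.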