Inverted IP range matching

SaimenSays

Member
May 5, 2020
Hello,

with iptables it is possible to invert an IP range by using an exclamation mark in front of the IP. Is there a way to get this behaviour on the Proxmox firewall / GUI? Using "!" is not allowed and results in the error below.
The intent is to allow web traffic, but block the local address range. I actually use a drop rule before each allow rule, but it would be more convenient to invert the local range on destination.

Hi,

you can create an Alias with an IP range. Then in IP Set you can create an IP set, add the alias you created and then select "nomatch":

@shrdlicka Oh thanks, missed that tickbox!
The "nomatch" is shown as an exclamation mark in the IP set, so they might have allowed this sign in the string as well :D
Tried it, but it does not seem to work. Can't ping any webpage anymore when using the following rule with output policy DROP and the IPSet set as in the screenshot above.
What am I missing?
I just reread what ipset "nomatch" does, and it is not what I was expecting.

Code:
   nomatch
       The hash set types which can store net type of data (i.e. hash:*net*)
       support the optional nomatch option when adding entries. When matching
       elements in the set, entries marked as nomatch are skipped as if those
       were not added to the set, which makes possible to build up sets with
       exceptions. See the example at hash type hash:net below.

       When elements are tested by ipset, the nomatch flags are taken into
       account. If one wants to test the existence of an element marked with
       nomatch in a set, then the flag must be specified too.

What I did in the past instead of inverse matching is allow traffic from everywhere and then drop the local stuff.
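To make the difference concrete, here is a small model of how the destination match is evaluated in the three approaches discussed in this thread: an IPSet that contains only a "nomatch" entry, "nomatch" used as an exception inside a broader entry (the hash:net behaviour the man page excerpt describes), a plain iptables inversion, and the "drop local first, then allow everything" ordering. This is an added example, not code from the thread or from Proxmox; it emulates the hash:net rule that the most specific matching entry decides and that a nomatch entry counts as absent, and it assumes hash:net does not accept a /0 entry, so "everything" is written as two /1 networks. All addresses and ranges are constructed sample values.

```python
"""Model of iptables/ipset destination matching, written to show why an
IPSet that holds only a 'nomatch' entry accepts nothing at all.
All networks and addresses below are constructed sample values."""
import ipaddress

LOCAL = ipaddress.ip_network("192.168.0.0/16")  # sample "local" range
INTERNET = "8.8.8.8"                              # sample remote destination
LAN_HOST = "192.168.1.10"                         # sample local destination


def build_ipset(entries):
    """entries: iterable of (cidr, nomatch), mirroring 'ipset add SET cidr [nomatch]'."""
    return [(ipaddress.ip_network(cidr), bool(nomatch)) for cidr, nomatch in entries]


def ipset_match(ipset, addr):
    """hash:net semantics as modelled here: the most specific entry containing
    addr decides; if that entry is flagged nomatch, the address is treated as
    if it were not in the set at all."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, nomatch in ipset:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nomatch)
    return best is not None and not best[1]


def evaluate(rules, dst, policy="DROP"):
    """First rule whose predicate matches dst wins; otherwise the chain policy."""
    for action, predicate in rules:
        if predicate(dst):
            return action
    return policy


def scenarios():
    """Return {scenario: (verdict for INTERNET, verdict for LAN_HOST)}."""
    # 1. What was tried in the thread: an IPSet holding only the local range, flagged nomatch.
    only_nomatch = build_ipset([("192.168.0.0/16", True)])
    broken = [("ACCEPT", lambda d: ipset_match(only_nomatch, d))]

    # 2. nomatch used as intended: an exception carved out of broader entries.
    #    Assumption: hash:net rejects /0, so "everything" is the two /1 halves.
    with_exception = build_ipset([
        ("0.0.0.0/1", False), ("128.0.0.0/1", False), ("192.168.0.0/16", True),
    ])
    exception = [("ACCEPT", lambda d: ipset_match(with_exception, d))]

    # 3. Plain iptables inversion: a rule like '! -d 192.168.0.0/16 -j ACCEPT'.
    inverted = [("ACCEPT", lambda d: ipaddress.ip_address(d) not in LOCAL)]

    # 4. The ordering workaround from the thread: drop local first, then allow the rest.
    drop_then_allow = [
        ("DROP", lambda d: ipaddress.ip_address(d) in LOCAL),
        ("ACCEPT", lambda d: True),
    ]

    results = {}
    for name, rules in [("only_nomatch", broken), ("nomatch_exception", exception),
                        ("iptables_inverted", inverted), ("drop_then_allow", drop_then_allow)]:
        results[name] = (evaluate(rules, INTERNET), evaluate(rules, LAN_HOST))
    return results


if __name__ == "__main__":
    for name, (remote, local) in scenarios().items():
        print(f"{name:18s} {INTERNET} -> {remote:6s} {LAN_HOST} -> {local}")
```

Running it shows the first scenario dropping both destinations under an output policy of DROP, which is exactly the symptom reported above: with nothing else in the set, the nomatch entry leaves the set effectively empty, so the ACCEPT rule never fires. The other three scenarios all accept the remote address and drop the local one; the ordered "drop then allow" pair is the easiest to read in the GUI and has no dependency on set semantics.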