Re: iptables rules : two in one
Pascal Hambourg wrote:
> Hello,
>
> franck wrote:
>>
>> I have got some iptables rules such as :
>>
>> Code:
>>
>> iptables -A OUTPUT -o eth0 -p tcp -d pop.mail.yahoo.co.uk --dport 110 --sport $UNPRIVPORTS -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>> iptables -A OUTPUT -o eth0 -p tcp -d pop.1and1.fr --dport 110 --sport $UNPRIVPORTS -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -i eth0 -p tcp -s pop.mail.yahoo.co.uk --sport 110 --dport $UNPRIVPORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -i eth0 -p tcp -s pop.1and1.fr --sport 110 --dport $UNPRIVPORTS -m state --state ESTABLISHED,RELATED -j ACCEPT
>>
>> and I would like to put them on only two lines.
>
> Note that pop.1and1.fr resolves into two IP addresses, so the related
> iptables commands create two separate rules, one for each IP address.
>
>> Is that possible ?
>
> I cannot see any simple way. Maybe with "ipset".
> Why is it so important ?
It is not that important, I just wondered whether it was possible or
not. My file would have been easier to read, that is it. I will take a
look at ipset.
>
> Note : POP3 packets never match the RELATED state, so you can remove it.
>
Ok. Good to know.
Thanks.
>
--
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
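Added example, not part of the thread and not Franck's or Pascal's script: one way to collapse the per-server POP3 rules into the two lines asked for, using the ipset approach Pascal mentions. An ipset of type hash:ip holds every address the POP3 servers resolve to (pop.1and1.fr contributes two members, not two rules), and a single OUTPUT plus a single INPUT rule match against the set with the xt_set match. RELATED is dropped from both rules, as Pascal points out it never matches for POP3. The value of UNPRIVPORTS is assumed (1024:65535); the function names pop3_rules and resolve_ips are mine. The script prints the ipset and iptables commands instead of executing them, so it can be reviewed first and then piped to sh as root.

```shell
#!/bin/sh
# Added example: generate an ipset-based replacement for per-server POP3 rules.
# Nothing here touches the firewall; every command is printed to stdout.

UNPRIVPORTS="1024:65535"   # assumption: same range Franck's script uses

# pop3_rules SETNAME IP...  -> prints the ipset and iptables commands that
# allow POP3 (tcp/110) to every address in the set, using two rules only.
pop3_rules() {
    set_name=$1; shift
    # -exist makes the create/add idempotent when the script is re-run
    printf 'ipset create %s hash:ip -exist\n' "$set_name"
    for ip in "$@"; do
        printf 'ipset add %s %s -exist\n' "$set_name" "$ip"
    done
    # One OUTPUT rule: client (unprivileged sport) -> any server in the set.
    # RELATED omitted: POP3 never spawns related connections.
    printf 'iptables -A OUTPUT -o eth0 -p tcp -m set --match-set %s dst --dport 110 --sport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
        "$set_name" "$UNPRIVPORTS"
    # One INPUT rule: replies from any server in the set, established only.
    printf 'iptables -A INPUT -i eth0 -p tcp -m set --match-set %s src --sport 110 --dport %s -m state --state ESTABLISHED -j ACCEPT\n' \
        "$set_name" "$UNPRIVPORTS"
}

# resolve_ips HOST... -> prints every IPv4 address each hostname resolves to,
# one per line, so a name with two A records yields two set members.
resolve_ips() {
    for host in "$@"; do
        getent ahostsv4 "$host" | awk '$2 == "STREAM" { print $1 }' | sort -u
    done
}

# Usage (needs DNS; run the output as root once reviewed):
#   pop3_rules pop3_servers $(resolve_ips pop.mail.yahoo.co.uk pop.1and1.fr)
#   pop3_rules pop3_servers $(resolve_ips pop.mail.yahoo.co.uk pop.1and1.fr) | sh
```

Because the rules reference the set by name, adding a third POP3 server later means one `ipset add`, not two more iptables lines; the set also needs to exist before the rules are loaded, which is why the create command is emitted first.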