
Re: Multiple discrete IP match rule - iptables



On Thu, 1 Apr 2004, Alano Stolf wrote:
> I have not found any reference on how to specify more than one IP
> (discrete IPs, not a range) in an iptables rule.
> For example, how can I log only the access to SMTP servers that are
> not the ones I may allow.
> For instance, a rule like this should be fine:
>
> iptables -A FORWARD -p tcp -d ! (IP_of_MySMTP_1 IP_of_MySMTP_2) \
>  --dport 25 -j LOG --log-prefix "Access to suspicious SMTP: "

As others have pointed out, this isn't really the way that iptables
works.  You could, in theory, write a "multi-ip" match extension, then
use that, or create a chain for it by hand, or ...

...a better bet would be to use some sort of high level iptables tool
that does the hard work for you.

For example, I use 'firehol', which is in testing and unstable, and
trivial to backport.

This would allow your rule to be written as:

  server smtp dst not "smtp1 smtp2" log "Access to suspicious SMTP: "

In general, I find that the iptables tool itself should be treated like
assembly language for programming - it's nice to know how it works, but
better to be using a high level language.

       Daniel

-- 
It goes against the grain of modern education to teach children to
program. What fun is there in making plans, acquiring discipline in
organizing thoughts, devoting attention to detail and learning to be
self-critical?
        -- Alan J. Perlis, _Epigrams in Programming_ (September, 1982)
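The "create a chain for it by hand" route mentioned above, as an added example that is not part of the original post or of firehol: packets to TCP/25 are sent to a dedicated chain, each allowed server gets a RETURN rule, and only destinations outside that set reach the LOG rule. The chain name SMTP_CHECK and the 192.0.2.x addresses are constructed placeholders, and the script only prints the iptables commands so it can be reviewed before being piped to a shell.

```shell
#!/bin/sh
# Emit iptables commands that log forwarded SMTP traffic whose destination
# is NOT one of the listed (allowed) servers. Printing rather than executing
# lets the rules be reviewed without iptables being installed.
#
# Usage: gen_smtp_log_rules CHAIN "IP1 IP2 ..."
gen_smtp_log_rules() {
    chain="$1"
    allowed="$2"

    # Dedicated chain holding the "is this one of our servers?" check.
    echo "iptables -N $chain"

    # One RETURN per allowed server: matching packets leave the chain
    # without being logged. This is how "not in this set" is expressed
    # with plain iptables, since -d only takes a single address or prefix.
    for ip in $allowed; do
        echo "iptables -A $chain -d $ip -j RETURN"
    done

    # Anything still in the chain is going to an SMTP server we do not
    # recognise. LOG is non-terminating, so the packet continues through
    # FORWARD afterwards exactly as before.
    echo "iptables -A $chain -j LOG --log-prefix \"Access to suspicious SMTP: \""

    # Hook the check chain into FORWARD for all outbound SMTP.
    echo "iptables -A FORWARD -p tcp --dport 25 -j $chain"
}

# Constructed sample: two allowed SMTP servers (placeholder addresses).
gen_smtp_log_rules SMTP_CHECK "192.0.2.10 192.0.2.11"
```

On a current kernel the same "not in a set" match is usually done with an ipset and `-m set ! --match-set`, which scales better than one RETURN rule per address.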


