
Re: Multiple discrete IP match rule - iptables



On Sat, 3 Apr 2004, Jim Richardson wrote:
> On Thu, 01 Apr 2004 16:10:07 +0200,
>  Daniel Pittman <daniel@rimspace.net> wrote:
>> On Thu, 1 Apr 2004, Alano Stolf wrote:
>>> I have not found any reference on how to specify more than one IP
>>> (discrete IPs, not a range) in an iptables rule.
>>> For example, how can I log only the access to SMTP servers that are
>>> not the ones I may allow.
>>> For instance, a rule like this should be fine:
>>>
>>> iptables -A FORWARD -p tcp -d ! (IP_of_MySMTP_1 IP_of_MySMTP_2) \
>>>  --dport 25 -j LOG --log-prefix "Access to suspicious SMTP: "
>>
>> As others have pointed out, this isn't really the way that iptables
>> works. You could, in theory, write a "multi-ip" match extension, then
>> use that, or to create a chain for it by hand, or ...
>>
>> ...a better bet would be to use some sort of high level iptables tool
>> that does the hard work for you.
>>
>> For example, I use 'firehol', which is in testing and unstable, and
>> trivial to backport.
>>
>> This would allow your rule to be written as:
>>
>>   server smtp dst not "smtp1 smtp2" log "Access to suspicious SMTP: "
>>
>> In general, I find that the iptables tool itself should be treated
>> like assembly language for programming - it's nice to know how it
>> works, but better to be using a high level language.
>
> The nice thing about this approach, and the division of frontend and
> backend, is you can use a different machine to create the iptables
> rules, and simply apply them on the server, with no need for
> extraneous software to be installed on the server.

*nod*  I agree with that statement, but would like to point out that
this isn't how `firehol' was implemented;  it runs on the firewall
system rather than generating a "compiled" iptables ruleset.

This is, in part, because it adds a few features like a "test" mode
where it will revert to the previous ruleset unless there is user
intervention within 30 seconds.

This is *incredibly* valuable when you test changes to a ruleset made on
a router half way across the city (or, worse, the country), both of
which I have had to do at times...

      Daniel

-- 
The greatest humiliation in life, is to work hard on something from which you
expect great appreciation, and then fail to get it.
        -- Edgar Watson Howe, _Ventures in Common Sense_, 1919
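The "create a chain for it by hand" route Daniel mentions, written out as an added example (this is not code from the thread, from firehol, or from any of the posters). Plain iptables has no "destination is not one of these addresses" match, so the rule is split into a user-defined chain: each allowed SMTP server gets a RETURN, anything that falls through gets logged, and FORWARD jumps into that chain for port 25. Following Jim's point about frontend/backend separation, the function prints the iptables commands rather than running them, so the ruleset can be generated on a workstation and piped into sh on the firewall. The chain name SMTP_CHECK, the 192.0.2.x addresses and the 5/min rate limit are choices made for this example; the limit is added here because an unthrottled LOG target on a port-25 scan will flood syslog.

```sh
#!/bin/sh
# Added example, not from the original thread: generate (print) an
# iptables fragment that logs SMTP traffic to any server except the
# listed ones. Nothing is dropped, matching the original request to log only.
# Meant for a fresh ruleset: re-running it would append a second FORWARD jump.

gen_smtp_log_rules() {
    allowed="$1"                                   # space-separated server IPs
    chain="${2:-SMTP_CHECK}"                       # user-defined chain (placeholder name)
    prefix="${3:-Access to suspicious SMTP: }"     # --log-prefix text (iptables caps it at 29 chars)

    echo "iptables -N $chain"
    for ip in $allowed; do
        # Traffic to one of our own SMTP servers: return to FORWARD without logging.
        echo "iptables -A $chain -d $ip -j RETURN"
    done
    # Everything else on port 25: log, rate-limited so a scan cannot flood syslog.
    echo "iptables -A $chain -m limit --limit 5/min -j LOG --log-prefix \"$prefix\""
    # Packets falling off the end of the chain return to FORWARD unchanged;
    # the last rule sends all forwarded SMTP through the check.
    echo "iptables -A FORWARD -p tcp --dport 25 -j $chain"
}

# Stand-alone use (on the workstation):
#   sh gen-smtp-rules.sh "192.0.2.25 192.0.2.26" > smtp-rules.sh
# then on the firewall:  sh smtp-rules.sh
if [ "$#" -gt 0 ]; then
    gen_smtp_log_rules "$@"
fi
```

Order matters inside the chain: the RETURN rules for the allowed servers must come before the LOG rule, which is why the function emits them first. If the allowed list changes, regenerate and reapply the whole fragment rather than editing the live chain by hand.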


