
Re: Multiple discrete IP match rule - iptables



On Thu, 01 Apr 2004 16:10:07 +0200,
 Daniel Pittman <daniel@rimspace.net> wrote:
> On Thu, 1 Apr 2004, Alano Stolf wrote:
>> I have not found any reference on how to specify more than one IP
>> (discrete IPs, not a range) in an iptables rule.
>> For example, how can I log only the access to SMTP servers that are
>> not the ones I may allow.
>> For instance, a rule like this should be fine:
>>
>> iptables -A FORWARD -p tcp -d ! (IP_of_MySMTP_1 IP_of_MySMTP_2) \
>>  --dport 25 -j LOG --log-prefix "Access to suspicious SMTP: "
>
> As others have pointed out, this isn't really the way that iptables
> works.  You could, in theory, write a "multi-ip" match extension, then
> use that, or to create a chain for it by hand, or ...
>
> ...a better bet would be to use some sort of high level iptables tool
> that does the hard work for you.
>
> For example, I use 'firehol', which is in testing and unstable, and
> trivial to backport.
>
> This would allow your rule to be written as:
>
>   server smtp dst not "smtp1 smtp2" log "Access to suspicious SMTP: "
>
> In general, I find that the iptables tool itself should be treated like
> assembly language for programming - it's nice to know how it works, but
> better to be using a high level language.
>
>        Daniel
>

The nice thing about this approach, and the division of frontend and
backend, is you can use a different machine to create the iptables
rules, and simply apply them on the server, with no need for extraneous
software to be installed on the server. 

-- 
Jim Richardson     http://www.eskimo.com/~warlock
I came; I saw; I fucked up
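A concrete version of the "create a chain for it by hand" option Daniel mentions, written to fit Jim's frontend/backend split: this added example (not from the thread, firehol, or iptables itself) is a small POSIX sh generator that emits the iptables commands as text, so they can be produced and reviewed on one machine and then piped to `sh` or converted for `iptables-restore` on the firewall. It builds a user-defined chain that RETURNs for each allowed SMTP destination and LOGs everything else, which is how "not one of these discrete IPs" is expressed without a multi-IP match. The chain name, the two RFC 5737 documentation addresses, and the `--syn` restriction (so only connection attempts are logged, not every packet) are my assumptions.

```shell
#!/bin/sh
# Added example: generate iptables rules that LOG forwarded SMTP
# connection attempts to any destination except an allowlist of
# discrete IPs. Emits the commands as text rather than running them,
# so the output can be generated elsewhere and applied on the server.

# Assumptions, not taken from the thread: chain name and allowlist.
# 192.0.2.0/24 is the RFC 5737 documentation range.
SMTP_ALLOW="192.0.2.10 192.0.2.11"
CHAIN="SMTP_CHECK"

# gen_smtp_log_rules ALLOWLIST CHAIN
#   ALLOWLIST: space-separated destination IPs that must not be logged
#   CHAIN:     name of the user-defined chain to create
# Prints one iptables command per line.
gen_smtp_log_rules() {
    allow="$1"
    chain="$2"

    # A user-defined chain holds the allowlist; each allowed destination
    # RETURNs to FORWARD so it never reaches the LOG rule.
    printf 'iptables -N %s\n' "$chain"
    for ip in $allow; do
        printf 'iptables -A %s -d %s -j RETURN\n' "$chain" "$ip"
    done

    # Anything still in the chain is a non-allowlisted SMTP destination.
    # LOG is non-terminating, so the packet then falls back to FORWARD
    # and continues to whatever policy applies there.
    printf 'iptables -A %s -j LOG --log-prefix "Access to suspicious SMTP: "\n' "$chain"

    # Hook the chain into FORWARD for new TCP connections to port 25.
    # --syn limits logging to connection attempts instead of every packet.
    printf 'iptables -A FORWARD -p tcp --syn --dport 25 -j %s\n' "$chain"
}

# Count the emitted rules; handy for a quick sanity check before applying.
count_rules() {
    gen_smtp_log_rules "$1" "$2" | grep -c '^iptables '
}

gen_smtp_log_rules "$SMTP_ALLOW" "$CHAIN"
```

Run it as `sh gen-smtp-rules.sh > smtp.rules`, inspect the file, and apply it on the firewall with `sh smtp.rules` (or rewrite the lines into `iptables-restore` format if you manage the whole ruleset that way). The chain must not already exist, or `-N` will fail; flush and delete it first when regenerating. On current kernels the same allowlist can also be kept in an ipset and matched with `-m set --match-set`, which avoids one rule per address, but the chain-of-RETURNs form above needs nothing beyond stock iptables.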


