On Tuesday, 03.05.2005 at 09:45 -0600, Jamin W.Collins wrote:

> On May 3, 2005, at 9:35 AM, Dave Ewart wrote:
> >
> > But how does one refer to a list of different IP addresses (e.g. a more
> > general version of "-s 10.1.1.5")? Is this possible without writing
> > multiple rules?
> >
> > I wish to introduce a rule to only allow SSH access to the firewall
> > from three different IPs on the internal network and have only found
> > this way to do it so far:
> >
> > iptables -A INPUT -i eth0 -s 10.1.1.5 -p tcp --dport 22 -j ACCEPT
> > iptables -A INPUT -i eth0 -s 10.1.1.11 -p tcp --dport 22 -j ACCEPT
> > iptables -A INPUT -i eth0 -s 10.1.1.20 -p tcp --dport 22 -j ACCEPT
> > iptables -A OUTPUT [...] (the corresponding rule for related traffic)
> >
> > The experiment:
> >
> > iptables -A INPUT -i eth0 -s 10.1.1.5,10.1.1.11,10.1.1.20 -p tcp --dport 22 -j ACCEPT
> >
> > does not work ("host/network not found").
> >
> > Is there a proper syntax for this?
>
> Not that I'm aware of. You could simplify it a bit through the use of
> a shell loop:
>
> IPS="10.1.1.5 10.1.1.11 10.1.1.20"
> for IP in $IPS; do
>     iptables -A INPUT -i eth0 -s "$IP" -p tcp --dport 22 -j ACCEPT
> done
> iptables -A OUTPUT [...] (the corresponding rule for related traffic)
>
> Though the first variable (IPS) isn't truly necessary, I find that it
> helps make it more readable overall.

Thanks Jamin ... the shell loop is actually what I'm using, I just
simplified it slightly for posting. This is actually Good Enough, since
other parts of the ruleset are generated from a script.

Cheers,

Dave.

--
Please don't CC me on list messages!
...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
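The loop discussed in the thread, written as an added example (not code from either poster): it checks every address before emitting any rule, so a typo in the list cannot leave the SSH allow list half-built. The function names `valid_ipv4` and `ssh_allow_rules` are hypothetical, the script prints the commands instead of running them, and the OUTPUT rule is left out because the thread elides it.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Succeed only if $1 is a dotted-quad IPv4 address, each octet 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe, only digits and dots remain
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Usage: ssh_allow_rules IFACE ADDR...
# Prints one ACCEPT rule per address. If any address is invalid, prints
# no rules at all and returns 1, so a typo cannot yield a partial list.
ssh_allow_rules() {
    iface=$1; shift
    [ "$#" -gt 0 ] || { echo "no addresses given" >&2; return 1; }
    for ip in "$@"; do
        if ! valid_ipv4 "$ip"; then
            echo "bad address '$ip', no rules generated" >&2
            return 1
        fi
    done
    for ip in "$@"; do
        echo "iptables -A INPUT -i $iface -s $ip -p tcp --dport 22 -j ACCEPT"
    done
}

IPS="10.1.1.5 10.1.1.11 10.1.1.20"   # the three hosts from the thread
# Dry run: only prints the commands; review, then pipe to sh as root.
ssh_allow_rules eth0 $IPS
```

Current iptables releases accept a comma-separated list for `-s` and expand it into one rule per address, so the resulting ruleset is the same as the one the loop builds.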