[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: How to specify a number of IP addresses in a single statement?



On Tuesday, 03.05.2005 at 09:45 -0600, Jamin W.Collins wrote:

> On May 3, 2005, at 9:35 AM, Dave Ewart wrote:
> >
> >But how does one refer to a list of different IP addresses (e.g. a more
> >general version of "-s 10.1.1.5")?  Is this possible without writing
> >multiple rules?
> >
> >I wish to introduce a rule to only allow SSH access to the firewall 
> >from
> >three different IPs on the internal network and have only found this 
> >way
> >to do it so far:
> >
> >iptables -A INPUT -i eth0 -s 10.1.1.5 -p tcp --dport 22 -j ACCEPT
> >iptables -A INPUT -i eth0 -s 10.1.1.11 -p tcp --dport 22 -j ACCEPT
> >iptables -A INPUT -i eth0 -s 10.1.1.20 -p tcp --dport 22 -j ACCEPT
> >iptables -A OUTPUT [...] (the corresponding rule for related traffic)
> >
> >The experiment:
> >
> >iptables -A INPUT -i eth0 -s 10.1.1.5,10.1.1.11,10.1.1.20 -p tcp 
> >--dport 22 -j ACCEPT
> >
> >does not work ("host/network not found").
> >
> >Is there a proper syntax for this?
> 
> Not that I'm aware of.  You could simplify it a bit through the use of 
> a shell loop:
> 
> IPS="10.1.1.5 10.1.1.11 10.1.1.20"
> for IP in $IPS; do
>   iptables -A INPUT -i eth0 -s $IP -p tcp --dport 22 -j ACCEPT
> done
> iptables -A OUTPUT [...] (the corresponding rule for related traffic)
> 
> Thought the first variable (IPS) isn't truly necessary I find that it 
> helps make it more readable overall.

Thanks Jamin ... the shell loop is actually what I'm using, I just
simplified it slightly for posting.  This is actually Good Enough, since
other parts of the ruleset are generated from a script.

Cheers,

Dave.
-- 
Please don't CC me on list messages!
...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92

Attachment: signature.asc
Description: Digital signature


Reply to: