On Tuesday, 03.05.2005 at 09:45 -0600, Jamin W.Collins wrote:
On May 3, 2005, at 9:35 AM, Dave Ewart wrote:
But how does one refer to a list of different IP addresses (e.g. a more
general version of "-s 10.1.1.5")? Is this possible without writing
multiple rules?
I wish to introduce a rule to only allow SSH access to the firewall
from
three different IPs on the internal network and have only found this
way
to do it so far:
iptables -A INPUT -i eth0 -s 10.1.1.5 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s 10.1.1.11 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -s 10.1.1.20 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT [...] (the corresponding rule for related traffic)
The experiment:
iptables -A INPUT -i eth0 -s 10.1.1.5,10.1.1.11,10.1.1.20 -p tcp
--dport 22 -j ACCEPT
does not work ("host/network not found").
Is there a proper syntax for this?
Not that I'm aware of. You could simplify it a bit through the use of
a shell loop:
IPS="10.1.1.5 10.1.1.11 10.1.1.20"
for IP in $IPS; do
iptables -A INPUT -i eth0 -s $IP -p tcp --dport 22 -j ACCEPT
done
iptables -A OUTPUT [...] (the corresponding rule for related traffic)
Thought the first variable (IPS) isn't truly necessary I find that it
helps make it more readable overall.
Thanks Jamin ... the shell loop is actually what I'm using, I just
simplified it slightly for posting. This is actually Good Enough, since
other parts of the ruleset are generated from a script.
Cheers,
Dave.