Re: combining multiple ip's into one variable on iptables script?
On Wed, Jul 30, 2003 at 01:20:47PM +0100, Mark C wrote:
> i.e I use ftp.www.mirror.ac.uk
>
> running nslookup on this gives me multiple ip addresses, I could create
> a variable for each IP, i.e
>
> APT_MIRROR_AC_UK_1="194.83.57.3"
> APT_MIRROR_AC_UK_2="194.83.57.7"
>
> and so forth, then create rules that allow outbound connections to each
> of theses sites, is it possible to combine them all into one variable,
> like
>
> APT_MIRROR_AC_UK="194.83.57.3, 194.83.57.7"
iptables only allows a single netblock per rule (where a netblock can be
as small as a single host when it's specified as /32). You have two
choices. You could specify ftp.www.mirror.ac.uk as 194.83.57/29, which
actually open up all hosts in the range of 194.873.57.0 to 194.83.57.7.
Or you could change your iptables scripts so that they treat each host
variable as a list, and loop over the list:
APT_MIRROR_AC_UK="194.83.57.3 194.83.57.7"
for host in $APT_MIRROR_AC_UK; do
iptables -A block ... -s $host -j ACCEPT
done
This still would work correctly even if at a later date you changed
APT_MIRROR_AC_UK to only be a single host.
--
Dave Carrigan
Seattle, WA, USA
dave@rudedog.org | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
Reply to: