Re: IPTables question

To: Pascal Hambourg <pascal@plouf.fr.eu.org>,debian-user@lists.debian.org
Subject: Re: IPTables question
From: Shawn Wilson <ag4ve.us@gmail.com>
Date: Sat, 09 Nov 2013 17:34:38 -0500
Message-id: <[🔎] 4d539f94-5809-483f-bfa8-fc50e6e73faa@email.android.com>
In-reply-to: <[🔎] 527EB0FA.8080801@plouf.fr.eu.org>
References: <[🔎] 527E7517.9070508@uniserve.com> <[🔎] 527EB0FA.8080801@plouf.fr.eu.org>


Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>Hello,
>
>Bill.M a écrit :
>> 
>> In IPTables one can specify multiple addresses, and multiple ports,
>but 
>> is there anyway to specify multiple interfaces.
>> 
>> For example,  -m multiport --destination-port 22,25,80
>> 
>> Or 	      -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10
>
>In addition to David's answer :
>Unless recent change I am not aware of, you cannot specify an address
>range in -s or -d. You must use the "iprange" match instead (or ipset
>if
>your kernel supports it). Also, note that specifying multiple
>comma-separated addresses or prefixes in -s or -d will result in
>multiple rules being actually created, which can have undesirable
>side-effects and impact efficiency.

The speed impact of a small rule set is negligible. One ipset vs 20 rules, yes please - it's easier to look at. Also, idk any way to match interface with ipset - ip and port (even src and dst in one line) but not interface.

Reply to:

Follow-Ups:
- Re: IPTables question
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

References:
- IPTables question
  - From: "Bill.M" <bill3@uniserve.com>
- Re: IPTables question
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

Prev by Date: Re: Grub, Raid, LVM
Next by Date: Re: Why Debian
Previous by thread: Re: IPTables question
Next by thread: Re: IPTables question
Index(es):
- Date
- Thread