From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Help with script for iptables
Date: Wed, 15 Nov 2006 23:15:04 +0000 [thread overview]
Message-ID: <200611152315.17728.michaelkintzios@gmail.com> (raw)
In-Reply-To: <Pine.LNX.4.64.0611151557290.31856@becky16.halibutdepot.org>
Thanks Joe,
On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
> On Wed, 15 Nov 2006, Mick wrote:
> > iptables -P INPUT DROP
> > iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
> > I would like to define more than one iface in UPLINK, e.g. eth0, wlan0,
> > ppp0.
>
> It sounds like you want to write a rule that says,
>
> "If the packet arrives on any of the interfaces eth0, wlan0, or ppp0,
> then do ${something} with it."
Yes. I was wondering whether it is possible to define the interfaces like:
UPLINK="eth0 wlan0 ppp0"
and then add something like:
=====================================================
for x in ${UPLINK}
do
    iptables -A INPUT -i ! ${x} -j ACCEPT
    # . . . more rules . . .
    iptables -A INPUT -p tcp -i ${x} -j DROP
done
=====================================================
type of thing. Not sure if the syntax is correct, but the idea is that we
define multiple interfaces but only write the rules once, with the
variable 'x' where the interface is meant to go.
> Here is one of the easiest of the bad ways:
>
> Make separate rules which effectively test for each of the interfaces
> you're interested in. If the rules match, then make the packets jump to
> a new chain for further testing.
That's a simple enough way, although, as you say, it can quickly get complicated,
especially so if you want to modify rules, change chains and so on.
> It's entirely possible that I'm misunderstanding the design of
> netfilter, but it seems to me that the solution to complicated rulesets
> is to permit boolean logic in rules like so:
>
> iptables -A INPUT \
> \(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
> -j ACCEPT
Is there a legit way of specifying such rules?
--
Regards,
Mick
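Added example, not from the thread: a POSIX sh sketch that combines Joe's separate-chain suggestion with Mick's loop, so the per-uplink policy is written once in a user chain and the loop only binds each interface to it. The interface list, the chain name UPLINK_IN and the rules inside it are assumptions; IPT defaults to a dry run that prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not the list's code). The uplink policy lives in one user
# chain; the loop only jumps each listed interface into that chain.
UPLINK="eth0 wlan0 ppp0"          # constructed sample interface list
IPT="${IPT:-echo iptables}"       # dry run by default; IPT=iptables to apply

uplink_rules() {
    ifaces="$1"
    # Chain holding the policy for traffic arriving on any uplink.
    $IPT -N UPLINK_IN
    $IPT -A UPLINK_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A UPLINK_IN -p tcp --dport 22 -j ACCEPT
    $IPT -A UPLINK_IN -j DROP
    # Bind every uplink to the chain; the loop is the only per-interface part.
    for x in $ifaces
    do
        $IPT -A INPUT -i "$x" -j UPLINK_IN
    done
    # Packets from interfaces not in the list (lo, LAN) fall through to here.
    $IPT -A INPUT -j ACCEPT
}

uplink_rules "$UPLINK"
```

With the default dry run the function prints the rule set, which is a cheap way to eyeball the result before setting IPT=iptables.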