From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Help with script for iptables
Date: Wed, 15 Nov 2006 23:15:04 +0000
Message-Id: <200611152315.17728.michaelkintzios@gmail.com>
References: <200611152029.35737.michaelkintzios@gmail.com>
List-Id: Gentoo Linux mail <gentoo-user@gentoo.org>

Thanks Joe,

On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
> On Wed, 15 Nov 2006, Mick wrote:
> > iptables -P INPUT DROP
> > iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
> > I would like to define more than one iface in UPLINK, e.g. eth0, wlan0,
> > ppp0.
>
> It sounds like you want to write a rule that says,
>
> "If the packet arrives on any of the interfaces eth0, wlan0, or ppp0,
> then do ${something} with it."

Yes. I was thinking, is it possible to define the interfaces like:

UPLINK="eth0 wlan0 ppp0"

and then add something like:

======================================================================
for x in ${UPLINK}
do
    iptables -A INPUT -i ! ${x} -j ACCEPT
    . . . more rules . . .
    iptables -A INPUT -p tcp -i ${x} -j DROP
done
======================================================================

type of thing. Not sure if the syntax is correct, but the idea is that we
define multiple interfaces, but only write the rules once with the
variable 'x' where the interface is meant to go.

> Here is one of the easiest of the bad ways:
>
> Make separate rules which effectively test for each of the interfaces
> you're interested in. If the rules match, then make the packets jump to
> a new chain for further testing.

That's a simple enough way, although as you say it can quickly get complicated,
especially so if you want to modify rules, change chains and so on.

> It's entirely possible that I'm misunderstanding the design of
> netfilter, but it seems to me that the solution to complicated rulesets
> is to permit boolean logic in rules like so:
>
> iptables -A INPUT \
> \(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
> -j ACCEPT

Is there a legit way of specifying such rules?

--
Regards,
Mick
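The "jump to a new chain" approach Joe mentions, written out as an added example; this is not code from the thread or from Mick's script. It also shows why the negated loop above is unsafe: with UPLINK="eth0 wlan0 ppp0", the first iteration appends `! -i eth0 -j ACCEPT`, which already accepts every packet that arrived on wlan0 or ppp0, so the later per-interface DROP rules are never reached. Putting one jump per uplink interface in front of a single trusted-side ACCEPT avoids that, and the uplink rules are then written once in their own chain. The chain name UPLINK_IN, the ssh-only policy and the use of the state match are my assumptions; the script prints the iptables commands instead of running them so the ruleset can be reviewed first (pipe the output to `sh` as root to apply it).

```shell
#!/bin/sh
# Added example (not from the gentoo-user thread): handle several uplink
# interfaces with one user-defined chain. Assumed names: UPLINK_IN chain,
# ssh as the only service exposed on the uplinks.

# Constructed interface list, as in the thread.
UPLINK="eth0 wlan0 ppp0"

# emit_rules LIST: print the iptables commands for the uplink interfaces in LIST.
emit_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    # Create the chain, or flush it if a previous run already created it.
    echo "iptables -N UPLINK_IN 2>/dev/null || iptables -F UPLINK_IN"

    # One positive match per uplink interface; each one jumps to UPLINK_IN.
    # (Modern iptables spells negation "! -i eth0"; "-i ! eth0" is the old form.)
    for x in $1; do
        echo "iptables -A INPUT -i $x -j UPLINK_IN"
    done

    # Anything that did not arrive on an uplink (lo, the LAN side) is trusted.
    # This is only safe because UPLINK_IN ends in DROP and never falls through.
    echo "iptables -A INPUT -j ACCEPT"

    # Uplink policy, written once for all uplinks.
    echo "iptables -A UPLINK_IN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A UPLINK_IN -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    echo "iptables -A UPLINK_IN -j DROP"
}

# count_jumps LIST: how many per-interface jump rules emit_rules produced.
count_jumps() {
    emit_rules "$1" | grep -c -- '-j UPLINK_IN$'
}

emit_rules "$UPLINK"
```

Adding a fourth uplink is one more word in UPLINK; the policy in UPLINK_IN does not change. The same structure can be done with an OUTPUT-side chain for the forwarding case.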