[gentoo-user] iptables: how can I include multiple hosts/IPs in "-s" and "-d"?

[gentoo-user] iptables: how can I include multiple hosts/IPs in "-s" and "-d"?

[Jarry]

Hi

I'd like to ask if there is some way to include multiple discrete
hosts/IP's in --source and --destination options of iptables.

I'm trying to write firewall rules for my server, but it has
12 IP's from different segments (and maybe it gets a few more
later), and the script grows up as I have to write nearly
identical rules with difference only in -s/-d IP's.

What I'm looking for is a way to define some variable at the
beginning of my script, like MY_IP="IP1 IP2 IP3 IP4..." and
later to use is in rules (iptables -A INPUT -s $MY_IP...).
But I do not know how to use it. As far as I understand it,
--source/--destination accepts only single IP's or continuous
IP-segments...

Jarry

-- 
_______________________________________________________________
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.

Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in "-s" and "-d"?

[Kostyantyn]

On Mon, 2010-04-05 at 19:32 +0200, Jarry wrote:
> Hi
> 
> I'd like to ask if there is some way to include multiple discrete
> hosts/IP's in --source and --destination options of iptables.
> 
> I'm trying to write firewall rules for my server, but it has
> 12 IP's from different segments (and maybe it gets a few more
> later), and the script grows up as I have to write nearly
> identical rules with difference only in -s/-d IP's.
> 
> What I'm looking for is a way to define some variable at the
> beginning of my script, like MY_IP="IP1 IP2 IP3 IP4..." and
> later to use is in rules (iptables -A INPUT -s $MY_IP...).
> But I do not know how to use it. As far as I understand it,
> --source/--destination accepts only single IP's or continuous
> IP-segments...

You can do something like:
(100) iptables -N IP_SET_CHECK
(110) iptables -A IP_SET_CHECK -s $IP1 -j RETURN
(120) iptables -A IP_SET_CHECK -s $IP2 -j RETURN
(130) iptables -A IP_SET_CHECK -s $IP3/16 -j RETURN
(140) iptables -A IP_SET_CHECK -s $IP4 -j RETURN
(150) iptables -A IP_SET_CHECK -j DROP
 
(210) iptables -A INPUT -j IP_SET_CHECK
(220) iptables -A INPUT some other rules....
(230) iptables -A INPUT some other rules....

So, when it comes to the the line 210, it will start checking newly
created chain IP_SET_CHECK. If it won't find appropriate rule it will be
dropped at the line (150), but if manages to find one, it will return to
the line 220 and will continue looking for "-j ACCEPT" or "-j DROP".

The same applies for the OUTPUT chain.

> Jarry
> 

Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in "-s" and "-d"?

[Alex Schuster]

Jarry writes:

> I'd like to ask if there is some way to include multiple discrete
> hosts/IP's in --source and --destination options of iptables.
> 
> I'm trying to write firewall rules for my server, but it has
> 12 IP's from different segments (and maybe it gets a few more
> later), and the script grows up as I have to write nearly
> identical rules with difference only in -s/-d IP's.
> 
> What I'm looking for is a way to define some variable at the
> beginning of my script, like MY_IP="IP1 IP2 IP3 IP4..." and
> later to use is in rules (iptables -A INPUT -s $MY_IP...).
> But I do not know how to use it. As far as I understand it,
> --source/--destination accepts only single IP's or continuous
> IP-segments...

Well, as your iptables script is probably written in bash, you can do 
loops as you like:

myIPs="IP1 IP2 IP3 IP4 ..."
for ip in $myIPs do   # use $myIPs here, not "$myIPs"!
	iptables -A INPUT -s $ip ...
done

	Wonko

Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in "-s" and "-d"?

[Stefan Schulte]

[-- Attachment #1: Type: text/plain, Size: 1485 bytes --]

Hi,


you can define a rule like that:

iptables -A FORWARD -s 192.168.235.43,192.168.235.46 -d
10.0.0.1,192.168.0.1 -j ACCEPT

it will create 4 rules.

be sure to activate Networking support->Networking options->Network
packet filtering framework->Core Netfilter Configuration->iprange
address range match support

Now you can do something like

iptables -A FORWARD -m iprange --src-range '10.0.0.1-10.0.0.44' -j
ACCEPT

hope it helps

-Stefan

On Mon, Apr 05, 2010 at 07:32:17PM +0200, Jarry wrote:
> Hi
> 
> I'd like to ask if there is some way to include multiple discrete
> hosts/IP's in --source and --destination options of iptables.
> 
> I'm trying to write firewall rules for my server, but it has
> 12 IP's from different segments (and maybe it gets a few more
> later), and the script grows up as I have to write nearly
> identical rules with difference only in -s/-d IP's.
> 
> What I'm looking for is a way to define some variable at the
> beginning of my script, like MY_IP="IP1 IP2 IP3 IP4..." and
> later to use is in rules (iptables -A INPUT -s $MY_IP...).
> But I do not know how to use it. As far as I understand it,
> --source/--destination accepts only single IP's or continuous
> IP-segments...
> 
> Jarry
> 
> -- 
> _______________________________________________________________
> This mailbox accepts e-mails only from selected mailing-lists!
> Everything else is considered to be spam and therefore deleted.
> 

[-- Attachment #2: Type: application/pgp-signature, Size: 665 bytes --]