[NCLUG] Iptables - ip range

Mike Loseke mike at verinet.com
Mon Nov 25 15:08:36 MST 2002


Thus spake Jesse Courchaine:
> 
> It would be nice if they had that built in.. but unfortunately that does
> not work.
> I think the only option now is have the multiple rules, I'm just not
> sure if it will
> cause a slowdown in my network connections.

 You might be able to specify a block/subnet of those addresses though.
Re-numbering some might be the only hurdle but that would at least let you
make a one-line entry. Something like:

iptables -A INPUT -s 10.10.10.33/27 -i eth0 -p tcp --dport 21 -j ACCEPT

 I don't currently have a system handy to check that against but I'd
imagine it would work. It would corral 10.10.10.33 through 10.10.10.62 I
believe. If you can't renumber then you could go with a few smaller subnets
and some one-per-lines to at least reduce the overall number of lines and
make it a little more efficient.


> Thanks,
> Jesse
> 
> -----Original Message-----
> From: nclug-admin at nclug.org [mailto:nclug-admin at nclug.org] On Behalf Of
> Michael Dwyer
> Sent: Monday, November 25, 2002 11:05 AM
> To: nclug at nclug.org
> Subject: Re: [NCLUG] Iptables - ip range
> 
> 
> Jesse Courchaine wrote:
> > Hi,
> > 
> > If anyone is knowledgeable in iptables, I have a question for you.  I
> > would like to select a range of IP addresses (i.e. 10.10.10.30 -
> > 10.10.10.60, not a subnet)
> > Ex.
> > iptables -A INPUT -s 10.10.10.30 -i eth0 -p tcp --dport 21 -j ACCEPT
> > iptables -A INPUT -s 10.10.10.31 -i eth0 -p tcp --dport 21 -j ACCEPT
> > iptables -A INPUT -s 10.10.10.32 -i eth0 -p tcp --dport 21 -j ACCEPT
> 
> I don't see it in the man page, but does a range specification work?
> 
> iptables -A INPUT -s 10.10.10.31:10.10.10.60 -i eth0 -p tcp --dport 21 -j ACCEPT


-- 
                  | If you hear a Southerner exclaim, "Hey, y'all,
   Mike Loseke    | watch this!" stay out of his way. These are
 mike at verinet.com | likely the last words he will ever say.
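The subnet approach discussed above, worked through as an added example that is not part of the thread: a small POSIX shell script that splits any inclusive IPv4 range into the fewest CIDR blocks and prints one iptables rule per block, plus a helper that shows which addresses a given block really matches (the host part after the slash is masked off). The range 10.10.10.30-10.10.10.60, port 21 and `-i eth0` come from the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): turn an arbitrary inclusive IPv4 range
# into the smallest set of CIDR blocks and print one iptables rule per block.
# Range 10.10.10.30-10.10.10.60 and port 21 come from the thread; helper names
# are hypothetical; -i eth0 is kept from the original rules.

ip2int() {                      # dotted quad -> 32-bit integer
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                      # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range NET/BITS -> "first last": what a block really matches (the
# address after the slash is masked, so 10.10.10.33/27 is 10.10.10.32-63)
cidr_range() {
    net=${1%/*}; bits=${1#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    base=$(( $(ip2int "$net") & mask ))
    echo "$(int2ip "$base") $(int2ip $(( base | (4294967295 ^ mask) )))"
}

# range2cidr FIRST LAST -> covering CIDR blocks, one per line, in order
range2cidr() {
    lo=$(ip2int "$1"); hi=$(ip2int "$2")
    while [ "$lo" -le "$hi" ]; do
        bits=32
        # widen the block while it stays aligned on lo and does not pass hi
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))
            [ $(( lo % size )) -eq 0 ] && [ $(( lo + size - 1 )) -le "$hi" ] || break
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$lo")/$bits"
        lo=$(( lo + (1 << (32 - bits)) ))
    done
}

# emit_rules FIRST LAST PORT -> one ACCEPT rule per CIDR block
emit_rules() {
    range2cidr "$1" "$2" | while read -r net; do
        echo "iptables -A INPUT -s $net -i eth0 -p tcp --dport $3 -j ACCEPT"
    done
}

emit_rules 10.10.10.30 10.10.10.60 21    # 5 rules instead of 31
```

Later iptables releases also ship the iprange match (`-m iprange --src-range 10.10.10.30-10.10.10.60`), which expresses the same range in one rule without renumbering; review the generated rules with `iptables -L INPUT -n -v --line-numbers` before relying on them.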