* How do you specify an odd group of hosts?
@ 2002-05-15 23:12 Adrian Hobbs
2002-06-13 16:37 ` Antony Stone
0 siblings, 1 reply; 3+ messages in thread
From: Adrian Hobbs @ 2002-05-15 23:12 UTC (permalink / raw)
To: netfilter
I am wondering what is the best way to specify an odd group of hosts. For
example, I want to allow managment hosts access to 192.168.0.5. The
managment hosts are 192.168.1.4, 192.168.1.12, 192.168.1.96.
As far as I can tell from the iptables docs you can only specify groups by
netmask according to the following extract from the packet filtering
HOWTO:
*******************************************************
The third and fourth ways allow specification of a group of IP addresses,
such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'. These both
specify any IP address from 199.95.207.0 to 199.95.207.255 inclusive; the
digits after the `/' tell which parts of the IP address are significant. `/32' or
`/255.255.255.255' is the default (match all of the IP address). To specify
any IP address at all `/0' can be used, like so:
*******************************************************
This will not work with odd hosts such as the management hosts above.
Should I create a managment chain where I list all the managment hosts
and accept the packet if it matches a managment host and use this chain
as the target?
eg:
iptables -A FORWARD -p tcp -d 192.168.0.5 --dport 22 -j MNG_HOST
iptables -A MNG_HOST -s 192.168.1.4 -j ACCEPT
iptables -A MNG_HOST -s 192.168.1.12 -j ACCEPT
iptables -A MNG_HOST -s 192.168.1.96 -j ACCEPT
iptables -A MNG_HOST -j DENY
I think this could be a little cumbersome when dealing with large numbers
of hosts. Maybe a comma separated list of source hosts would be good,
or a way to group.
Adrian.
UTS CRICOS Provider Code: 00099F
DISCLAIMER
========================================================================
This email message and any accompanying attachments may contain
confidential information. If you are not the intended recipient, do not
read, use, disseminate, distribute or copy this message or attachments.
If you have received this message in error, please notify the sender
immediately and delete this message. Any views expressed in this message
are those of the individual sender, except where the sender expressly,
and with authority, states them to be the views the University of
Technology Sydney. Before opening any attachments, please check them for
viruses and defects.
========================================================================
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: How do you specify an odd group of hosts?
2002-05-15 23:12 How do you specify an odd group of hosts? Adrian Hobbs
@ 2002-06-13 16:37 ` Antony Stone
2002-06-13 20:31 ` Fred Richards
0 siblings, 1 reply; 3+ messages in thread
From: Antony Stone @ 2002-06-13 16:37 UTC (permalink / raw)
To: netfilter
On Thursday 16 May 2002 12:12 am, Adrian Hobbs wrote:
> I am wondering what is the best way to specify an odd group of hosts. For
> example, I want to allow managment hosts access to 192.168.0.5. The
> managment hosts are 192.168.1.4, 192.168.1.12, 192.168.1.96.
>
> eg:
> iptables -A FORWARD -p tcp -d 192.168.0.5 --dport 22 -j MNG_HOST
>
> iptables -A MNG_HOST -s 192.168.1.4 -j ACCEPT
> iptables -A MNG_HOST -s 192.168.1.12 -j ACCEPT
> iptables -A MNG_HOST -s 192.168.1.96 -j ACCEPT
> iptables -A MNG_HOST -j DENY
Looks like the best way of doing it to me. There's no way to specify
multiple source or destination addresses in a single iptables rule except for
the contiguous network ranges you've already found in the docs.
Antony.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: How do you specify an odd group of hosts?
2002-06-13 16:37 ` Antony Stone
@ 2002-06-13 20:31 ` Fred Richards
0 siblings, 0 replies; 3+ messages in thread
From: Fred Richards @ 2002-06-13 20:31 UTC (permalink / raw)
To: netfilter
This is what I did ... write a script! You could have several parts,
one for accepted hosts, etc... I actually had certain ports that I had a
bunch of eggdrops allowed access on... listed the rules for the ports
and added the IPs to the first line ...
for i in a.b.c.d e.f.g.h i.j.k.l
do
iptables -A inet-in -s $i -j ACCEPT
done
Antony Stone wrote:
>On Thursday 16 May 2002 12:12 am, Adrian Hobbs wrote:
>
>
>
>>I am wondering what is the best way to specify an odd group of hosts. For
>>example, I want to allow managment hosts access to 192.168.0.5. The
>>managment hosts are 192.168.1.4, 192.168.1.12, 192.168.1.96.
>>
>>eg:
>>iptables -A FORWARD -p tcp -d 192.168.0.5 --dport 22 -j MNG_HOST
>>
>>iptables -A MNG_HOST -s 192.168.1.4 -j ACCEPT
>>iptables -A MNG_HOST -s 192.168.1.12 -j ACCEPT
>>iptables -A MNG_HOST -s 192.168.1.96 -j ACCEPT
>>iptables -A MNG_HOST -j DENY
>>
>>
>
>Looks like the best way of doing it to me. There's no way to specify
>multiple source or destination addresses in a single iptables rule except for
>the contiguous network ranges you've already found in the docs.
>
>
>
>Antony.
>
>
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2002-06-13 20:31 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2002-05-15 23:12 How do you specify an odd group of hosts? Adrian Hobbs
2002-06-13 16:37 ` Antony Stone
2002-06-13 20:31 ` Fred Richards
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.