* How do you specify an odd group of hosts?
@ 2002-05-15 23:12 Adrian Hobbs
  2002-06-13 16:37 ` Antony Stone
  0 siblings, 1 reply; 3+ messages in thread
From: Adrian Hobbs @ 2002-05-15 23:12 UTC (permalink / raw)
  To: netfilter

I am wondering what is the best way to specify an odd group of hosts. For 
example, I want to allow management hosts access to 192.168.0.5. The 
management hosts are 192.168.1.4, 192.168.1.12, 192.168.1.96.

As far as I can tell from the iptables docs you can only specify groups by 
netmask according to the following extract from the packet filtering 
HOWTO:
*******************************************************
The third and fourth ways allow specification of a group of IP addresses, 
such as `199.95.207.0/24' or `199.95.207.0/255.255.255.0'. These both 
specify any IP address from 199.95.207.0 to 199.95.207.255 inclusive; the 
digits after the `/' tell which parts of the IP address are significant. `/32' or 
`/255.255.255.255' is the default (match all of the IP address). To specify 
any IP address at all `/0' can be used, like so: 
*******************************************************

This will not work with odd hosts such as the management hosts above.

Should I create a management chain where I list all the management hosts 
and accept the packet if it matches a management host and use this chain 
as the target? 

eg:
iptables -A FORWARD -p tcp -d 192.168.0.5 --dport 22 -j MNG_HOST

iptables -A MNG_HOST -s 192.168.1.4 -j ACCEPT
iptables -A MNG_HOST -s 192.168.1.12 -j ACCEPT
iptables -A MNG_HOST -s 192.168.1.96 -j ACCEPT
iptables -A MNG_HOST -j DENY

I think this could be a little cumbersome when dealing with large numbers 
of hosts. Maybe a comma separated list of source hosts would be good, 
or a way to group.

Adrian.

* Re: How do you specify an odd group of hosts?
  2002-05-15 23:12 How do you specify an odd group of hosts? Adrian Hobbs
@ 2002-06-13 16:37 ` Antony Stone
  2002-06-13 20:31   ` Fred Richards
  0 siblings, 1 reply; 3+ messages in thread
From: Antony Stone @ 2002-06-13 16:37 UTC (permalink / raw)
  To: netfilter

On Thursday 16 May 2002 12:12 am, Adrian Hobbs wrote:

> I am wondering what is the best way to specify an odd group of hosts. For
> example, I want to allow management hosts access to 192.168.0.5. The
> management hosts are 192.168.1.4, 192.168.1.12, 192.168.1.96.
>
> eg:
> iptables -A FORWARD -p tcp -d 192.168.0.5 --dport 22 -j MNG_HOST
>
> iptables -A MNG_HOST -s 192.168.1.4 -j ACCEPT
> iptables -A MNG_HOST -s 192.168.1.12 -j ACCEPT
> iptables -A MNG_HOST -s 192.168.1.96 -j ACCEPT
> iptables -A MNG_HOST -j DENY

Looks like the best way of doing it to me. There's no way to specify 
multiple source or destination addresses in a single iptables rule except for 
the contiguous network ranges you've already found in the docs.

Antony.

* Re: How do you specify an odd group of hosts?
  2002-06-13 16:37 ` Antony Stone
@ 2002-06-13 20:31   ` Fred Richards
  0 siblings, 0 replies; 3+ messages in thread
From: Fred Richards @ 2002-06-13 20:31 UTC (permalink / raw)
  To: netfilter

This is what I did ... write a script!  You could have several parts, 
one for accepted hosts, etc... I actually had certain ports that I had a 
bunch of eggdrops allowed access on... listed the rules for the ports 
and added the IPs to the first line ...

for i in a.b.c.d  e.f.g.h  i.j.k.l
do
iptables -A inet-in -s $i  -j ACCEPT
done


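An added worked example, written for this archive page and not code from any of the three posters: it turns the user-chain idea from the question (and Fred's loop) into one script, and adds the two grouping mechanisms that later iptables and ipset releases gained, a comma-separated address list and an IP set. The hosts, the protected host/port and the chain name MNG_HOST come from the question; the set name mgmt_hosts and the IPT/IPSET dry-run variables are my own assumptions. Note that the question's chain ends in -j DENY, which is an ipchains target name; the iptables equivalent is DROP (or REJECT), and the script uses DROP.

```shell
#!/bin/sh
# Added example for this thread (my code, not any poster's). It scripts the
# user-chain idea from the question and shows the two grouping mechanisms that
# later iptables/ipset releases added. IPT and IPSET default to the real
# tools; set IPT=echo IPSET=echo to print the commands instead of applying them.
set -e

# Hosts and service taken from the question; the chain name MNG_HOST is the
# questioner's, the set name mgmt_hosts is my own choice.
MGMT_HOSTS="192.168.1.4 192.168.1.12 192.168.1.96"
TARGET_HOST="192.168.0.5"
TARGET_PORT="22"

# 'command' bypasses function lookup, so these wrappers can never recurse.
run_ipt()   { command "${IPT:-iptables}" "$@"; }
run_ipset() { command "${IPSET:-ipset}" "$@"; }

# Join words into a comma-separated list: join_commas a b c -> a,b,c
join_commas() {
    out=""
    for word in "$@"; do out="${out:+$out,}$word"; done
    printf '%s\n' "$out"
}

# 1. User chain (what the question proposes): one ACCEPT per host, then DROP.
#    The original post ends the chain with -j DENY, which is an ipchains
#    target name; in iptables the equivalent is DROP (or REJECT).
build_group_chain() {
    chain="$1"; shift
    run_ipt -N "$chain"          # fails (and aborts, via set -e) if it exists
    for host in "$@"; do
        run_ipt -A "$chain" -s "$host" -j ACCEPT
    done
    run_ipt -A "$chain" -j DROP
}

# Only SSH to the protected host is steered into the chain, so the chain's
# final DROP affects that traffic alone; everything else continues in FORWARD.
install_chain_policy() {
    build_group_chain MNG_HOST $MGMT_HOSTS
    run_ipt -A FORWARD -p tcp -d "$TARGET_HOST" --dport "$TARGET_PORT" -j MNG_HOST
}

# 2. Comma-separated addresses: iptables expands "-s a,b,c" into one rule per
#    address when adding with -A. Shorter to type, but still N rules, as
#    'iptables -S FORWARD' will show.
install_comma_policy() {
    list=$(join_commas $MGMT_HOSTS)
    run_ipt -A FORWARD -p tcp -s "$list" -d "$TARGET_HOST" --dport "$TARGET_PORT" -j ACCEPT
    run_ipt -A FORWARD -p tcp -d "$TARGET_HOST" --dport "$TARGET_PORT" -j DROP
}

# 3. ipset: membership lives in a kernel set, the rule stays constant, and
#    hosts can be added or removed later without editing the rule list.
install_ipset_policy() {
    run_ipset create mgmt_hosts hash:ip
    for host in $MGMT_HOSTS; do
        run_ipset add mgmt_hosts "$host"
    done
    run_ipt -A FORWARD -p tcp -d "$TARGET_HOST" --dport "$TARGET_PORT" \
        -m set --match-set mgmt_hosts src -j ACCEPT
    run_ipt -A FORWARD -p tcp -d "$TARGET_HOST" --dport "$TARGET_PORT" -j DROP
}

main() {
    case "$1" in
        chain) install_chain_policy ;;
        comma) install_comma_policy ;;
        ipset) install_ipset_policy ;;
        *) echo "usage: $0 {chain|comma|ipset}" >&2; exit 2 ;;
    esac
}

# Run only when invoked with an argument, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: `IPT=echo IPSET=echo sh mgmt-group.sh chain` prints the six commands the chain variant would run, so the rule order (ACCEPTs before the final DROP, and the FORWARD jump restricted to TCP port 22 on 192.168.0.5) can be reviewed before anything is applied. The ipset variant needs the ipset userspace tool and the xt_set match in the kernel; its advantage for the "large numbers of hosts" case in the question is that `ipset add mgmt_hosts <addr>` changes membership without inserting or deleting any rule.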