
Quick iptables question

  • 02-07-2004 3:20pm #1


    Is there a syntax for AND in iptables...
    e.g.
    iptables -s 192.168.1.1 AND 192.168.1.2

    or something along those lines.
    I've googled all over and can't find anything;
    it's a bit of a difficult request to search for.

    thanks,
    chad ghostal


Comments

  • ressem


    Any more details on the problem? (Pedantic crap: that's an OR operation, as in "if source is X OR Y".)

    If you're specifying a list of source or destination addresses/subnets, you need to build a multiline rule, adding each address individually.

    ...
    iptables -A INPUT -s 192.168.1.1 -j DROP
    iptables -A INPUT -s 192.168.1.2 -j DROP
    ...

    If you're trying to use multiple IPs you'll usually use a subnet description,
    or arrange the IPs so that they can be described as a subnet.
    E.g. change 192.168.1.1 to 192.168.1.3
    so the pair can be described as
    iptables -A INPUT -s 192.168.1.2/31 -j DROP


  • Chad ghostal


    Sorry about the lack of detail.
    What I want to do is basically say:
    if the data isn't going to either of two networks, then the address will be translated to some other IP address.
    So this is what I had, more or less (can't get to it at the moment):
    iptables -t nat -s ! 192.168.1.0/24 <and> ! 192.168.2.0/24 -j SNAT --source-to x.x.x.x

    Is there some way I could treat them all as the same network, as you said?
    I'm pretty lost with iptables; so much to learn, so little time.. :dunno:


  • ressem


    Interpretation: If the data isn't coming from these subnets, then you want to change the source address to some other IP address.

    The obvious alternative is to use a larger subnet mask and cover the alternatives:

    iptables -t nat -A POSTROUTING -s !192.168.0.0/22 -j SNAT --to-source x.x.x.x:1024-32000
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source x.x.x.x:1024-32000
    iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j SNAT --to-source x.x.x.x:1024-32000

    There are probably better ways, depending on what you want the other outgoing packets to do.
    Filtering here isn't meant to be recommended.

    In some places you can use a hyphen to create a group of IPs (e.g. you can use --to-source x.x.x.x-x.x.y.y), but I don't think that this works with the -s field.

    Obligatory links
    http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGGENERAL
    http://www.knowplace.org/netfilter/syntax.html#conf5
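The "not subnet A AND not subnet B, then SNAT" logic from the reply above, as an added example that is not from the thread: a user-defined nat chain RETURNs on either exception and SNATs whatever falls through, so no covering /22 and no extra per-/24 rules are needed. PUBLIC_IP is a constructed placeholder for the x.x.x.x in the thread, and the ip2int/in_cidr helpers are an offline model of the -s match for checking the logic without root.

```shell
#!/bin/sh
# Added example, not from the thread: "NOT 192.168.1.0/24 AND NOT 192.168.2.0/24 -> SNAT"
# written as a user-defined nat chain. Each exception RETURNs early; anything that
# falls through the chain is SNATted. PUBLIC_IP is a constructed placeholder.
PUBLIC_IP="203.0.113.10"
IPT="${IPT:-echo iptables}"   # prints the rules by default; set IPT=iptables to apply

snat_rules() {
    $IPT -t nat -N SNAT_OUT
    $IPT -t nat -A SNAT_OUT -s 192.168.1.0/24 -j RETURN
    $IPT -t nat -A SNAT_OUT -s 192.168.2.0/24 -j RETURN
    $IPT -t nat -A SNAT_OUT -j SNAT --to-source "$PUBLIC_IP"
    $IPT -t nat -A POSTROUTING -j SNAT_OUT   # hand every outgoing packet to the chain
}

# Pure-shell model of the -s match, so the rule logic can be checked offline.
ip2int() {
    # dotted quad -> 32-bit integer (POSIX arithmetic only)
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # in_cidr IP NET/PREFIX -> success if IP lies inside the prefix
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

would_snat() {
    # mirrors SNAT_OUT: either exception -> RETURN (no NAT), otherwise SNAT
    for net in 192.168.1.0/24 192.168.2.0/24; do
        in_cidr "$1" "$net" && return 1
    done
    return 0
}
```

Run it as-is to print the rules; in_cidr also shows why the /22 version needs its two extra rules, since 192.168.0.0/22 covers 192.168.0.x and 192.168.3.x as well.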


  • Chad ghostal


    Nice one for the help ressem, that last one worked perfectly (minus the end parts).
    iptables -t nat -A POSTROUTING -s !192.168.0.0/22 -j SNAT --to-source x.x.x.x
    (just in time too:):D )

