
Quick iptables question

  • 02-07-2004 04:20PM
    #1
    Registered Users, Registered Users 2 Posts: 3,958 ✭✭✭


    Is there a syntax for AND in iptables...
    e.g.
    iptables -s 192.168.1.1 AND 192.168.1.2

    or something along those lines.
    I've googled all over and can't find anything,
    it's a bit of a difficult request to search for.

    thanks,
    chad ghostal


Comments

  • Registered Users, Registered Users 2, Paid Member Posts: 2,427 ✭✭✭ressem


    Any more details on the problem? (pedantic crap, that's an OR operation, as in: if source is X OR Y)

    If you're specifying a list of source or destination addresses/subnets, you need to build a multiline rule, adding each address individually.

    ...
    iptables -A INPUT -s 192.168.1.1 -j DROP
    iptables -A INPUT -s 192.168.1.2 -j DROP
    ...

    If you're trying to use multiple IPs you'll usually use a subnet description,
    or arrange the IPs so that they can be described as a subnet.
    e.g. change 192.168.1.1 to 192.168.1.3
    so the pair can be described as
    iptables -A INPUT -s 192.168.1.2/31 -j DROP


  • Registered Users, Registered Users 2 Posts: 3,958 ✭✭✭Chad ghostal


    sorry about the lack of detail,
    what I want to do is basically say
    if the data isn't going to either of two networks then the address will be translated to some other IP address..
    so this is what I had more or less (can't get to it at the moment)
    iptables -t nat -s ! 192.168.1.0/24 <and> ! 192.168.2.0/24 -j SNAT --source-to x.x.x.x

    is there some way I could treat them all as the same network, as you said?
    I'm pretty lost with iptables, so much to learn so little time.. :dunno:


  • Registered Users, Registered Users 2, Paid Member Posts: 2,427 ✭✭✭ressem


    Interpretation: if the data isn't coming from these subnets then you want to change the source address to some other IP address.

    The obvious alternative is to use a larger subnet mask and cover the alternatives:

    iptables -t nat -A POSTROUTING -s !192.168.0.0/22 -j SNAT --to-source x.x.x.x:1024-32000
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source x.x.x.x:1024-32000
    iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j SNAT --to-source x.x.x.x:1024-32000

    There are probably better ways, depending on what you want the other outgoing packets to do.
    Filtering here isn't meant to be recommended.

    In some places you can use a hyphen to create a group of IPs (e.g. you can use --to-source x.x.x.x-x.x.y.y ) but I don't think that this works with the -s field.

    obligatory links
    http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGGENERAL
    http://www.knowplace.org/netfilter/syntax.html#conf5

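Added example (editor's note, not code from either poster): the two replies above rely on some subnet arithmetic, namely finding the smallest block that covers both networks, working out which extra ranges the wider mask drags in (that is why the /22 rule needs the 192.168.0.0/24 and 192.168.3.0/24 rules after it), and the /31 pairing trick from the first reply. The script below does that arithmetic with Python's ipaddress module, renders the resulting POSTROUTING rules, and simulates first-match traversal of the nat chain for a few sample source addresses so you can see which packets get SNAT applied. It also builds the other common idiom for "not A and not B", RETURN for each excluded net followed by a catch-all SNAT, which is my addition rather than something from the thread. Everything is constructed: 203.0.113.10 stands in for the thread's x.x.x.x, and the sample packets are made up. Negation is written in the modern `! -s` form rather than the `-s !` form used in the thread.

```python
import ipaddress


def as_networks(specs):
    """Turn CIDR strings into IPv4Network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(s, strict=False) for s in specs]


# Constructed sample: the two networks the poster wants to keep out of SNAT,
# and a documentation address standing in for the thread's x.x.x.x.
EXCLUDED = as_networks(["192.168.1.0/24", "192.168.2.0/24"])
SNAT_IP = "203.0.113.10"


def covering_supernet(nets):
    """Smallest single CIDR block containing every network in nets.
    This is the 'larger subnet mask' trick: widen the first block one bit
    at a time until all the others fit inside it."""
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def overmatched(cover, nets):
    """Ranges inside cover that are NOT in nets: the addresses the wider mask
    pulls in, each of which needs its own explicit rule afterwards."""
    leftover = [cover]
    for n in nets:
        remaining = []
        for block in leftover:
            if block.subnet_of(n):
                continue                       # block lies inside an excluded net
            if n.subnet_of(block):
                remaining.extend(block.address_exclude(n))
            else:
                remaining.append(block)
        leftover = remaining
    return list(ipaddress.collapse_addresses(leftover))


# A rule is (network, negate, target); target None means -j RETURN.
def supernet_rules(nets, snat_ip):
    """The approach from the reply above: one negated rule on the covering
    block, then a SNAT rule for each extra range the wider mask dragged in."""
    cover = covering_supernet(nets)
    extras = [(extra, False, snat_ip) for extra in overmatched(cover, nets)]
    return [(cover, True, snat_ip)] + extras


def exclude_then_snat_rules(nets, snat_ip):
    """Alternative idiom (editor's addition, not from the thread): RETURN for
    each excluded net, then SNAT everything else. 'not A and not B' falls out
    of first-match ordering, with no supernet arithmetic required."""
    everything = ipaddress.ip_network("0.0.0.0/0")
    return [(n, False, None) for n in nets] + [(everything, False, snat_ip)]


def render(rules):
    """iptables command lines for a rule list."""
    lines = []
    for net, negate, target in rules:
        src = f"! -s {net}" if negate else f"-s {net}"
        jump = "RETURN" if target is None else f"SNAT --to-source {target}"
        lines.append(f"iptables -t nat -A POSTROUTING {src} -j {jump}")
    return lines


def evaluate(rules, src_ip):
    """Simulate first-match traversal of nat/POSTROUTING for one packet.
    Returns the SNAT address applied, or None if the packet leaves untouched
    (a RETURN matched, or the chain ran out with the default ACCEPT policy)."""
    src = ipaddress.ip_address(src_ip)
    for net, negate, target in rules:
        if (src in net) != negate:
            return target
    return None


if __name__ == "__main__":
    samples = ["192.168.1.7", "192.168.2.9", "192.168.0.7", "192.168.3.200", "10.1.1.1"]
    for build in (supernet_rules, exclude_then_snat_rules):
        rules = build(EXCLUDED, SNAT_IP)
        print("\n".join(render(rules)))
        for ip in samples:
            print(f"  {ip:>14} -> {evaluate(rules, ip)}")
        print()
```

Running it shows that both rule sets agree on every sample: traffic from 192.168.1.x and 192.168.2.x is left alone, while 192.168.0.x, 192.168.3.x and anything outside 192.168.0.0/22 gets translated. Note that a single `-s A -s B` rule can never express "A or B": the two source matches are ANDed and disjoint sources match nothing, which is why the first reply splits them into separate rules.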

  • Registered Users, Registered Users 2 Posts: 3,958 ✭✭✭Chad ghostal


    Nice one for the help ressem, that last one worked perfectly. (minus the end parts)
    iptables -t nat -A POSTROUTING -s !192.168.0.0/22 -j SNAT --to-source x.x.x.x
    (just in time too :) :D )

