Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Help with script for iptables
Date: Wed, 15 Nov 2006 23:21:52
Message-Id: 200611152315.17728.michaelkintzios@gmail.com
In Reply to: Re: [gentoo-user] Help with script for iptables by Flophouse Joe
Thanks Joe,

On Wednesday 15 November 2006 21:25, Flophouse Joe wrote:
> On Wed, 15 Nov 2006, Mick wrote:
> > iptables -P INPUT DROP
> > iptables -A INPUT -i ! ${UPLINK} -j ACCEPT

> > I would like to define more than one iface in UPLINK, e.g. eth0, wlan0,
> > ppp0.
>
> It sounds like you want to write a rule that says,
>
> "If the packet arrives on any of the interfaces eth0, wlan0, or ppp0,
> then do ${something} with it."

Yes. I was thinking is it possible to define the interfaces like:

UPLINK="eth0 wlan0 ppp0"

and then add something like:
=====================================================
for x in ${UPLINK}
do
iptables -A INPUT -i ! ${x} -j ACCEPT
. . . more rules . . .
iptables -A INPUT -p tcp -i ${x} -j DROP
done
=====================================================
type of thing. Not sure if the syntax is correct, but the idea is that we
define multiple interfaces, but only write the rules once with the
variable 'x' where the interface is meant to go.

> Here is one of the easiest of the bad ways:
>
> Make separate rules which effectively test for each of the interfaces
> you're interested in. If the rules match, then make the packets jump to
> a new chain for further testing.

That's a simple enough way, although, as you say, it can quickly get complicated,
especially if you want to modify rules, change chains and so on.

> It's entirely possible that I'm misunderstanding the design of
> netfilter, but it seems to me that the solution to complicated rulesets
> is to permit boolean logic in rules like so:
>
> iptables -A INPUT \
> \(-i eth0 -or -i wlan0) -and \(-p tcp --dport ssh\) \
> -j ACCEPT

Is there a legit way of specifying such rules?
--
Regards,
Mick
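One way to write the shared rules once and apply them to several uplinks, as an added example that is not part of this thread: the rules go in a user-defined chain and INPUT gets one jump into it per interface (the separate-rules approach Joe describes), followed by a catch-all ACCEPT for the non-uplink interfaces. The interface list and the ssh service are assumptions; the script prints the commands unless IPT=iptables is set.

```shell
#!/bin/sh
# Added example, not code from the thread.  Dry run by default: set
# IPT=iptables in the environment to actually apply the rules.
IPT="${IPT:-echo iptables}"
CHAIN="uplink_in"

# Rules every uplink should get, written once in the shared chain.
uplink_chain_rules() {
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    # Replies to connections this host opened itself.
    $IPT -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The one service exposed on the uplinks (assumption: ssh).
    $IPT -A "$CHAIN" -p tcp --dport ssh -m conntrack --ctstate NEW -j ACCEPT
    # Drop here so uplink traffic never reaches the catch-all ACCEPT in INPUT.
    $IPT -A "$CHAIN" -j DROP
}

# $@: uplink interfaces, e.g. eth0 wlan0 ppp0
build_input_rules() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    uplink_chain_rules
    for x in "$@"; do
        # One jump per uplink replaces "-i ! ${UPLINK}", which only
        # expresses "not this one interface".
        $IPT -A INPUT -i "$x" -j "$CHAIN"
    done
    # Everything arriving on any other interface (lo, the LAN side) is accepted.
    $IPT -A INPUT -j ACCEPT
}

# Number of per-interface jump rules a dry run emits for the given list.
count_jumps() {
    ( IPT="echo iptables"; build_input_rules "$@" ) | grep -c -- "-j ${CHAIN}\$"
}

# Constructed interface list from the thread; override with UPLINK="...".
build_input_rules ${UPLINK:-eth0 wlan0 ppp0}
```

The jump rules must be added before the final `-A INPUT -j ACCEPT`, otherwise uplink packets would be accepted before ever reaching the shared chain.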
