Re: combining iptables parameters




On Wed, Oct 28, 2009 at 16:36, Marcus Moeller <mail@xxxxxxxxxxxxxxxxx> wrote:
>> You would have to specify the required match space across multiple
>> rules, maybe something like this:
>>
>>  iptables -A OUTPUT -p UDP -d $IP1 -j DROP
>>  iptables -A OUTPUT -p TCP -d $IP1 -j DROP
>>  iptables -A OUTPUT -p UDP -d $IP2 -j DROP
>>  iptables -A OUTPUT -p TCP -d $IP2 -j DROP
>
> That's what I am doing atm. Thanks for the update.

BTW, if you have some complex chain of action logic (more than just a
simple -j DROP), you could simplify your rules by creating a custom
chain and having the rules on the builtin chain (OUTPUT, or whatever)
jump to your custom chain instead of DROP.

For example, if I wanted to use the same four rules from above, but I
wanted to both log AND drop the incoming packets, a "naive"
implementation might be something like this:

 iptables -A OUTPUT -p UDP -d $IP1 -j LOG --log-prefix 'MYDROP: ' --log-level notice
 iptables -A OUTPUT -p UDP -d $IP1 -j DROP
 iptables -A OUTPUT -p TCP -d $IP1 -j LOG --log-prefix 'MYDROP: ' --log-level notice
 iptables -A OUTPUT -p TCP -d $IP1 -j DROP
 iptables -A OUTPUT -p UDP -d $IP2 -j LOG --log-prefix 'MYDROP: ' --log-level notice
 iptables -A OUTPUT -p UDP -d $IP2 -j DROP
 iptables -A OUTPUT -p TCP -d $IP2 -j LOG --log-prefix 'MYDROP: ' --log-level notice
 iptables -A OUTPUT -p TCP -d $IP2 -j DROP

You could do the same thing in a much more compact fashion by creating
a custom chain called MYDROP:

 iptables -N MYDROP
 iptables -A MYDROP -j LOG --log-prefix 'MYDROP: ' --log-level notice
 iptables -A MYDROP -j DROP
 iptables -A OUTPUT -p UDP -d $IP1 -j MYDROP
 iptables -A OUTPUT -p TCP -d $IP1 -j MYDROP
 iptables -A OUTPUT -p UDP -d $IP2 -j MYDROP
 iptables -A OUTPUT -p TCP -d $IP2 -j MYDROP

In programming, it would be analogous to factoring duplicative code
into a common function. In this example, you really don't compress the
expression very much (7 lines versus 8 lines). If you imagine a
situation where MYDROP would contain 10 or 15 different actions,
you'll understand how powerful it can be.

-Ryan
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
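The custom-chain pattern from Ryan's reply, worked into a small generator script. This is an added example, not code from the thread or from the CentOS project: it emits the iptables commands to stdout rather than running them, so the rule set can be reviewed, diffed and tested without root, and then piped to `sh` on the firewall host. The chain name MYDROP and the log prefix follow the post; the `-m limit` rate limit on the LOG rule, the `is_ipv4` check (so that `-d` never gets a hostname, which iptables would resolve at insert time), and the function names are my additions and assumptions.

```shell
#!/bin/sh
# Added example: factor a "log then drop" action into one custom chain and
# have every (protocol, destination) rule on OUTPUT jump to it.
# Nothing here runs iptables; the functions print the commands.

CHAIN="MYDROP"   # assumed chain name, as in the mailing-list post

# Reject anything that is not a dotted-quad IPv4 literal. A hostname passed
# to -d is resolved when the rule is inserted, and a name that resolves to
# several addresses silently expands into several rules.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The shared action: one rate-limited LOG rule (so a flood of blocked
# packets cannot fill syslog) followed by the DROP. Defined once.
emit_chain() {
    printf 'iptables -N %s\n' "$CHAIN"
    printf 'iptables -A %s -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "%s: " --log-level notice\n' \
        "$CHAIN" "$CHAIN"
    printf 'iptables -A %s -j DROP\n' "$CHAIN"
}

# One jump per protocol per destination; the match space is spelled out
# across rules, the action lives in the chain.
emit_jumps() {
    for ip in "$@"; do
        if ! is_ipv4 "$ip"; then
            printf 'refusing non-literal destination: %s\n' "$ip" >&2
            return 1
        fi
        for proto in udp tcp; do
            printf 'iptables -A OUTPUT -p %s -d %s -j %s\n' "$proto" "$ip" "$CHAIN"
        done
    done
}

# Full rule set: chain definition first, then the jumps that reference it
# (a jump to an undefined chain is an error at insert time).
emit_rules() {
    emit_chain && emit_jumps "$@"
}

# Number of commands the rule set needs for the given destinations.
rule_count() {
    emit_rules "$@" | wc -l | tr -d ' '
}

# Usage (constructed sample destinations from RFC 5737 test space):
#   emit_rules 192.0.2.1 192.0.2.2 | sudo sh
```

With two destinations this produces the same seven commands as the compact version in the post; adding a destination costs two jump rules and no copies of the LOG/DROP pair, which is the whole point of the chain.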

