combining iptables parameters




Message-ID:
<fac47fca0910281232x71fbf92cva80095483d210db1@xxxxxxxxxxxxxx>

On: Wed, 28 Oct 2009 20:32:14 +0100, Marcus Moeller
<mail@xxxxxxxxxxxxxxxxx> wrote:

> Hi all,
>
> is there a way to combine iptables parameters like: iptables
> -A OUTPUT -p UDP & -p TCP -d $IP1 & -d $IP2 ?


man iptables
...

       -p, --protocol [!] protocol
              The  protocol of the rule or of the packet to check.
              The specified protocol can be one of tcp, udp, icmp,
              or all, or it can be a  numeric  value, representing
              one of these protocols or a different  one.   A
              protocol  name  from  /etc/protocols  is  also
              allowed.   A  "!" argument before the protocol
              inverts the test. The number zero is equivalent to
              all.  Protocol all  will  match with  all  protocols
              and is taken as default when this option is omitted.

       -s, --source [!] address[/mask]
              Source specification.  Address can be either a network
              name,  a hostname  (please  note  that specifying any
              name to be resolved with a remote query such as DNS
              is a really bad idea), a network IP address (with
              /mask), or a plain IP address.  The mask can be
              either a network mask or a plain number, specifying
              the  number of 1's at the left side of the network
              mask.  Thus, a mask of 24 is equivalent to
              255.255.255.0.   A  "!"  argument  before  the
              address specification inverts the sense of the
              address. The flag --src is an alias for this option.

If both TCP and UDP are to be blocked it may be inferred that
no other protocol is desired to connect either, so simply not
specifying any protocol will block all protocols including both TCP
and UDP.  If both are allowed then again there seems little purpose
in blocking any others and again by not specifying any protocol you
will obtain the desired result.  If instead you do want to allow
ICMP but nothing else then !icmp will match all protocols other than
icmp.

If IP1 and IP2 belong to a CIDR group and no intervening addresses
are permitted access as well then a suitable netblock mask will
achieve the desired results.  If not then each IP must be separately
specified.

So, something like this should work as a block for all protocols to
either address:

iptables -A OUTPUT -d $IP1 -j DROP
iptables -A OUTPUT -d $IP2 -j DROP

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
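As an added example (not part of the thread), the reply's netblock-or-separate-rules decision worked in POSIX shell: it finds the smallest prefix covering two addresses and only emits a single /mask rule when that prefix holds no third address. The helper names are hypothetical and the sample addresses are constructed stand-ins for the poster's $IP1 and $IP2.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether two IPv4 targets can
# share one iptables rule through a /mask (the reply's "suitable netblock
# mask") or need one rule each. Helper names are hypothetical; no -p is
# given, so the rules match all protocols, as the reply explains.

# Dotted quad -> 32-bit integer.
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Length of the longest common prefix of two addresses (0..32).
common_prefix() {
    x=$(( $(ip2int "$1") ^ $(ip2int "$2") ))
    len=32
    while [ "$x" -ne 0 ]; do
        x=$(( x >> 1 ))
        len=$(( len - 1 ))
    done
    echo "$len"
}

# Print OUTPUT rules that DROP traffic to both addresses. One netblock rule
# is only correct when the covering prefix contains no third address, i.e.
# /31 (an aligned pair) or /32 (same host). Anything wider would also drop
# intervening addresses, so in that case emit one rule per IP instead.
drop_rules() {
    len=$(common_prefix "$1" "$2")
    if [ "$len" -ge 31 ]; then
        shift_by=$(( 32 - len ))
        base=$(( ($(ip2int "$1") >> shift_by) << shift_by ))
        echo "iptables -A OUTPUT -d $(int2ip "$base")/$len -j DROP"
    else
        echo "iptables -A OUTPUT -d $1 -j DROP"
        echo "iptables -A OUTPUT -d $2 -j DROP"
    fi
}

# Constructed sample addresses standing in for the poster's $IP1 and $IP2.
drop_rules 10.0.0.4 10.0.0.5   # aligned pair: a single /31 rule suffices
drop_rules 10.0.0.4 10.0.0.6   # a /30 would also cover .5 and .7: two rules
```

The script only prints the rules; review the output before feeding it to a root shell so a too-wide mask never silently drops addresses you did not intend.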

