Message-ID: <fac47fca0910281232x71fbf92cva80095483d210db1@xxxxxxxxxxxxxx> On: Wed, 28 Oct 2009 20:32:14 +0100, Marcus Moeller <mail@xxxxxxxxxxxxxxxxx> wrote: > Hi all, > > is there a way to combine iptables parameters like: iptables > -A OUTPUT -p UDP & -p TCP -d $IP1 & -d $IP2 ? man iptables ... -p, --protocol [!] protocol The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted. -s, --source [!] address[/mask] Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1?s at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option. If both TCP and UDP are both to be blocked it may be inferred that no other protocol is desired to connect either, so simply not specifying any protocol will block all protocols including both TCP and UDP. If both are allowed then again there seems little purpose in blocking any others and again by not specifying any protocol you will obtain the desired result. If instead you do want to allow ICMP but nothing else then !icmp will match all protocols other than icmp. If IP1 and IP2 belong to a CIDR group and no intervening addresses are permitted access as well then a suitable netblock mask will archive the desired results. If not then each IP must be separately specified. So, something like this should work as a block for all protocols to either address: iptables -A OUTPUT -d $IP1 -j DROP iptables -A OUTPUT -d $IP2 -j DROP -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB@xxxxxxxxxxxxx Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3 _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos