Re: combining iptables parameters




On Wednesday 28 October 2009 16:36, Marcus Moeller wrote:

>  Dear Ryan.
>
>  >> is there a way to combine iptables parameters like: iptables -A OUTPUT
>  >> -p UDP & -p TCP -d $IP1 & -d $IP2 ?
>  >
>  > Each of those parameters is called a "match", in IPTables-speak. You
>  > can specify multiple matches in one rule, but all matches are combined
>  > with an implicit logical AND. There is no way to get a logical OR
>  > amongst multiple matches in a single rule. If you want OR logic, you
>  > use multiple rules.
>  >
>  > So, your example could not work as single rule, because no single IP
>  > packet can be both TCP and UDP, and no single IP packet can have
>  > multiple destination IP addresses. IPTables tries to prevent you from
>  > creating nonsensical rules like that in most situations.
>  >
>  > You would have to specify the required match space across multiple
>  > rules, maybe something like this:
>  >
>  >  iptables -A OUTPUT -p UDP -d $IP1 -j DROP
>  >  iptables -A OUTPUT -p TCP -d $IP1 -j DROP
>  >  iptables -A OUTPUT -p UDP -d $IP2 -j DROP
>  >  iptables -A OUTPUT -p TCP -d $IP2 -j DROP
>
>  That's what I am doing atm. Thanks for the update.

Even simpler:

iptables -A OUTPUT -d $IP1 -j DROP
iptables -A OUTPUT -d $IP2 -j DROP

This will catch everything; it doesn't matter if it's UDP, TCP or ICMP.


-- 

Regards
Robert

Linux User #296285
http://counter.li.org
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
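As an added example (not posted by anyone in this thread), here is a small POSIX shell helper that turns the "OR across several rules" idea from the replies above into generated commands: one rule per destination/protocol combination, or one rule per destination with no -p at all, which is the protocol-agnostic form Robert suggests. It only prints the iptables commands rather than running them, so the output can be reviewed before being piped to sh. The addresses used in the sample call are constructed from the 192.0.2.0/24 documentation range and are not from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread.  iptables matches within one
# rule are ANDed, so an OR over destinations and protocols has to be spelled
# out as several rules.  These helpers emit those rules instead of executing
# them; pipe the output to sh once you have checked it.

# gen_drop_rules CHAIN PROTOS ADDRS
#   CHAIN  - chain to append to, e.g. OUTPUT
#   PROTOS - space-separated protocols (udp tcp ...), or "" for any protocol
#   ADDRS  - space-separated destination addresses or CIDR prefixes
gen_drop_rules() {
    chain=$1
    protos=$2
    addrs=$3
    for addr in $addrs; do
        if [ -z "$protos" ]; then
            # No -p at all: matches TCP, UDP, ICMP and every other protocol.
            printf 'iptables -A %s -d %s -j DROP\n' "$chain" "$addr"
        else
            # One rule per protocol; the set of rules is the OR.
            for proto in $protos; do
                printf 'iptables -A %s -p %s -d %s -j DROP\n' \
                    "$chain" "$proto" "$addr"
            done
        fi
    done
}

# count_rules CHAIN PROTOS ADDRS: how many rules the expansion needs.
count_rules() {
    gen_drop_rules "$@" | wc -l | tr -d ' '
}

# Sample usage with constructed addresses (TEST-NET-1, RFC 5737).
# Protocol-specific form, 2 protocols x 2 addresses = 4 rules:
gen_drop_rules OUTPUT 'udp tcp' '192.0.2.1 192.0.2.2'
# Protocol-agnostic form, 1 rule per address:
gen_drop_rules OUTPUT '' '192.0.2.1 192.0.2.2'
```

Because -A appends, these rules land at the end of the chain and any earlier ACCEPT rule for the same traffic still wins, so check the chain with iptables -L OUTPUT -n --line-numbers after loading them. If the list of destinations grows, a user-defined chain that several rules jump to, or an ipset, keeps the rule count manageable, but the AND-within-a-rule semantics described in the thread do not change.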

