On 10.08.2009 10:48, Pascal Hambourg wrote:
>> iptables -A OUTPUT -d 10.10.97.1/255.255.255.253 -m iprange --dst-range
>> 10.10.97.1-10.10.97.7 -j REJECT
>>
>> this should match on 10.10.97.1,3,5,7 but matches only 1 and 3
>
> 253 is binary 11111101, so this is the expected behaviour.
> BTW, what is the use of iprange in this rule?

The rule is mainly a copy n paste from
http://jengelh.medozas.de/documents/Perfect_Ruleset.pdf
page 7 (just changing the input to output direction)

to get the desired/described behaviour one should set this mask:
255.255.255.1

the line
-A INPUT -s 10.10.97.1/255.255.255.253
should be changed to
-A INPUT -s 10.10.97.1/255.255.255.1

Jan, would you correct this in the paper (if you agree with my
correction of the mask)

thanks
Christoph A.
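The mask arithmetic discussed in this message, as an added example (not code from the thread or from the cited paper): it applies the address/mask comparison iptables uses for -s/-d, where only the bits set in the mask are compared, and intersects it with the iprange bounds. The function names are hypothetical, and the 10.10.97.0/24 scope used for the mask-only count is an assumption chosen for illustration.

```python
import ipaddress


def ip(s):
    """Dotted quad (address or mask) -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))


def mask_match(addr, base, mask):
    """iptables -s/-d base/mask semantics: compare only the bits set in mask.
    Works for non-contiguous masks such as 255.255.255.253."""
    return (addr & mask) == (base & mask)


def matched(base, mask, first, last):
    """Addresses inside the iprange [first, last] that also pass base/mask."""
    b, m = ip(base), ip(mask)
    return [str(ipaddress.IPv4Address(a))
            for a in range(ip(first), ip(last) + 1)
            if mask_match(a, b, m)]


def mask_only_count(base, mask, cidr):
    """Number of addresses in cidr that pass base/mask with no iprange applied."""
    b, m = ip(base), ip(mask)
    return sum(mask_match(int(a), b, m) for a in ipaddress.ip_network(cidr))


if __name__ == "__main__":
    # Both masks from the message, checked against the same base and range.
    for mask in ("255.255.255.253", "255.255.255.1"):
        hits = matched("10.10.97.1", mask, "10.10.97.1", "10.10.97.7")
        alone = mask_only_count("10.10.97.1", mask, "10.10.97.0/24")
        print(f"{mask:>16}  in range: {hits}  mask alone in /24: {alone}")
```

The second column answers the iprange question in the quoted reply: it shows how many addresses each mask admits in the /24 when nothing else narrows the rule.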