On Wednesday 26 February 2003 01:23 am, William Olbrys wrote:
> is there a syntax to create a generic match for a range of ips
> instead of the whole thing?
>
> ex.: $IPTABLES -t filter -A FORWARD -s 10.1.2.0-10.1.5.255 -j ACCEPT
>
> i tried to do this and it gave me an error about not being able to
> find the host. is there a workaround?
>
> will olbrys

Using a mask value. You won't get that particular range into a single rule with a mask though. 10.1.2.0/21 or 10.1.2.0/255.255.248.0 will match 10.1.0.0 through 10.1.7.255, for example. Your simplest rules for an accurate match to the range you listed above are:

    $IPTABLES -A FORWARD -s 10.1.2.0/23 -j ACCEPT
    $IPTABLES -A FORWARD -s 10.1.4.0/23 -j ACCEPT

where the first will match 10.1.2.0-10.1.3.255 and the second will match 10.1.4.0-10.1.5.255.

Keep in mind that the mask used in an iptables rule doesn't have to have any real meaning outside the rule - it's not the subnet mask, just specifying which bits are fixed and which are variable to match the rule.

It's also handy sometimes to know that you can use non-contiguous bits in the mask: 10.1.1.1/255.255.0.1 is valid, and will match all odd numbers in the last octet, throughout the whole 10.1.x.y address range. (obviously this mask can't be expressed as an integer, and cannot be a valid subnet mask) You can accomplish really interesting things with this, like routing odd vs even DHCP-assigned IPs out different routes with the MARK target. (often closer to an even distribution than trying to split into 2 fixed ranges of IPs :^)

It can also be convenient for DROPping some broadcasts - 10.1.1.255/0.0.0.255 will match ANY address that ends in a 255.

j
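The arithmetic behind the reply above, as an added worked example that is not part of the original thread: an iptables `-s`/`-d` argument of the form address/mask matches a packet when `(packet & mask) == (rule_address & mask)`, with 1 bits in the mask fixed and 0 bits wild, which is why a dotted mask such as 255.255.0.1 works even though it has no prefix-length form. The script also does the general version of the split the reply works out by hand, turning any inclusive IPv4 range into the fewest CIDR rules. It is IPv4 only, uses only the standard `ipaddress` module, and the function names (`matches`, `contiguous_span`, `range_to_rules`) and the sample addresses are assumptions made for this example.

```python
"""Added example (not from the original mailing-list post): iptables address/mask
match semantics, including non-contiguous masks, plus range-to-CIDR splitting.
IPv4 only; all addresses below are constructed sample data."""
import ipaddress
from typing import List, Tuple

ALL_ONES = 0xFFFFFFFF


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_mask(mask: str) -> int:
    """Accept a prefix length ("21" or "/21") or a dotted mask ("255.255.0.1").
    Only the dotted form can express non-contiguous bits."""
    if "." in mask:
        return _to_int(mask)
    bits = int(mask.lstrip("/"))
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length {mask}")
    return (ALL_ONES << (32 - bits)) & ALL_ONES


def is_prefix_mask(mask: str) -> bool:
    """True when the mask is 1...10...0, i.e. expressible as a prefix length.
    For such a mask the inverted value is 0...01...1, so inv & (inv + 1) == 0."""
    inv = (~parse_mask(mask)) & ALL_ONES
    return inv & (inv + 1) == 0


def matches(rule_addr: str, mask: str, packet_addr: str) -> bool:
    """The iptables test: mask both sides and compare. Bits that are 1 in the
    mask must agree; bits that are 0 are wildcards."""
    m = parse_mask(mask)
    return (_to_int(packet_addr) & m) == (_to_int(rule_addr) & m)


def contiguous_span(rule_addr: str, mask: str) -> Tuple[str, str]:
    """Lowest and highest address a prefix-mask rule matches. The rule address
    is itself masked first, which is why 10.1.2.0/21 really means 10.1.0.0/21.
    A non-contiguous mask has no single span, so it is rejected."""
    if not is_prefix_mask(mask):
        raise ValueError(f"{mask} is not a contiguous prefix mask")
    m = parse_mask(mask)
    base = _to_int(rule_addr) & m
    low = ipaddress.IPv4Address(base)
    high = ipaddress.IPv4Address(base | (~m & ALL_ONES))
    return str(low), str(high)


def range_to_rules(first: str, last: str,
                   chain: str = "FORWARD", target: str = "ACCEPT") -> List[str]:
    """Split an inclusive range into the minimal set of CIDR blocks and emit one
    rule per block. For 10.1.2.0-10.1.5.255 this yields the two /23s from the reply."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                             ipaddress.IPv4Address(last))
    return [f"$IPTABLES -A {chain} -s {net.with_prefixlen} -j {target}" for net in nets]


if __name__ == "__main__":
    print("10.1.2.0/21 spans", contiguous_span("10.1.2.0", "21"))
    for rule in range_to_rules("10.1.2.0", "10.1.5.255"):
        print(rule)
    odd = sum(matches("10.1.1.1", "255.255.0.1", f"10.1.9.{h}") for h in range(256))
    print("odd last octets in 10.1.9.0/24:", odd)
    print("192.168.7.255 hits 10.1.1.255/0.0.0.255:",
          matches("10.1.1.255", "0.0.0.255", "192.168.7.255"))
```

Two practical notes on the same point: because iptables masks the rule address before storing it, `iptables -S` lists a rule entered as 10.1.2.0/21 as 10.1.0.0/21, so the span printed by `contiguous_span` is what you will actually see; and current iptables builds also carry the `iprange` match (`-m iprange --src-range 10.1.2.0-10.1.5.255`) for the one-rule case the original question asked about, though the mask form remains the only way to express the odd/even and x.x.x.255 matches the reply describes.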