On Wednesday 27 August 2003 3:44 pm, Masiero Giorgio, PD wrote:
> Is it possible to use objects like Checkpoint Groups (that is a set of
> hosts and/or networks) in an Iptables rule?

You can achieve a 'groups' functionality by defining new tables, e.g.

$IPTABLES -N UNIXSERVERS
$IPTABLES -N WINSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.44 -j UNIXSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.45 -j UNIXSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.46 -j UNIXSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.54 -j WINSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.55 -j WINSERVERS
$IPTABLES -A FORWARD -p tcp -d 11.22.33.56 -j WINSERVERS

Now any traffic for the UNIX servers with IP addresses 44, 45, 46 will go to
the UNIXSERVERS table, and likewise any traffic for the Windows servers with
IPs 54, 55, 56 will go to the WINSERVERS table.

You can now apply 'group policy' by doing

$IPTABLES -A WINSERVERS -p tcp --dport 135:139 -j DROP
$IPTABLES -A WINSERVERS -p tcp --dport 445 -j DROP
$IPTABLES -A UNIXSERVERS -p tcp --dport 5900 -j DROP

etc.

Cheers,
Gavin.
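The pattern Gavin describes (one user-defined chain per group, created with -N, one FORWARD jump per member address, then the policy rules inside the chain) generalised into a small rule generator, as an added example that is not from the original thread. It only prints the iptables commands rather than applying them, so the generated rule set can be reviewed before loading; the function names, the IPTABLES variable and the optional protocol argument on the jump rule are my own assumptions. Note that the jump in the reply matches -p tcp, so only TCP ever reaches the group chain; the generator leaves the jump protocol-agnostic by default so that any per-protocol policy added to the chain later actually sees traffic.

```sh
#!/bin/sh
# Generate iptables commands that emulate a "group" of hosts as a
# user-defined chain: one chain per group, one FORWARD jump per member,
# then the group's policy rules inside the chain.  Nothing is applied;
# the commands are printed for review.  (Constructed example.)

IPTABLES="${IPTABLES:-iptables}"

# gen_group CHAIN "addr1 addr2 ..." [PROTO]
#   Prints the chain creation plus one FORWARD jump per member address.
#   If PROTO is given the jump only diverts that protocol (as the
#   original reply does with tcp); otherwise every protocol is diverted.
gen_group() {
    chain=$1
    members=$2
    proto=${3:-}
    printf '%s -N %s\n' "$IPTABLES" "$chain"
    for addr in $members; do
        if [ -n "$proto" ]; then
            printf '%s -A FORWARD -p %s -d %s -j %s\n' \
                "$IPTABLES" "$proto" "$addr" "$chain"
        else
            printf '%s -A FORWARD -d %s -j %s\n' "$IPTABLES" "$addr" "$chain"
        fi
    done
}

# gen_policy CHAIN PROTO "port1 port2:port3 ..."
#   Prints one DROP rule per port (or port range) inside the group chain,
#   so the policy applies to every member of the group at once.
gen_policy() {
    chain=$1
    proto=$2
    ports=$3
    for p in $ports; do
        printf '%s -A %s -p %s --dport %s -j DROP\n' \
            "$IPTABLES" "$chain" "$proto" "$p"
    done
}

# Reproduce the two groups and policies from the reply above.
gen_group  UNIXSERVERS "11.22.33.44 11.22.33.45 11.22.33.46"
gen_group  WINSERVERS  "11.22.33.54 11.22.33.55 11.22.33.56"
gen_policy WINSERVERS  tcp "135:139 445"
gen_policy UNIXSERVERS tcp "5900"
```

Pipe the output through `sh` once it has been reviewed, or redirect it to a file that your firewall script sources.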