On Wed 17/12/2003 at 09:25, Knight, Steve wrote:
> Just a quick one - I use $DMZPORTS to define the ports I wish to be allowed
> inbound on the forward chain - can I use
> ! -m multiport --dports $DMZPORTS
> to mean "any port that isn't specified by $DMZPORTS"?

Match is called "mport", not "multiport". So you call it using:

-m mport [...]

The syntax you show is not good. You would have to write:

-m mport ! --dports $DMZPORTS

Even though, mport help does not mention inversion:

cbr@elendil:~$ iptables -m mport --help
[...]
mport v1.2.8 options:
 --source-ports port[,port:port,port...]
 --sports ...
                                match source port(s)
 --destination-ports port[,port:port,port...]
 --dports ...
                                match destination port(s)
 --ports port[,port:port,port]
                                match both source and destination port(s)

So it seems that inversion is not available. If you try to invert, it will
not appear afterwards:

cbr@elendil:~$ sudo iptables -A INPUT -p tcp -m mport \
  ! --dports 22,23 -j ACCEPT
cbr@elendil:~$ sudo iptables -L INPUT -vn
Chain INPUT (policy ACCEPT 16456 packets, 13M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           mport dports 22,23

So I guess inverting mport is not possible.

By the way, you can get it using a user chain:

iptables -N invert
iptables -A invert -p tcp -m mport --dports 22,23 -j RETURN
iptables -A INPUT -p tcp -j invert

Now you'll have all TCP packets that do not match TCP 22 and 23 as
destination port in the invert chain.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
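The user-chain trick above, written out as a complete script (an added example, not part of the original mail or the netfilter project): a RETURN for the allowed ports, followed by the rules that only traffic to other ports ever reaches. The function name, the "invert" chain name, the DMZPORTS sample list and the log/drop action are assumptions; the hook chain is a parameter so the same chain can be attached to FORWARD, as in the original question, or to INPUT, as in the reply. Run with IPTABLES=echo to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example (not from the original mail): build an "invert" user chain so
# that TCP traffic to any destination port NOT listed in DMZPORTS is logged
# and dropped. Chain name, port list and action are assumptions.
# Run with IPTABLES=echo to print the commands instead of applying them.

IPTABLES="${IPTABLES:-iptables}"
DMZPORTS="${DMZPORTS:-22,25,80,443}"   # constructed sample port list

build_invert_chain() {
    # $1 = chain to hook into (e.g. FORWARD or INPUT)
    # $2 = comma-separated destination ports that are allowed through
    hook="$1"
    ports="$2"

    # Fresh user chain; ignore "chain already exists" on a re-run, then flush it
    "$IPTABLES" -N invert 2>/dev/null || true
    "$IPTABLES" -F invert

    # Packets whose dport IS in the list leave the chain immediately ...
    "$IPTABLES" -A invert -p tcp -m mport --dports "$ports" -j RETURN
    # ... so every rule below only ever sees ports NOT in the list.
    "$IPTABLES" -A invert -p tcp -m limit --limit 5/min -j LOG \
        --log-prefix "non-dmz-port: "
    "$IPTABLES" -A invert -p tcp -j DROP

    # Send all TCP on the hook chain through the inverting chain
    "$IPTABLES" -A "$hook" -p tcp -j invert
}

# Apply only when explicitly asked: sh invert.sh apply
if [ "${1:-}" = "apply" ]; then
    build_invert_chain FORWARD "$DMZPORTS"
fi
```

Because the RETURN comes first, the ordering is what makes the inversion work: anything that reaches the LOG and DROP rules is by construction a TCP packet whose destination port is outside the list, which is exactly the "any port that isn't specified by $DMZPORTS" the question asked for.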