Dan Malvin wrote: > I'd like to gain some understanding of an existing rule on my > firewall that is allowing only a specific range if IP addresses > outside. This rule was created by the previous network admin. > > The rule is: > -A FORWARD -s 10.1.1.0/255.255.255.192 -i eth2 -j ACCEPT > > I understand that the "/255.255.255.192" part of the above rule is > allowing only a specific range of IP addresses out to the Internet. > How is this rule working and how would I expand the range or create > an new range? 255.255.255.192 is a netmask. A match to the netmask is performed by performing a binary AND on the numbers you are comparing. For instance: 255.255.255.192 11111111 11111111 11111111 11000000 10.1.1.0 00000110 00000001 00000001 00000000 10.1.1.0 AND MASK 00000110 00000001 00000001 00000000 10.1.1.252 00000110 00000001 00000001 11111100 10.1.1.252 AND MASK 00000110 00000001 00000001 11000000 (THIS DOES NOT MATCH 10.1.1.0 AND MASK) 10.1.1.1 00000110 00000001 00000001 00000001 10.1.1.1 AND MASK 00000110 00000001 00000001 00000000 (THIS DOES MATCH 10.1.1.0 AND MASK) If you want to expand the range of IP addresses within this subnet, you can either change your netmask to include the greater range of hosts from within the network, or if the subnet doesn't span the full extent of the subnet size needed, you can setup a rule for a new netmask. For instance, if I have a network with 250 computers inside it, I would use a /24 (255.255.255.0) netmask to cover all those addresses. -A FORWARD -s 192.168.0.0/255.255.255.0 -i eth2 -j ACCEPT If later I want to add an additional 250 computers to my network, I could either expand my netmask to /23 (255.255.255.254) with new addresses starting with 192.168.1.0, or I could add a rule for the new subnet with a new rule -A FORWARD -s 192.168.1.0/255.255.255.0 -I eth3 -j ACCEPT Hope this isn't too above you. You 'really' need to pick up some basic networking books to learn about this if you plan to be in network administration for very long.
