Re: Large number of repeated rules with only differing -s ipaddrs/cidrs

Hello,

* Feizhou <feizhou@xxxxxxxxxxxxx> 19. Apr 04:
> I have a whole bunch of ips/cidrs that I want to apply the rule to.

First match the general part of the rule and jump into a user defined
chain to match the specific IPs.  E.g.:

# iptables -N http_hosts
# iptables -A FORWARD -j http_hosts -p tcp --sport 1024:65535 --dport 80
# iptables -A http_hosts -j ACCEPT -s $ip1
# iptables -A http_hosts -j ACCEPT -s $ip2
# # [some more here]
# iptables -A http_hosts -j LOG --log-prefix='forbidden http: '
# iptables -A http_hosts -j REJECT

> Is there any way to insert one rule where the -s would be able to look 
> up a table (btree/hash/cdb whatever) that contains those ips/cidrs 
> instead of insert gazillion rules?

AFAIK, not as built in, unfortunately.  You can simulate something like
a btree (well, it's not balanced) with user defined chains, too.  E.g.
if you have to match IPs in 192.168.0.0/24 you could 

# iptables -F http_hosts
# iptables -N http_hosts_l
# iptables -N http_hosts_h
# iptables -A http_hosts         -s 192.168.0.0/25   -j http_hosts_l
# iptables -A http_hosts         -s 192.168.0.128/25 -j http_hosts_h
# iptables -A http_hosts -j REJECT
# iptables -N http_hosts_ll
# iptables -N http_hosts_lh
# iptables -A http_hosts_l       -s 192.168.0.0/26   -j http_hosts_ll
# iptables -A http_hosts_l       -s 192.168.0.64/26  -j http_hosts_lh
# iptables -N http_hosts_hl
# iptables -N http_hosts_hh
# iptables -A http_hosts_h       -s 192.168.0.128/26 -j http_hosts_hl
# iptables -A http_hosts_h       -s 192.168.0.192/26 -j http_hosts_hh
# # [and so on]

At some point you will reach a rule like

# iptables -A http_hosts_lhlhhlh -s 192.168.0.90/32  -j ACCEPT
# iptables -A http_hosts_lhlhhlh -s 192.168.0.91/32  -j REJECT

(Of course the /32 is quite superfluous.) AFAICS you will surely hit an
ACCEPT or REJECT after (at most) 16 (?) tests for all (256) IPs in the
subnet.  For /16-subnets (65536 IPs) the same scheme would hit after 48
tests.  Of course you can leave out chains like

# iptables -A http_hosts_lhlhhlh -s 192.168.0.90/32  -j REJECT
# iptables -A http_hosts_lhlhhlh -s 192.168.0.91/32  -j REJECT

and reduce them to 

# iptables -A http_hosts_lhlhhl  -s 192.168.0.90/31  -j REJECT

Maybe you (or I) can write a script generating these rules.  Uh, this
looks funny.  Any comments on this?

 Regards, Frank.
-- 
Sigmentation fault
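A generator for the chain tree sketched in the post above, added here as an illustration and not part of Frank's message or of iptables itself. It follows the post's naming (base chain plus an l/h path per halving) but, as an assumption of its own, only emits ACCEPT leaves and lets everything else fall back to the REJECT at the end of the base chain, and it places a half that is wholly accepted or wholly absent directly in the parent chain instead of creating a chain for it; the input networks are constructed sample values.

```python
import ipaddress


def _classify(net, accepted):
    """'all' if net lies inside an accepted network, 'none' if it overlaps
    no accepted network, otherwise 'mixed' (needs further splitting)."""
    if any(net.subnet_of(a) for a in accepted):
        return "all"
    if not any(net.overlaps(a) for a in accepted):
        return "none"
    return "mixed"


def gen_rules(base, root, accepted_cidrs):
    """Return the iptables commands building a binary tree of user-defined
    chains under `base` that ACCEPTs exactly the addresses of `root` that
    fall into `accepted_cidrs` and REJECTs the rest."""
    root = ipaddress.ip_network(root)
    accepted = [ipaddress.ip_network(c) for c in accepted_cidrs]
    cmds = [f"iptables -N {base}"]

    def walk(path, net):
        chain = base if path == "" else f"{base}_{path}"
        # Split net into its lower ('l') and upper ('h') half.
        for suffix, half in zip("lh", net.subnets(prefixlen_diff=1)):
            kind = _classify(half, accepted)
            if kind == "all":
                cmds.append(f"iptables -A {chain} -s {half} -j ACCEPT")
            elif kind == "mixed":
                child = f"{base}_{path}{suffix}"
                cmds.append(f"iptables -N {child}")  # create before jumping
                cmds.append(f"iptables -A {chain} -s {half} -j {child}")
                walk(path + suffix, half)
            # 'none': no rule; an unmatched packet returns from the child
            # chain and finally hits the REJECT at the end of `base`.

    kind = _classify(root, accepted)
    if kind == "all":
        cmds.append(f"iptables -A {base} -j ACCEPT")
    elif kind == "mixed":
        walk("", root)
    cmds.append(f"iptables -A {base} -j REJECT")
    return cmds


if __name__ == "__main__":
    # Constructed sample: accept the first /26 plus the single host .90.
    for cmd in gen_rules("http_hosts", "192.168.0.0/24",
                         ["192.168.0.0/26", "192.168.0.90/32"]):
        print(cmd)
```

For the sample input the host 192.168.0.90 ends up in chain http_hosts_lhlhhlh, the same name the post arrives at, since the l/h path spells out the address bits below the /24.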