On Tue, February 15, 2005 11:41 am, Carl Holtje said:

> All-
>
> Is there a way to define a rule to combine the following lines:
> -A INPUT -s xxx.xxx.xxx.xxx -d yyy.yyy.yyy.yyy -j DROP
> -A INPUT -s zzz.zzz.zzz.zzz -d yyy.yyy.yyy.yyy -j DROP
>
> ... something like
> -A INPUT -s xxx.xxx.xxx.xxx -s zzz.zzz.zzz.zzz -d yyy.yyy.yyy.yyy -j DROP
> or even
> -A INPUT -s xxx.xxx.xxx.xxx -s zzz.zzz.zzz.zzz -j DROP

Yes. But that requires an extension match. Quickly, I can think of 3:

o 'recent' match, part of the mainline kernel for a while now. You can add your
  `pool' of IPs via /proc.
  See http://www.snowman.net/projects/ipt_recent/

o 'pool' match. You need ippool(8) to feed your pool.

And finally, the best of all:

o 'set' match, which is part of the ultimate ipset 2.0 (the successor to the
  pool match).
  See http://people.netfilter.org/kadlec/ipset/

> which would match a packet from xxx.xxx.xxx.xxx OR zzz.zzz.zzz.zzz to
> yyy.yyy.yyy.yyy...
>
> Thanks!
>
> Carl

HTH,
Samuel

> --
>
> "There are 10 types of people in the world: Those who understand binary
> and those that don't."
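As an added illustration of the 'set' match approach recommended above (this is not code from the thread or from the ipset project), the script below generates an ipset pool of source addresses plus the single iptables rule that drops traffic from any member of that pool to one destination, replacing one "-s x -d y -j DROP" rule per source. It uses the current ipset 6.x / iptables syntax ("ipset create", "ipset add", "-m set --match-set"), which is not the ipset 2.0 syntax that existed in 2005. The set name, destination and source addresses are constructed sample values; the generator functions only print text, and nothing is applied to the live firewall unless APPLY=1 is set and the script runs as root with ipset and iptables installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: one ipset-backed DROP rule
# instead of N per-source rules. Syntax is modern ipset (>= 6) / iptables
# "-m set --match-set"; sample addresses below are constructed (RFC 5737 ranges).

SET_NAME="blocked_src"   # constructed set name
DST="192.0.2.10"         # constructed destination, stands in for yyy.yyy.yyy.yyy

# Emit an "ipset restore" script: one create line, then one add line per address.
# Usage: gen_ipset_restore NAME ADDR...
gen_ipset_restore() {
    name="$1"; shift
    printf 'create %s hash:ip family inet\n' "$name"
    for a in "$@"; do
        printf 'add %s %s\n' "$name" "$a"
    done
}

# Emit the single iptables rule that matches any source address in the set.
# Usage: gen_iptables_rule NAME DST
gen_iptables_rule() {
    printf '%s\n' "-A INPUT -m set --match-set $1 src -d $2 -j DROP"
}

# Apply the generated pool and rule to the running kernel. Guarded so that the
# script is harmless when run by a non-root user or without APPLY=1.
# Usage: apply_rules NAME DST ADDR...
apply_rules() {
    name="$1"; dst="$2"; shift 2
    [ "${APPLY:-0}" = 1 ] || return 0
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: need root" >&2; return 1; }
    command -v ipset >/dev/null 2>&1 && command -v iptables >/dev/null 2>&1 \
        || { echo "apply_rules: ipset/iptables not installed" >&2; return 1; }
    # -exist makes "create" of an existing set and re-"add" of a member non-fatal,
    # so the script can be re-run to extend the pool without tearing it down.
    gen_ipset_restore "$name" "$@" | ipset -exist restore
    # -C tests for the rule first so repeated runs do not append duplicates.
    iptables -C INPUT -m set --match-set "$name" src -d "$dst" -j DROP 2>/dev/null \
        || iptables -A INPUT -m set --match-set "$name" src -d "$dst" -j DROP
}

# Stand-alone run: show the generated pool and rule, then (optionally) apply them.
gen_ipset_restore "$SET_NAME" 198.51.100.7 203.0.113.22
gen_iptables_rule "$SET_NAME" "$DST"
apply_rules "$SET_NAME" "$DST" 198.51.100.7 203.0.113.22
```

Keeping the pool in a set rather than in the rule means the iptables rule never changes when addresses are added or removed; only the set membership does, which is cheaper to update and does not reorder the chain. Dropping the "-d" part gives the second form Carl asked for, a rule that drops the pool's traffic to any destination.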