Re: iprange match

rob0:

I understand very well what you are telling me ... I need the ability
to define ranges; the firewalls are over 1400 lines ... I don't want to lose
my time establishing individual rules for each IP or for w.x.y.z/mask
when maybe the source of the traffic (or the resource that is reached)
overlaps the defined addresses or range used to define the users
(accessors) or the boxes and the services running on those boxes, and
considering the changes in the firewall configurations because of
changes in the business.

I need flexibility ... this "fine" tool is a "required" tool for me :-(

Can you give me some light on how to solve this issue?

Again:

I'm using

fedora core 3
kernel 2.4.30
iptables 1.3.3

Best regards,

Jorge.
On Tue, 2005-10-11 at 15:06 -0500, /dev/rob0 wrote:
> > On Tue, 2005-10-11 at 13:51 -0500, /dev/rob0 wrote:
> > > Please don't top-post your replies. It makes it very difficult to
> > > follow, especially since the post you're replying to has not (yet?)
> > > reached the list.
> 
> > > On Tuesday 2005-October-11 13:36, Jorge I. Davila L. wrote:
> > > > iptables -A OUTPUT -p tcp -m iprange \
> > > > --src-range 192.168.223.1-192.168.223.2 \
> > > > -j ACCEPT
> > > >
> > > > iptables: No chain/target/match by that name
> > >
> > > I guess this means that your kernel lacks support for the iprange
> > > target. "CONFIG_IP_NF_MATCH_IPRANGE=m"
> > >
> > > This is at most a minor inconvenience. You can always use CIDR
> > > addressing and multiple rules. (I always try to keep logical breaks
> > > in network space on CIDR boundaries, to facilitate this.)
> 
> On Tuesday 2005-October-11 14:39, Jorge I. Davila L. wrote:
> > I need the iprange working because I don't want use a large set of
> > rules.
> 
> Are you not familiar with CIDR addressing?
> 
> The example you posted would only be two rules for individual IPs. I
> understand, that was only an example, but creative use of CIDR can do
> the job quite well. You can jump a CIDR block larger than your iprange
> to a special chain, and put exception rules with -j RETURN targets at
> the top.
> 
> And again, in designing your networks, it helps to think in hexadecimal 
> terms. In a class C (/24) I often use 128-191 as the DHCP range. That 
> would be x.x.x.128/26 in CIDR. I try to keep static IP ranges in blocks 
> of 8, 16 or 32 and grouped by purpose.
> 
> There's nothing wrong with -m iprange; it's a fine tool.  But I get
> along quite well without it.
-- 
Jorge Isaac Davila Lopez
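The two workarounds rob0 describes above (a minimal CIDR cover of the range, or a larger enclosing block jumped to a chain whose first rules are -j RETURN exceptions) are mechanical enough to generate rather than hand-write. The script below is an added example, not code from the thread or from the netfilter project; it uses only the Python standard library. The chain name RANGE_OK, the -p tcp / -j ACCEPT rule shape and the sample ranges are assumptions for illustration, copied from the shape of Jorge's original rule.

```python
"""Turn an arbitrary IPv4 range into iptables rules without -m iprange.

Added example (not from the mailing-list thread).  Two strategies:
  1. cidr_cover():  the minimal set of CIDR blocks that exactly covers
     start..end; one -s <block> rule per block.
  2. exception chain: the smallest single CIDR block that contains both
     ends of the range jumps to a dedicated chain; the addresses inside
     that block but outside the range get -j RETURN rules at the top,
     then one ACCEPT for everything that is left.
The chain name and rule shape are assumptions for illustration.
"""
import ipaddress


def cidr_cover(start, end):
    """Minimal list of CIDR blocks exactly covering start..end (inclusive)."""
    a = ipaddress.IPv4Address(start)
    b = ipaddress.IPv4Address(end)
    if a > b:
        raise ValueError("range start is after range end")
    return [str(n) for n in ipaddress.summarize_address_range(a, b)]


def enclosing_block(start, end):
    """Smallest CIDR block that contains both ends of the range."""
    a = ipaddress.IPv4Address(start)
    b = ipaddress.IPv4Address(end)
    net = ipaddress.IPv4Network(f"{a}/32")
    while b not in net:          # widen the prefix until both ends fit
        net = net.supernet()
    return net


def exceptions(start, end):
    """CIDR blocks inside enclosing_block() but outside start..end."""
    a = ipaddress.IPv4Address(start)
    b = ipaddress.IPv4Address(end)
    net = enclosing_block(start, end)
    out = []
    if net.network_address < a:  # addresses below the range
        out += ipaddress.summarize_address_range(net.network_address, a - 1)
    if b < net.broadcast_address:  # addresses above the range
        out += ipaddress.summarize_address_range(b + 1, net.broadcast_address)
    return [str(n) for n in out]


def rules_cidr(start, end, chain="OUTPUT", proto="tcp"):
    """Strategy 1: one rule per covering block."""
    return [f"iptables -A {chain} -p {proto} -s {c} -j ACCEPT"
            for c in cidr_cover(start, end)]


def rules_exception_chain(start, end, chain="OUTPUT", proto="tcp",
                          sub="RANGE_OK"):
    """Strategy 2: jump the enclosing block to a chain; RETURN the holes first."""
    net = enclosing_block(start, end)
    rules = [f"iptables -N {sub}"]
    # RETURN sends the packet back to the rule after the jump in `chain`,
    # so the holes are neither accepted nor dropped here.
    rules += [f"iptables -A {sub} -s {x} -j RETURN" for x in exceptions(start, end)]
    rules.append(f"iptables -A {sub} -j ACCEPT")
    rules.append(f"iptables -A {chain} -p {proto} -s {net} -j {sub}")
    return rules


def cheapest(start, end):
    """Return whichever strategy needs fewer rules for this range."""
    a, b = rules_cidr(start, end), rules_exception_chain(start, end)
    return a if len(a) <= len(b) else b


if __name__ == "__main__":
    # Constructed sample ranges.  The first is Jorge's original example; the
    # second nearly fills a /24, which is where the exception chain pays off.
    for rng in (("192.168.223.1", "192.168.223.2"),
                ("192.168.223.2", "192.168.223.254")):
        print(f"# {rng[0]}-{rng[1]}: cover={len(rules_cidr(*rng))} rules,"
              f" exception chain={len(rules_exception_chain(*rng))} rules")
        print("\n".join(cheapest(*rng)))
```

For the two-address range in the original post both strategies are trivial, but for 192.168.223.2-192.168.223.254 the exact cover needs 13 blocks while the exception chain needs only two RETURN rules (for .0/31 and .255/32) inside a /24, which is the point rob0 is making about keeping ranges near CIDR boundaries. Before replacing iprange this way it is also worth confirming that the match is actually missing rather than just not loaded: on a 2.4 kernel built with CONFIG_IP_NF_MATCH_IPRANGE=m the module is ipt_iprange, so a failed modprobe of that name (an extra check suggested here, not from the thread) is the quicker diagnosis.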
