Hello All,

From my router's point of view the internet is divided into 3 zones:

1) MYNET="10.20.0.0/16"
2) FRIENDNET="10.21.0.0/16 10.22.0.0/16 10.23.0.3 10.24.0.4"
3) all other networks and IPs

As you can see $FRIENDNET contains not just NETs, but IPs too. I can't use one IPSET set, so I decided not to use IPSET functionality and wait for some "union" types in IPSET in future releases [http://lists.netfilter.org/pipermail/netfilter/2006-March/065103.html].

Problem is that manipulation with $FRIENDNET in the form:

---%<-----------------------------------
for net in $FRIENDNET
do
    iptables -A (FORWARD|INPUT) (-s|-d) $net [...]
done
---%<-----------------------------------

is not elegant when you need to grant/drop access to many resources/services/etc. netfilter will be cluttered up with identical rules... So I want to find an elegant solution for this situation :))

My current approach is:

---%<-----------------------------------
# chain that ACCEPTs packets coming from any friend address, else returns
iptables -N FRIENDNET_IN_ACCEPT
iptables -F FRIENDNET_IN_ACCEPT
for net in $FRIENDNET
do
    iptables -A FRIENDNET_IN_ACCEPT -s $net -j ACCEPT
done

# chain that ACCEPTs packets going to any friend address, else returns
iptables -N FRIENDNET_OUT_ACCEPT
iptables -F FRIENDNET_OUT_ACCEPT
for net in $FRIENDNET
do
    iptables -A FRIENDNET_OUT_ACCEPT -d $net -j ACCEPT
done

# grant access to some service
iptables -p tcp -A INPUT -s $MYNET --dport some-service -j ACCEPT
iptables -p tcp -A INPUT --dport some-service -j FRIENDNET_IN_ACCEPT
iptables -p tcp -A INPUT --dport some-service -j DROP

# forward from my net to friends net and vice versa
iptables -P FORWARD DROP
iptables -A FORWARD -d $MYNET -j FRIENDNET_IN_ACCEPT
iptables -A FORWARD -s $MYNET -j FRIENDNET_OUT_ACCEPT
---%<-----------------------------------

Maybe you know a more elegant solution?

-- 
Biomechanica Artificial Sabotage Humanoid
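One way to keep the "define the friend set once, reference it everywhere" idea of the post while avoiding a long series of individual iptables invocations is to generate the whole ruleset in iptables-restore format from a shell function. The script below is an added example, not code from the original poster: it uses the MYNET and FRIENDNET values from the post, takes a TCP port as a stand-in for "some-service" (port 22 in the usage line is only a placeholder), and prints the ruleset to stdout instead of applying it, so it can be reviewed or checked with `iptables-restore --test` before touching the live firewall. The match chains keep the post's semantics: a packet from/to a friend address is ACCEPTed, anything else falls back to the calling chain, where the following DROP rule rejects it.

```shell
#!/bin/sh
# Added example (not from the original post): build reusable "friend" chains
# once and emit a complete iptables-restore ruleset that references them.
# Address values are the ones from the post; the port is a caller-supplied
# placeholder for the post's "some-service".

MYNET="10.20.0.0/16"
FRIENDNET="10.21.0.0/16 10.22.0.0/16 10.23.0.3 10.24.0.4"

# Print the filter table in iptables-restore syntax for the given TCP port.
# iptables-restore requires every chain to be declared before the rules,
# so the custom chains are declared in the header with policy "-".
gen_ruleset() {
    port="$1"
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD DROP [0:0]'          # default-deny forwarding, as in the post
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':FRIENDNET_IN_ACCEPT - [0:0]'
    echo ':FRIENDNET_OUT_ACCEPT - [0:0]'

    # One ACCEPT per friend entry in each direction; a non-matching packet
    # reaches the end of the chain and returns to the caller.
    for net in $FRIENDNET; do
        echo "-A FRIENDNET_IN_ACCEPT -s $net -j ACCEPT"
        echo "-A FRIENDNET_OUT_ACCEPT -d $net -j ACCEPT"
    done

    # Service exposed to MYNET and FRIENDNET only; everything else is dropped.
    echo "-A INPUT -p tcp -s $MYNET --dport $port -j ACCEPT"
    echo "-A INPUT -p tcp --dport $port -j FRIENDNET_IN_ACCEPT"
    echo "-A INPUT -p tcp --dport $port -j DROP"

    # Forwarding between MYNET and the friend set in both directions.
    echo "-A FORWARD -d $MYNET -j FRIENDNET_IN_ACCEPT"
    echo "-A FORWARD -s $MYNET -j FRIENDNET_OUT_ACCEPT"
    echo 'COMMIT'
}

# Usage: ./friendnet.sh print 22 | iptables-restore --test
case "${1:-}" in
    print) gen_ruleset "${2:-22}" ;;
esac
```

Because the output is a single restore file, the ruleset is loaded atomically (no window where only half the chains exist), and regenerating it after editing FRIENDNET replaces every rule that depends on the set in one step rather than hunting for identical rules across chains.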