-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Manish Jain :
> Hi,
>
> I have a requirement as follows -
>
> Say there are 2 source IPs - src1 and src2, and 2 destination IPs - dst1, dst2.
> I need to limit src1->dst1 as well as src2->dst2 communication but want
> unlimited src2->dst1 communication.
> I have an ipset KNOWN, which contains src1, src2, dst1, dst2
>
> Now I write a rule as follows -
> iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s --hashlimit-mode srcip,dstip --hashlimit-name foo -m set --set KNOWN src,dst -j ACCEPT
>
> But this will limit the src2->dst1 communication as well, which I don't want.
>
> 1. Is there a way to add ip1,ip2 as a tuple in an ipset the way we can do for
> ip1%port?

Yes, look at the ipset manual to find the binding.

> 2. Is there a mode which can help me do this, using a single iptables rule as
> above?

Following maybe:

ipset -N from ipmap --network 192.168.0.0/24
ipset -A from src1
ipset -A from src2
ipset -N to ipmap --network 192.168.0.0/24
ipset -A to dst1
ipset -A to dst2
ipset -B from default -b to
iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s --hashlimit-mode srcip,dstip --hashlimit-name foo -m set --set from src,dst -j ACCEPT

> 3. Is there a way to specify multiple ipsets in 1 iptables rule?

I think one set with its bindings can do everything for you
~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFMyha7tZp58UCwyMRAhWDAJ9o8DdSFxcMDUbK8djcqtTF3Va7MACgsbU1
e5JKNYI/P62IGXKtVD3i7wY=
=mDXZ
-----END PGP SIGNATURE-----
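The following is an added example, not code from the thread above or from ipset/iptables themselves. It is a small Python model of the rule the thread discusses: an ipset `set` match (with the `ipset -B SET ELEM -b TARGET` bindings the reply points to) decides which (src, dst) pairs fall under the rule, and a hashlimit token bucket keyed on (srcip, dstip) decides whether a matching packet is still within 1000/s. It goes beyond the page in one respect: besides the flat KNOWN set from the question and the default binding from the reply, it also models one binding per source element, which is the general form of the mechanism. Assumptions, labelled in the code: the four addresses are constructed stand-ins for src1, src2, dst1, dst2; the binding lookup is modelled as "element binding, else default binding, else the same set" (the last being the behaviour the question describes for `--set KNOWN src,dst`); the bucket depth of 5 is iptables' default `--hashlimit-burst`.

```python
"""Added example: a packet-level model of an ipset 'set' match with bindings
feeding a hashlimit token bucket keyed on (srcip, dstip).  Not code from the
original post or from ipset/iptables; all addresses are constructed."""

SRC1, SRC2 = "192.168.0.1", "192.168.0.2"      # constructed stand-ins for src1, src2
DST1, DST2 = "192.168.0.11", "192.168.0.12"    # constructed stand-ins for dst1, dst2
OTHER = "192.168.0.99"                         # constructed host that is in no set


class BoundSet:
    """An ipset plus its bindings: per-element (ipset -B SET ELEM -b TARGET)
    and a default one (ipset -B SET default -b TARGET)."""

    def __init__(self, name, members):
        self.name = name
        self.members = set(members)
        self.bindings = {}   # element -> BoundSet
        self.default = None  # BoundSet or None

    def bind(self, element, target):
        self.bindings[element] = target
        return self

    def bind_default(self, target):
        self.default = target
        return self

    def match(self, first, second):
        """Model of `-m set --set NAME src,dst`: the first address must be a
        member; the second is tested against the set bound to that element,
        else the default binding, else (assumption) this same set, which is
        what the question observed for --set KNOWN src,dst."""
        if first not in self.members:
            return False
        target = self.bindings.get(first, self.default) or self
        return second in target.members


class HashLimit:
    """Token bucket per (srcip, dstip) key, like --hashlimit-mode srcip,dstip.
    `rate` is packets per second; `burst` is the bucket depth (5 is the
    iptables default for --hashlimit-burst)."""

    def __init__(self, rate, burst=5):
        self.rate, self.burst = float(rate), burst
        self.buckets = {}  # (src, dst) -> (tokens, last_seen)

    def allow(self, src, dst, now):
        tokens, last = self.buckets.get((src, dst), (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[(src, dst)] = (tokens - 1.0, now)
            return True
        self.buckets[(src, dst)] = (tokens, now)
        return False


def rule_accepts(set_match, limiter, src, dst, now):
    """One rule `-m set ... -m hashlimit ... -j ACCEPT`: True when this rule
    ACCEPTs the packet, False when it does not match (addresses outside the
    sets, or over the limit) and the packet falls through to later rules."""
    return set_match.match(src, dst) and limiter.allow(src, dst, now)


def known_set():
    """The question's setup: one flat set, no bindings."""
    return BoundSet("KNOWN", [SRC1, SRC2, DST1, DST2])


def default_binding_sets():
    """The reply's setup: 'from' bound by default to 'to'."""
    to = BoundSet("to", [DST1, DST2])
    return BoundSet("from", [SRC1, SRC2]).bind_default(to)


def per_element_binding_sets():
    """Generalisation: each source element bound to its own destination set."""
    frm = BoundSet("from", [SRC1, SRC2])
    frm.bind(SRC1, BoundSet("to1", [DST1]))
    frm.bind(SRC2, BoundSet("to2", [DST2]))
    return frm


def limited_pairs(set_match):
    """Which of the thread's (src, dst) pairs fall under the hashlimit."""
    pairs = [(SRC1, DST1), (SRC2, DST2), (SRC2, DST1), (SRC1, DST2)]
    return sorted(pair for pair in pairs if set_match.match(*pair))


if __name__ == "__main__":
    for build in (known_set, default_binding_sets, per_element_binding_sets):
        print(f"{build.__name__:26s} limits {limited_pairs(build())}")
    hl = HashLimit(1000)
    burst = [rule_accepts(per_element_binding_sets(), hl, SRC1, DST1, 0.0) for _ in range(6)]
    print("6 packets at t=0, src1->dst1:", burst)
```

Running it prints, for each setup, which pairs the rule rate-limits: with the flat KNOWN set and with the default binding, src2->dst1 is among them, which is the behaviour the question wanted to avoid; with one binding per source element only src1->dst1 and src2->dst2 are. The hashlimit part shows the burst of 5 being consumed at t=0 and the sixth packet falling through, with a separate bucket per (src, dst) pair.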