On Sun, 15 Oct 2006, Manish Jain wrote:

> Say there are 2 source IPs - src1 and src2, and 2 destination IPs - dst1,
> dst2.
> I need to limit src1->dst1 as well as src2->dst2 communication but want
> unlimited src2->dst1 communication.
> I have an ipset KNOWN, which contains src1, src2, dst1, dst2

What type of set is it?

> Now I write a rule as follows -
> iptables -A INPUT_CHAIN --match hashlimit --hashlimit 1000/s
> --hashlimit-mode srcipdstip --hashlimit-name foo -m set --set KNOWN
> src,dst -j ACCEPT
>
> But this will limit the src2->dst1 communication as well, which I don't want.
>
> 1. Is there a way to add ip1,ip2 as a tuple in an ipset the way we can do for
> ip1%port?

No, such type of set currently does not exist.

> 2. Is there a mode which can help me do this, using a single iptable rule as
> above?

I don't think so.

> 3. Is there a way to specify multiple ipsets in 1 iptable rule?

Yes, you can specify as many same kind matches as you want, but please keep
in mind that the matches are AND-ed.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
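An added example, not from this thread, of the multi-set approach Jozsef points at: since the two `-m set` matches in one rule are AND-ed, one rule per source-group/destination-group pair limits only traffic inside that pair, with hashlimit keyed on the srcip,dstip tuple. Addresses, set names, the chain and the rate are assumed placeholders, and the syntax is that of current ipset (hash:ip, --match-set) rather than the 2006 one.

```shell
#!/bin/sh
# Added example, not from the thread: rate-limit group A sources to group A
# destinations and group B sources to group B destinations, leaving cross
# traffic (A sources to B destinations, and vice versa) unlimited. ipset has
# no (ip,ip) tuple set, so each group gets its own rule; the two "-m set"
# matches in one rule are AND-ed (source in the SRC set AND destination in
# the DST set), and hashlimit keys its buckets on the (srcip,dstip) pair.
# Addresses, set names, chain and rate are illustrative placeholders; the
# syntax is that of ipset 6 and current iptables (--match-set, hash:ip).
A_SRC="192.0.2.10 192.0.2.11"; A_DST="198.51.100.10"
B_SRC="192.0.2.20";            B_DST="198.51.100.20 198.51.100.21"
CHAIN=INPUT_CHAIN; RATE=1000/s

# Print the commands that build the sets and the per-group limiting rules.
emit_rules() {
    for g in A B; do
        eval "src=\$${g}_SRC; dst=\$${g}_DST"
        echo "ipset create ${g}_SRC hash:ip"
        for ip in $src; do echo "ipset add ${g}_SRC $ip"; done
        echo "ipset create ${g}_DST hash:ip"
        for ip in $dst; do echo "ipset add ${g}_DST $ip"; done
        # Both set matches must hold (AND), so A sources talking to B
        # destinations never reach this hashlimit. Packets within the rate
        # are accepted; the DROP that follows makes the limit effective.
        echo "iptables -A $CHAIN -m set --match-set ${g}_SRC src" \
             "-m set --match-set ${g}_DST dst" \
             "-m hashlimit --hashlimit-upto $RATE --hashlimit-mode srcip,dstip" \
             "--hashlimit-name limit_$g -j ACCEPT"
        echo "iptables -A $CHAIN -m set --match-set ${g}_SRC src" \
             "-m set --match-set ${g}_DST dst -j DROP"
    done
}

# in_set IP "ip ip ..." : membership test for a whitespace-separated set.
in_set() { for m in $2; do [ "$1" = "$m" ] && return 0; done; return 1; }

# Model of the AND-ed matches: pair_limited SRC DST succeeds when a
# SRC->DST packet would hit one of the hashlimit rules above.
pair_limited() {
    for g in A B; do
        eval "src=\$${g}_SRC; dst=\$${g}_DST"
        in_set "$1" "$src" && in_set "$2" "$dst" && return 0
    done
    return 1
}

# Print the ruleset for review; pipe it into sh to apply (needs root).
emit_rules
```

Over-limit packets fall through the hashlimit ACCEPT to the DROP for the same pair; cross-group traffic matches neither rule and continues down the chain unlimited.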