On Mon, 16 Oct 2006, Retesh wrote:

> Can you let us know the way to AND 2 ipsets, with an example. It will
> be really useful.

Let's assume a bunch of servers (the IP addresses stored in the set
'servers') and a bunch of clients (the IP addresses stored in 'clients')
and one wants to allow any listed client to access any listed server:

iptables -A <chain> -m set --set clients src \
         -m set --set servers dst \
         -j ACCEPT

Or if you want to restrict the access to the given list of services on
the servers (port numbers are stored in 'services'), assuming the same
list of services on each server:

iptables -A <chain> -m set --set clients src \
         -m set --set servers dst \
         -m set --set services dst \
         -j ACCEPT

Or if the list of services is different on the servers, then one can
use an ipporthash type of set to store (server IP, service port) pairs
in 'server-service' and write:

iptables -A <chain> -m set --set clients src \
         -m set --set server-service dst,dst \
         -j ACCEPT

Hope it helps,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
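The three variants from the mail written out together with the set definitions they depend on, as an added example that is not part of Jozsef's message. It uses the current ipset syntax ('ipset create' / 'ipset add' with the hash:ip, bitmap:port and hash:ip,port types in place of iphash, portmap and ipporthash, and '--match-set' in place of the older '--set'). The set names are the ones from the mail; the client and server addresses, the ports and the FORWARD chain are assumed sample values. Without APPLY=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original mail. Emits (or, with APPLY=1,
# executes) the ipset definitions plus ONE of the three ANDed rule
# variants. Addresses, ports and the chain are assumed sample values.
set -eu

CHAIN="${CHAIN:-FORWARD}"          # the mail leaves <chain> open

# Sets the rules rely on. hash:ip,port entries are "IP,proto:port", so
# 'server-service' can carry a different port list for every server.
set_commands() {
    cat <<EOF
ipset create clients hash:ip
ipset add clients 10.0.0.5
ipset add clients 10.0.0.6
ipset create servers hash:ip
ipset add servers 192.168.1.10
ipset add servers 192.168.1.11
ipset create services bitmap:port range 1-1024
ipset add services 22
ipset add services 80
ipset create server-service hash:ip,port
ipset add server-service 192.168.1.10,tcp:80
ipset add server-service 192.168.1.11,tcp:22
EOF
}

# Variant 1: any listed client to any listed server (src AND dst).
rule_any_service() {
    echo "iptables -A $CHAIN -m set --match-set clients src" \
         "-m set --match-set servers dst -j ACCEPT"
}

# Variant 2: the same port list on every server (three sets ANDed).
rule_shared_services() {
    echo "iptables -A $CHAIN -m set --match-set clients src" \
         "-m set --match-set servers dst" \
         "-m set --match-set services dst -j ACCEPT"
}

# Variant 3: a (server, port) pair set; dst,dst binds the first flag to
# the IP half of the entry and the second to the port half.
rule_per_server_services() {
    echo "iptables -A $CHAIN -m set --match-set clients src" \
         "-m set --match-set server-service dst,dst -j ACCEPT"
}

# Select exactly one variant: loading variant 1 next to the others would
# shadow them, since it accepts every port on every listed server.
rules_for() {
    case "$1" in
        any)        rule_any_service ;;
        shared)     rule_shared_services ;;
        per-server) rule_per_server_services ;;
        *) echo "unknown variant: $1 (any|shared|per-server)" >&2; return 1 ;;
    esac
}

all_commands() {
    set_commands
    rules_for "${VARIANT:-per-server}"
}

# Print by default; APPLY=1 runs the commands (needs root, ipset, iptables).
if [ "${APPLY:-0}" = 1 ]; then
    all_commands | sh -e
else
    all_commands
fi
```

Pick the variant with VARIANT=any, VARIANT=shared or VARIANT=per-server (the default). Note that a hash:ip,port entry carries the protocol, so '192.168.1.10,tcp:80' does not let UDP traffic to port 80 through, whereas the bare port numbers in the bitmap:port set are matched for any port-carrying protocol unless the rule also restricts it with -p.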