U. George wrote:
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.124.176.0/20 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.124.32.0/20 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 121.127.64.0/17 -j DROP
<snip />
And so on ?
You could use ipset: http://ipset.netfilter.org

Once a set of type nethash has been created and populated, its usage is very simple. E.g., to test whether a source|destination address is in a nethash set named BADNETS use:

iptables -A INPUT -m set --set BADNETS src|dst -j NETHANDLER

Not sure if this extension is in the kernel yet, but it's relatively easy to add by following the instructions at their website.

:m)
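
Added example, not part of the original post: a script that turns a list of networks like the ones quoted above into input for `ipset restore`, so one set lookup can replace the per-network rules. It assumes a current ipset, where the nethash type is spelled `hash:net`; the function names and the invalid sample entry are made up for the illustration. Host bits are cleared, which is also what iptables does with `-s 121.127.64.0/17`.

```shell
#!/bin/sh
SET_NAME=BADNETS   # set name used in the thread

# Print a.b.c.d/len with host bits cleared; fail on anything that is not a
# plain IPv4 CIDR. The "( )" body is a subshell, so variables stay local.
normalize_cidr() (
    case $1 in */*) ;; *) exit 1 ;; esac
    ip=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*|0*|???*) exit 1 ;; esac
    [ "$len" -le 32 ] || exit 1
    case $ip in *[!0-9.]*|*.) exit 1 ;; esac
    IFS=.; set -f; set -- $ip
    [ $# -eq 4 ] || exit 1
    n=0
    for o in "$@"; do
        case $o in ''|0?*|????*) exit 1 ;; esac   # no empty or zero-padded octets
        [ "$o" -le 255 ] || exit 1
        n=$(( n * 256 + o ))
    done
    n=$(( n & ((4294967295 << (32 - len)) & 4294967295) ))
    printf '%d.%d.%d.%d/%d\n' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
        $(( (n >> 8) & 255 )) $(( n & 255 )) "$len"
)

# Read one network per line on stdin ("#" comments allowed) and print
# `ipset restore` input: validated, normalized, de-duplicated.
gen_restore() (
    set -f
    echo "create $SET_NAME hash:net family inet"
    seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        set -- ${line%%#*}
        [ $# -ge 1 ] || continue
        if net=$(normalize_cidr "$1"); then
            case $seen in *" $net "*) continue ;; esac
            seen="$seen$net "
            echo "add $SET_NAME $net"
        else
            echo "skipped invalid entry: $1" >&2
        fi
    done
)

# Constructed sample: the thread's three networks, a duplicate and a typo.
sample_networks() {
    printf '%s\n' 121.124.176.0/20 121.124.32.0/20 121.127.64.0/17 \
        121.124.176.0/20 121.124.300.0/20
}

sample_networks | gen_restore   # pipe this into: ipset restore
```

With the set loaded, a single rule such as `iptables -A INPUT -m set --match-set BADNETS src -j DROP` covers every listed network; `--match-set` is the current spelling of the `--set` option shown above.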