Re: blocking access to port 22 when INPUT policy is ACCEPT

Hi there,

On Wed, 1 Aug 2007 Grant Taylor wrote:

> Wrong logic operator.  The question could also be written as "How do I
> block all connections not from the set A or B or C or ...".
>
> One way to achieve this is with the IPSet match extension (which I
> have not worked with, so this may not be syntactically correct).
>
> iptables -A INPUT ! -m set --set sshclients src -j DROP

Looks good to me.  Here's the most recent addition to my roughly two
dozen ipsets:

iptables -I INPUT 98 -m set --set BLOCKSET08 src -j DROP

(My BLOCKSET08 set blocks /8 IP ranges.  :)

FWIW I currently block a little over 26,000 IP ranges in 25 sets
and the performance is fine on very modest hardware.

At present I believe there are some issues compiling ipsets and the
latest 2.6 kernels, probably worth looking before you leap.

--

73,
Ged.
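The thread turns on the logic of the rule: with an INPUT policy of ACCEPT, the way to restrict port 22 to a whitelist is a single negated set match ("drop if the source is not in the set"), and combining several whitelists needs an OR, not a chain of negated drops. The script below is an added illustration, not code from the post or from ipset/iptables; it models iptables first-match evaluation over constructed hash:net-style sets (all set names, addresses and ports are invented, RFC 5737 documentation ranges) so the two orderings can be compared offline. It also makes visible a caveat in the quoted rule: as written (no `-p tcp --dport 22`), `iptables -A INPUT ! -m set --set sshclients src -j DROP` drops every non-whitelisted packet on every port, not just SSH.

```python
import ipaddress

# Constructed whitelists and a /8 block list (stand-ins for ipset hash:net sets;
# names and ranges are invented for this example).
SETS = {
    "sshclients": ["203.0.113.0/24", "198.51.100.7/32"],  # A: admin LAN + one jump host
    "backupnet":  ["192.0.2.0/24"],                        # B: a second permitted network
    "BLOCKSET08": ["100.0.0.0/8"],                         # a /8 block list like the post's
}
NETS = {name: [ipaddress.ip_network(n) for n in nets] for name, nets in SETS.items()}


def in_set(src, setname):
    """True if the source address falls inside any prefix of the named set."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in NETS[setname])


def evaluate(rules, src, dport, policy="ACCEPT"):
    """Walk the rules in order, iptables-style: the first rule whose match
    condition holds decides the verdict; if none matches, the chain policy applies.

    A rule is (negate, setname, dport, target). setname None matches any source
    (no set test); dport None matches any destination port. negate models the
    "!" in "! -m set --set NAME src".
    """
    for negate, setname, rule_port, target in rules:
        if rule_port is not None and rule_port != dport:
            continue
        matched = True if setname is None else in_set(src, setname)
        if matched != negate:
            return target
    return policy


# 1. The rule from the thread, unscoped: drops any source not in sshclients on ALL ports.
POST_RULE = [(True, "sshclients", None, "DROP")]

# 2. Same idea restricted to SSH, as the subject line intends.
SSH_ONLY = [(True, "sshclients", 22, "DROP")]

# 3. The "wrong logic operator" case: two negated drops in a row only let through
#    sources that are in A AND B.
WRONG_AND = [
    (True, "sshclients", 22, "DROP"),
    (True, "backupnet", 22, "DROP"),
]

# 4. Allowing A OR B: accept members of each set, then drop everything else on 22.
RIGHT_OR = [
    (False, "sshclients", 22, "ACCEPT"),
    (False, "backupnet", 22, "ACCEPT"),
    (False, None, 22, "DROP"),
]

# 5. A plain block list, as in the poster's BLOCKSET08 rule.
BLOCKLIST = [(False, "BLOCKSET08", None, "DROP")]


def verdicts(rules, packets):
    """Return {(src, dport): verdict} for a batch of constructed packets."""
    return {(src, port): evaluate(rules, src, port) for src, port in packets}


if __name__ == "__main__":
    sample = [("203.0.113.5", 22), ("203.0.113.5", 80), ("192.0.2.9", 22),
              ("198.51.100.200", 22), ("198.51.100.200", 80), ("100.1.2.3", 22)]
    for label, rules in [("POST_RULE", POST_RULE), ("SSH_ONLY", SSH_ONLY),
                         ("WRONG_AND", WRONG_AND), ("RIGHT_OR", RIGHT_OR),
                         ("BLOCKLIST", BLOCKLIST)]:
        print(label)
        for (src, port), v in verdicts(rules, sample).items():
            print(f"  {src:>16}:{port:<3} -> {v}")
```

Running it shows that under WRONG_AND a host that is only in the admin LAN is dropped, while RIGHT_OR lets either whitelist through and still drops unlisted sources; SSH_ONLY differs from POST_RULE only in leaving non-SSH ports alone. One further note for anyone transcribing the rule today: later ipset releases renamed the match option, so the modern spelling is `-m set ! --match-set sshclients src` rather than `! -m set --set sshclients src`.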

