Vitaly wrote:
> --- Martijn Lievaart <m@xxxxxxx> wrote:
> > Vitaly wrote:
> > > How can I combine a few addresses in one rule? For
> > > example, I'd like to add two IPs, 10.10.10.1 and
> > > 10.10.10.2, to the same rule.
> > Either use ipset (needs a patched kernel), or
> > iprange (if the addresses are consecutive), or use a
> > subchain, e.g.:
> > -N CUSTOM
> > -A INPUT -s 10.10.10.1 -j CUSTOM
> > -A INPUT -s 10.10.10.2 -j CUSTOM
> > -A CUSTOM <rest of rule>
> Thank you!
> Subchains seem to be OK for my needs. But will
> subchains work in cases where I need to *exclude* some
> IPs?
> For example, can I add 10.10.10.2 to this rule using a
> subchain?
> iptables -I INPUT -p tcp --dport 80 ! -s 10.10.10.1 \
>   -m state --state NEW -m recent --set
Yes.
-N CUSTOM
-I INPUT -p tcp --dport 80 -j CUSTOM
-A CUSTOM -s 10.10.10.1 -j RETURN
-A CUSTOM -s 10.10.10.2 -j RETURN
-A CUSTOM -m state --state NEW -m recent --set
HTH,
M4
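The RETURN-from-subchain technique in the reply above, written up as an added example that is not from the thread: a small POSIX shell function that generates an iptables-restore fragment excluding any number of source addresses from one rule. The chain name CUSTOM, the INPUT/tcp/80 match and the `-m state --state NEW -m recent --set` rule come from the thread; the function names and the iptables-restore layout are my own.

```shell
#!/bin/sh
# Added example: build a *filter fragment in which every listed source IP hits
# a RETURN inside the subchain and therefore skips the final rule, while all
# other sources fall through to it. This is the same exclusion logic as the
# hand-written CUSTOM chain in the reply above, generalised to N addresses.

# emit_exclusion_ruleset CHAIN DPORT IP...
#   Prints an iptables-restore fragment for the filter table.
emit_exclusion_ruleset() {
    chain=$1
    dport=$2
    shift 2
    printf '%s\n' '*filter'
    # ":CHAIN - [0:0]" declares the user-defined subchain (like -N CHAIN).
    printf '%s\n' ":$chain - [0:0]"
    # Divert the matching traffic into the subchain (like -I INPUT ... -j CHAIN).
    printf '%s\n' "-I INPUT -p tcp --dport $dport -j $chain"
    # One RETURN per excluded source: RETURN leaves the subchain and resumes
    # the INPUT chain at the rule after the -j CHAIN jump, so the excluded
    # packet never reaches the final rule below.
    for ip in "$@"; do
        printf '%s\n' "-A $chain -s $ip -j RETURN"
    done
    # Everything still in the subchain is a non-excluded source: apply the rule.
    printf '%s\n' "-A $chain -m state --state NEW -m recent --set"
    printf '%s\n' 'COMMIT'
}

# count_exclusions CHAIN DPORT IP...
#   Sanity check: number of RETURN rules in the generated fragment.
count_exclusions() {
    emit_exclusion_ruleset "$@" | grep -c -- '-j RETURN'
}

# Usage (prints the fragment; pipe it to iptables-restore to load it):
#   emit_exclusion_ruleset CUSTOM 80 10.10.10.1 10.10.10.2
```

Feed the output to `iptables-restore -n` so that the rest of the filter table is not flushed (without `-n`, iptables-restore replaces the whole table). Note that reloading the fragment into a table where CUSTOM already exists appends a second copy of the RETURN rules; flush the chain first or regenerate the full table in that case.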