On Wed, 2009-04-15 at 18:59 +0300, Mihamina Rakotomandimby (R12y) wrote:
> Hi,
> I have this kind of shell script in order to set something on a bunch of IP
> addresses:
>
> for ACCEPTED_MACHINE in \
> 192.168.0.10 \
> 192.168.0.11 \
> 192.168.0.12 \
> 192.168.0.13 \
> 192.168.0.14 \
> 192.168.0.15 \
> 192.168.0.16 \
> 192.168.0.17 \
> 192.168.0.18 \
> 192.168.0.19 \
> 192.168.0.20 \
> 192.168.0.21 \
> 192.168.0.22 \
> 192.168.0.23 \
> 192.168.0.24 \
> 192.168.0.25 \
> 192.168.0.26 \
> 192.168.0.27 \
> 192.168.0.28 \
> 192.168.0.29
> do
> $IPTABLES [...]
> done
>
>
> How could I use a mask such as 192.168.0.0/NN to exactly match the list?
> Thank you.
>

Hi Mihamina,

Possible exact solutions include either:
  aggregate - { ftp://ftp.isc.org/isc/aggregate/ |
                http://packages.debian.org/aggregate } - cidr aggregation
or,
  iptables -m iprange - non-cidr consecutive IP-ranges matching

Examples:

aggregate

anticimex@natalie:/tmp$ awk '{print $1 "/32"}' << EOF | aggregate
> 192.168.0.10
> 192.168.0.11
> 192.168.0.12
> 192.168.0.13
> 192.168.0.14
> 192.168.0.15
> 192.168.0.16
> 192.168.0.17
> 192.168.0.18
> 192.168.0.19
> 192.168.0.20
> 192.168.0.21
> 192.168.0.22
> 192.168.0.23
> 192.168.0.24
> 192.168.0.25
> 192.168.0.26
> 192.168.0.27
> 192.168.0.28
> 192.168.0.29
> EOF
aggregate: maximum prefix length permitted will be 32
192.168.0.10/31
192.168.0.12/30
192.168.0.16/29
192.168.0.24/30
192.168.0.28/31
anticimex@natalie:/tmp$

iptables -m iprange

natalie:~# iptables -A INPUT -i eth2 -m iprange --src-range 192.168.0.10-192.168.0.29
natalie:~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           source IP range 192.168.0.10-192.168.0.29
natalie:~#

anticimex@natalie:/tmp$ /sbin/iptables -m iprange -h
<snip>
iprange match options:
[!] --src-range ip-ip        Match source IP in the specified range
[!] --dst-range ip-ip        Match destination IP in the specified range

Hope this helps.

Regards,
-- 
Martin Millnert <millnert@xxxxxxxxx>
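Added example, not part of the message above and not code from the aggregate tool: a POSIX shell sketch that turns an address list into its exact CIDR cover, and reports how many extra addresses the smallest single 192.168.0.0/NN-style prefix would admit into the rule set. The function names (ip2int, int2ip, range2cidr, list2cidr, single_prefix) are hypothetical, and the code assumes well-formed IPv4 input without leading zeros.

```shell
#!/bin/sh
ip2int() (                      # dotted quad -> 32-bit integer
  IFS=.
  set -- $1                     # split the address on dots
  echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
)

int2ip() {                      # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range2cidr LO HI (integers): fewest CIDR blocks covering exactly LO..HI
range2cidr() (
  lo=$1 hi=$2
  while [ "$lo" -le "$hi" ]; do
    size=1 len=32
    # Double the block while it stays aligned on lo and does not pass hi.
    while [ "$len" -gt 0 ] && [ $(( lo % (size * 2) )) -eq 0 ] &&
          [ $(( lo + size * 2 - 1 )) -le "$hi" ]; do
      size=$(( size * 2 )); len=$(( len - 1 ))
    done
    echo "$(int2ip "$lo")/$len"
    lo=$(( lo + size ))
  done
)

# list2cidr: one IPv4 address per line on stdin -> exact CIDR cover on stdout
list2cidr() (
  start= prev=
  while read -r ip; do
    if [ -n "$ip" ]; then ip2int "$ip"; fi
  done | sort -nu | {
    while read -r n; do
      if [ -n "$start" ] && [ "$n" -ne $(( prev + 1 )) ]; then
        range2cidr "$start" "$prev"; start=    # gap: close the current run
      fi
      start=${start:-$n}; prev=$n
    done
    if [ -n "$start" ]; then range2cidr "$start" "$prev"; fi
  }
)

# single_prefix FIRST LAST: smallest single prefix holding the whole range,
# then the count of addresses it matches that are NOT in the range
single_prefix() (
  lo=$(ip2int "$1"); hi=$(ip2int "$2"); size=1; len=32; base=$lo
  while [ $(( base + size - 1 )) -lt "$hi" ]; do
    size=$(( size * 2 )); len=$(( len - 1 )); base=$(( lo - lo % size ))
  done
  echo "$(int2ip "$base")/$len $(( size - (hi - lo + 1) ))"
)
```

A non-zero second field from single_prefix means no single mask matches the list exactly; use the list2cidr output or the iprange match instead.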