Re: iptables/ipset syntax

On Thu, 20 Jan 2011 23:20:16 +0100 (CET), Jozsef Kadlecsik wrote:
> On Thu, 20 Jan 2011, Arthur Titeica wrote:
>
> > I'm having some trouble understanding the correct syntax for an iptables rule
> > involving ipset.
> >
> > I need to forward between IPs within the same ipset. So I've tried using
> > something like this:
> >
> > iptables -A FORWARD -i eth0 -o eth0 -m set --match-set testset src,dst -p tcp
> > --dport 9000:9020 -j ACCEPT
>
> It'd be good to know the type of "testset". Anyway, if you want to match the
> same IPs in both the source and destination directions by a set, then
> you should use a rule like this
>
> iptables -A FORWARD -i eth0 -o eth0 \
> 	-m set --match-set testset src \
> 	-m set --match-set testset dst \
> 	-p tcp --dport 9000:9020 -j ACCEPT
>
> The keywords "src" and "dst" instruct the set match which parameter to grab
> from the packet ("source IP" or "destination IP") and try to match it
> with the elements in the set. If it's a multidimensional set, then
> multiple "src", "dst" parameters can be used.


Thanks for replying. The ipsets used are hash:ip so no wonder it doesn't work as I thought. In my defence the misleading part was the online iptables man [ http://ipset.netfilter.org/iptables.man.html ] which isn't quite clear.


--
Arthur Titeica
PharmEc Software Constanta
Mobil: 0729 290 969
Tel: 0241 616 747
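A worked version of the two-direction match from the reply, added here as an example and not code from the thread or the netfilter project: the script creates a hash:ip set, adds members to it, and emits the FORWARD rule with one set match for the source address and a second for the destination, which is what a one-dimensional set needs. The set name testset, interface eth0, the port range and the member addresses are assumed; DRY_RUN=1 (the default) prints the commands instead of executing them, so the script can be reviewed without root, while DRY_RUN=0 runs them and needs the ipset and iptables binaries.

```shell
#!/bin/sh
# Added example (not from the original thread): build a hash:ip set and the
# FORWARD rules that match it in both directions.
# Assumed names: testset, eth0, port range 9000:9020, member addresses.
# DRY_RUN=1 (default) prints commands; DRY_RUN=0 executes them (needs root).

DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_set SET MEMBER...: create a hash:ip set and add each member.
# -exist makes both steps idempotent (re-running does not fail).
create_set() {
    set_name="$1"; shift
    run ipset -exist create "$set_name" hash:ip
    for member in "$@"; do
        run ipset -exist add "$set_name" "$member"
    done
}

# set_rules SET IFACE PORTS: emit the FORWARD rule for the set.
# A hash:ip set is one-dimensional, so "src,dst" in a single match is not
# what we want; the set is matched twice, once for the source address and
# once for the destination address.
set_rules() {
    set_name="$1"; iface="$2"; ports="$3"
    run iptables -A FORWARD -i "$iface" -o "$iface" \
        -m set --match-set "$set_name" src \
        -m set --match-set "$set_name" dst \
        -p tcp --dport "$ports" -j ACCEPT
}

# match_count SET RULE_TEXT: count the set matches in a rule line, i.e.
# check that both directions are covered (expect 2 for the rule above).
match_count() {
    printf '%s\n' "$2" | grep -oE -- "--match-set $1 (src|dst)" | wc -l | tr -d ' '
}

main() {
    create_set testset 10.0.0.10 10.0.0.11   # constructed sample members
    set_rules testset eth0 9000:9020
}

main
```

With DRY_RUN=1 the output is the exact command lines that would be run; review them, then rerun with DRY_RUN=0 to apply. The rule appends to FORWARD, so place it relative to existing rules with -I and a position if ordering matters on your chain.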