I'm doing something like this:
ipset create local_allowed hash:net,port
iptables -A INPUT -p tcp -m set --match-set local_allowed src,dst -j ACCEPT
Now I can use the set to control who can connect to my machine:
# allow ssh from 192.0.2.0/24
ipset add local_allowed 192.0.2.0/24,22
I would like to be able to do this:
# everyone can connect to HTTPS
ipset add local_allowed 0.0.0.0/0,443
But that is not allowed. Fine, I can do this instead:
ipset add local_allowed 0.0.0.0/1,443
ipset add local_allowed 128.0.0.0/1,443
That isn't beautiful but it works. (Is there a reason why a zero prefix is
not allowed?)
The real issue is that I would like to be able to do this:
# these hosts can connect to any local port
ipset add local_allowed 10.0.0.10/32,0
ipset add local_allowed 10.0.0.20/32,0
ipset add local_allowed 10.0.0.30/32,0
ipset add local_allowed 10.0.0.40/32,0
The entries are added but they don't match anything. Apparently zero is
not used as a wildcard for the port. It is possible to do this:
ipset add local_allowed 10.0.0.10/32,1-65535
ipset add local_allowed 10.0.0.20/32,1-65535
ipset add local_allowed 10.0.0.30/32,1-65535
ipset add local_allowed 10.0.0.40/32,1-65535
...but that creates hundreds of thousands of set entries, one for each
port in the range for each address.
I am probably just going to end up using two separate sets
(hash:net,port and hash:net) with two separate rules, but can anyone
think of an efficient way to do this without using two separate rules?
For example, is there any way to use two sets in the same rule, matching
either (OR) rather than both (AND)?
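One way to lay out the two-set approach mentioned at the end, as an added example rather than anything from the original post: a hash:net set for hosts allowed on every port beside the hash:net,port set for per-service access, with the /1 split for "everyone". The set name local_any, the DRY_RUN switch and the expand_entry helper are my own choices; the hosts and ports are the sample values from the question.

```shell
# DRY_RUN=1 (default) prints the ipset/iptables commands instead of running
# them, so the script can be reviewed offline before being applied as root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample values: hosts that may reach any local TCP port.
ANY_PORT_HOSTS="10.0.0.10/32 10.0.0.20/32 10.0.0.30/32 10.0.0.40/32"
# Constructed sample values: net,port entries for specific services.
# "any" stands for all of IPv4 and is expanded to the two /1 halves,
# because hash:net,port rejects a zero-length prefix.
SERVICE_ENTRIES="192.0.2.0/24,22 any,443"

# Print one or more net,port entries for a single spec.
expand_entry() {
    case "$1" in
        any,*)
            port="${1#any,}"
            printf '0.0.0.0/1,%s\n128.0.0.0/1,%s\n' "$port" "$port" ;;
        *)  printf '%s\n' "$1" ;;
    esac
}

build_allowlist() {
    run ipset create local_any hash:net
    run ipset create local_allowed hash:net,port
    for h in $ANY_PORT_HOSTS; do run ipset add local_any "$h"; done
    for e in $SERVICE_ENTRIES; do
        for x in $(expand_entry "$e"); do run ipset add local_allowed "$x"; done
    done
    # Two rules give the OR the question asks for: a packet is accepted when
    # its source is in local_any, or its source,dport pair is in local_allowed.
    run iptables -A INPUT -p tcp -m set --match-set local_any src -j ACCEPT
    run iptables -A INPUT -p tcp -m set --match-set local_allowed src,dst -j ACCEPT
}

build_allowlist
```

Running it with DRY_RUN=0 applies the rules; keep the per-host set small and review the printed output first, since a host in local_any bypasses every port restriction.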