
Thread: Re: How to combine a few addresses?




Re: How to combine a few addresses?
Israel
2007-09-11 07:27:10
--- Martijn Lievaart <mrtij.nl> wrote:

> Vitaly wrote:
> > How can I combine a few addresses in one rule? For
> > example, I'd like to add two IPs 10.10.10.1 and
> > 10.10.10.2 to the same rule.
> >
> >   
> 
> Either use ipset (needs a patched kernel), or
> iprange (if the addresses 
> are consecutive) or use a subchain, e.g:
> 
> -A -s 10.10.10.1 -j CUSTOM
> -A -s 10.10.10.2 -j CUSTOM
> -N CUSTOM
> -A CUSTOM <rest of rule>
> 
Thank you!
Subchains seem to be OK for my needs. But will
subchains work in case when I need to *exclude* some
IPs?

For example, can I add 10.10.10.2 to this rule using
subchain?

iptables -I INPUT -p tcp --dport 80 ! -s 10.10.10.1 -m state --state NEW -m recent --set





Re: How to combine a few addresses?
Netherlands
2007-09-11 12:50:15
Vitaly wrote:
> --- Martijn Lievaart <mrtij.nl> wrote:
>
>   
>> Vitaly wrote:
>>> How can I combine a few addresses in one rule? For
>>> example, I'd like to add two IPs 10.10.10.1 and
>>> 10.10.10.2 to the same rule.
>>>
>> Either use ipset (needs a patched kernel), or
>> iprange (if the addresses 
>> are consecutive) or use a subchain, e.g:
>>
>> -A -s 10.10.10.1 -j CUSTOM
>> -A -s 10.10.10.2 -j CUSTOM
>> -N CUSTOM
>> -A CUSTOM <rest of rule>
>>
>>     
> Thank you!
> Subchains seem to be OK for my needs. But will
> subchains work in case when I need to *exclude* some
> IPs?
>
> For example, can I add 10.10.10.2 to this rule using
> subchain?
>
> iptables -I INPUT -p tcp --dport 80 ! -s 10.10.10.1 -m state --state NEW -m recent --set
>   

Yes.

-I INPUT -p tcp --dport 80  -j CUSTOM
-A CUSTOM -s 10.10.10.1 -j RETURN
-A CUSTOM -s 10.10.10.2 -j RETURN
-A CUSTOM -m state --state NEW -m recent --set


HTH,
M4
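
The exclusion pattern from the reply above, generalized to any number of excluded addresses, as an added example that is not part of the original thread. The function names `is_ipv4` and `exclude_chain` are hypothetical; the chain name, port and match options are the ones used in the thread, and the commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example: build the RETURN-subchain exclusion rules for a list of hosts.
# Nothing here calls iptables; the commands are only printed.

# is_ipv4 ADDR: succeed only for a single dotted-quad host address
# (no CIDR suffix, no hostname), so a typo cannot silently widen the exclusion.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    # Input is digits and dots only at this point, so word splitting is safe.
    set -- $(echo "$1" | tr . ' ')
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# exclude_chain CHAIN ADDR...: print the commands that apply the thread's
# "-m state --state NEW -m recent --set" rule to every source except ADDR...
exclude_chain() {
    chain=$1; shift
    [ "$#" -gt 0 ] || { echo "no addresses given" >&2; return 1; }
    # Validate everything first so a bad address never yields a partial ruleset.
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    done
    echo "iptables -N $chain"
    # Excluded sources leave the subchain before the final rule is reached.
    for addr in "$@"; do
        echo "iptables -A $chain -s $addr -j RETURN"
    done
    echo "iptables -A $chain -m state --state NEW -m recent --set"
    # Hook the chain into INPUT last, once it is fully populated.
    echo "iptables -I INPUT -p tcp --dport 80 -j $chain"
}

# Constructed sample input: the two addresses from the thread.
exclude_chain CUSTOM 10.10.10.1 10.10.10.2
```
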



