Re: combining multiple ip's into one variable on iptables script?

From: Dave Carrigan (dave_at_rudedog.org)
Date: 07/30/03

    Date: Wed, 30 Jul 2003 06:02:32 -0700
    To: "debian-user@lists.debian.org" <debian-user@lists.debian.org>

    On Wed, Jul 30, 2003 at 01:20:47PM +0100, Mark C wrote:

    > i.e I use ftp.www.mirror.ac.uk
    >
    > running nslookup on this gives me multiple ip addresses, I could create
    > a variable for each IP, i.e
    >
    > APT_MIRROR_AC_UK_1="194.83.57.3"
    > APT_MIRROR_AC_UK_2="194.83.57.7"
    >
    > and so forth, then create rules that allow outbound connections to each
    > of theses sites, is it possible to combine them all into one variable,
    > like
    >
    > APT_MIRROR_AC_UK="194.83.57.3, 194.83.57.7"

    iptables only allows a single netblock per rule (where a netblock can be
    as small as a single host when it's specified as /32). You have two
    choices. You could specify ftp.www.mirror.ac.uk as 194.83.57/29, which
    actually opens up all hosts in the range of 194.83.57.0 to 194.83.57.7.

    Or you could change your iptables scripts so that they treat each host
    variable as a list, and loop over the list:

     APT_MIRROR_AC_UK="194.83.57.3 194.83.57.7"

     for host in $APT_MIRROR_AC_UK; do
       iptables -A block ... -s $host -j ACCEPT
     done

    This still would work correctly even if at a later date you changed
    APT_MIRROR_AC_UK to only be a single host.

    -- 
    Dave Carrigan
    Seattle, WA, USA
    dave@rudedog.org | http://www.rudedog.org/ | ICQ:161669680
    UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
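The list-and-loop approach from the reply above, worked through as an added example (this is not code from Dave's message or from the Debian project): a POSIX sh script that checks every entry in the space-separated variable before emitting any rule, so a mistyped address fails loudly instead of producing a rule for the wrong host, and prints the commands for review rather than running them. The chain name `block`, the `-d` destination match for outbound traffic, and the `/32` suffix are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): expand a space-separated
# list of mirror addresses into one iptables rule per address, validating
# each entry first. Chain name "block" and the -d match are assumptions.

APT_MIRROR_AC_UK="194.83.57.3 194.83.57.7"

# is_ipv4 ADDR: succeed only if ADDR is four dotted decimal octets, each 0-255.
# Body runs in a subshell so changing IFS does not leak into the caller.
is_ipv4() (
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, or empty octet
    esac
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
)

# rules_for_list CHAIN LIST: print one iptables command per address in LIST.
# Works unchanged whether LIST holds one address or several. All entries are
# checked before anything is printed, so a typo rejects the whole list.
rules_for_list() {
    chain=$1
    list=$2
    for host in $list; do
        is_ipv4 "$host" && continue
        echo "rules_for_list: invalid address '$host' in list" >&2
        return 1
    done
    for host in $list; do
        # -d: outbound traffic to the mirror; /32 makes single-host intent explicit
        printf 'iptables -A %s -d %s/32 -j ACCEPT\n' "$chain" "$host"
    done
}

# count_rules LIST: number of rules LIST would generate (0 if it is rejected).
count_rules() {
    rules_for_list block "$1" 2>/dev/null | grep -c '^iptables'
}

# Stand-alone use: review the generated commands, then pipe them into sh to apply.
rules_for_list block "$APT_MIRROR_AC_UK"
```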
