Re: iptables: using the same address lists against multiple ports



Jerry Peters <jerry@xxxxxxxxxxxxxxx> wrote:

> One of the iptables modules allows filtering on multiple ports.
> It's under Netfilter Xtables support and is called "multiport"
> multiple port match support.

Hmmm. ok. I just had a quick look at that.

How do I deploy this from my script?

The iptables documentation is awful, and I am really struggling to
decipher it.

I may eventually use the same address list against a completely
different set of rules. I was wondering if I could somehow create some
sort of custom table or chain of permitted IP addresses and then use input
rules to jump to my table.

for example:

if port=7500 then jump to my_chain
if port=20000 then jump to my_chain
allow # port is not filtered

then rules for custom_table simply match against source ip address and
allow traffic for listed ip addresses, otherwise deny. (There would be
no port matching in custom_chain, and custom_chain is only effective if
explicitly called.)

I guess this would look something like:

Chain INPUT (policy ACCEPT)
my_chain tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
my_chain tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000

Chain my_chain (policy DENY)
ACCEPT tcp -- 12.0.0.0/8 0.0.0.0/0 tcp
ACCEPT tcp -- 27.3.0.0/16 0.0.0.0/0 tcp

Can I do something like this?

Mark.

--
Mark Hobley
Linux User: #370818 http://markhobley.yi.org/
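A script that builds the chain Mark describes, reached from INPUT through one rule using the multiport match Jerry mentioned. This is an added example, not code from either poster; it assumes the chain name my_chain and the two networks and ports from the post, and by default it only prints the iptables commands (set IPT=iptables to apply them as root).

```shell
#!/bin/sh
# Added example: a user-defined chain of permitted source addresses,
# entered from INPUT by a single multiport rule for the filtered ports.
# IPT defaults to "echo iptables" so the script prints instead of applying.
IPT="${IPT:-echo iptables}"

CHAIN="my_chain"
PORTS="7500,20000"                 # ports from the post (multiport takes up to 15)
ALLOWED="12.0.0.0/8 27.3.0.0/16"   # permitted source networks from the post

build_allow_chain() {
    # Create the chain, or flush it if it already exists, so reruns are safe.
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    for net in $ALLOWED; do
        $IPT -A "$CHAIN" -s "$net" -j ACCEPT
    done
    # User-defined chains have no policy, so the last rule is the "deny".
    $IPT -A "$CHAIN" -j DROP
}

install_input_jump() {
    # One rule covers both ports; unlisted ports never enter the chain and
    # fall through to the INPUT policy (ACCEPT in the post), as Mark wants.
    $IPT -A INPUT -p tcp -m multiport --dports "$PORTS" -j "$CHAIN"
}

build_allow_chain
install_input_jump
```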
