Multiple IP's...

Joe Patterson jpatterson@asgardgroup.com
Thu, 18 Oct 2001 16:06:07 -0400


Just as a general rule, you should probably have -i $INTERNAL_IFACE in those
rules.  Generally a frowned-upon practice to accept bogons from the
internet.

But I believe the only way to do this would be to use three rules:
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -s 172.0.0.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -j DROP

or set your FORWARD policy to DROP, and use the first two rules.

There are, of course, many ways to do this.  You might for instance set
/proc/sys/net/ipv4/conf/*/rp_filter, which, although not using iptables,
would block spoofed addresses from your internal net.

The other thing (that may have changed while I wasn't looking) is that
bridging and iptables don't often get along well.  Packets get bridged
before they hit the ip stack (and therefore before being examined by
iptables).  I recall something in Rusty's guides saying basically "yeah,
that'd be really cool.  Too bad it doesn't work."

-Joe

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of Grimes, Shawn
(NIA/IRP)
Sent: Thursday, October 18, 2001 3:35 PM
To: 'netfilter@lists.samba.org'
Subject: Multiple IP's...


Is there a way to specify multiple IP ranges on a single line?  The reason I
ask is, I'm using bridging and IPTables 1.2.1a to create a firewall for my
company.  We have three IP ranges.  And I want to have my firewall block
anything going out that is not in our IP ranges (to prevent spoofing).
This is what I want in theory:
iptables -A FORWARD -p tcp -s ! [192.168.1.0/24,172.0.0.0/24] -j DROP

It's my understanding that if I did it on two separate lines:
iptables -A FORWARD -p tcp -s ! 192.168.1.0/24 -j DROP
iptables -A FORWARD -p tcp -s ! 172.0.0.0/24 -j DROP

At the first line ( ! 192.168.1.0/24 )  it would block anything not matching
that range, so it would block my other range 172.0.0.0/24

L8R,
(¯`·.¸Shawn¸.·´¯)
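Why Shawn's two negated DROP lines block everything while Joe's accept-then-drop set works, modelled as an added example (not code from the thread): a minimal Python simulation of first-match evaluation in the FORWARD chain with source negation. The network ranges are the ones from the thread; the sample source addresses are constructed.

```python
import ipaddress

# Added example, not code from the thread: a minimal model of how iptables walks
# the FORWARD chain. A rule is (negate, network, target); a packet takes the
# target of the first rule whose source match succeeds, else the chain policy.

def source_matches(rule, src):
    negate, net, _target = rule
    inside = ipaddress.ip_address(src) in ipaddress.ip_network(net)
    # "-s ! net" (written "! -s net" in newer iptables) matches when src is outside net
    return inside != negate

def verdict(chain, src, policy="ACCEPT"):
    for rule in chain:
        if source_matches(rule, src):
            return rule[2]
    return policy

def verdicts(chain, srcs, policy="ACCEPT"):
    return {src: verdict(chain, src, policy) for src in srcs}

# Shawn's two-line attempt: each rule drops everything outside ONE range,
# so between them they drop every possible source address.
TWO_NEGATED_DROPS = [
    (True, "192.168.1.0/24", "DROP"),
    (True, "172.0.0.0/24", "DROP"),
]

# Joe's three-rule version: accept each internal range, then drop the rest.
ACCEPT_THEN_DROP = [
    (False, "192.168.1.0/24", "ACCEPT"),
    (False, "172.0.0.0/24", "ACCEPT"),
    (False, "0.0.0.0/0", "DROP"),   # "-j DROP" with no -s matches everything
]

# Joe's alternative: the first two rules with the chain policy set to DROP.
ACCEPT_ONLY = ACCEPT_THEN_DROP[:2]

# Constructed sample sources: one host from each internal range plus a spoofed one.
SAMPLE_SOURCES = ["192.168.1.10", "172.0.0.10", "10.1.2.3"]

if __name__ == "__main__":
    for name, chain, policy in [("two negated DROPs", TWO_NEGATED_DROPS, "ACCEPT"),
                                ("accept, accept, drop", ACCEPT_THEN_DROP, "ACCEPT"),
                                ("accept x2 + policy DROP", ACCEPT_ONLY, "DROP")]:
        print(name, verdicts(chain, SAMPLE_SOURCES, policy))
```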