Thu, 18 Oct 2001 16:06:07 -0400
just as a general rule, you should probably have -i $INTERNAL_IFACE in those
rules. Generally a frowned-upon practice to accept bogons from the
But I believe the only way to do this would be to use three rules:
iptables -A FORWARD -p tcp -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p tcp -s 220.127.116.11/24 -j ACCEPT
iptables -A FORWARD -p tcp -j DROP
or set your FORWARD policy to DROP, and use the first two rules.
There are, of course, many ways to do this. You might for instance set
/proc/sys/net/ipv4/conf/*/rp_filter, which, although not using iptables,
would block spoofed addresses from your internal net.
The other thing (that may have changed while I wasn't looking) is that
bridging and iptables don't often get along well. Packets get bridged
before they hit the ip stack (and therefore before being examined by
iptables). I recall something in Rusty's guides saying basically "yeah,
that'd be really cool. Too bad it doesn't work."
[mailto:firstname.lastname@example.org]On Behalf Of Grimes, Shawn
Sent: Thursday, October 18, 2001 3:35 PM
Subject: Multiple IP's...
Is there a way to specify multiple IP ranges on a single line? The reason I
ask is, I'm using bridging and IPTables 1.2.1a to create a firewall for my
company. We have three IP ranges. And I want to have my firewall block
anything going out that is not in our IP ranges (to prevent spoofing).
This is what I want in theory:
iptables -A FORWARD -p tcp -s ! [192.168.1.0/24,18.104.22.168/24] -j DROP
It's my understanding that if I did it on two separate lines:
iptables -A FORWARD -p tcp -s ! 192.168.1.0/24 -j DROP
iptables -A FORWARD -p tcp -s ! 22.214.171.124/24 -j DROP
At the first line ( ! 192.168.1.0/24 ) it would block anything not matching
that range, so it would block my other range 126.96.36.199/24