iprange match
/dev/rob0
rob0 at gmx.co.uk
Tue Oct 11 22:06:03 CEST 2005
> On Tue, 11-10-2005 at 13:51 -0500, /dev/rob0 wrote:
> > Please don't top-post your replies. It makes it very difficult to
> > follow, especially since the post you're replying to has not (yet?)
> > reached the list.
> > On Tuesday 2005-October-11 13:36, Jorge I. Davila L. wrote:
> > > iptables -A OUTPUT -p tcp -m iprange \
> > > --src-range 192.168.223.1-192.168.223.2 \
> > > -j ACCEPT
> > >
> > > iptables: No chain/target/match by that name
> >
> > I guess this means that your kernel lacks support for the iprange
> > target. "CONFIG_IP_NF_MATCH_IPRANGE=m"
> >
> > This is at most a minor inconvenience. You can always use CIDR
> > addressing and multiple rules. (I always try to keep logical breaks
> > in network space on CIDR boundaries, to facilitate this.)
On Tuesday 2005-October-11 14:39, Jorge I. Davila L. wrote:
> I need the iprange working because I don't want to use a large set of
> rules.
Are you not familiar with CIDR addressing?
The example you posted would only be two rules for individual IPs. I
understand, that was only an example, but creative use of CIDR can do
the job quite well. You can jump a CIDR block larger than your iprange
to a special chain, and put exception rules with -j RETURN targets at
the top.
And again, in designing your networks, it helps to think in hexadecimal
terms. In a class C (/24) I often use 128-191 as the DHCP range. That
would be x.x.x.128/26 in CIDR. I try to keep static IP ranges in blocks
of 8, 16 or 32 and grouped by purpose.
There's nothing wrong with -m iprange; it's a fine tool. But I get
along quite well without it.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
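To make the two techniques in the reply concrete (splitting a range into exact CIDR blocks, and jumping a larger covering block to a chain whose top holds -j RETURN exceptions), here is an added example that is not part of the original thread or of the netfilter project. It uses only Python's standard ipaddress module and prints iptables command lines rather than running them; the chain name RANGE_ACCEPT and the 10.0.0.x sample range are constructed for illustration.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Minimal list of CIDR blocks that exactly cover the inclusive
    range first..last (both given as dotted-quad strings)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def exact_rules(first, last, chain="OUTPUT", proto="tcp", target="ACCEPT"):
    """One rule per covering block: the same effect as a single
    '-m iprange --src-range first-last' rule, without the iprange match."""
    return [f"iptables -A {chain} -p {proto} -s {cidr} -j {target}"
            for cidr in range_to_cidrs(first, last)]


def covering_block(first, last):
    """Smallest single CIDR block that contains both ends of the range."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    net = ipaddress.ip_network(f"{lo}/{lo.max_prefixlen}")
    while hi not in net:          # widen one bit at a time until hi fits
        net = net.supernet()
    return net


def exception_chain_rules(first, last, chain="OUTPUT", proto="tcp",
                          target="ACCEPT", subchain="RANGE_ACCEPT"):
    """Jump the covering block to a dedicated chain; the addresses of that
    block which lie outside the wanted range get -j RETURN at the top, so
    they fall back to the caller and never reach the final target."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = covering_block(first, last)
    rules = [f"iptables -N {subchain}"]
    if net[0] < lo:               # addresses below the range
        for exc in ipaddress.summarize_address_range(net[0], lo - 1):
            rules.append(f"iptables -A {subchain} -s {exc} -j RETURN")
    if hi < net[-1]:              # addresses above the range
        for exc in ipaddress.summarize_address_range(hi + 1, net[-1]):
            rules.append(f"iptables -A {subchain} -s {exc} -j RETURN")
    rules.append(f"iptables -A {subchain} -j {target}")
    rules.append(f"iptables -A {chain} -p {proto} -s {net} -j {subchain}")
    return rules


if __name__ == "__main__":
    # The DHCP range from the reply: 128-191 of a /24 is one /26.
    print(range_to_cidrs("192.168.223.128", "192.168.223.191"))
    # Constructed worst-case range: 14 exact blocks vs. 5 lines with RETURN.
    print("\n".join(exact_rules("10.0.0.1", "10.0.0.254")))
    print("\n".join(exception_chain_rules("10.0.0.1", "10.0.0.254")))
```

Both functions emit the same match semantics; the exception-chain form wins when the range is almost a whole block, the exact form wins when it is a few aligned blocks, which is why keeping allocations on CIDR boundaries (blocks of 8, 16, 32, or a /26 for DHCP) makes either form short.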