Networking Forums

iptables: allow multiple source addresses

 
 
jqpx37
10-03-2006, 11:25 PM
It's clear to me how to drop all packets except those coming from one
address/mask:
.... -s ! address/[mask] ... -j DROP

What's not so clear is what to do if I want to allow more than one
address/[mask]. Currently I'm doing it via a simple user-defined chain,
e.g.
.... -s ! address1/[mask1] ... -j chain_1
.... chain_1 ... -s ! address2/[mask2] -j DROP

Is there a more clever way of doing it than this?

TIA



Posted Via Usenet.com Premium Usenet Newsgroup Services
----------------------------------------------------------
** SPEED ** RETENTION ** COMPLETION ** ANONYMITY **
----------------------------------------------------------
http://www.usenet.com
 
Pascal Hambourg
10-03-2006, 11:43 PM
Hello,

jqpx37 wrote:
> It's clear to me how to drop all packets except those coming from one
> address/mask:
> ... -s ! address/[mask] ... -j DROP


No, obviously this is not clear to you. :-)

> What's not so clear is what to do if I want to allow more than one
> address/[mask]. Currently I'm doing it via a simple user-defined chain,
> e.g.
> ... -s ! address1/[mask1] ... -j chain_1
> ... chain_1 ... -s ! address2/[mask2] -j DROP
>
> Is there a more clever way of doing it than this?


Yes: set default policies to DROP, and ACCEPT what you want to allow
instead of DROP what you don't want to allow. This is much safer.
 
jqpx37
10-04-2006, 02:20 AM

"Pascal Hambourg" <boite-a-(E-Mail Removed)> wrote in message
news:efusja$9pf$(E-Mail Removed)...
> Hello,
>
> jqpx37 wrote:
>> It's clear to me how to drop all packets except those coming from one
>> address/mask:
>> ... -s ! address/[mask] ... -j DROP

>
> No, obviously this is not clear to you. :-)
>
>> What's not so clear is what to do if I want to allow more than one
>> address/[mask]. Currently I'm doing it via a simple user-defined chain,
>> e.g.
>> ... -s ! address1/[mask1] ... -j chain_1
>> ... chain_1 ... -s ! address2/[mask2] -j DROP
>>
>> Is there a more clever way of doing it than this?

>
> Yes: set default policies to DROP, and ACCEPT what you want to allow
> instead of DROP what you don't want to allow. This is much safer.


OK.

Though what if one doesn't want the ACCEPT statement to come late in the
chain?

(My policy is already DROP.)



 
Pascal Hambourg
10-04-2006, 09:14 AM
jqpx37 wrote:
>>
>>Yes: set default policies to DROP, and ACCEPT what you want to allow
>>instead of DROP what you don't want to allow. This is much safer.

>
> OK.
> Though what if one doesn't want the ACCEPT statement to come late in the
> chain?


What do you mean?
 
jqpx37
10-04-2006, 09:22 AM

"Pascal Hambourg" <boite-a-(E-Mail Removed)> wrote in message
news:efvu10$mi7$(E-Mail Removed)...
> jqpx37 wrote:
>>>
>>>Yes: set default policies to DROP, and ACCEPT what you want to allow
>>>instead of DROP what you don't want to allow. This is much safer.

>>
>> OK. Though what if one doesn't want the ACCEPT statement to come late in
>> the chain?

>
> What do you mean?


Once you ACCEPT, no more rules can apply.



 
Pascal Hambourg
10-04-2006, 10:08 AM
jqpx37 wrote:
>>
>>>>Yes: set default policies to DROP, and ACCEPT what you want to allow
>>>>instead of DROP what you don't want to allow. This is much safer.
>>>
>>>OK. Though what if one doesn't want the ACCEPT statement to come late in
>>>the chain?

>>
>>What do you mean?

>
> Once you ACCEPT, no more rules can apply.


Sure. Same when you DROP. That's the goal, isn't it?
Again, I don't see your point. When a chain contains only ACCEPT rules,
the rule ordering does not matter so much.

Do you mean that in your case the source address is not the only match
needed to ACCEPT packets ? Then put the other matches in the rule, and
if you cannot put them all in a single rule, user-defined chains come in
handy. Every time you have an AND condition, you create a new chain.
Every time you have an OR condition, you create a new rule.

Example:
if condition1 AND (condition2 OR condition3) then ACCEPT

-A step1 condition1 -j step2
-A step2 condition2 -j ACCEPT
-A step2 condition3 -j ACCEPT

or

-A step1 condition2 -j step2
-A step1 condition3 -j step2
-A step2 condition1 -j ACCEPT
 
jqpx37
10-04-2006, 10:57 AM

"Pascal Hambourg" <boite-a-(E-Mail Removed)> wrote in message
news:eg0178$nur$(E-Mail Removed)...
> jqpx37 wrote:
>>>
>>>>>Yes: set default policies to DROP, and ACCEPT what you want to allow
>>>>>instead of DROP what you don't want to allow. This is much safer.
>>>>
>>>>OK. Though what if one doesn't want the ACCEPT statement to come late in
>>>>the chain?
>>>
>>>What do you mean?

>>
>> Once you ACCEPT, no more rules can apply.

>
> Sure. Same when you DROP. That's the goal, isn't it?
> Again, I don't see your point. When a chain contains only ACCEPT rules,
> the rule ordering does not matter so much.
>
> Do you mean that in your case the source address is not the only match
> needed to ACCEPT packets ?


Yes.

> Then put the other matches in the rule, and if you cannot put them all in
> a single rule, user-defined chains come in handy. Every time you have an
> AND condition, you create a new chain. Every time you have an OR
> condition, you create a new rule.
>
> Example:
> if condition1 AND (condition2 OR condition3) then ACCEPT
>
> -A step1 condition1 -j step2
> -A step2 condition2 -j ACCEPT
> -A step2 condition3 -j ACCEPT
>
> or
>
> -A step1 condition2 -j step2
> -A step1 condition3 -j step2
> -A step2 condition1 -j ACCEPT


Thanks for the informative reply.

Cheers.



 
Llanzlan Klazmon the 15th
10-04-2006, 10:15 PM
"jqpx37" <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

>
> "Pascal Hambourg" <boite-a-(E-Mail Removed)> wrote in message
> news:eg0178$nur$(E-Mail Removed)...
>> jqpx37 wrote:
>>>>
>>>>>>Yes: set default policies to DROP, and ACCEPT what you want to
>>>>>>allow instead of DROP what you don't want to allow. This is much
>>>>>>safer.
>>>>>
>>>>>OK. Though what if one doesn't want the ACCEPT statement to come late
>>>>>in the chain?
>>>>
>>>>What do you mean?
>>>
>>> Once you ACCEPT, no more rules can apply.

>>
>> Sure. Same when you DROP. That's the goal, isn't it?
>> Again, I don't see your point. When a chain contains only ACCEPT rules,
>> the rule ordering does not matter so much.
>>
>> Do you mean that in your case the source address is not the only match
>> needed to ACCEPT packets ?

>
> Yes.
>
>> Then put the other matches in the rule, and if you cannot put them all
>> in a single rule, user-defined chains come in handy. Every time you
>> have an AND condition, you create a new chain. Every time you have an
>> OR condition, you create a new rule.
>>
>> Example:
>> if condition1 AND (condition2 OR condition3) then ACCEPT
>>
>> -A step1 condition1 -j step2
>> -A step2 condition2 -j ACCEPT
>> -A step2 condition3 -j ACCEPT
>>
>> or
>>
>> -A step1 condition2 -j step2
>> -A step1 condition3 -j step2
>> -A step2 condition1 -j ACCEPT

>
> Thanks for the informative reply.
>
> Cheers.
>
>
>


Another thing. For maximum efficiency you want the bulk of the traffic
dealt with as early in the chain as possible as that minimises the
overhead. Typically you want a rule to accept established and related
packets near the start of the chain.

Klazmon.
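Pascal's AND-by-chain / OR-by-rule construction and Klazmon's advice to accept established traffic first, as an added example that is not code from the thread: a small Python model of iptables chain traversal that runs both equivalent rulesets over constructed packets. Assumptions: condition1 is `--dport 22`, condition2 and condition3 are two allowed source networks (TEST-NET ranges), and `evaluate`, `verdicts` and the rule tables are my own constructions, not iptables itself.

```python
import ipaddress

# Constructed sample packets (TEST-NET addresses, not taken from the thread).
def packet(src, dport, state="NEW"):
    return {"src": ipaddress.ip_address(src), "dport": dport, "state": state}
# Match helpers standing in for -s, --dport and -m state --state.
def src_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda p: p["src"] in net
def dport(port):
    return lambda p: p["dport"] == port
def state(name):
    return lambda p: p["state"] == name

def evaluate(ruleset, packet, chain="INPUT", policy="DROP"):
    """First matching terminal target wins; an exhausted user chain returns None."""
    for rule_chain, match, target in ruleset:
        if rule_chain != chain or not match(packet):
            continue
        if target in ("ACCEPT", "DROP"):
            return target                 # terminal: no later rule applies
        verdict = evaluate(ruleset, packet, chain=target, policy=None)
        if verdict is not None:
            return verdict                # the user chain decided
    return policy  # built-in chain: default policy; user chain: fall through
# condition1 = dport 22; condition2 / condition3 = two allowed source networks.
# Form 1: AND by jumping into a chain, OR by two rules inside it.
FORM_1 = [
    ("INPUT", state("ESTABLISHED"), "ACCEPT"),  # bulk traffic handled first
    ("INPUT", dport(22), "step2"),
    ("step2", src_in("192.0.2.0/24"), "ACCEPT"),
    ("step2", src_in("198.51.100.0/24"), "ACCEPT"),
]
# Form 2: OR by two jumps into the chain, AND by the single rule inside it.
FORM_2 = [
    ("INPUT", state("ESTABLISHED"), "ACCEPT"),
    ("INPUT", src_in("192.0.2.0/24"), "step2"),
    ("INPUT", src_in("198.51.100.0/24"), "step2"),
    ("step2", dport(22), "ACCEPT"),
]
SAMPLES = [
    packet("192.0.2.10", 22),                   # allowed net, allowed port
    packet("198.51.100.7", 22),                 # second allowed net
    packet("192.0.2.10", 80),                   # allowed net, wrong port
    packet("203.0.113.5", 22),                  # unknown source
    packet("203.0.113.5", 443, "ESTABLISHED"),  # reply traffic, accepted early
]
def verdicts(ruleset):
    return [evaluate(ruleset, p) for p in SAMPLES]
```

Both forms yield the same verdicts, and the ESTABLISHED packet is accepted by the first rule without reaching the address checks, which is the ordering Klazmon recommends.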
 