iptables - Open all ports between 3 ips

Hi,

im searching and searching.... but..

Can someone give me a hint?

I want to open all ports between 5 IPs (5 Servers - totally different
ips) but just between them.

Is it possible to do that without create a rule for every ip to ip pair?
Something very easy or at least:

-s 1.1.1.1,2.2.2.2,3.3.3.3... --sport 1:65535
-d 1.1.1.1,2.2.2.2,3.3.3.3... --dport 1:65535

How? or any keyword-hits for google?

Thanx

Gerhard Haslberger <(E-Mail Removed)> wrote:
> I want to open all ports between 5 IPs (5 Servers - totally different
> ips) but just between them.

> Is it possible to do that without create a rule for every ip to ip pair?

What's your network topology (i.e. where are the servers in relation to
your firewall)?

A,B,C -- firewall -- D,E

A -- firewall -- B,C,D,E

A -- firewall -- B
| | |
C D E

etc.
Chris

Web -- port 80 -- ( LoadBalancer (on A) distributes vom A-E)

A - E should have Access to all ports from each other (they share nfs,
myslq ...)

A should also open port 80 (in this example)

Better shown like this:


Web
|
port 80
|
Loadbalancer on A
|||||
ABCDE

------
I know how to do it in MANY-iptable-Code-Lines, but is it possible to
use only a few for the A-E pool to open all ports inside this pool?
Remember that A-E has different ips bec there are hosted in different
Datacenters

> Web
> |
> port 80
> |
> Loadbalancer on A
> |||||
> ABCDE

and right now i say

A -> B
<-> C
<-> D
<-> E

B <-> A
<-> C
<-> D
<-> E


and so on for specific ports ....

but iam looking for one "Line" which i can copy to all servers which
enables all communications within a given ip-pool

Gerhard Haslberger <(E-Mail Removed)> wrote:

> Web -- port 80 -- ( LoadBalancer (on A) distributes vom A-E)

> A - E should have Access to all ports from each other (they share nfs,
> myslq ...)

Strikes me that one way to do this is as follows. Put two NICs
in A and one in each of B-E. Create an unroutable private subnet
(e.g. 192.168.0.0/24) that encompasses all of A-E. (If necessary make
them secondary IP addresses on each of the NICs.) Use this subnet to
route between A,B,C,D,E. Allow the entire subnet on the back-end NIC
for A (one or two iptables rules). Disallow it on the front side (two
rules). Allow inbound requests to A from everywhere (one rule).

Chris

Gerhard Haslberger <(E-Mail Removed)> écrivait
news:gu44j0$n0b$(E-Mail Removed):

> Hi,
>
> im searching and searching.... but..
>
> Can someone give me a hint?
>
> I want to open all ports between 5 IPs (5 Servers - totally different
> ips) but just between them.
>
> Is it possible to do that without create a rule for every ip to ip
> pair? Something very easy or at least:
>
> -s 1.1.1.1,2.2.2.2,3.3.3.3... --sport 1:65535
> -d 1.1.1.1,2.2.2.2,3.3.3.3... --dport 1:65535
>
> How? or any keyword-hits for google?
>
> Thanx

Did you try the iptables 'iprange' module :

http://iptables-tutorial.frozentux.n...bles.html#lbBC ?


Regards