Networking Forums

iptables wilcard-like?

 
 
drg
      02-23-2006, 12:44 AM
Hello,
I found myself in the need of doing something like this:

iptables -A INPUT -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -s 10.0.1.0/24 -d 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -s 10.0.2.0/24 -d 10.0.2.0/24 -j ACCEPT
iptables -A INPUT -s 10.0.3.0/24 -d 10.0.3.0/24 -j ACCEPT
....
iptables -A INPUT -s 10.0.254.0/24 -d 10.0.254.0/24 -j ACCEPT
(policy drop)

That is, I need to force the router to split the /16 into 254 /24s, and
allow only the users of a given subnet to communicate with each other, but
not with the other subnets. Much like actual subnetting on the users'
machines.

I need to do this because the users' machines are configured to use a
/30, each one with its own router address, and they are connected to an
access point in "isolate" mode (that is, the ap only allows
wired->wireless and wireless->wired communication, and not
wireless->wireless so all traffic has to go through the router).

Is there a quicker way to do this or do I really have to type all those
rules?
Regards,
Hernan

 
Grant
      02-23-2006, 01:40 AM
On 22 Feb 2006 17:44:52 -0800, "drg" <(E-Mail Removed)> wrote:

>iptables -A INPUT -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT
>iptables -A INPUT -s 10.0.1.0/24 -d 10.0.1.0/24 -j ACCEPT
>iptables -A INPUT -s 10.0.2.0/24 -d 10.0.2.0/24 -j ACCEPT
>iptables -A INPUT -s 10.0.3.0/24 -d 10.0.3.0/24 -j ACCEPT
>...
>Is there a quicker way to do this or do I really have to type all those
>rules ?


Write a bash script to create the rules from a configuration file.

An example, /etc/rc.d/rc.firewall (Copyright material GPLv2):
....
# blockendropper
# ```````````````

block_entry_count=0

strip_sort_by_ip_address() # input_file, output_file
{
    # strip comments from the source list, sort numerically by octet,
    # then drop duplicate entries
    sed -e 's/#.*$//' "$1" | sort -t. -n -k1,1 -k2,2 -k3,3 -k4,4 | uniq > "$2"
}

load_iptables_chain_from_file() # input_file, chain, action
{
    local addr="" rest=""

    block_entry_count=0
    while read -r addr rest; do
        [ -z "$addr" ] && continue      # ignore blank lines
        report "   $addr"
        # one rule per address or CIDR block in the list
        iptables -A "$2" -p all --src "$addr" -j "$3"
        (( block_entry_count++ ))
    done < "$1"
}

install_blockendropper() # input_file, chain, action
{
    # report() and INCLUDE_FILE_PATH come from the elided part of the script
    local data_file="$INCLUDE_FILE_PATH/$1" temp_file=""

    report " $2 "
    block_entry_count=0

    if [ -r "$data_file" ]; then

        temp_file="$(mktemp -t fw.XXXXXX)" || exit 2
        iptables -N "$2"
        strip_sort_by_ip_address "$data_file" "$temp_file"
        load_iptables_chain_from_file "$temp_file" "$2" "$3"
        rm -f "$temp_file"
    else
        echo "$2: error, cannot read $data_file"; return
    fi

    report " loaded $block_entry_count blocks"
}
....
# the list file block_host_list becomes user chain "drophost" with action DROP
install_blockendropper block_host_list drophost DROP
....

Not what you want at all, but outlines a possible approach?

Script context: http://bugsplatter.mine.nu/bash/firewall/

Grant.
--
.... The computer scientist, who had listened to all of this said,
"Yes, but where do you think the chaos came from?"
 
drg
      02-23-2006, 03:23 AM
I mean, yes, I could have typed them or written a program to make all the
rules; it's a one-time process anyway... What I'm worried about is the
kernel: it will need to match hundreds of rules for every packet. I'm
worried about the performance of this.

 
Christoph Scheurer
      02-23-2006, 11:04 AM
On Wednesday, 22.02.2006, 20:23 -0800, drg wrote:
> I mean, yes, I could have typed or write a program to make all the
> rules, it's a one-time process anyway... What I'm worried about is the
> kernel, it will need to match hundreds of rules for every packet. I'm
> worried about the performance of this.
>

What you can do is split it up into different chains, like:

iptables -A INPUT -s 10.0.0.0/28 -j chain0
iptables -A INPUT -s 10.0.16.0/28 -j chain16
....

iptables -N chain0
iptables -A chain0 -s 10.0.0.0/24 -j ACCEPT
iptables -A chain0 -s 10.0.1.0/24 -j ACCEPT
....

iptables -N chain16
iptables -A chain16 -s 10.0.16.0/24 -j ACCEPT
iptables -A chain16 -s 10.0.17.0/24 -j ACCEPT
....

This way, the maximum number of rules a packet has to traverse is 32 instead of 254.
Whether it performs better, I don't know.

Greets
Chris

 
Christoph Scheurer
      02-23-2006, 11:05 AM
On Thursday, 23.02.2006, 13:04 +0100, Christoph Scheurer wrote:
> On Wednesday, 22.02.2006, 20:23 -0800, drg wrote:
> > I mean, yes, I could have typed or write a program to make all the
> > rules, it's a one-time process anyway... What I'm worried about is the
> > kernel, it will need to match hundreds of rules for every packet. I'm
> > worried about the performance of this.
> >

> what you can do is split up in different chains,like
>
> iptables -A INPUT -s 10.0.0.0/28 -j chain0
> iptables -A INPUT -s 10.0.16.0/28 -j chain16

^^^
Oops, should have been /20
>
> iptables -N chain0
> iptables -A chain0 -s 10.0.0.0/24 -j ACCEPT
> iptables -A chain0 -s 10.0.1.0/24 -j ACCEPT
> ...
>
> iptables -N chain16
> iptables -A chain16 -s 10.0.16.0/24 -j ACCEPT
> iptables -A chain16 -s 10.0.17.0/24 -j ACCEPT
> ...
>
> This way, the maximum rules a packet has to travel is 32 instead of 254.
> If it's more performant, I don't know.
>
> Greets
> Chris
>


 
Juha Laiho
      02-23-2006, 06:39 PM
"drg" <(E-Mail Removed)> said:
>I mean, yes, I could have typed or write a program to make all the
>rules, it's a one-time process anyway... What I'm worried about is the
>kernel, it will need to match hundreds of rules for every packet. I'm
>worried about the performance of this.


One thing is, do use stateful filtering. That way the full chains are
only traversed when a new connection is opened. Packets belonging to
established connections will be handled in a more efficient way (though,
if you expect a high number of simultaneous connections, then be
prepared that the connection lookup table will take a fair amount
of memory).
--
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
 
LordGarak@gmail.com
      02-23-2006, 08:58 PM
Seems to me that should be iptables -A FORWARD... not INPUT. Input is
for packets going to applications running on the router. The forward
table is where you would pass packets going through the router.

I think this is more of an application for policy routing rather than
netfilter.

Another method would be to use PPPoE.

Just my 2 canadian cents worth ...

 
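Pulling the thread's suggestions together (Grant: generate the rules from a script instead of typing them; Christoph: two-level chains so a packet walks a few dozen rules, not hundreds; Juha: let conntrack short-circuit established flows; LordGarak: filter in FORWARD, not INPUT), here is an added example that is not from any of the posters. Rather than calling iptables 270-odd times it prints an iptables-restore ruleset for the filter table, so the result can be read and syntax-checked before anything touches the kernel. The /16 prefix 10.0, the chain names iso_N and the DROP policy are assumptions; it covers all 256 /24s of the /16 and matches source and destination together at the /20 level, so a new-flow packet walks at most 2 conntrack rules, 16 dispatch rules and 16 rules in one sub-chain.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset that
# splits an assumed 10.0.0.0/16 into 256 /24s and lets hosts forward traffic
# only within their own /24. Nothing here touches the kernel: the script only
# prints text. Review it, then:
#   sh isolate.sh | iptables-restore --test   # parse only, apply nothing
#   sh isolate.sh | iptables-restore          # replace the filter table

NET_PREFIX="${NET_PREFIX:-10.0}"   # assumed first two octets of the /16
POLICY="${POLICY:-DROP}"           # FORWARD policy, as in the original post

# Chain that owns a given /24: the /20 it falls in, named after the first
# third octet of that /20 (17 -> iso_16, 255 -> iso_240). Assumed naming.
chain_for() {
    echo "iso_$(( $1 / 16 * 16 ))"
}

gen_rules() {
    echo '*filter'
    echo ":FORWARD $POLICY [0:0]"

    # Declare the 16 per-/20 user chains before any rule references them.
    block=0
    while [ "$block" -lt 256 ]; do
        echo ":iso_$block - [0:0]"
        block=$(( block + 16 ))
    done

    # Stateful shortcut: only the first packet of a flow walks the chains below.
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m conntrack --ctstate INVALID -j DROP'

    # Level 1: 16 rules. Source AND destination must sit in the same /20;
    # otherwise nothing matches and the packet falls through to the policy.
    block=0
    while [ "$block" -lt 256 ]; do
        echo "-A FORWARD -s $NET_PREFIX.$block.0/20 -d $NET_PREFIX.$block.0/20 -j $(chain_for "$block")"
        block=$(( block + 16 ))
    done

    # Level 2: 16 rules per chain, pairing each /24 with itself.
    third=0
    while [ "$third" -lt 256 ]; do
        echo "-A $(chain_for "$third") -s $NET_PREFIX.$third.0/24 -d $NET_PREFIX.$third.0/24 -j ACCEPT"
        third=$(( third + 1 ))
    done

    # Anything else forwarded (other /16s, the Internet) hits POLICY; rules for
    # that traffic belong here, ahead of COMMIT, if the router carries it.
    echo 'COMMIT'
}

# Print the ruleset to stdout.
gen_rules
```

iptables-restore loads the whole table in one transaction, so the router never runs with a half-built ruleset the way a loop of iptables -A calls does. On a current kernel the same policy fits in a single rule with an ipset of type hash:net,net or an nftables set, but the chain split above is what the 2006 toolset offered.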
drg
      02-24-2006, 01:43 AM
Yes, but PPPoE, PPTP and L2TP all suck. I tried all of them on Linux
and FreeBSD. PPPoE breaks when there is more than one access point
(because it's a Layer-2 protocol). PPTP and L2TP/IPSec suffer from the
same problem: they disconnect randomly (I never found out why) when
running on a busy wireless access point. Sessions are left open, some
braindead OSes (Win98) don't answer LCP echoes so some sessions get
closed, etc. So I have to make some kind of more secure MAC-address-based
authentication (because I cannot add WPA + EAP + RADIUS, since clients
with Win98 or with a client bridge instead of a computer cannot
connect).

 