[CentOS] combining iptables parameters

Marcus Moeller mail at marcus-moeller.de
Wed Oct 28 22:06:24 UTC 2009


Dear Ryan.

>>>  iptables -A OUTPUT -p UDP -d $IP1 -j DROP
>>>  iptables -A OUTPUT -p TCP -d $IP1 -j DROP
>>>  iptables -A OUTPUT -p UDP -d $IP2 -j DROP
>>>  iptables -A OUTPUT -p TCP -d $IP2 -j DROP
>>
>> That's what I am doing atm. Thanks for the update.
>
> BTW, if you have some complex chain of action logic (more than just a
> simple -j DROP), you could simplify your rules by creating a custom
> chain and having the rules on the builtin chain (OUTPUT, or whatever)
> jump to your custom chain instead of DROP.
>
> For example, If I wanted to use the same four rules from above, but I
> wanted to both log AND drop the incoming packets, a "naive"
> implementation might be something like this:
>
>  iptables -A OUTPUT -p UDP -d $IP1 -j LOG --log-prefix 'MYDROP: '
> --log-level notice
>  iptables -A OUTPUT -p UDP -d $IP1 -j DROP
>  iptables -A OUTPUT -p TCP -d $IP1 -j LOG --log-prefix 'MYDROP: '
> --log-level notice
>  iptables -A OUTPUT -p TCP -d $IP1 -j DROP
>  iptables -A OUTPUT -p UDP -d $IP2 -j LOG --log-prefix 'MYDROP: '
> --log-level notice
>  iptables -A OUTPUT -p UDP -d $IP2 -j DROP
>  iptables -A OUTPUT -p TCP -d $IP2 -j LOG --log-prefix 'MYDROP: '
> --log-level notice
>  iptables -A OUTPUT -p TCP -d $IP2 -j DROP
>
> You could do the same thing in a much more compact fashion by creating
> a custom chain called MYDROP:
>
>  iptables -N MYDROP
>  iptables -A MYDROP -j LOG --log-prefix 'MYDROP: ' --log-level notice
>  iptables -A MYDROP -j DROP
>  iptables -A OUTPUT -p UDP -d $IP1 -j MYDROP
>  iptables -A OUTPUT -p TCP -d $IP1 -j MYDROP
>  iptables -A OUTPUT -p UDP -d $IP2 -j MYDROP
>  iptables -A OUTPUT -p TCP -d $IP2 -j MYDROP

That's what I am doing, too. Just wondered if there is a way to
combine parameters with a logical OR.

Thanks
Marcus
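As an added example that is not part of the thread: a POSIX sh function that builds the custom-chain layout from the reply above for any list of protocols and destination addresses, so the OR over (protocol, address) pairs is expressed as one jump rule per pair while the LOG and DROP actions live in the chain once. It runs as a dry run (prints the commands) unless IPTABLES is set to the real binary; the chain name MYDROP and the 192.0.2.x addresses are constructed values.

```shell
#!/bin/sh
# IPTABLES defaults to "echo iptables" so this script only prints the rules
# it would apply; run with IPTABLES=iptables as root to apply them for real.
# (Deliberately unquoted below so "echo iptables" splits into two words.)
IPTABLES="${IPTABLES:-echo iptables}"

# build_drop_chain CHAIN LOGPREFIX PROTO... -- IP...
# Creates CHAIN with a LOG+DROP body, then adds one jump from OUTPUT to CHAIN
# for every (protocol, destination) pair. Adding an address or protocol costs
# a single jump rule instead of a new LOG/DROP pair.
build_drop_chain() {
    chain=$1
    prefix=$2
    shift 2
    protos=""
    # Collect protocols up to the "--" separator.
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        protos="$protos $1"
        shift
    done
    [ $# -gt 0 ] && shift   # drop the "--" itself
    $IPTABLES -N "$chain"
    $IPTABLES -A "$chain" -j LOG --log-prefix "$prefix" --log-level notice
    $IPTABLES -A "$chain" -j DROP
    for ip in "$@"; do
        for proto in $protos; do
            $IPTABLES -A OUTPUT -p "$proto" -d "$ip" -j "$chain"
        done
    done
}

# count_rules IP... : number of commands emitted for the constructed MYDROP
# chain with tcp and udp, which is 3 chain rules + 2 * (number of addresses).
count_rules() {
    build_drop_chain MYDROP 'MYDROP: ' tcp udp -- "$@" | wc -l | tr -d ' '
}

# Dry run for two constructed destinations (prints 7 commands).
build_drop_chain MYDROP 'MYDROP: ' tcp udp -- 192.0.2.1 192.0.2.2
```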
