[CentOS] combining iptables parameters

Ryan Lynch ryan.b.lynch at gmail.com
Fri Oct 30 01:09:40 UTC 2009


On Thu, Oct 29, 2009 at 16:57, Robert Spangler <mlists at zoominternet.net> wrote:
> Even simpler;
>
> iptables -A OUTPUT -d $IP1 -j DROP
> iptables -A OUTPUT -d $IP2 -j DROP
>
> This will catch everything doesn't matter if its UDP or TCP or ICMP.

I think you're missing the point of the original question: It's just
an example rule set to illustrate multiple matches. Marcus wanted to
know, generally, whether IPTables supports logical ORing matches
together.

And assuming it is a real-world example: Why would you assume he'd
want to block ICMP, too? I allow ICMP in a lot of rule sets that
forbid just TCP/UDP traffic, so I can check host uptime and link
latency without exposing any listening daemons. My routers use a
similar ruleset, too: They need to be able to talk ICMP with anybody
on the Internet, but not anything else.

-R


More information about the CentOS mailing list