On Wednesday 28 October 2009 16:36, Marcus Moeller wrote:
Dear Ryan,
Is there a way to combine iptables parameters like: iptables -A OUTPUT -p UDP & -p TCP -d $IP1 & -d $IP2 ?
Each of those parameters is called a "match", in IPTables-speak. You can specify multiple matches in one rule, but all matches are combined with an implicit logical AND. There is no way to get a logical OR amongst multiple matches in a single rule. If you want OR logic, you use multiple rules.
So, your example could not work as a single rule, because no single IP packet can be both TCP and UDP, and no single IP packet can have multiple destination IP addresses. IPTables tries to prevent you from creating nonsensical rules like that in most situations.
You would have to specify the required match space across multiple rules, maybe something like this:
iptables -A OUTPUT -p UDP -d $IP1 -j DROP
iptables -A OUTPUT -p TCP -d $IP1 -j DROP
iptables -A OUTPUT -p UDP -d $IP2 -j DROP
iptables -A OUTPUT -p TCP -d $IP2 -j DROP
That's what I am doing atm. Thanks for the update.
Even simpler:
iptables -A OUTPUT -d $IP1 -j DROP
iptables -A OUTPUT -d $IP2 -j DROP
This will catch everything; it doesn't matter if it's UDP, TCP or ICMP.