Hi all,
is there a way to combine iptables parameters like: iptables -A OUTPUT -p UDP & -p TCP -d $IP1 & -d $IP2 ?
Best Regards Marcus
On Wed, Oct 28, 2009 at 15:32, Marcus Moeller mail@marcus-moeller.de wrote:
is there a way to combine iptables parameters like: iptables -A OUTPUT -p UDP & -p TCP -d $IP1 & -d $IP2 ?
Each of those parameters is called a "match", in IPTables-speak. You can specify multiple matches in one rule, but all matches are combined with an implicit logical AND. There is no way to get a logical OR amongst multiple matches in a single rule. If you want OR logic, you use multiple rules.
So, your example could not work as a single rule, because no single IP packet can be both TCP and UDP, and no single IP packet can have multiple destination IP addresses. IPTables tries to prevent you from creating nonsensical rules like that in most situations.
You would have to specify the required match space across multiple rules, maybe something like this:
iptables -A OUTPUT -p UDP -d $IP1 -j DROP
iptables -A OUTPUT -p TCP -d $IP1 -j DROP
iptables -A OUTPUT -p UDP -d $IP2 -j DROP
iptables -A OUTPUT -p TCP -d $IP2 -j DROP
-Ryan
Dear Ryan.
is there a way to combine iptables parameters like: iptables -A OUTPUT -p UDP & -p TCP -d $IP1 & -d $IP2 ?
Each of those parameters is called a "match", in IPTables-speak. You can specify multiple matches in one rule, but all matches are combined with an implicit logical AND. There is no way to get a logical OR amongst multiple matches in a single rule. If you want OR logic, you use multiple rules.
So, your example could not work as a single rule, because no single IP packet can be both TCP and UDP, and no single IP packet can have multiple destination IP addresses. IPTables tries to prevent you from creating nonsensical rules like that in most situations.
You would have to specify the required match space across multiple rules, maybe something like this:
iptables -A OUTPUT -p UDP -d $IP1 -j DROP
iptables -A OUTPUT -p TCP -d $IP1 -j DROP
iptables -A OUTPUT -p UDP -d $IP2 -j DROP
iptables -A OUTPUT -p TCP -d $IP2 -j DROP
That's what I am doing atm. Thanks for the update.
Best Regards Marcus
On Wed, Oct 28, 2009 at 16:36, Marcus Moeller mail@marcus-moeller.de wrote:
You would have to specify the required match space across multiple rules, maybe something like this:
iptables -A OUTPUT -p UDP -d $IP1 -j DROP
iptables -A OUTPUT -p TCP -d $IP1 -j DROP
iptables -A OUTPUT -p UDP -d $IP2 -j DROP
iptables -A OUTPUT -p TCP -d $IP2 -j DROP
That's what I am doing atm. Thanks for the update.
BTW, if you have some complex chain of action logic (more than just a simple -j DROP), you could simplify your rules by creating a custom chain and having the rules on the builtin chain (OUTPUT, or whatever) jump to your custom chain instead of DROP.
For example, if I wanted to use the same four rules from above, but I wanted to both log AND drop the incoming packets, a "naive" implementation might be something like this:
iptables -A OUTPUT -p UDP -d $IP1 -j LOG --log-prefix 'MYDROP: ' --log-level notice
iptables -A OUTPUT -p UDP -d $IP1 -j DROP
iptables -A OUTPUT -p TCP -d $IP1 -j LOG --log-prefix 'MYDROP: ' --log-level notice
iptables -A OUTPUT -p TCP -d $IP1 -j DROP
iptables -A OUTPUT -p UDP -d $IP2 -j LOG --log-prefix 'MYDROP: ' --log-level notice
iptables -A OUTPUT -p UDP -d $IP2 -j DROP
iptables -A OUTPUT -p TCP -d $IP2 -j LOG --log-prefix 'MYDROP: ' --log-level notice
iptables -A OUTPUT -p TCP -d $IP2 -j DROP
You could do the same thing in a much more compact fashion by creating a custom chain called MYDROP:
iptables -N MYDROP
iptables -A MYDROP -j LOG --log-prefix 'MYDROP: ' --log-level notice
iptables -A MYDROP -j DROP
iptables -A OUTPUT -p UDP -d $IP1 -j MYDROP
iptables -A OUTPUT -p TCP -d $IP1 -j MYDROP
iptables -A OUTPUT -p UDP -d $IP2 -j MYDROP
iptables -A OUTPUT -p TCP -d $IP2 -j MYDROP
In programming, it would be analogous to factoring duplicative code into a common function. In this example, you really don't compress the expression very much (7 lines versus 8 lines). If you imagine a situation where MYDROP would contain 10 or 15 different actions, you'll understand how powerful it can be.
-Ryan
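The two points Ryan makes above (OR logic has to be spelled out as one AND-only rule per combination, and a shared custom chain keeps the per-rule action in one place) as an added example; this is not code from the thread. It assumes a dry-run default (IPT set to "echo iptables", so it can be read and tested without root; run it with IPT=iptables to load the rules for real), a chain name of MYDROP, and RFC 5737 documentation addresses standing in for $IP1 and $IP2.

```shell
#!/bin/sh
# Added example (not from the thread). Expands an "OR" of protocols and
# destinations into the AND-only rules iptables accepts, all jumping to one
# custom chain that logs and then drops (the MYDROP pattern above).
# Assumption: IPT defaults to a dry run ("echo iptables") so the script can be
# reviewed and tested without root; run with IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"
CHAIN="${CHAIN:-MYDROP}"

# build_drop_chain: create CHAIN with a LOG rule followed by DROP.
# -N fails if the chain already exists, so flush it instead (idempotent reload).
build_drop_chain() {
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"
    $IPT -A "$CHAIN" -j LOG --log-prefix "$CHAIN: " --log-level notice
    $IPT -A "$CHAIN" -j DROP
}

# expand_or "PROTOS" "DESTS": emit one OUTPUT rule per (proto, dest) pair.
# Each rule is still an AND of its matches; the OR lives in the rule list.
expand_or() {
    for p in $1; do
        for d in $2; do
            $IPT -A OUTPUT -p "$p" -d "$d" -j "$CHAIN"
        done
    done
}

# preview_rules "PROTOS" "DESTS": the commands expand_or would run, as text,
# regardless of how IPT is set (for review before loading, and for testing).
preview_rules() {
    ( IPT="echo iptables"; expand_or "$1" "$2" )
}

# count_rules "PROTOS" "DESTS": number of rules the expansion produces
# (|PROTOS| x |DESTS|), a sanity check before loading a large set.
count_rules() {
    preview_rules "$1" "$2" | wc -l | tr -d ' '
}

# Demo with RFC 5737 documentation addresses standing in for $IP1 and $IP2.
build_drop_chain
expand_or "udp tcp" "192.0.2.10 192.0.2.20"
```

Run as-is it prints the seven commands it would execute; with IPT=iptables it loads them, and `iptables -S OUTPUT` and `iptables -S MYDROP` show the result. Two protocols and two destinations give four OUTPUT rules, and the rule count grows as the product of the two lists, which is why the shared chain matters once the action is more than a bare DROP. Newer iptables releases accept a comma-separated list for -d and expand it into multiple rules themselves, but -p still takes a single protocol, so the loop over protocols is still needed.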
Dear Ryan.
iptables -A OUTPUT -p UDP -d $IP1 -j DROP
iptables -A OUTPUT -p TCP -d $IP1 -j DROP
iptables -A OUTPUT -p UDP -d $IP2 -j DROP
iptables -A OUTPUT -p TCP -d $IP2 -j DROP
That's what I am doing atm. Thanks for the update.
BTW, if you have some complex chain of action logic (more than just a simple -j DROP), you could simplify your rules by creating a custom chain and having the rules on the builtin chain (OUTPUT, or whatever) jump to your custom chain instead of DROP.
For example, if I wanted to use the same four rules from above, but I wanted to both log AND drop the incoming packets, a "naive" implementation might be something like this:
iptables -A OUTPUT -p UDP -d $IP1 -j LOG --log-prefix 'MYDROP: ' --log-level notice
iptables -A OUTPUT -p UDP -d $IP1 -j DROP
iptables -A OUTPUT -p TCP -d $IP1 -j LOG --log-prefix 'MYDROP: ' --log-level notice
iptables -A OUTPUT -p TCP -d $IP1 -j DROP
iptables -A OUTPUT -p UDP -d $IP2 -j LOG --log-prefix 'MYDROP: ' --log-level notice
iptables -A OUTPUT -p UDP -d $IP2 -j DROP
iptables -A OUTPUT -p TCP -d $IP2 -j LOG --log-prefix 'MYDROP: ' --log-level notice
iptables -A OUTPUT -p TCP -d $IP2 -j DROP
You could do the same thing in a much more compact fashion by creating a custom chain called MYDROP:
iptables -N MYDROP
iptables -A MYDROP -j LOG --log-prefix 'MYDROP: ' --log-level notice
iptables -A MYDROP -j DROP
iptables -A OUTPUT -p UDP -d $IP1 -j MYDROP
iptables -A OUTPUT -p TCP -d $IP1 -j MYDROP
iptables -A OUTPUT -p UDP -d $IP2 -j MYDROP
iptables -A OUTPUT -p TCP -d $IP2 -j MYDROP
That's what I am doing, too. Just wondered if there is a way to combine parameters with a logical OR.
Thanks Marcus
On Wednesday 28 October 2009 16:36, Marcus Moeller wrote:
Dear Ryan.
is there a way to combine iptables parameters like: iptables -A OUTPUT -p UDP & -p TCP -d $IP1 & -d $IP2 ?
Each of those parameters is called a "match", in IPTables-speak. You can specify multiple matches in one rule, but all matches are combined with an implicit logical AND. There is no way to get a logical OR amongst multiple matches in a single rule. If you want OR logic, you use multiple rules.
So, your example could not work as a single rule, because no single IP packet can be both TCP and UDP, and no single IP packet can have multiple destination IP addresses. IPTables tries to prevent you from creating nonsensical rules like that in most situations.
You would have to specify the required match space across multiple rules, maybe something like this:
iptables -A OUTPUT -p UDP -d $IP1 -j DROP
iptables -A OUTPUT -p TCP -d $IP1 -j DROP
iptables -A OUTPUT -p UDP -d $IP2 -j DROP
iptables -A OUTPUT -p TCP -d $IP2 -j DROP
That's what I am doing atm. Thanks for the update.
Even simpler:
iptables -A OUTPUT -d $IP1 -j DROP
iptables -A OUTPUT -d $IP2 -j DROP
This will catch everything; it doesn't matter if it's UDP or TCP or ICMP.
On Thu, Oct 29, 2009 at 16:57, Robert Spangler mlists@zoominternet.net wrote:
Even simpler:
iptables -A OUTPUT -d $IP1 -j DROP
iptables -A OUTPUT -d $IP2 -j DROP
This will catch everything; it doesn't matter if it's UDP or TCP or ICMP.
I think you're missing the point of the original question: It's just an example rule set to illustrate multiple matches. Marcus wanted to know, generally, whether IPTables supports logical ORing matches together.
And assuming it is a real-world example: Why would you assume he'd want to block ICMP, too? I allow ICMP in a lot of rule sets that forbid just TCP/UDP traffic, so I can check host uptime and link latency without exposing any listening daemons. My routers use a similar ruleset, too: They need to be able to talk ICMP with anybody on the Internet, but not anything else.
-R