[CentOS] combining iptables parameters

Marcus Moeller mail at marcus-moeller.de
Wed Oct 28 20:36:05 UTC 2009


Dear Ryan,

>> is there a way to combine iptables parameters like: iptables -A OUTPUT
>> -p UDP & -p TCP -d $IP1 & -d $IP2 ?
>
> Each of those parameters is called a "match", in IPTables-speak. You
> can specify multiple matches in one rule, but all matches are combined
> with an implicit logical AND. There is no way to get a logical OR
> amongst multiple matches in a single rule. If you want OR logic, you
> use multiple rules.
>
> So, your example could not work as single rule, because no single IP
> packet can be both TCP and UDP, and no single IP packet can have
> multiple destination IP addresses. IPTables tries to prevent you from
> creating nonsensical rules like that in most situations.
>
> You would have to specify the required match space across multiple
> rules, maybe something like this:
>
>  iptables -A OUTPUT -p UDP -d $IP1 -j DROP
>  iptables -A OUTPUT -p TCP -d $IP1 -j DROP
>  iptables -A OUTPUT -p UDP -d $IP2 -j DROP
>  iptables -A OUTPUT -p TCP -d $IP2 -j DROP

That's what I am doing atm. Thanks for the update.

Best Regards
Marcus
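Added example, not part of the thread above: a small POSIX shell script that expands the "OR" across protocols and destinations into the rule set iptables actually needs. It shows the flat N x M expansion the reply describes, and, as a generalisation the thread does not cover, the same policy factored through a user-defined chain, which needs only N + M rules and keeps the host list in one place. The functions print the iptables commands rather than executing them, so the script runs offline; the chain name BLOCK_HOSTS and the addresses in IP1/IP2/IP3 (from the RFC 5737 documentation ranges) are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Prints iptables commands
# instead of running them; pipe the output to sh as root to apply.

# Flat expansion: one DROP rule per (protocol, destination) pair, N x M rules.
# Each rule is a pure AND of its matches, so every OR branch is its own rule.
gen_drop_rules() {
    protos="$1"   # space-separated protocol names, e.g. "udp tcp"
    dests="$2"    # space-separated destination IPs or CIDRs
    for d in $dests; do
        for p in $protos; do
            printf 'iptables -A OUTPUT -p %s -d %s -j DROP\n' "$p" "$d"
        done
    done
}

# Factored form: OUTPUT jumps into a user-defined chain once per protocol,
# and the chain holds one DROP rule per destination, so N + M rules total.
# The chain must be created (-N) before OUTPUT can jump to it.
gen_chain_rules() {
    chain="$1"; protos="$2"; dests="$3"
    printf 'iptables -N %s\n' "$chain"
    for d in $dests; do
        printf 'iptables -A %s -d %s -j DROP\n' "$chain" "$d"
    done
    for p in $protos; do
        printf 'iptables -A OUTPUT -p %s -j %s\n' "$p" "$chain"
    done
}

# Constructed sample addresses (RFC 5737 documentation ranges).
IP1=192.0.2.10
IP2=198.51.100.7
IP3=203.0.113.42

echo '# flat expansion (2 protocols x 3 hosts = 6 rules)'
gen_drop_rules "udp tcp" "$IP1 $IP2 $IP3"
echo '# user-defined chain (2 + 3 = 5 rules plus the chain creation)'
gen_chain_rules BLOCK_HOSTS "udp tcp" "$IP1 $IP2 $IP3"
```

Two practical notes: `iptables -N` fails if the chain already exists, so re-running the chain variant needs an `iptables -F BLOCK_HOSTS` (or a check with `iptables -L BLOCK_HOSTS -n`) first, and in both variants the rules are appended with `-A`, so any earlier ACCEPT rule in OUTPUT that matches the same traffic still wins.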


