[CentOS] combining iptables parameters

Thu Oct 29 19:43:45 UTC 2009
James B. Byrne <byrnejb at harte-lyne.ca>

Message-ID:
<fac47fca0910281232x71fbf92cva80095483d210db1 at mail.gmail.com>

On: Wed, 28 Oct 2009 20:32:14 +0100, Marcus Moeller
<mail at marcus-moeller.de> wrote:

> Hi all,
>
> is there a way to combine iptables parameters like: iptables
> -A OUTPUT -p UDP & -p TCP -d $IP1 & -d $IP2 ?


man iptables
...

       -p, --protocol [!] protocol
              The  protocol of the rule or of the packet to check.
              The specified protocol can be one of tcp, udp, icmp,
              or all, or it can be a  numeric  value, representing
              one of these protocols or a different  one.   A
              protocol  name  from  /etc/protocols  is  also
              allowed.   A  "!" argument before the protocol
              inverts the test. The number zero is equivalent to
              all.  Protocol all  will  match with  all  protocols
              and is taken as default when this option is omitted.

       -s, --source [!] address[/mask]
              Source specification.  Address can be either a network
              name,  a hostname  (please  note  that specifying any
              name to be resolved with a remote query such as DNS
              is a really bad idea), a network IP address (with
              /mask), or a plain IP address.  The mask can be
              either a network mask or a plain number, specifying
              the  number of 1’s at the left side of the network
              mask.  Thus, a mask of 24 is equivalent to
              255.255.255.0.   A  "!"  argument  before  the
              address specification inverts the sense of the
              address. The flag --src is an alias for this option.

If both TCP and UDP are to be blocked it may be inferred that
no other protocol is desired to connect either, so simply not
specifying any protocol will block all protocols including both TCP
and UDP.  If both are allowed then again there seems little purpose
in blocking any others and again by not specifying any protocol you
will obtain the desired result.  If instead you do want to allow
ICMP but nothing else then !icmp will match all protocols other than
icmp.

If IP1 and IP2 belong to a CIDR group and no intervening addresses
are permitted access as well then a suitable netblock mask will
achieve the desired results.  If not then each IP must be separately
specified.

So, something like this should work as a block for all protocols to
either address:

iptables -A OUTPUT -d $IP1 -j DROP
iptables -A OUTPUT -d $IP2 -j DROP

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
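The reasoning in the reply above, worked through as an added example that is not part of the original thread: a small POSIX sh script that emits the OUTPUT rules rather than executing them, so it can be checked unprivileged and then piped to sh on the firewall host. It omits -p to match every protocol, uses the negated-protocol form for "everything but ICMP", and merges two addresses into one -d netblock only after computing the smallest enclosing prefix and checking how many intervening addresses that block would also drop. The addresses (192.0.2.x, 198.51.100.x, 10.x) and the size threshold are constructed for the example. One caveat for current iptables releases: the man page quoted above shows the negation as "-p ! icmp"; newer versions expect "! -p icmp" and warn about the old spelling, which is what the script emits.

```shell
#!/bin/sh
# Added example, not code from the original post. Prints iptables OUTPUT
# rules for a list of destination IPs; nothing here touches the kernel.
# Sample addresses are constructed (TEST-NET and RFC 1918 ranges).

# Dotted quad -> 32-bit integer.
ip2int() {
    ip=$1; oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Smallest CIDR block containing both addresses: the prefix length is the
# number of leading bits the two addresses share.
enclosing_cidr() {
    a=$(ip2int "$1"); b=$(ip2int "$2")
    x=$(( a ^ b )); len=32
    while [ "$x" -ne 0 ]; do x=$(( x >> 1 )); len=$(( len - 1 )); done
    if [ "$len" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - len)) & 4294967295 )); fi
    echo "$(int2ip $(( a & mask )))/$len"
}

# Number of addresses a prefix covers, i.e. how many "intervening"
# hosts a merged block would drop along with the two you asked for.
cidr_size() {
    echo $(( 1 << (32 - ${1#*/}) ))
}

# One DROP rule per destination; no -p means every protocol is matched.
drop_rules() {
    for dst; do printf 'iptables -A OUTPUT -d %s -j DROP\n' "$dst"; done
}

# Same, but leave ICMP alone. Current iptables wants the negation in
# front of the option ("! -p icmp"); "-p ! icmp" is the deprecated form.
drop_rules_except_icmp() {
    for dst; do printf 'iptables -A OUTPUT ! -p icmp -d %s -j DROP\n' "$dst"; done
}

# Merge two addresses into one netblock rule only when the enclosing block
# is no larger than $1 addresses (a threshold chosen for this example, not
# something iptables knows about); otherwise emit one rule per address.
drop_rules_merged() {
    max=$1; ip1=$2; ip2=$3
    block=$(enclosing_cidr "$ip1" "$ip2")
    if [ "$(cidr_size "$block")" -le "$max" ]; then
        drop_rules "$block"
    else
        drop_rules "$ip1" "$ip2"
    fi
}

if [ "${1:-}" = "demo" ]; then
    drop_rules 192.0.2.10 192.0.2.20            # two rules, all protocols
    drop_rules_except_icmp 198.51.100.7         # everything but ICMP
    drop_rules_merged 32 192.0.2.10 192.0.2.20  # fits in 192.0.2.0/27, one rule
    drop_rules_merged 32 192.0.2.10 198.51.100.7 # far apart, two rules
fi
```

Run with `sh script.sh demo` to see the generated rules; review them, then feed them to sh on the host. The merge threshold exists precisely because of the point made in the reply: a netblock that covers both addresses also covers every address between them, and dropping those is only correct if none of them is needed.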