* quick syntax query
@ 2004-06-07 10:53 Knight, Steve
  2004-06-07 11:06 ` Raileanu Grigore
  2004-06-07 11:54 ` John A. Sullivan III
  0 siblings, 2 replies; 3+ messages in thread
From: Knight, Steve @ 2004-06-07 10:53 UTC (permalink / raw)
  To: 'netfilter@lists.netfilter.org'

Hi there

Can one use syntax other than CIDR notation when defining things like
networks?

i.e. it's common to see

LAN_RANGE="192.168.0.0/24"

in rule bases, but I would like to use

DODGY_RANGE="192.168.0.1-5"
GOOD_RANGE="192.168.0.6-30"
BAD_BAD_RANGE="192.168.31-40"


a la `nmap` syntax.

Is this something netfilter can handle?

Thanks in advance


Steve








* Re: quick syntax query
  2004-06-07 10:53 quick syntax query Knight, Steve
@ 2004-06-07 11:06 ` Raileanu Grigore
  2004-06-07 11:54 ` John A. Sullivan III
  1 sibling, 0 replies; 3+ messages in thread
From: Raileanu Grigore @ 2004-06-07 11:06 UTC (permalink / raw)
  To: netfilter

On Mon, 7 Jun 2004 11:53:10 +0100
"Knight, Steve" <Steve.Knight@bskyb.com> wrote:

> Hi there
> 
> Can one use syntax other than CIDR notation when defining things like
> networks?
> 
> i.e. it's common to see
> 
> LAN_RANGE="192.168.0.0/24"
> 
> in rule bases, but I would like to use
> 
> DODGY_RANGE="192.168.0.1-5"
> GOOD_RANGE="192.168.0.6-30"
> BAD_BAD_RANGE="192.168.31-40"
> 
> 
> a la `nmap` syntax.
> 
> Is this something netfilter can handle?
> 
> Thanks in advance
> 
> 
> Steve
> 

The patch-o-matic iprange patch has this feature:

The base/iprange patch:
   Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
   Status: Works

   This patch makes it possible to match source/destination IP
   addresses against inclusive IP address ranges.

   Examples.

   iptables -A FORWARD -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT
   iptables -A FORWARD -m iprange --dst-range 10.0.0.0-10.5.255.255 -j ACCEPT

-- 
Best regards,
Raileanu Grigore
mail: grisha at unixro dot net
phone: +40 742759147



* Re: quick syntax query
  2004-06-07 10:53 quick syntax query Knight, Steve
  2004-06-07 11:06 ` Raileanu Grigore
@ 2004-06-07 11:54 ` John A. Sullivan III
  1 sibling, 0 replies; 3+ messages in thread
From: John A. Sullivan III @ 2004-06-07 11:54 UTC (permalink / raw)
  To: Knight, Steve; +Cc: 'netfilter@lists.netfilter.org'

On Mon, 2004-06-07 at 06:53, Knight, Steve wrote:
> Hi there
> 
> Can one use syntax other than CIDR notation when defining things like
> networks?
> 
> i.e. it's common to see
> 
> LAN_RANGE="192.168.0.0/24"
> 
> in rule bases, but I would like to use
> 
> DODGY_RANGE="192.168.0.1-5"
> GOOD_RANGE="192.168.0.6-30"
> BAD_BAD_RANGE="192.168.31-40"
> 
> 
> a la `nmap` syntax.
> 
> Is this something netfilter can handle?
> 
<snip>
Yes, besides using CIDR and Dotted Decimal notation, one can apply the
IPRange patch-o-matic patch and use a rule such as

iptables -A FORWARD -m iprange --src-range 192.168.1.10-192.168.1.20 -j ACCEPT

We use it all the time in the ISCS project.

If you do not want to patch, you can use SubnetCreator
(http://subnetcreator.sourceforge.net) to turn a range into a list of
subnets and then make rules for each of the subnets.  If you are using
Qt, it also provides a series of routines to do this programmatically.

-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
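The unpatched route John describes (turn the range into a list of subnets, then one rule per subnet) is shown below as an added example; it is not code from the thread, from SubnetCreator or from netfilter, the function names are mine, and it also accepts the nmap-style shorthand Steve asked about.

```python
import ipaddress
import re

# Hypothetical helpers (not SubnetCreator's API): "a.b.c.x-y" shorthand or a
# full "a.b.c.d-e.f.g.h" range -> minimal CIDR blocks -> one iptables rule each.
NMAP_RANGE = re.compile(r"^(\d+\.\d+\.\d+\.)(\d+)-(\d+)$")


def parse_nmap_range(spec: str):
    """Return (first, last) IPv4Address for 'a.b.c.x-y' or 'a.b.c.x-a.b.c.y'."""
    m = NMAP_RANGE.match(spec)
    if m:
        prefix, lo, hi = m.groups()
        first, last = ipaddress.IPv4Address(prefix + lo), ipaddress.IPv4Address(prefix + hi)
    else:
        lo, hi = spec.split("-")
        first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    if last < first:
        raise ValueError(f"range end precedes start: {spec}")
    return first, last


def range_to_cidrs(first, last):
    """Greedy split: at each step take the largest aligned block that still fits."""
    blocks = []
    cur, end = int(first), int(last)
    while cur <= end:
        size = 32  # start with a single host and widen while alignment and bound allow
        while size > 0:
            span = 1 << (32 - (size - 1))
            if cur % span != 0 or cur + span - 1 > end:
                break
            size -= 1
        blocks.append(ipaddress.IPv4Network((cur, size)))
        cur += 1 << (32 - size)
    return blocks


def iptables_rules(spec, chain="FORWARD", target="ACCEPT", direction="src"):
    """One plain -s/-d rule per CIDR block: no iprange patch needed."""
    flag = "-s" if direction == "src" else "-d"
    return [f"iptables -A {chain} {flag} {net.with_prefixlen} -j {target}"
            for net in range_to_cidrs(*parse_nmap_range(spec))]


if __name__ == "__main__":
    for rule in iptables_rules("192.168.0.6-30"):  # constructed sample range
        print(rule)
```

A /24 written as "192.168.0.0-255" collapses back to a single rule, while an unaligned range such as 6-30 expands to six rules, which is the price of avoiding the patch.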



