* Large number of repeated rules with only differing -s ipaddrs/cidrs
@ 2004-04-19 10:02 Feizhou
2004-04-19 11:42 ` Frank Gruellich
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Feizhou @ 2004-04-19 10:02 UTC (permalink / raw)
To: netfilter
I don't know if such a question has been asked before and the archive
didn't provide a search button...
I have a whole bunch of ips/cidrs that I want to apply the rule to.
Is there any way to insert one rule where the -s would be able to look
up a table (btree/hash/cdb whatever) that contains those ips/cidrs
instead of insert gazillion rules?
* Re: Large number of repeated rules with only differing -s ipaddrs/cidrs
2004-04-19 10:02 Large number of repeated rules with only differing -s ipaddrs/cidrs Feizhou
@ 2004-04-19 11:42 ` Frank Gruellich
2004-04-19 13:44 ` Feizhou
2004-04-19 12:03 ` Jozsef Kadlecsik
2004-04-19 12:12 ` Torsten Luettgert
2 siblings, 1 reply; 10+ messages in thread
From: Frank Gruellich @ 2004-04-19 11:42 UTC (permalink / raw)
To: netfilter
Hello,
* Feizhou <feizhou@linuxmail.org> 19. Apr 04:
> I have a whole bunch of ips/cidrs that I want to apply the rule to.
First match the general part of the rule and jump into a user defined
chain to match the specific IPs, e.g.:
# iptables -N http_hosts
# iptables -A FORWARD -j http_hosts -p tcp --sport 1024:65535 --dport 80
# iptables -A http_hosts -j ACCEPT -s $ip1
# iptables -A http_hosts -j ACCEPT -s $ip2
# # [some more here]
# iptables -A http_hosts -j LOG --log-prefix='forbidden http: '
# iptables -A http_hosts -j REJECT
> Is there any way to insert one rule where the -s would be able to look
> up a table (btree/hash/cdb whatever) that contains those ips/cidrs
> instead of insert gazillion rules?
AFAIK, not built in, unfortunately. You can simulate something like
a btree (well, it's not balanced) with user defined chains, too. E.g. if
you have to match IPs in 192.168.0.0/24 you could
# iptables -F http_hosts
# iptables -N http_hosts_l
# iptables -N http_hosts_h
# iptables -A http_hosts -s 192.168.0.0/25 -j http_hosts_l
# iptables -A http_hosts -s 192.168.0.128/25 -j http_hosts_h
# iptables -A http_hosts -j REJECT
# iptables -N http_hosts_ll
# iptables -N http_hosts_lh
# iptables -A http_hosts_l -s 192.168.0.0/26 -j http_hosts_ll
# iptables -A http_hosts_l -s 192.168.0.64/26 -j http_hosts_lh
# iptables -N http_hosts_hl
# iptables -N http_hosts_hh
# iptables -A http_hosts_h -s 192.168.0.128/26 -j http_hosts_hl
# iptables -A http_hosts_h -s 192.168.0.192/26 -j http_hosts_hh
# # [and so on]
At some point you will reach rules like
# iptables -A http_hosts_lhlhhlh -s 192.168.0.90/32 -j ACCEPT
# iptables -A http_hosts_lhlhhlh -s 192.168.0.91/32 -j REJECT
(Of course the /32 is quite superfluous.) AFAICS you will surely hit an
ACCEPT or REJECT after (at most) 16 (?) tests for all (256) IPs in the
subnet. For /16-subnets (65536 IPs) the same scheme would hit after 48
tests. Of course you can leave out chains like
# iptables -A http_hosts_lhlhhlh -s 192.168.0.90/32 -j REJECT
# iptables -A http_hosts_lhlhhlh -s 192.168.0.91/32 -j REJECT
and reduce them to
# iptables -A http_hosts_lhlhhl -s 192.168.0.90/31 -j REJECT
Maybe you (or I) can write a script generating these rules. Uh, this
looks funny. Any comments on this?
Regards, Frank.
--
Sigmentation fault
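A generator for the tree Frank sketches, added here as an example (it is not Frank's code and not from the thread). It takes a constructed list of hosts to ACCEPT inside 192.168.0.0/24, keeps his chain naming (http_hosts, http_hosts_l, http_hosts_lh, ...) and applies the two shortcuts he mentions: a half that contains no allowed host gets no chain at all, because the parent chain's closing REJECT already covers it, and a half that is allowed in full gets a single ACCEPT rule instead of a subtree. It only prints the iptables commands; the root chain name, the /24 and the host list are assumptions made for the example.

```bash
#!/bin/bash
# Added example (not from the thread): generate Frank's binary tree of
# user-defined chains from a list of hosts to ACCEPT inside one /24.
# Halves with no allowed host are not created (the parent's final REJECT
# covers them); halves allowed in full get one ACCEPT instead of a child
# chain. The commands are printed, not applied.

ROOT=http_hosts            # chain name used in Frank's mail
BASE_NET=192.168.0.0       # constructed: the /24 the tree covers
BASE_PLEN=24
# constructed sample of hosts to allow; everything else in the /24 is rejected
ALLOWED="192.168.0.5 192.168.0.90 192.168.0.91 192.168.0.200"

ip2int() {                 # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                 # 32-bit integer -> dotted quad
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

ALLOWED_INT=""
for ip in $ALLOWED; do ALLOWED_INT="$ALLOWED_INT $(ip2int "$ip")"; done

count_in() {               # number of allowed hosts in [$1, $1 + $2)
  local n=0 a
  for a in $ALLOWED_INT; do
    [ "$a" -ge "$1" ] && [ "$a" -lt $(( $1 + $2 )) ] && n=$(( n + 1 ))
  done
  echo "$n"
}

# gen_chain SUFFIX START PLEN: emit the rules of chain ROOT_SUFFIX, which
# covers the 2^(32-PLEN) addresses starting at START, split into two halves
gen_chain() {
  local suffix=$1 start=$2 plen=$3
  local chain=$ROOT${suffix:+_$suffix}
  local half=$(( 1 << (31 - plen) ))      # addresses per half
  local side sub_start sub_net n child
  for side in l h; do
    sub_start=$start
    [ "$side" = h ] && sub_start=$(( start + half ))
    sub_net="$(int2ip "$sub_start")/$(( plen + 1 ))"
    n=$(count_in "$sub_start" "$half")
    if [ "$n" -eq 0 ]; then
      continue                            # nothing to allow: falls to REJECT below
    elif [ "$n" -eq "$half" ]; then
      echo "iptables -A $chain -s $sub_net -j ACCEPT"   # whole half allowed
    else
      child="${ROOT}_${suffix}${side}"
      echo "iptables -N $child"
      echo "iptables -A $chain -s $sub_net -j $child"
      gen_chain "${suffix}${side}" "$sub_start" $(( plen + 1 ))
    fi
  done
  echo "iptables -A $chain -j REJECT"     # default for this block
}

generate_rules() {         # the complete command list for ROOT and its subtree
  echo "iptables -N $ROOT"
  gen_chain "" "$(ip2int "$BASE_NET")" "$BASE_PLEN"
}

generate_rules
```

With the sample list the script produces Frank's `http_hosts_lhlhhl -s 192.168.0.90/31 -j ACCEPT` line by itself, since 192.168.0.90 and .91 fill their /31. The pruning keeps the chain count proportional to the number of allowed hosts times the tree depth rather than to the size of the subnet, but it does not change the conclusion Frank and Feizhou reach: every host still costs a handful of kernel rules.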
* Re: Large number of repeated rules with only differing -s ipaddrs/cidrs
2004-04-19 11:42 ` Frank Gruellich
@ 2004-04-19 13:44 ` Feizhou
0 siblings, 0 replies; 10+ messages in thread
From: Feizhou @ 2004-04-19 13:44 UTC (permalink / raw)
To: Frank Gruellich; +Cc: netfilter
Frank Gruellich wrote:
> Hello,
>
> * Feizhou <feizhou@linuxmail.org> 19. Apr 04:
>
>>I have a whole bunch of ips/cidrs that I want to apply the rule to.
>
>
>
> Maybe you (or I) can write a script generating these rules. Uh, this
> looks funny. Any comments on this?
:) Like you said, it looks funny.
I've thought of something like that...we would just stuff the kernel
with the rules...
Being able to do a -s or -d against a file lookup is much cleaner.
* Re: Large number of repeated rules with only differing -s ipaddrs/cidrs
2004-04-19 10:02 Large number of repeated rules with only differing -s ipaddrs/cidrs Feizhou
2004-04-19 11:42 ` Frank Gruellich
@ 2004-04-19 12:03 ` Jozsef Kadlecsik
2004-04-19 14:47 ` Feizhou
2004-04-19 12:12 ` Torsten Luettgert
2 siblings, 1 reply; 10+ messages in thread
From: Jozsef Kadlecsik @ 2004-04-19 12:03 UTC (permalink / raw)
To: Feizhou; +Cc: netfilter
On Mon, 19 Apr 2004, Feizhou wrote:
> I don't know if such a question has been asked before and the archive
> didn't provide a search button...
>
> I have a whole bunch of ips/cidrs that I want to apply the rule to.
>
> Is there any way to insert one rule where the -s would be able to look
> up a table (btree/hash/cdb whatever) that contains those ips/cidrs
> instead of insert gazillion rules?
Yes, you can use either the ippool or the ipset extensions. ippool is
capable of storing up to the number of IP addresses of a full class B network.
ippool can store network addresses as well and supports random
addresses/networks too.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: Large number of repeated rules with only differing -s ipaddrs/cidrs
2004-04-19 12:03 ` Jozsef Kadlecsik
@ 2004-04-19 14:47 ` Feizhou
2004-04-20 14:16 ` Jozsef Kadlecsik
0 siblings, 1 reply; 10+ messages in thread
From: Feizhou @ 2004-04-19 14:47 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter
>>I have a whole bunch of ips/cidrs that I want to apply the rule to.
>>
>>Is there any way to insert one rule where the -s would be able to look
>>up a table (btree/hash/cdb whatever) that contains those ips/cidrs
>>instead of insert gazillion rules?
>
>
> Yes, you can use either the ippool or the ipset extensions. ippool is
> capable of storing up to the number of IP addresses of a full class B network.
> ippool can store network addresses as well and supports random
> addresses/networks too.
>
lovely.
when will ipset be available in 2.6?
I presume ippool is going to become obsolete?
* Re: Large number of repeated rules with only differing -s ipaddrs/cidrs
2004-04-19 14:47 ` Feizhou
@ 2004-04-20 14:16 ` Jozsef Kadlecsik
2004-04-20 14:36 ` Feizhou
0 siblings, 1 reply; 10+ messages in thread
From: Jozsef Kadlecsik @ 2004-04-20 14:16 UTC (permalink / raw)
To: Feizhou; +Cc: netfilter
On Mon, 19 Apr 2004, Feizhou wrote:
> when will ipset be available in 2.6?
It needs more, exhaustive testing. ippool was tested more widely than
ipset.
> I presume ippool is going to become obsolete?
Originally ipset was planned to be released as a new version of ippool.
Unfortunately backward compatibility could not be preserved, so a new name
had to be found. It extends ippool, yes, but that does not mean ippool is
obsolete.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: Large number of repeated rules with only differing -s ipaddrs/cidrs
2004-04-20 14:16 ` Jozsef Kadlecsik
@ 2004-04-20 14:36 ` Feizhou
2004-04-20 14:59 ` Jozsef Kadlecsik
0 siblings, 1 reply; 10+ messages in thread
From: Feizhou @ 2004-04-20 14:36 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter
Jozsef Kadlecsik wrote:
> On Mon, 19 Apr 2004, Feizhou wrote:
>
>
>>when will ipset be available in 2.6?
>
>
> It needs more, exhaustive testing. ippool was tested more widely than
> ipset.
Oh...does that mean both can actually be compiled in 2.6?
>
>
>>I presume ippool is going to become obsolete?
>
>
> Originally ipset was planned to be released as a new version of ippool.
> Unfortunately backward compatibility could not be preserved, so a new name
> had to be found. It extends ippool, yes, but that does not mean ippool is
> obsolete.
>
Lovely. Does ippool/ipset take ips only or will they also take cidrs?
BTW...mail.so-net.com.hk is an ISP smarthost...could you block
so-net.com.hk not coming from 203.99.142.22 instead of a domain rule
block on rdns and sender addy?
And maybe all emails from 203.99.142.22 if sender addy not in
so-net.com.hk...
* Re: Large number of repeated rules with only differing -s ipaddrs/cidrs
2004-04-20 14:36 ` Feizhou
@ 2004-04-20 14:59 ` Jozsef Kadlecsik
2004-04-21 0:02 ` Feizhou
0 siblings, 1 reply; 10+ messages in thread
From: Jozsef Kadlecsik @ 2004-04-20 14:59 UTC (permalink / raw)
To: Feizhou; +Cc: netfilter
On Tue, 20 Apr 2004, Feizhou wrote:
> Jozsef Kadlecsik wrote:
> > On Mon, 19 Apr 2004, Feizhou wrote:
> >
> >
> >>when will ipset be available in 2.6?
> >
> >
> > It needs more, exhaustive testing. ippool was tested more widely than
> > ipset.
>
> Oh...does that mean both can actually be compiled in 2.6?
A minor fix is required to "port" both to 2.6.
> Lovely. Does ippool/ipset take ips only or will they also take cidrs?
ippool accepts IP addresses. In ipset, you can store CIDR netblocks as
well.
> BTW...mail.so-net.com.hk is an ISP smarthost...could you block
> so-net.com.hk not coming from 203.99.142.22 instead of a domain rule
> block on rdns and sender addy?
>
> And maybe all emails from 203.99.142.22 if sender addy not in
> so-net.com.hk...
netfilter was not designed to filter E-mail.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: Large number of repeated rules with only differing -s ipaddrs/cidrs
2004-04-20 14:59 ` Jozsef Kadlecsik
@ 2004-04-21 0:02 ` Feizhou
0 siblings, 0 replies; 10+ messages in thread
From: Feizhou @ 2004-04-21 0:02 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter
> A minor fix is required to "port" both to 2.6.
>
>
>>Lovely. Does ippool/ipset take ips only or will they also take cidrs?
>
>
> ippool accepts IP addresses. In ipset, you can store CIDR netblocks as
> well.
I see. Thanks.
>
>
>>BTW...mail.so-net.com.hk is an ISP smarthost...could you block
>>so-net.com.hk not coming from 203.99.142.22 instead of a domain rule
>>block on rdns and sender addy?
>>
>>And maybe all emails from 203.99.142.22 if sender addy not in
>>so-net.com.hk...
>
>
> netfilter was not designed to filter E-mail.
:) I guess I won't need to send anything private then. The list shall
suffice.
* Re: Large number of repeated rules with only differing -s ipaddrs/cidrs
2004-04-19 10:02 Large number of repeated rules with only differing -s ipaddrs/cidrs Feizhou
2004-04-19 11:42 ` Frank Gruellich
2004-04-19 12:03 ` Jozsef Kadlecsik
@ 2004-04-19 12:12 ` Torsten Luettgert
2 siblings, 0 replies; 10+ messages in thread
From: Torsten Luettgert @ 2004-04-19 12:12 UTC (permalink / raw)
To: netfilter
On Mon, 2004-04-19 at 12:02, Feizhou wrote:
> I don't know if such a question has been asked before and the archive
> didn't provide a search button...
>
> I have a whole bunch of ips/cidrs that I want to apply the rule to.
>
> Is there any way to insert one rule where the -s would be able to look
> up a table (btree/hash/cdb whatever) that contains those ips/cidrs
> instead of insert gazillion rules?
>
There's no built-in match for that. That's exactly why I wrote a match
for this (back when we were hit by code red).
I called it 'manyaddr', and it reads up to 15000 ip addresses (per rule)
from a file. You can then match source or destination address against
the addresses in the file.
If you aren't afraid of patching your kernel and iptables tree,
running patch-o-matic and recompiling everything, this could be
a good solution for you.
Please mail me if you want to give manyaddr a try.
Greetings,
Torsten Lüttgert <t.luettgert at pressestimmen.de>
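What Feizhou asks for, "one rule where the -s looks up a table", is what Jozsef's ipset and Torsten's manyaddr provide: the addresses live in a file, the rule set carries one match. The following is an added example, not code from the thread or from either project, and it assumes the ipset of current netfilter releases (the `ipset create/add/swap` CLI and the iptables `-m set --match-set` match), not the 2004 patch-o-matic build discussed above. The set name mirrors Frank's chain name and the address file is constructed. The part that runs here builds the `ipset restore` text from the file; loading it and the iptables rule are shown in the comments because they need root and a kernel with ipset.

```bash
#!/bin/bash
# Added example, not from the thread: the "one rule that looks up a table"
# with today's ipset (assumed: the ipset create/add/swap CLI and the iptables
# -m set --match-set match of current netfilter releases, not the 2004
# patch-o-matic ipset/ippool discussed above). The allowed hosts live in a
# plain file, one IP or CIDR per line, and are loaded into a hash:net set.

SET_NAME=http_hosts      # set name chosen to mirror Frank's chain name

# Constructed sample of the address file: comments and blank lines allowed
SAMPLE_LIST='
# hosts and networks allowed to reach port 80 (constructed example)
192.168.0.5
192.168.0.90/31
10.20.0.0/16
this is not an address
'

# Emit an `ipset restore` script from the list on stdin. Entries go into a
# scratch set that is then swapped with the live one, so the live set is
# replaced atomically and an entry ipset rejects aborts the load without
# leaving the live set half filled.
build_restore() {
  echo "create ${SET_NAME} hash:net family inet"
  echo "create ${SET_NAME}_tmp hash:net family inet"
  echo "flush ${SET_NAME}_tmp"
  grep -Ev '^[[:space:]]*(#|$)' | while read -r entry; do
    case $entry in
      *[!0-9./]*)          # crude sanity filter; ipset does the real parsing
        echo "skipping malformed entry: $entry" >&2
        continue ;;
    esac
    echo "add ${SET_NAME}_tmp $entry"
  done
  echo "swap ${SET_NAME}_tmp ${SET_NAME}"
  echo "destroy ${SET_NAME}_tmp"
}

# Loading and using the set (run as root; not executed by this script):
#   printf '%s' "$SAMPLE_LIST" | build_restore | ipset -exist restore
#   iptables -A FORWARD -p tcp --dport 80 -m set --match-set http_hosts src -j ACCEPT
#   iptables -A FORWARD -p tcp --dport 80 -j REJECT
# -exist makes the two create lines idempotent, so the same restore text
# serves both the first load and every later reload of the file; the two
# iptables rules are inserted once and never touched again.

printf '%s' "$SAMPLE_LIST" | build_restore
```

The swap is the detail worth keeping: reloading by flushing the live set and re-adding would leave a window in which every host is rejected, and a typo in the file would leave the set empty. With the scratch set the live set changes only once the whole file has loaded, and a malformed line is either filtered here or reported by ipset before the swap.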