* Unicast packets to multiple destinations -only-
@ 2004-11-18 9:48 Luigi Corsello
2004-11-18 13:32 ` Jason Opperisano
2004-11-18 16:22 ` Samuel Jean
0 siblings, 2 replies; 3+ messages in thread
From: Luigi Corsello @ 2004-11-18 9:48 UTC (permalink / raw)
To: Netfilter ML
Hi all,
I got 3 IPs in one interface (ip addr add, not aliasing), and wanted to
only allow unicast packets to any of them (and/or their subnet in one
case, to allow broadcasts for the local net).
Aim: no broadcasts, no multicast, spoofing prevention?.
You can't have multiple -d in rules. My quick solution was 3 tables
(this is a sample):
iptables -N ta
iptables -N tb
iptables -N tc
iptables -A tc -d ! $ip3 -j DROP
iptables -A tb -d ! $ip2 -j tc
iptables -A ta -d ! $ip1 -j tb
iptables -A INPUT -j ta
It works, much junk stays out. All services work.
From the list point of view, is this insane(a) stupid(b) or clever(c)?
and why?
Cheers,
/lc
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Unicast packets to multiple destinations -only-
2004-11-18 9:48 Unicast packets to multiple destinations -only- Luigi Corsello
@ 2004-11-18 13:32 ` Jason Opperisano
2004-11-18 16:22 ` Samuel Jean
1 sibling, 0 replies; 3+ messages in thread
From: Jason Opperisano @ 2004-11-18 13:32 UTC (permalink / raw)
To: netfilter
On Thu, 2004-11-18 at 04:48, Luigi Corsello wrote:
> Hi all,
>
> I got 3 IPs in one interface (ip addr add, not aliasing), and wanted to
> only allow unicast packets to any of them (and/or their subnet in one
> case, to allow broadcasts for the local net).
> Aim: no broadcasts, no multicast, spoofing prevention?.
>
> You can't have multiple -d in rules. My quick solution was 3 tables
> (this is a sample):
>
> iptables -N ta
> iptables -N tb
> iptables -N tc
>
> iptables -A tc -d ! $ip3 -j DROP
> iptables -A tb -d ! $ip2 -j tc
> iptables -A ta -d ! $ip1 -j tb
>
> iptables -A INPUT -j ta
>
> It works, much junk stays out. All services work.
> From the list point of view, is this insane(a) stupid(b) or clever(c)?
> and why?
if it works, then it's neither insane nor stupid. just to add a
viewpoint, if you asked me how to accomplish the same, i would have
probably answered:
iptables -N scrub_interface_0
iptables -A scrub_interface_0 -d ${ip1} -j RETURN
iptables -A scrub_interface_0 -d ${ip2} -j RETURN
iptables -A scrub_interface_0 -d ${ip3} -j RETURN
iptables -A scrub_interface_0 -j DROP
iptables -A INPUT -i ${int0} -j scrub_interface_0
from my perspective--i can figure out what the above is doing much more
quickly than i can looking at your method. but it's really just
that--personal preference.
-j
--
"When will I learn? The answer to life's problems aren't at the bottom
of a bottle, they're on TV!"
--The Simpsons
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: Unicast packets to multiple destinations -only-
2004-11-18 9:48 Unicast packets to multiple destinations -only- Luigi Corsello
2004-11-18 13:32 ` Jason Opperisano
@ 2004-11-18 16:22 ` Samuel Jean
1 sibling, 0 replies; 3+ messages in thread
From: Samuel Jean @ 2004-11-18 16:22 UTC (permalink / raw)
To: Luigi Corsello; +Cc: netfilter
On Thu, November 18, 2004 4:48 am, Luigi Corsello said:
> You can't have multiple -d in rules. My quick solution was 3 tables
Try `iptables -m iprange -h'
> Cheers,
> /lc
>
>
Regards,
Samuel
CookingLinux TM
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2004-11-18 16:22 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-11-18 9:48 Unicast packets to multiple destinations -only- Luigi Corsello
2004-11-18 13:32 ` Jason Opperisano
2004-11-18 16:22 ` Samuel Jean
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.