[iptables] Effect of negating multiple source or dest IPs (-s or -d)

[iptables] Effect of negating multiple source or dest IPs (-s or -d)

[U.Mutlu]

What's the effect of this rule on a multihomed box
(the IPs below are just some examples, not real):

   iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP

Will it drop all packets not destined to both these IPs?
Or will it drop all packets but for the first IP?

Ie. when negating a rule on multiple elements, is then
the result an AND or an OR combination?
Ie. is it then !ip1 AND !ip2, or is it !ip1 OR !ip2 ?  :-)

Man page says this:
   [!] -s, --source address[/mask][,...]
   [!] -d, --destination address[/mask][,...]
     A "!" argument before the address specification inverts the sense of the address. [...]
     Multiple addresses can be specified, but this will expand to multiple rules (when adding with -A),
     or will cause multiple rules to be deleted (with -D).

Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)

[sim]

> What's the effect of this rule on a multihomed box
> (the IPs below are just some examples, not real):
>
>    iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
>

the newest version of iptables says:

iptables v1.4.12.1: ! not allowed with multiple source or destination IP
addresses

As it will be transformed in to two rules anyway, I'd recommend to
directly write n rules for that.

Simon

Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)

[U.Mutlu]

sim@netmess.org wrote, On 2011-11-08 17:16:
>> What's the effect of this rule on a multihomed box
>> (the IPs below are just some examples, not real):
>>
>>     iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
>>
>
> the newest version of iptables says:
>
> iptables v1.4.12.1: ! not allowed with multiple source or destination IP
> addresses

Oh, one wonders why they did so...

> As it will be transformed in to two rules anyway, I'd recommend to
> directly write n rules for that.

But in my above case then this can't work, or can it?

Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)

[Jan Engelhardt]

On Tuesday 2011-11-08 17:19, U.Mutlu wrote:

> sim@netmess.org wrote, On 2011-11-08 17:16:
>>> What's the effect of this rule on a multihomed box
>>> (the IPs below are just some examples, not real):
>>>
>>>    iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
>>>
>>
>> the newest version of iptables says:
>>
>> iptables v1.4.12.1: ! not allowed with multiple source or destination IP
>> addresses
>
> Oh, one wonders why they did so...

Because it leads to a confusing result.

	! -d a,b,c

could be reasonably interpreted as

	! -d a && ! -d b && ! -d c

but because using "," in -s/-d means a simple rule expansion, it 
actually generates an equivalent of

	! -d a || ! -d b || ! -d c

Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)

[U.Mutlu]

Jan Engelhardt wrote, On 2011-11-08 17:44:
> On Tuesday 2011-11-08 17:19, U.Mutlu wrote:
>
>> sim@netmess.org wrote, On 2011-11-08 17:16:
>>>> What's the effect of this rule on a multihomed box
>>>> (the IPs below are just some examples, not real):
>>>>
>>>>     iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
>>>>
>>>
>>> the newest version of iptables says:
>>>
>>> iptables v1.4.12.1: ! not allowed with multiple source or destination IP
>>> addresses
>>
>> Oh, one wonders why they did so...
>
> Because it leads to a confusing result.
>
> 	! -d a,b,c
>
> could be reasonably interpreted as
>
> 	! -d a&&  ! -d b&&  ! -d c
>
> but because using "," in -s/-d means a simple rule expansion, it
> actually generates an equivalent of
>
> 	! -d a || ! -d b || ! -d c

But OR'ing them IMHO doesn't make much sense, just think about it.
I would suggest to AND them.
Look, a normal rule like this one
   iptables -A INPUT -m state --state NEW -p tcp --dport  80 -j ACCEPT
matches only if every single part of it matches (ie. AND).
Then in our negation case above it should behave similar,
and not switch to OR.

Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)

[Jan Engelhardt]

>On Tuesday 2011-11-08 18:11, U.Mutlu wrote:
>> actually generates an equivalent of
>>
>> 	! -d a || ! -d b || ! -d c
>
> But OR'ing them IMHO doesn't make much sense, just think about it.
> I would suggest to AND them.

Rules exhibit an OR-like relationship to one another. There is nothing
that can be changed about it.

Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)

[Jozsef Kadlecsik]

On Tue, 8 Nov 2011, U.Mutlu wrote:

> Jan Engelhardt wrote, On 2011-11-08 17:44:
> > On Tuesday 2011-11-08 17:19, U.Mutlu wrote:
> > 
> > > sim@netmess.org wrote, On 2011-11-08 17:16:
> > > > > What's the effect of this rule on a multihomed box
> > > > > (the IPs below are just some examples, not real):
> > > > > 
> > > > >     iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
> > > > > 
> > > > 
> > > > the newest version of iptables says:
> > > > 
> > > > iptables v1.4.12.1: ! not allowed with multiple source or destination IP
> > > > addresses
> > > 
> > > Oh, one wonders why they did so...
> > 
> > Because it leads to a confusing result.
> > 
> > 	! -d a,b,c
> > 
> > could be reasonably interpreted as
> > 
> > 	! -d a&&  ! -d b&&  ! -d c
> > 
> > but because using "," in -s/-d means a simple rule expansion, it
> > actually generates an equivalent of
> > 
> > 	! -d a || ! -d b || ! -d c
> 
> But OR'ing them IMHO doesn't make much sense, just think about it.
> I would suggest to AND them.
> Look, a normal rule like this one
>   iptables -A INPUT -m state --state NEW -p tcp --dport  80 -j ACCEPT
> matches only if every single part of it matches (ie. AND).
> Then in our negation case above it should behave similar,
> and not switch to OR.

The matches are AND-ed. However the individual matches may generate OR 
conditions, like multiport.

What you suggest means that while

	-d a,b

is interpreted as "a" OR "b", then

	! -d a,b

should be interpeted as NOT "a" AND NOT "b".

I think that'd be pretty confusing.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)

[U.Mutlu]

Jozsef Kadlecsik wrote, On 2011-11-08 21:22:
> On Tue, 8 Nov 2011, U.Mutlu wrote:
>
>> Jan Engelhardt wrote, On 2011-11-08 17:44:
>>> On Tuesday 2011-11-08 17:19, U.Mutlu wrote:
>>>
>>>> sim@netmess.org wrote, On 2011-11-08 17:16:
>>>>>> What's the effect of this rule on a multihomed box
>>>>>> (the IPs below are just some examples, not real):
>>>>>>
>>>>>>      iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
>>>>>>
>>>>>
>>>>> the newest version of iptables says:
>>>>>
>>>>> iptables v1.4.12.1: ! not allowed with multiple source or destination IP
>>>>> addresses
>>>>
>>>> Oh, one wonders why they did so...
>>>
>>> Because it leads to a confusing result.
>>>
>>> 	! -d a,b,c
>>>
>>> could be reasonably interpreted as
>>>
>>> 	! -d a&&   ! -d b&&   ! -d c
>>>
>>> but because using "," in -s/-d means a simple rule expansion, it
>>> actually generates an equivalent of
>>>
>>> 	! -d a || ! -d b || ! -d c
>>
>> But OR'ing them IMHO doesn't make much sense, just think about it.
>> I would suggest to AND them.
>> Look, a normal rule like this one
>>    iptables -A INPUT -m state --state NEW -p tcp --dport  80 -j ACCEPT
>> matches only if every single part of it matches (ie. AND).
>> Then in our negation case above it should behave similar,
>> and not switch to OR.
>
> The matches are AND-ed. However the individual matches may generate OR
> conditions, like multiport.
>
> What you suggest means that while
>
> 	-d a,b
>
> is interpreted as "a" OR "b", then
>
> 	! -d a,b
>
> should be interpeted as NOT "a" AND NOT "b".
>
> I think that'd be pretty confusing.

My problem was this: my eth0 has to accept packets for 2 IPs,
but then I saw that there comes in also much other unwanted
garbage like broadcast and multicast, so I wanted right in the
beginning of my script DROP all packets not destined to the 2 IP.

Ok, I think as an alternative I can realize this with an
own chain and with 'convential' methods.
Too bad, I just wanted avoid that extra work of restructuring my script... :-)

Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)

[Amos Jeffries]

 On Tue, 08 Nov 2011 22:59:37 +0100, U.Mutlu wrote:
> Jozsef Kadlecsik wrote, On 2011-11-08 21:22:
>> On Tue, 8 Nov 2011, U.Mutlu wrote:
>>
>>> Jan Engelhardt wrote, On 2011-11-08 17:44:
>>>> On Tuesday 2011-11-08 17:19, U.Mutlu wrote:
>>>>
>>>>> sim@netmess.org wrote, On 2011-11-08 17:16:
>>>>>>> What's the effect of this rule on a multihomed box
>>>>>>> (the IPs below are just some examples, not real):
>>>>>>>
>>>>>>>      iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
>>>>>>>
>>>>>>
>>>>>> the newest version of iptables says:
>>>>>>
>>>>>> iptables v1.4.12.1: ! not allowed with multiple source or 
>>>>>> destination IP
>>>>>> addresses
>>>>>
>>>>> Oh, one wonders why they did so...
>>>>
>>>> Because it leads to a confusing result.
>>>>
>>>> 	! -d a,b,c
>>>>
>>>> could be reasonably interpreted as
>>>>
>>>> 	! -d a&&   ! -d b&&   ! -d c
>>>>
>>>> but because using "," in -s/-d means a simple rule expansion, it
>>>> actually generates an equivalent of
>>>>
>>>> 	! -d a || ! -d b || ! -d c
>>>
>>> But OR'ing them IMHO doesn't make much sense, just think about it.
>>> I would suggest to AND them.
>>> Look, a normal rule like this one
>>>    iptables -A INPUT -m state --state NEW -p tcp --dport  80 -j 
>>> ACCEPT
>>> matches only if every single part of it matches (ie. AND).
>>> Then in our negation case above it should behave similar,
>>> and not switch to OR.
>>
>> The matches are AND-ed. However the individual matches may generate 
>> OR
>> conditions, like multiport.
>>
>> What you suggest means that while
>>
>> 	-d a,b
>>
>> is interpreted as "a" OR "b", then
>>
>> 	! -d a,b
>>
>> should be interpeted as NOT "a" AND NOT "b".
>>
>> I think that'd be pretty confusing.

 As opposed to interpreting both as "any of this set":

  (a OR b)
 versus
   NOT (a OR b)

 Which can be stated in the docs.

 Confusion and clarity is just a matter of having the right description. 
 A technical reason should be the only blocker here.

 AYJ

Re: [iptables] Effect of negating multiple source or dest IPs (-s or -d)

[Jozsef Kadlecsik]

On Wed, 9 Nov 2011, Amos Jeffries wrote:

> On Tue, 08 Nov 2011 22:59:37 +0100, U.Mutlu wrote:
> > Jozsef Kadlecsik wrote, On 2011-11-08 21:22:
> > > On Tue, 8 Nov 2011, U.Mutlu wrote:
> > > 
> > > > Jan Engelhardt wrote, On 2011-11-08 17:44:
> > > > > On Tuesday 2011-11-08 17:19, U.Mutlu wrote:
> > > > > 
> > > > > > sim@netmess.org wrote, On 2011-11-08 17:16:
> > > > > > > > What's the effect of this rule on a multihomed box
> > > > > > > > (the IPs below are just some examples, not real):
> > > > > > > > 
> > > > > > > >      iptables -A INPUT ! -d 1.2.3.4,2.3.4.5 -p all -j DROP
> > > > > > > > 
> > > > > > > 
> > > > > > > the newest version of iptables says:
> > > > > > > 
> > > > > > > iptables v1.4.12.1: ! not allowed with multiple source or
> > > > > > > destination IP
> > > > > > > addresses
> > > > > > 
> > > > > > Oh, one wonders why they did so...
> > > > > 
> > > > > Because it leads to a confusing result.
> > > > > 
> > > > > 	! -d a,b,c
> > > > > 
> > > > > could be reasonably interpreted as
> > > > > 
> > > > > 	! -d a&&   ! -d b&&   ! -d c
> > > > > 
> > > > > but because using "," in -s/-d means a simple rule expansion, it
> > > > > actually generates an equivalent of
> > > > > 
> > > > > 	! -d a || ! -d b || ! -d c
> > > > 
> > > > But OR'ing them IMHO doesn't make much sense, just think about it.
> > > > I would suggest to AND them.
> > > > Look, a normal rule like this one
> > > >    iptables -A INPUT -m state --state NEW -p tcp --dport  80 -j ACCEPT
> > > > matches only if every single part of it matches (ie. AND).
> > > > Then in our negation case above it should behave similar,
> > > > and not switch to OR.
> > > 
> > > The matches are AND-ed. However the individual matches may generate OR
> > > conditions, like multiport.
> > > 
> > > What you suggest means that while
> > > 
> > > 	-d a,b
> > > 
> > > is interpreted as "a" OR "b", then
> > > 
> > > 	! -d a,b
> > > 
> > > should be interpeted as NOT "a" AND NOT "b".
> > > 
> > > I think that'd be pretty confusing.
> 
> As opposed to interpreting both as "any of this set":
> 
>  (a OR b)
> versus
>   NOT (a OR b)
> 
> Which can be stated in the docs.

But the latter is not possible due to the implementation: the matches in a 
rule form AND conditions while rules do OR conditions. The list of IP 
addresses in "-d" and "-s" is just a shorthand notation and is exploded 
into that many elementary rules.

So the condition "-d a,b" is equivalent to "-d a OR -d b" which is exactly 
the two rules generated from the single one. However if "! -d a,b" is to 
be interpreted as "NOT (-d a OR -d b)", that is actually "(NOT -d a) AND 
(NOT -d b)" which just cannot be exploded into two rules.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary