From: Martin Millnert <millnert@csbnet.se>
To: "Mihamina Rakotomandimby (R12y)" <mihamina@lab.vectoris.fr>
Cc: netfilter@vger.kernel.org
Subject: Re: mask 10 -> 29
Date: Wed, 15 Apr 2009 19:22:30 +0200
Message-ID: <1239816150.15363.38.camel@localhost.localdomain>
In-Reply-To: <49E6044F.5070305@lab.vectoris.fr>
On Wed, 2009-04-15 at 18:59 +0300, Mihamina Rakotomandimby (R12y) wrote:
> Hi,
> I have this kind of shell script in order to set something on a bunch of IP
> addresses:
>
> for ACCEPTED_MACHINE in \
> 192.168.0.10 \
> 192.168.0.11 \
> 192.168.0.12 \
> 192.168.0.13 \
> 192.168.0.14 \
> 192.168.0.15 \
> 192.168.0.16 \
> 192.168.0.17 \
> 192.168.0.18 \
> 192.168.0.19 \
> 192.168.0.20 \
> 192.168.0.21 \
> 192.168.0.22 \
> 192.168.0.23 \
> 192.168.0.24 \
> 192.168.0.25 \
> 192.168.0.26 \
> 192.168.0.27 \
> 192.168.0.28 \
> 192.168.0.29
> do
> $IPTABLES [...]
> done
>
>
> How could I use a mask such as 192.168.0.0/NN to exactly match the list?
> Thank you.
>
Hi Mihamina,

Possible exact solutions include either:

  aggregate - { ftp://ftp.isc.org/isc/aggregate/ |
                http://packages.debian.org/aggregate } - CIDR aggregation
or,
  iptables -m iprange - non-CIDR consecutive IP-ranges matching

Examples:

aggregate
anticimex@natalie:/tmp$ awk '{print $1 "/32"}' << EOF | aggregate
> 192.168.0.10
> 192.168.0.11
> 192.168.0.12
> 192.168.0.13
> 192.168.0.14
> 192.168.0.15
> 192.168.0.16
> 192.168.0.17
> 192.168.0.18
> 192.168.0.19
> 192.168.0.20
> 192.168.0.21
> 192.168.0.22
> 192.168.0.23
> 192.168.0.24
> 192.168.0.25
> 192.168.0.26
> 192.168.0.27
> 192.168.0.28
> 192.168.0.29
> EOF
aggregate: maximum prefix length permitted will be 32
192.168.0.10/31
192.168.0.12/30
192.168.0.16/29
192.168.0.24/30
192.168.0.28/31
anticimex@natalie:/tmp$
iptables -m iprange
natalie:~# iptables -A INPUT -i eth2 -m iprange --src-range 192.168.0.10-192.168.0.29
natalie:~# iptables -nvL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           source IP range 192.168.0.10-192.168.0.29
natalie:~#
anticimex@natalie:/tmp$ /sbin/iptables -m iprange -h
<snip>
iprange match options:
[!] --src-range ip-ip Match source IP in the specified range
[!] --dst-range ip-ip Match destination IP in the specified range
Hope this helps.
Regards,
--
Martin Millnert <millnert@csbnet.se>
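
The CIDR split that aggregate printed above can also be computed directly in the shell. This is an added example, not part of the original message or of the aggregate tool; the function names are hypothetical. It also reports how many extra addresses the smallest single covering prefix would match, which is why no single 192.168.0.0/NN fits the list exactly.

```shell
#!/bin/sh
# Added example (not from the original message): split an inclusive IPv4
# range into the fewest CIDR prefixes, and show what one wide mask would add.
# Function names are hypothetical; sample addresses are the ones in the thread.

ip_to_int() {            # dotted quad -> 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {            # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the minimal exact CIDR cover of the range $1-$2, one prefix per line.
range_to_cidrs() {
    start=$(ip_to_int "$1"); end=$(ip_to_int "$2")
    while [ "$start" -le "$end" ]; do
        size=1; len=32
        # Double the block while it stays aligned on $start and inside the range.
        while [ "$len" -gt 0 ] &&
              [ $(( start & (size * 2 - 1) )) -eq 0 ] &&
              [ $(( start + size * 2 - 1 )) -le "$end" ]; do
            size=$(( size * 2 )); len=$(( len - 1 ))
        done
        echo "$(int_to_ip "$start")/$len"
        start=$(( start + size ))
    done
}

# Print the smallest single prefix containing the range, plus the number of
# addresses outside the range that it would also match.
covering_prefix() {
    start=$(ip_to_int "$1"); end=$(ip_to_int "$2")
    size=1; len=32
    while [ $(( start / size )) -ne $(( end / size )) ]; do
        size=$(( size * 2 )); len=$(( len - 1 ))
    done
    echo "$(int_to_ip $(( start / size * size )))/$len extra=$(( size - (end - start + 1) ))"
}

range_to_cidrs 192.168.0.10 192.168.0.29
covering_prefix 192.168.0.10 192.168.0.29
```

Each printed prefix can stand in for one entry of the original for loop, cutting twenty rules to five without admitting any address outside .10 to .29.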