Message-ID: <fac47fca0910281232x71fbf92cva80095483d210db1 at mail.gmail.com>
On: Wed, 28 Oct 2009 20:32:14 +0100, Marcus Moeller <mail at marcus-moeller.de> wrote:
> Hi all,
>
> is there a way to combine iptables parameters like: iptables
> -A OUTPUT -p UDP & -p TCP -d $IP1 & -d $IP2 ?
man iptables
...
-p, --protocol [!] protocol
The protocol of the rule or of the packet to check.
The specified protocol can be one of tcp, udp, icmp,
or all, or it can be a numeric value, representing
one of these protocols or a different one. A
protocol name from /etc/protocols is also
allowed. A "!" argument before the protocol
inverts the test. The number zero is equivalent to
all. Protocol all will match with all protocols
and is taken as default when this option is omitted.
-s, --source [!] address[/mask]
Source specification. Address can be either a network
name, a hostname (please note that specifying any
name to be resolved with a remote query such as DNS
is a really bad idea), a network IP address (with
/mask), or a plain IP address. The mask can be
either a network mask or a plain number, specifying
the number of 1's at the left side of the network
mask. Thus, a mask of 24 is equivalent to
255.255.255.0. A "!" argument before the
address specification inverts the sense of the
address. The flag --src is an alias for this option.
If both TCP and UDP are to be blocked it may be inferred that
no other protocol is desired to connect either, so simply not
specifying any protocol will block all protocols including both TCP
and UDP. If both are allowed then again there seems little purpose
in blocking any others and again by not specifying any protocol you
will obtain the desired result. If instead you do want to allow
ICMP but nothing else then !icmp will match all protocols other than
icmp.
If IP1 and IP2 belong to a CIDR group and no intervening addresses
are permitted access as well then a suitable netblock mask will
achieve the desired results. If not then each IP must be separately
specified.
So, something like this should work as a block for all protocols to
either address:
iptables -A OUTPUT -d $IP1 -j DROP
iptables -A OUTPUT -d $IP2 -j DROP
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
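An added example, not from the thread: a small POSIX sh script that prints the OUTPUT rules discussed above rather than loading them, so the generated ruleset can be reviewed first, and that checks whether two addresses share one /N netblock (James's CIDR point) before falling back to one rule per address. The addresses 192.0.2.10, 192.0.2.200 and 198.51.100.7 are constructed documentation-range stand-ins for $IP1/$IP2; the `-p ! proto` negation form follows the man page text quoted above (newer iptables releases prefer `! -p proto`).

```shell
#!/bin/sh
# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length to dotted netmask, e.g. 24 -> 255.255.255.0 (as in the man page).
prefix_to_mask() {
    m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# same_netblock A B PREFIX: succeed if A and B fall in the same /PREFIX,
# i.e. a single "-d NET/PREFIX" rule could cover both (and every host between).
same_netblock() {
    a=$(ip_to_int "$1"); b=$(ip_to_int "$2")
    m=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( a & m )) -eq $(( b & m )) ]
}

# drop_rules PROTO IP...: print one OUTPUT DROP rule per address.
#   all     -> no -p at all; matches every protocol (the default per the man page)
#   !icmp   -> "-p ! icmp": everything except icmp
#   tcp/udp -> that protocol only
drop_rules() {
    proto=$1; shift
    for ip in "$@"; do
        case $proto in
            all)  printf 'iptables -A OUTPUT -d %s -j DROP\n' "$ip" ;;
            '!'*) printf 'iptables -A OUTPUT -p ! %s -d %s -j DROP\n' "${proto#!}" "$ip" ;;
            *)    printf 'iptables -A OUTPUT -p %s -d %s -j DROP\n' "$proto" "$ip" ;;
        esac
    done
}

# Demo with constructed documentation-range addresses standing in for $IP1/$IP2.
IP1=192.0.2.10; IP2=192.0.2.200
if same_netblock "$IP1" "$IP2" 24; then
    printf '# %s and %s share a /24 (mask %s); one netblock rule would do\n' \
        "$IP1" "$IP2" "$(prefix_to_mask 24)"
fi
drop_rules all "$IP1" "$IP2"
```

Pipe the output into `sh` only after reviewing it; an aggregated netblock rule also blocks every intervening host, which is exactly the trade-off the reply describes.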