Discussion:
iptables wildcard for IP Addresses?
Markus Feilner
2005-05-11 08:06:07 UTC
Hello List,
I want to enable several (ten) hosts to access my VPN. I am using SuSEfirewall
and I have custom iptables rules in SuSEfirewall2-custom.
Now I want to add one rule for all these hosts. I know that "!" is the
wildcard for "any host but the following".
How can I add an iptables rule affecting Source IPs from e.g. 1.1.1.10 to
1.1.1.20?
I've been looking, but I didn't find anything.
Can I use bash-constructs like for.. in SuSEfirewall2-custom?
Are there any docs around about this specific file?
Thanks!
--
---------------------------
Please note our new address details! Thank you.
---------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4 93047 Regensburg
fon +49 941 9465243 fax +49 941 9465244 mobil + +49 170 3027092
mail ***@feilner-it.net web http://www.feilner-it.net
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-***@suse.com
Security-related bug reports go to ***@suse.de, not here
Arthur
2005-05-11 11:46:10 UTC
Markus,

You could try something using your subnet mask.
For example, if you use this prefix: 1.1.1.17/28 (subnetmask
255.255.255.240)
you are giving access to hosts 1.1.1.17 through 1.1.1.30

A subnetmask 'calculator' is very handy with these things.
I use a freeware package from Boson, I believe it's called ipsubnetter.
(Try to google it or something :) )

Good luck :)

Regards,

Arthur Kok

Carl A. Schreiber
2005-05-11 12:04:35 UTC
Hmm,

According to Google there are only Windows versions or - when you search for 'Linux
ipsubnetter' - Chinese versions.

It looks as if I can't use any of them - :-(
Carl
Markus Feilner
2005-05-11 12:12:26 UTC
Post by Arthur
Markus,
You could try something using your subnet mask.
For example, if you use this prefix: 1.1.1.17/28 (subnetmask
255.255.255.240)
you are giving access to hosts 1.1.1.17 through 1.1.1.30
A subnetmask 'calculator' is very handy with these things.
I use a freeware package from Boson, I believe it's called ipsubnetter.
(Try to google it or something :) )
Thanks!
I found out that in SuSEfirewall2-custom, I can use shell scripts and
variables.
That does it!
Kind regards,
Markus Feilner

--------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4 93047 Regensburg
fon +49 941 9465243 fax +49 941 9465244 mobil + +49 170 3027092
skype ID: mfeilner mail: ***@feilner-it.net
Martin Köhling
2005-05-11 12:14:12 UTC
Hi!
Post by Markus Feilner
I want to enable several (ten) hosts to access my VPN. I am using SuSEfirewall
and I have custom iptables rules in SuSEfirewall2-custom.
Now I want to add one rule for all these hosts. I know that "!" is the
wildcard for "any host but the following".
How can I add an iptables rule affecting Source IPs from e.g. 1.1.1.10 to
1.1.1.20?
I've been looking, but I didn't find anything.
You might try the "iprange" packet matching module (-m iprange); it's not
documented in the man page, but "iptables -m iprange --help" prints the
following (at the end):

iprange match v1.2.9 options:
[!] --src-range ip-ip Match source IP in the specified range
[!] --dst-range ip-ip Match destination IP in the specified range

So you should be able to use something like:

iptables -A INPUT -m iprange --src-range 1.1.1.10-1.1.1.20 -j ACCEPT

This is present in SuSE 9.1, but apparently not in earlier versions.

Martin
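
Added example, not part of the original thread: where the iprange match is unavailable (Martin notes it is missing before SuSE 9.1), an arbitrary range such as 1.1.1.10-1.1.1.20 can still be matched exactly with plain -s rules by splitting it into aligned CIDR blocks, since no single prefix covers exactly those eleven hosts. The function names are hypothetical, and the rules are printed rather than executed so the script can be run without root.

```shell
#!/bin/sh
# Added example: expand an inclusive IPv4 range into the smallest set of
# CIDR blocks that covers it exactly, then print one iptables rule per block.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range_to_cidrs FIRST LAST -> one CIDR block per line
range_to_cidrs() (
    cur=$(ip_to_int "$1")
    end=$(ip_to_int "$2")
    [ "$cur" -le "$end" ] || { echo "range start is above range end" >&2; exit 1; }
    while [ "$cur" -le "$end" ]; do
        # Grow the block while it stays aligned on cur and inside the range.
        size=1
        bits=32
        while [ "$bits" -gt 0 ]; do
            next=$(( size * 2 ))
            [ $(( cur % next )) -eq 0 ] || break
            [ $(( cur + next - 1 )) -le "$end" ] || break
            size=$next
            bits=$(( bits - 1 ))
        done
        echo "$(int_to_ip "$cur")/$bits"
        cur=$(( cur + size ))
    done
)

# emit_rules FIRST LAST -> iptables commands, printed rather than executed
emit_rules() (
    range_to_cidrs "$1" "$2" | while read -r net; do
        echo "iptables -A INPUT -s $net -j ACCEPT"
    done
)

# The range from the question; yields four rules instead of one iprange rule.
emit_rules 1.1.1.10 1.1.1.20
```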
Markus Feilner
2005-05-11 13:44:15 UTC
Cool.
This is exactly what I was looking for. And it works.
--
Kind regards,
Markus Feilner
Dave Lists
2005-05-11 14:55:02 UTC
While on the topic of iptables changes through releases: does 9.3 have
the tarpit and the string modules for iptables?

Dave.