How I would like to enhance iptables

Posted 12-04-2012 at 04:44 PM by Skaperen

There are cases where I want to change iptables rapidly and reliably. But these cases don't really change any rule order; they only change the IP addresses of a rule (or of a gang of rules).

Here's my idea. Designate some IP addresses for this special purpose, such as 0.1.X.Y, where the last two octets X and Y identify one of 65536 possible address objects. (The 0.0.0.0/8 block is reserved as "this network" by RFC 1122, so such addresses never legitimately appear as a packet source or destination and cannot collide with a real rule target.) The address objects are stored in the kernel with a means for root or designated users to access them. There would be a /proc entry for this, with subdirectory X and file Y. Root can create the X/Y file the way any file is created (touch it, or open it for writing) or destroy it with rm (remove, unlink). Root can change its ownership to allow another user to perform the other operations.

This object is a collection of IP addresses and subnets. Write a line beginning with "+" followed by an IP address or subnet, and that address or subnet is added to the object. Use "-" to remove an address or subnet from the object. Removal only deletes an entry exactly as it was added; it does not carve a smaller range out of an existing one.

So one rule address maps to many real addresses: a one-to-many address mapping.

For an iptables rule whose address is one of these 0.1.X.Y addresses, comparing a packet address against the rule address instead checks whether any address or subnet stored in the object matches or contains the packet address. So if "+8/8" (that is, 8.0.0.0/8) is written to the object, the address 8.8.8.8 would match, as would 8.8.4.4.

The point is a fast way to add or delete IP addresses or subnets without changing or rebuilding any iptables rules. A similar mechanism should be provided for IPv6, using some designated IPv6 address block.
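The object semantics described above, as an added userspace model written for this page (not code from the post, and not kernel or netfilter code): a 0.1.X.Y rule address selects an object, "+"/"-" lines edit the object's set of networks, and a packet address matches the rule when any stored network contains it. Two details the post leaves open are assumptions here: the "8/8" shorthand is read by zero-filling the missing octets (8.0.0.0/8), and a rule that points at an object which does not exist matches nothing.

```python
import ipaddress

# Constructed model of the post's proposal: address "objects" addressed as
# 0.1.X.Y, each holding a set of IPv4 networks edited with "+net"/"-net"
# lines and matched by containment. Userspace illustration only, not
# kernel or netfilter code.

# The 0.1.X.Y block the post reserves for object addresses.
OBJECT_BLOCK = ipaddress.IPv4Network("0.1.0.0/16")


def object_id(addr):
    """Return (X, Y) if addr is a 0.1.X.Y object address, else None."""
    a = ipaddress.IPv4Address(addr)
    if a not in OBJECT_BLOCK:
        return None
    return a.packed[2], a.packed[3]


def parse_network(text):
    """Parse 'a.b.c.d/n', a bare host 'a.b.c.d' (treated as /32), or the
    abbreviated 'a/n' form the post uses ('8/8' -> 8.0.0.0/8).
    Assumption: missing trailing octets are zero-filled."""
    host, _, prefix = text.partition("/")
    prefix = prefix or "32"
    octets = host.split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and int(o) <= 255 for o in octets
    ):
        raise ValueError(f"bad address: {text!r}")
    octets += ["0"] * (4 - len(octets))
    # strict=False masks off host bits, so every entry is stored in
    # canonical form and can later be removed by that same form.
    return ipaddress.IPv4Network(".".join(octets) + "/" + prefix, strict=False)


class AddressObject:
    """One X/Y file: an unordered set of IPv4 networks."""

    def __init__(self):
        self.networks = set()

    def apply_line(self, line):
        """'+net' adds an entry; '-net' removes only an entry exactly as it
        was added (no carving a smaller range out of a larger one)."""
        line = line.strip()
        if not line:
            return
        op, rest = line[0], line[1:].strip()
        net = parse_network(rest)
        if op == "+":
            self.networks.add(net)
        elif op == "-":
            self.networks.discard(net)
        else:
            raise ValueError(f"line must start with '+' or '-': {line!r}")

    def matches(self, addr):
        """True if any stored address/subnet contains addr."""
        a = ipaddress.IPv4Address(addr)
        return any(a in net for net in self.networks)


class ObjectTable:
    """Stand-in for the proposed /proc tree: create/destroy play the
    role of touch and rm on the X/Y file."""

    def __init__(self):
        self.objects = {}

    def create(self, x, y):
        return self.objects.setdefault((x, y), AddressObject())

    def destroy(self, x, y):
        self.objects.pop((x, y), None)

    def rule_matches(self, rule_addr, packet_addr):
        """A 0.1.X.Y rule address means 'any member of object X/Y'; any
        other rule address is an ordinary exact comparison.
        Assumption: a rule pointing at a missing object matches nothing."""
        oid = object_id(rule_addr)
        if oid is None:
            return ipaddress.IPv4Address(rule_addr) == ipaddress.IPv4Address(packet_addr)
        obj = self.objects.get(oid)
        return obj is not None and obj.matches(packet_addr)


def demo():
    """Walk through the post's 8/8 example and the no-carving removal rule;
    returns the match results so they can be checked."""
    table = ObjectTable()
    obj = table.create(0, 7)          # like: touch /proc/<tree>/0/7
    for line in ["+8/8", "+192.0.2.0/24"]:
        obj.apply_line(line)
    before = {ip: table.rule_matches("0.1.0.7", ip)
              for ip in ("8.8.8.8", "8.8.4.4", "192.0.2.9", "9.9.9.9")}
    obj.apply_line("-8.8.8.0/24")     # never added as such: no effect
    still_8 = table.rule_matches("0.1.0.7", "8.8.8.8")
    obj.apply_line("-8/8")            # the entry as added: removed
    after_8 = table.rule_matches("0.1.0.7", "8.8.8.8")
    return before, still_8, after_8


if __name__ == "__main__":
    print(demo())
```

Running it shows the cost model the post is after: editing the object is a set insert or delete, while the rule itself is untouched, and the exact-entry removal rule means "-8.8.8.0/24" leaves 8.0.0.0/8 (and therefore 8.8.8.8) in place until "-8/8" is written.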
Comments

1. Comment by unSpawn, posted 12-07-2012 at 09:41 AM:
    Netfilter modules like recent and hashlimit provide you with a /proc interface to manage the sets of IP addresses you load into these buckets, but in terms of versatility and management they are crude compared to what ipset (http://ipset.netfilter.org) offers.
    *As far as I'm concerned the whole root vs. unprivileged is a non-issue (sudo).