iptables - multiple source ips
 

I know this is an old post, but here it is 2010 and I cant seem to find any answer (that i understand) anywhere on google.

Is there a way to specify multiple src ips? I am filtering the internet for the safety of my kids, but I need to bypass that filter for my computer, my xbox and my server.

This is the current rule that allows my xbox to bypass the filter, but no matter what I have tried, I cant seem to specify more than 1 ip without having to specify an entire subnet.

iptables -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 ! -s 172.21.27.20 -j REDIRECT --to-ports 8080

If anyone has any advice, it would be greatly appreciated.

I've moved your post to a thread of its own. Please don't resurrect dead threads unless it's absolutely necessary. With regards to your question, AFAIK things haven't changed (there isn't a multiple IP match). In other words (assuming I'm right), you're gonna have to use individual rules for your PC, Xbox, and server. It's just a matter of sending packets with those source addresses to ACCEPT, before they can get sent to REDIRECT. For example (using three hypothetical IPs for your non-filtered boxes):EDIT: Just wanted to add that there's also a way to do this with IP ranges (it's still not the same as being able to specify multiple IPs in a single rule, though). This would, of course, require your three IPs to be contiguous. Example:You could even boil it down to a single rule by using an inverse match, like:

iptables filtering
 

win32sux,

Sorry about the resurrection. Thank you very much for such a quick reply. I will check this out and post results.

For some strange reason when I use any of the 3 rules you have supplied, everyone is able to surf the internet but the iprange supplied.

Single Address = Single address surfs freely (80), everyone else surfs filtered (8080). (old rule)
Multiple Addresses = Multiple addresses no longer surf (80), everyone else surfs filtered (8080). (any of 3 new rules)

Its obviously doing something, but almost like its dropping the iprange and continuing to forward everyone else.

Please post the output of:

This output is after your first (4 line) ruleset was applied

172.21.27.4 = My Desktop
172.21.27.6 = Nix Web/SSH Server (Not the system these rules are hosted on)
172.21.27.20 = Xbox



I've obfuscated your real IP address, which was present in your output. --win32sux

I'm not sure what's going on. I mean, it looks to me as if it should work as it is.
These rules make it so that any packet with a source address of 172.21.27.4, 172.21.27.6, or 172.21.27.20 gets sent to ACCEPT right away, so that it can be dealt with in the FORWARD chain. In the FORWARD chain, the first rule which this packet would match is:...which sends the packet to ACCEPT. Then, the packet gets its source address edited in the POSTROUTING chain:
...and it's on its final journey out to the WAN.

If that packet had a source address which didn't match either of those three IPs, and it had a destination port of 80/TCP, then it would match the REDIRECT rule and as such would be intercepted. There must be something I'm missing here, because like I said, I'm not sure why this wouldn't work as it is.

I'd suggest adding some LOG rules to get a better idea of what's happening.

Thanks for the address change. I wasn't concerned. Its dynamic anyway.

I'm glad that I'm not the only one looking at these rules, scratching my head and thinking. they should work. they should. haha

I will continue working this out and if I ever find a work around, Ill be sure to post it. Thanks for all your assistance win32sux.

I put together this script for you. It basically gives you a clean slate, without touching your INPUT or OUTPUT chains. Maybe you can run your tests after running this script and see if anything changes? If not, something should show up in the log file, as all filtered packets get logged in this setup. Here it is:

Thanks a lot win32sux. I really wasnt expecting anyone to put that much effort into it. I havent been ignoring you, just really busy right now. As soon as I get a chance, I will get back on this iptables issue and try out your script.

Thanks again. You have been a great help.

You're very welcome. I look forward to us getting this figured out! :)

Alright win32sux,

I had a few minutes to try your script. It errored out on me, but I dont have time to troubleshoot it right now. I have a work around that is getting me by for now. I have basically created 3 firewall.sh scripts. 1 for each system (ip). When I need a specific system to not go through 8080, i run the specific firewall.sh script for that system. I know its cheesy, but its working for now until I get time to continue troubleshooting it.

The only one that is a must for now is the xbox. It has to bypass filter for live to work. There is no internet surfing on the server and my personal computer, I can deal with until the issue is resolved.

Your script returned the

Bad argument try iptables -h for help error. I will be sure to update you with any findings or an updated script.

ignore last post
 

ignore that last post. I made a mistake when pasting your script. Sorry for the premature post.

iptables
 

I did try your script, but after running it the 3 computers (atleast the one I am on) quit accessing the internet all together.

Everything looks like it should work.

Logs show my src (client) and destination (linux proxy server) port 80, but no drops,etc.

I have some ideas/steps to help troubleshoot. I will post my findings...

Hi, rahmtech! Just wondering if you've made any progress on this.