How I would like to enhance iptables

Posted 12-04-2012 at 05:44 PM by Skaperen

There are cases where I want to change the iptables rules rapidly and reliably. But these cases don't really change any rule order; they only change the IP addresses of a rule (or of a group of rules).

Here's my idea. Designate some IP addresses for this special purpose, such as 0.1.X.Y, where X.Y represents 65536 possible address objects. The address objects are stored in the kernel with a means for root or designated users to access them. There would be a /proc entry for this, with subdirectory X and file Y. Root can create the X/Y file the way any file is created (touch it, or open it for writing) or destroy it with rm (remove, unlink). Root can change its ownership to allow another user to perform the other operations.

This object is a collection of IP addresses and subnets. Write a line beginning with "+" and an IP address/subnet, and that address/subnet is added to the object. Use "-" to remove an address/subnet from the object (it only removes subnets exactly as they were added; it does not carve into existing ones).

So we have a one-to-many address mapping.

For iptables rules that have one of these 0.1.X.Y addresses as their IP address, the comparison of a packet address against the rule address instead checks whether any address/subnet in the object matches or contains the address being compared. So if "+8/8" is written to the object, address "" would match, as would "".

The idea here is a fast means to add/delete IP addresses or subnets without actually changing or rebuilding any iptables rules. A similar means should be provided for IPv6 using some designated IPv6 address block.
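To make the proposal concrete, here is a user-space model of the mechanism described above, added as an illustration; it is not code from this post and nothing like it exists in the kernel. The names (`sentinel_key`, `parse_net`, `AddressObject`, `ProcAddressTable`), the choice of `0.1.0.0/16` as the sentinel block with X and Y taken from the third and fourth octets, and the padding of the shorthand `8/8` to `8.0.0.0/8` are all assumptions made here, and the addresses in the demo are constructed:

```python
"""User-space model of the address-object proposal (added illustration, not
kernel code). Object X/Y is selected by the sentinel address 0.1.X.Y in a
rule; the object's file takes "+net" / "-net" control lines; a rule carrying
a sentinel matches a packet if any network in the object contains the
packet address."""
import ipaddress
from typing import Dict, Optional, Set, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed reserved block: 0.1.X.Y names object X/Y (65536 objects).
SENTINEL_BLOCK = ipaddress.ip_network("0.1.0.0/16")


def sentinel_key(rule_addr: str) -> Optional[Tuple[int, int]]:
    """Return (X, Y) if rule_addr is a 0.1.X.Y sentinel, else None."""
    ip = ipaddress.ip_address(rule_addr)
    if ip.version != 4 or ip not in SENTINEL_BLOCK:
        return None
    packed = ip.packed
    return packed[2], packed[3]


def parse_net(spec: str) -> Net:
    """Parse a control-line operand. Full CIDR is accepted, and so is the
    post's shorthand ("8/8" meaning 8.0.0.0/8): missing IPv4 octets are
    padded with zeros. A bare address becomes a /32 or /128."""
    addr, sep, plen = spec.partition("/")
    if ":" not in addr:  # IPv4: pad shorthand to four octets
        octets = addr.split(".")
        if not 1 <= len(octets) <= 4:
            raise ValueError(f"bad IPv4 operand: {spec!r}")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(addr + (sep + plen if sep else ""), strict=False)


class AddressObject:
    """One object: the set of networks written to its /proc file."""

    def __init__(self) -> None:
        self.nets: Set[Net] = set()

    def write(self, text: str) -> None:
        """Apply control lines as a write(2) to the object's file would."""
        for raw in text.splitlines():
            line = raw.strip()
            if not line:
                continue
            op, operand = line[0], line[1:].strip()
            if op not in "+-":
                raise ValueError(f"bad control line: {raw!r}")
            net = parse_net(operand)
            if op == "+":
                self.nets.add(net)
            else:
                # "-" removes only a network added exactly as such; it never
                # carves a hole out of a larger network that contains it.
                self.nets.discard(net)

    def contains(self, pkt_addr: str) -> bool:
        """True if any stored network contains the packet address."""
        ip = ipaddress.ip_address(pkt_addr)
        return any(ip in net for net in self.nets)  # v4/v6 mismatch is False


class ProcAddressTable:
    """Models the /proc tree: root creates X/Y files, writes them, unlinks them."""

    def __init__(self) -> None:
        self.objects: Dict[Tuple[int, int], AddressObject] = {}

    def touch(self, x: int, y: int) -> AddressObject:
        return self.objects.setdefault((x, y), AddressObject())

    def unlink(self, x: int, y: int) -> None:
        self.objects.pop((x, y), None)

    def rule_matches(self, rule_addr: str, pkt_addr: str) -> bool:
        """The comparison a rule would make: an ordinary rule address matches
        by equality; a sentinel matches through object X/Y (a missing object
        matches nothing, so unlinking an object disables every rule using it)."""
        key = sentinel_key(rule_addr)
        if key is None:
            return ipaddress.ip_address(rule_addr) == ipaddress.ip_address(pkt_addr)
        obj = self.objects.get(key)
        return obj is not None and obj.contains(pkt_addr)


def demo() -> Tuple[bool, bool, bool, bool]:
    """Walk through the post's scenario with constructed addresses."""
    table = ProcAddressTable()
    obj = table.touch(3, 7)                                # touch <proc entry>/3/7
    obj.write("+8/8\n+10.1.2.0/24\n")                      # the post's "+8/8", plus one more
    in_8 = table.rule_matches("0.1.3.7", "8.8.8.8")        # True: 8.0.0.0/8 contains it
    obj.write("-8.8.8.0/24")                               # never added as such
    still_in_8 = table.rule_matches("0.1.3.7", "8.8.8.8")  # True: no carve-out
    obj.write("-8/8")                                      # removed exactly as added
    gone = table.rule_matches("0.1.3.7", "8.8.8.8")        # False
    table.unlink(3, 7)                                     # rm the object
    after_rm = table.rule_matches("0.1.3.7", "10.1.2.9")   # False: object gone
    return in_8, still_in_8, gone, after_rm


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

The demo returns (True, True, False, False): 8.8.8.8 matches through the sentinel once `+8/8` is written, a `-8.8.8.0/24` line has no effect because that network was never added as such, `-8/8` removes it, and unlinking the object makes every rule that references 0.1.3.7 match nothing. Two practical notes follow from the model. First, the sentinel block must be one that can never be a legitimate source or destination, and anything that builds rules from user-supplied addresses would have to reject it explicitly, or a caller could point a rule at an arbitrary object. Second, ipset already provides this separation of rule and address set: `ipset create allowed hash:net`, `ipset add allowed 8.0.0.0/8` and `iptables -A INPUT -m set --match-set allowed src -j ACCEPT` keep the rule fixed while the set changes, without reserving any address range.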
  1. Netfilter modules like recent and hashlimit provide you with a /proc interface to manage the sets of IP addresses you load into these buckets, but in terms of versatility and management they are crude compared to what ipset ( offers.
     *As far as I'm concerned the whole root vs unprivileged is a non-issue (Sudo).
     Posted 12-07-2012 at 10:41 AM by unSpawn