...or using
ipset and asserting the raw table PREROUTING chain has a DROP policy (which is not the default):
Code:
ipset -N SSH_WHITELIST hash:net family inet
ipset add SSH_WHITELIST 5.5.0.0/23
ipset add SSH_WHITELIST 182.72.142.46/24   # hash:net clears the host bits and stores 182.72.142.0/24
# The raw table is hit before connection tracking, so "-m state" cannot match there;
# --syn selects new connection attempts instead. With a DROP policy on this chain, the
# remaining packets of accepted connections still need their own ACCEPT rule.
iptables -t raw -A PREROUTING -i eth1 -p tcp --dport 22 --syn -m set --match-set SSH_WHITELIST src -j ACCEPT
ipset means easier rule management
* so you can add
Code:
ipset add SSH_WHITELIST 8.1.0.0/23
or delete
Code:
ipset del SSH_WHITELIST 182.72.142.46/24
addresses and ranges without changing any iptables rule.
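As an added example (not code from the post), the script below generates the ipset commands for reloading the SSH_WHITELIST set atomically: entries are validated and normalised to the network hash:net will store, filled into a fresh set, and swapped into place so the live set is never empty while the chain policy is DROP. The set name and type come from the post; the _tmp set name, the helper names and the input format are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the post: generates an atomic reload of the
# SSH_WHITELIST set. Set name and hash:net type are from the post; the _tmp
# set name, the helper names and the input format are assumptions.
SET_NAME=SSH_WHITELIST

# cidr_network 182.72.142.46/24 -> 182.72.142.0/24, i.e. the network that
# hash:net actually stores. Returns 1 on malformed input so a typo never
# reaches the set that decides who may talk to sshd.
cidr_network() {
    case "$1" in */*) addr=${1%/*}; plen=${1#*/} ;; *) addr=$1; plen=32 ;; esac
    case "$plen" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( net >> 24 & 255 )) $(( net >> 16 & 255 )) \
        $(( net >> 8 & 255 )) $(( net & 255 )) "$plen"
}

# build_reload CIDR...: prints ipset commands that fill a fresh set and swap it
# into place, so the live set is never empty or half-filled. With a DROP policy
# on the chain, an empty whitelist would lock every admin out of SSH.
# Validates all entries first and prints nothing if any of them is bad.
build_reload() {
    tmp="${SET_NAME}_tmp"
    nets=
    for entry in "$@"; do
        net=$(cidr_network "$entry") || { echo "bad entry: $entry" >&2; return 1; }
        nets="$nets $net"
    done
    printf 'ipset -exist create %s hash:net family inet\n' "$SET_NAME"
    printf 'ipset create %s hash:net family inet\n' "$tmp"
    for net in $nets; do printf 'ipset add %s %s\n' "$tmp" "$net"; done
    printf 'ipset swap %s %s\nipset destroy %s\n' "$tmp" "$SET_NAME" "$tmp"
}

# Constructed input: the two ranges from the post, then a batch with a bad entry.
build_reload 5.5.0.0/23 182.72.142.46/24
build_reload 5.5.0.0/23 300.1.1.1/24 || echo "no reload script generated" >&2
```

Pipe the generated lines into a root shell (or save them and review first); the iptables rule itself is untouched by a reload, which is the point of the post.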