Void's Forums

[cdhgold]

Can you use variables inside iptables?

example:

Code: Select all

WEB_HEAD="10.178.198.133 10.178.198.136 10.178.198.138"
-A INPUT -i eth1 -m state --state NEW -m tcp -s WEB_HEAD -p tcp --dport 2049 -j ACCEPT

I have multiple rules that I want to use to accept traffic only from certain IPs and I know I can use

Code: Select all

-A INPUT -i eth1 -m state --state NEW -m tcp -s 10.178.198.133/32,10.178.198.136/32,10.178.198.138/32 -p tcp --dport 2049 -j ACCEPT

and i twill expand to 3 separate rules but that to me is messy and ugly + if I ever need to update the ips I would have to do it on every rule . I want o be able to declare WEB_HEAD at start of iptables and re-use it throughout

[Basher52]

Yes you can and that's cos iptables is cool. It sure makes the rules easier to read.
I have a few and here's and example (taken from: http://www.tweako.com/iptables_explaine ... _own_rules)

Code: Select all

#/bin/sh
#variables first!

ipt="/sbin/iptables"
std_ports="22,80,443"
lan="10.0.0.0/24,192.168.0.0/24"
any="0.0.0.0/0" 

$ipt -F
$ipt -Z
$ipt -X 

$ipt -P INPUT -j DROP
$ipt -P FORWARD -j DROP
$ipt -P OUTPUT -J DROP 

$ipt -N states

$ipt -A states -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A states -m state --state NEW -s $lan ! -d 192.168.0.250/32 -j ACCEPT
$ipt -A states -j DROP


[cdhgold]

thanks!!! I'll share mine as further example once I get them implemented w this!!

[cdhgold]

this is wrapping iptables in a script i wanted to use the variables inside iptables itself

[Basher52]

Well that I, hehe, don't even know what is
I've learned to use this since I started with RedHat 9 and have used that since.
This makes it easy to transport it to other machines too

But do please tell me what "inside" means

[cdhgold]

I want to declare it and use the variable inside /etc/sysconfig/iptables file itself

[Basher52]

What OS are you using?
I just checked my Fedora 14 system and I have no file called that in /etc/sysconfig/
Haven't check F15 or F16 though

[cdhgold]

cent os 6

[Basher52]

well that should look a lot like Fedora/RedHat
is that iptables file a binary, script or what?

[cdhgold]

the file is a config file used by the service

Code: Select all

# ll /etc/sysconfig/ip*
-rw-------. 1 root root  678 Mar 11 07:35 /etc/sysconfig/ip6tables
-rw-------  1 root root 1753 Feb 24 23:26 /etc/sysconfig/ip6tables-config
-rw-------. 1 root root  613 Feb 28 02:01 /etc/sysconfig/ip6tables.old
-rw-------  1 root root  727 Mar 21 00:00 /etc/sysconfig/iptables
-rw-------  1 root root 1740 Feb 24 23:26 /etc/sysconfig/iptables-config
-rw-------. 1 root root  608 Feb 28 02:01 /etc/sysconfig/iptables.old]

[Basher52]

oh... I only got the config files for that, no files just named iptables/ip6tables
and these just has a few lines in them.

[cdhgold]

UPDATE: what I was originally thinking can't be done - however I can use a custom iptables chain to achieve the same result - now I just need to take time ti figure out the syntax

[cdhgold]

This is my end solution

Code: Select all

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A WEBHEADS -i eth1 -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT
-A WEBHEADS -i eth1 -m state --state NEW -m tcp -p tcp --dport 8081 -j ACCEPT
-A WEBHEADS -i eth1 -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A INPUT -s 10.178.198.133 -j WEBHEADS
-A INPUT -s 10.178.198.136 -j WEBHEADS
-A INPUT -s 10.178.198.138 -j WEBHEADS
-A INPUT -i eth0 -j DROP
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT