Pascal Hambourg wrote:
>Hello,
>
>Bill.M wrote:
>>
>> In IPTables one can specify multiple addresses, and multiple ports, but
>> is there any way to specify multiple interfaces?
>>
>> For example, -m multiport --destination-port 22,25,80
>>
>> Or -s 1.2.3.4,1.2.3.5,1.2.3.7 or -s 1.2.3.4:1.2.3.10
>
>In addition to David's answer:
>Unless there has been a recent change I am not aware of, you cannot specify
>an address range in -s or -d. You must use the "iprange" match instead (or
>ipset if your kernel supports it). Also, note that specifying multiple
>comma-separated addresses or prefixes in -s or -d will result in
>multiple rules being actually created, which can have undesirable
>side-effects and impact efficiency.

The speed impact of a small rule set is negligible. One ipset vs 20 rules, yes please - it's easier to look at. Also, idk any way to match interface with ipset - ip and port (even src and dst in one line) but not interface.
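
The rule-count difference discussed in this thread, shown as an added example that is not part of either message: the script only builds rule text in iptables-restore and `ipset restore` syntax and never calls iptables or ipset. The INPUT chain, the destination addresses, the set name `trusted_src` and the helper function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emits rule text only, so it runs without root or netfilter.

# Emulates what "iptables -A" does with comma-separated -s / -d lists:
# one rule is created per (source, destination) pair. Each resulting rule
# has its own packet counters and its own per-rule match state.
expand_rules() {
    srcs=$1; dsts=$2; rest=$3
    for s in $(printf '%s' "$srcs" | tr ',' ' '); do
        for d in $(printf '%s' "$dsts" | tr ',' ' '); do
            printf '%s\n' "-A INPUT -s $s -d $d $rest"
        done
    done
}

# A contiguous range needs the iprange match; -s does not accept a range.
iprange_rule() {
    printf '%s\n' "-A INPUT -m iprange --src-range $1-$2 $3"
}

# ipset alternative: the addresses live in a set (ipset restore format) ...
ipset_lines() {
    name=$1; srcs=$2
    printf '%s\n' "create $name hash:ip"
    for s in $(printf '%s' "$srcs" | tr ',' ' '); do
        printf '%s\n' "add $name $s"
    done
}

# ... and a single rule references the set, however many members it has.
ipset_rule() {
    printf '%s\n' "-A INPUT -m set --match-set $1 src $2"
}

# Constructed sample values: sources from the question, documentation-range
# destinations, and the port list from the question.
SRCS=1.2.3.4,1.2.3.5,1.2.3.7
DSTS=192.0.2.1,192.0.2.2
REST='-p tcp -m multiport --dports 22,25,80 -j ACCEPT'

echo "# comma-separated -s/-d: 3 x 2 = 6 rules"
expand_rules "$SRCS" "$DSTS" "$REST"
echo "# iprange: 1 rule"
iprange_rule 1.2.3.4 1.2.3.10 "$REST"
echo "# ipset: 1 rule plus the set definition"
ipset_lines trusted_src "$SRCS"
ipset_rule trusted_src "$REST"
```
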

