Re: combining multiple ip's into one variable on iptables script?
On Wed, 30 Jul 2003, Mark C wrote:

> I'm running a firewall using iptables on each server. These are just
> standalone firewalls; they then have to go through my main firewall
> afterwards to go to their final destinations (just do not ask why ;)).
>
> As each PC will have to use apt-get to get new packages and security
> updates, is there a way I can stipulate multiple IPs in one variable?

Why not save some bandwidth for yourself and the other web sites, and simplify your firewall problems, by using apt-proxy on one of the local machines? Then all you need to do is:

1) set up the main firewall to let the apt-proxy machine connect to the Debian security sites
2) set up the other firewalls to let connections go to the proxy machine.

Btw, a note: hardcoding the IP address does not seem to be the way to go if you want any maintainability. If the IP address of randomhost.debupdatesite.org changes, it will break security updates, which is usually a bad thing. :(

If you're extremely paranoid, set up a separate apt-proxy machine, only allow the proxy connections in, and only allow the apt method for updating out (only destination port 80 for http, only destination ports 21 and 20 for ftp, etc).

~ Jesse Meyer

-- 
icq: 34583382 / msn: [EMAIL PROTECTED] / yim: tsunad
"We are what we pretend to be, so we must be careful about what we pretend to be." - Kurt Vonnegut Jr : Mother Night
Re: combining multiple ip's into one variable on iptables script?
On Wed, Jul 30, 2003 at 01:20:47PM +0100, Mark C wrote:

> i.e. I use ftp.www.mirror.ac.uk
>
> Running nslookup on this gives me multiple IP addresses. I could create
> a variable for each IP, i.e.
>
> APT_MIRROR_AC_UK_1="194.83.57.3"
> APT_MIRROR_AC_UK_2="194.83.57.7"
>
> and so forth, then create rules that allow outbound connections to each
> of these sites. Is it possible to combine them all into one variable,
> like
>
> APT_MIRROR_AC_UK="194.83.57.3, 194.83.57.7"

iptables only allows a single netblock per rule (where a netblock can be as small as a single host when it's specified as /32). You have two choices.

You could specify ftp.www.mirror.ac.uk as 194.83.57/29, which actually opens up all hosts in the range 194.83.57.0 to 194.83.57.7.

Or you could change your iptables scripts so that they treat each host variable as a list, and loop over the list:

    # whitespace-separated list; the shell splits it in the for loop
    APT_MIRROR_AC_UK="194.83.57.3 194.83.57.7"
    for host in $APT_MIRROR_AC_UK; do
        iptables -A block ... -s "$host" -j ACCEPT
    done

This still would work correctly even if at a later date you changed APT_MIRROR_AC_UK to only be a single host.

-- 
Dave Carrigan
Seattle, WA, USA
[EMAIL PROTECTED] | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
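The two replies above suggest (a) looping over a list variable so each mirror address gets its own rule, and (b) locking an update host down to a few destination ports, while warning that a CIDR shortcut such as 194.83.57/29 admits more than the two addresses that were meant. The script below is an added example written for this page, not code from either poster. It generates one outbound ACCEPT rule per address in a space-separated list, refuses an empty list (a lookup that returned nothing would otherwise silently produce no rule), and computes exactly which addresses a given prefix covers. The chain name apt-out, the port, and the IPT wrapper are assumptions for illustration; the addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Rules are printed by
# default so they can be reviewed; run with IPT=iptables to load them.
IPT=${IPT:-"echo iptables"}

# Constructed list, same two addresses Mark quoted for ftp.www.mirror.ac.uk.
APT_MIRROR_AC_UK="194.83.57.3 194.83.57.7"

# allow_out_to CHAIN "HOST HOST ..." PORT
# One NEW-connection ACCEPT per host. A single-host list needs no special
# case; an empty list is an error rather than a silently missing rule.
allow_out_to() {
    chain=$1 hosts=$2 port=$3
    if [ -z "$hosts" ]; then
        echo "allow_out_to: empty host list for chain $chain" >&2
        return 1
    fi
    for host in $hosts; do
        $IPT -A "$chain" -p tcp -d "$host" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

# Dotted quad -> 32-bit integer (subshell keeps the IFS change local).
ip2int() (
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range A.B.C.D/N -> "FIRST LAST COUNT": what the prefix really opens.
cidr_range() {
    base=$(ip2int "${1%/*}")
    size=$(( 1 << (32 - ${1#*/}) ))
    first=$(( base - base % size ))    # align down to the block boundary
    echo "$(int2ip "$first") $(int2ip $(( first + size - 1 ))) $size"
}

# cidr_contains ADDR A.B.C.D/N -> exit 0 if ADDR lies inside the prefix.
cidr_contains() {
    addr=$(ip2int "$1")
    base=$(ip2int "${2%/*}")
    size=$(( 1 << (32 - ${2#*/}) ))
    [ $(( addr - addr % size )) -eq $(( base - base % size )) ]
}

# Demo: per-host rules, then the reach of the /29 shortcut.
echo "# one rule per mirror address:"
allow_out_to apt-out "$APT_MIRROR_AC_UK" 80
echo "# 194.83.57.0/29 covers (first last count):"
cidr_range 194.83.57.0/29
for h in 194.83.57.3 194.83.57.7 194.83.57.8; do
    if cidr_contains "$h" 194.83.57.0/29; then
        echo "$h inside"
    else
        echo "$h outside"
    fi
done
```

Keeping the list whitespace-separated (not comma-separated, as in the original question) is what lets the unquoted `$hosts` expand into loop items. The range check is the practical test before accepting a prefix instead of a host list: a /29 here admits eight addresses, six of which are not the mirror.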
combining multiple ip's into one variable on iptables script?
Hi,

I'm running a firewall using iptables on each server. These are just standalone firewalls; they then have to go through my main firewall afterwards to go to their final destinations (just do not ask why ;)).

As each PC will have to use apt-get to get new packages and security updates, is there a way I can stipulate multiple IPs in one variable?

i.e. I use ftp.www.mirror.ac.uk

Running nslookup on this gives me multiple IP addresses. I could create a variable for each IP, i.e.

    APT_MIRROR_AC_UK_1="194.83.57.3"
    APT_MIRROR_AC_UK_2="194.83.57.7"

and so forth, then create rules that allow outbound connections to each of these sites. Is it possible to combine them all into one variable, like

    APT_MIRROR_AC_UK="194.83.57.3, 194.83.57.7"

Thanks
Mark