Re: iptables question

From: Jonathan Loran <jloran_at_ssl.berkeley.edu>
Date: Wed, 25 Jul 2007 11:33:13 -0700

David,

iptables is completely linear within a chain, as in
match->action->break. In other words, in the stateless case, if an
incoming packet matches a rule, the action defined in that rule will be
taken. If your match happens to be on a network (i.e. CIDR < /32) then
the action will be taken. Does that make sense?

example:

-A RH-Lokkit-0-50-INPUT -p all --source 70.22.171.0/24 --destination 0/0
-j ACCEPT

The address 70.22.171.100 will match this on all protocols, and the
ACCEPT action will be taken. Any rule on the 70.22.171.0/24 network that
follows this one will never be reached, so it would be ignored. If
you wanted to have a different action for an address/protocol/port on
this network, you would need to put those rules before this one in the
sequence.

Hope that helps.

Jon

Paul Mackinney wrote:
> David,
>
> Given what you've said, you should be able to express a single address
> in CIDR notation as xxx.xxx.xxx.xxx/32 and treat it like any other
> address range.
>
> This caveat is new to me. Is it strict low-to-high order of IP address?
>
> HTH, PM
>
> David jl Rieger wrote:
>> Hello,
>>
>> When one implements iptables there's a caveat having to deal with
>> CIDR notation (i.e. 192.168.100.0/24) that when one appends a rule
>> that the notation has to be in sequence because there is a logical
>> progression of checking that occurs from each point of entry.
>>
>> My question:
>>
>> What happens when one appends individual IP addresses in the file? Is
>> there a sequential chain of logic that is followed or is each IP
>> address dealt with individually?
>>
>> Many thanks for helping assure our information security.
>>
>> Regards,
>>
>> David
>

-- 
-     _____/     _____/      /           - Jonathan Loran -           -
-    /          /           /                IT Manager               -
-  _____  /   _____  /     /     Space Sciences Laboratory, UC Berkeley
-        /          /     /      (510) 643-5146 jloran_at_ssl.berkeley.edu
- ______/    ______/    ______/           AST:7731^29u18e3
                                 
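The first-match behaviour Jon describes, worked through as an added example (not code from the original thread). It is a small Python model of a stateless iptables chain: rules are walked top to bottom, the first rule whose source CIDR, protocol and port match decides the verdict, and a rule for a host (/32) placed after an ACCEPT for its /24 is shadowed and never reached. The chain name INPUT, the DROP policy and the TCP port 22 rule are assumptions chosen for illustration; the 70.22.171.0/24 ACCEPT rule is the one from the message. The model ignores conntrack, non-terminating targets such as LOG, and RETURN/jumps to user chains.

```python
"""Model of first-match evaluation in an iptables chain (added example,
not code from the original thread). Python 3.7+ for ip_network.subnet_of."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One chain entry: source CIDR, terminating target, protocol and
    destination port ('all' / None mean "any", like an omitted match)."""
    source: str
    target: str
    proto: str = "all"
    dport: Optional[int] = None

    def matches(self, src: str, proto: str, dport: Optional[int]) -> bool:
        """True when a packet from src/proto/dport hits this rule."""
        if ip_address(src) not in ip_network(self.source, strict=False):
            return False
        if self.proto != "all" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True when every packet that could hit `other` hits this rule,
        i.e. `other` can never be reached if placed after this one."""
        net_ok = ip_network(other.source, strict=False).subnet_of(
            ip_network(self.source, strict=False))
        proto_ok = self.proto == "all" or self.proto == other.proto
        port_ok = self.dport is None or self.dport == other.dport
        return net_ok and proto_ok and port_ok


def evaluate(chain: List[Rule], src: str, proto: str,
             dport: Optional[int] = None,
             policy: str = "DROP") -> Tuple[str, Optional[int]]:
    """Walk the chain top to bottom; the first matching rule's target wins
    (match->action->break). Falls through to the chain policy otherwise.
    Returns (verdict, index of the rule that fired, or None for policy)."""
    for i, rule in enumerate(chain):
        if rule.matches(src, proto, dport):
            return rule.target, i
    return policy, None


def unreachable_rules(chain: List[Rule]) -> List[int]:
    """Indices of rules fully shadowed by an earlier, broader rule.
    Use this as the lint check before loading a ruleset."""
    return [j for j, later in enumerate(chain)
            if any(chain[i].covers(later) for i in range(j))]


def render(chain: List[Rule], name: str = "INPUT") -> List[str]:
    """Emit iptables -A lines in the same style as the rule quoted in the
    message. --dport only makes sense with -p tcp/udp; the model keeps
    dport=None whenever proto is 'all'."""
    lines = []
    for r in chain:
        parts = [f"-A {name}", f"-p {r.proto}", f"--source {r.source}"]
        if r.dport is not None:
            parts.append(f"--dport {r.dport}")
        parts.append(f"-j {r.target}")
        lines.append(" ".join(parts))
    return lines


# Constructed chains. The /24 ACCEPT is the rule from the message; the
# host-specific SSH DROP is an assumed rule to show the ordering problem.
CHAIN_AS_POSTED = [
    Rule("70.22.171.0/24", "ACCEPT"),
    Rule("70.22.171.100/32", "DROP", proto="tcp", dport=22),  # shadowed
]
CHAIN_FIXED = [
    Rule("70.22.171.100/32", "DROP", proto="tcp", dport=22),  # now first
    Rule("70.22.171.0/24", "ACCEPT"),
]

if __name__ == "__main__":
    for label, chain in (("as posted", CHAIN_AS_POSTED), ("fixed", CHAIN_FIXED)):
        print(f"--- {label}")
        for line in render(chain):
            print(line)
        print("SSH from 70.22.171.100 ->", evaluate(chain, "70.22.171.100", "tcp", 22))
        print("unreachable rule indices:", unreachable_rules(chain))
```

Running the block shows the host rule firing only in the reordered chain; `unreachable_rules` flags index 1 in the chain as posted and nothing in the fixed one. On a live box the equivalent check is to read the counters from `iptables -L INPUT -v -n --line-numbers` and look for a rule whose packet count never moves.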
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
To learn more about Micronet, including how to subscribe to
or unsubscribe from its mailing list and how to find out
about upcoming meetings, please visit the Micronet Web site:
http://micronet.berkeley.edu/
Messages you send to this mailing list are public and world-viewable,
and the list's archives can be browsed and searched on the Internet.
This means these messages can be viewed by (among others) your bosses,
prospective employers, and people who have known you in the past.
Received on Wed Jul 25 2007 - 11:47:31 PDT

This archive was generated by hypermail 2.2.0 : Wed Jul 25 2007 - 11:47:31 PDT