How do I invert a protocol or ip address test while writing iptables based shell scripts?
The iptables command comes with ! operator. The most of these rules can be preceded by a ! to invert the sense of the match. A match can be:
- Source or dest ip address
- Interface name
- Protocol name etc
Examples
The following will match all protocol except UDP:
iptables -A INPUT -p ! UDP
The following match allows IP address range matching and it can be inverted using the ! sign:
iptables -A INPUT -d 192.168.0.0/24 -j DROP iptables -A OUTPUT -d ! 202.54.1.2 -J ACCEPT # we trust 202.54.1.5 so skip it iptables -A OUTPUT -s ! 202.54.1.5 -J DROP
The exclamation mark inverts the match so this will result is a match if the IP is anything except one in the given range 192.168.1.0/24:
iptables -A INPUT -s ! 192.168.1.0/24 -p tcp --dport 80 -J DROP
You can skip your own ip from string test:
iptables -A FORWARD -i eth0 -p tcp ! -s 192.168.1.2 --sport 80 -m string --string '|7F|ELF' -j DROP
Accept port 22 traffic on all interfaces except for eth1 which is connected to the Internet:
iptables -A INPUT -i !eth1 -p tcp --dport 22 -j ACCEPTRecommended readings:
man iptables
You should follow me on twitter here or grab rss feed to keep track of new changes.
Featured Articles:
- 30 Handy Bash Shell Aliases For Linux / Unix / Mac OS X
- Top 30 Nmap Command Examples For Sys/Network Admins
- 25 PHP Security Best Practices For Sys Admins
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- Linux: 20 Iptables Examples For New SysAdmins
- Top 20 OpenSSH Server Best Security Practices
- Top 20 Nginx WebServer Best Security Practices
- 20 Examples: Make Sure Unix / Linux Configuration Files Are Free From Syntax Errors
- 15 Greatest Open Source Terminal Applications Of 2012
- My 10 UNIX Command Line Mistakes
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- The Novice Guide To Buying A Linux Laptop
{ 4 comments… read them below or add one }
Recently, iptables changed syntax in favor of prefixing, so:
iptables -A INPUT ! -s 192.168.1.0/24; << correct
iptables -A INPUT -s ! 192.168.1.0/24; << also correct, but iptables warns you this is a deprecated way to do. so it's question for how long is it going to work.
This prefixing applies for everything, not just source IP address.
Zdenek,
You may be right about syntax but most of our systems are running on RHEL 4/5 or CentOS 4/5 and it is not updated by Red Hat. I guess RHEL 6 will come with latest version.
Ok, sorry for the post then.
Wouldn’t you know it? It’s now three years and some days later and now only the prefix ! version of syntax works (squid3). :-P