First-time post to ServerFault, so I'll try and get it right :)
I have multiple environments (e.g. prod, dev, test, etc) and I'm trying to write the IPTables file for my RHEL 6.6 servers which allows specific groups of machines to talk between those environments on defined ports.
Initially, having the rules for each different destination or source subnet defined on its own line worked - however the resultant iptables file is quite large. In an attempt to simplify/cleanup the ruleset I attempted to combine rules for multiple source or destination IPs utilising the same ports.
I've found a relevant ServerFault article on the subject (IPTables Multiple Source IPs), but the most highly rated example doesn't seem to be working for me.
For example, attempting to combine the following two rules:
-A INPUT -i $INTERFACE -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $CV1 -p tcp --dport 8400:8403 -j ACCEPT -m comment --comment "Source 1"
-A INPUT -i $INTERFACE -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $CV2 -p tcp --dport 8400:8403 -j ACCEPT -m comment --comment "Source 2"
Into this:
-A INPUT -i $INTERFACE -m conntrack --ctstate NEW,ESTABLISHED,RELATED -s $CV1,$CV2 -p tcp --dport 8400:8403 -j ACCEPT -m comment --comment "Not Working!"
I also have rules which mix both multiple source and multiple destination IPs (similarly without success):
-A INPUT -i $INTERFACE -s $FOO1,$FOO2 -d $FOO1,$FOO2 -p tcp --dport 8400:8403 -j ACCEPT
-A OUTPUT -o $INTERFACE -s $FOO1,$FOO2 -d $FOO1,$FOO2 -p tcp --dport 8400:8403 -j ACCEPT
Note: The /etc/sysconfig/iptables file is written by my custom config script (hence the $ variables), with the IPs being defined like this:
CV1=10.1.1.0/27
CV2=10.25.128.128/29
FOO1=10.1.30.140/30
FOO2=10.2.30.140/30
The traffic failures are picked up by the reject/log rules at the bottom of the IPTables file:
-A INPUT -i $INTERFACE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Packet Rejected. "
-A FORWARD -i $INTERFACE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Packet Forward Rejected. "
-A OUTPUT -o $INTERFACE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Packet Dropped. "
-A INPUT -i $INTERFACE -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i $INTERFACE -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o $INTERFACE -j REJECT --reject-with icmp-host-prohibited
Referring to the IPTables man page entry, it looks like it should work:
[!] -s, --source address[/mask][,...]
Source specification. Address can be either a network name, a hostname, a network IP address (with /mask), or a plain IP address. Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.
Multiple addresses can be specified, but this will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D).
[!] -d, --destination address[/mask][,...]
Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.
Is anyone able to enlighten me as to what I'm doing wrong here?
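Added example, not code from the original post or from the poster's config script. The man page text quoted above says that a comma-separated -s/-d list is simply expanded into one rule per address when the rule is added; that expansion is only done by iptables releases that carry this feature (it arrived in the 1.4.11 line, and to my knowledge the 1.4.7 that RHEL 6 ships only accepts a single address per -s/-d). The script below does the same expansion in the config script itself, so the generated /etc/sysconfig/iptables contains one rule per source/destination pair and loads on either kind of iptables. IFACE=eth0, the comment strings, the DROP policies, the loopback rules and the OUTPUT ESTABLISHED,RELATED rule are my assumptions; the address variables are the ones from the post.

```shell
#!/bin/sh
# Added example (not the poster's config script): expand comma-separated
# -s/-d lists into one iptables-restore rule per (source, destination) pair.
# IFACE, comments, policies and the extra OUTPUT conntrack rule are assumed.

IFACE=eth0                 # assumption: the post's $INTERFACE
CV1=10.1.1.0/27
CV2=10.25.128.128/29
FOO1=10.1.30.140/30
FOO2=10.2.30.140/30

# expand_rule CHAIN SRCLIST DSTLIST DPORTS COMMENT
#   CHAIN    INPUT or OUTPUT (selects -i or -o $IFACE)
#   SRCLIST  comma-separated sources, or "-" for any
#   DSTLIST  comma-separated destinations, or "-" for any
#   DPORTS   argument for tcp --dport, e.g. 8400:8403
# Prints one "-A ..." line per source/destination combination, i.e. the
# cartesian product: 2 sources x 2 destinations gives 4 rules.
expand_rule() {
    chain=$1 srclist=$2 dstlist=$3 dports=$4 comment=$5
    case $chain in
        INPUT)  dir="-i $IFACE" ;;
        OUTPUT) dir="-o $IFACE" ;;
        *) echo "expand_rule: only INPUT/OUTPUT handled, got '$chain'" >&2; return 1 ;;
    esac
    old_ifs=$IFS
    IFS=,; set -- $srclist; IFS=$old_ifs      # sources become $1..$n
    for src in "$@"; do
        IFS=,
        for dst in $dstlist; do
            IFS=$old_ifs
            sflag=; dflag=
            [ "$src" != - ] && sflag="-s $src "
            [ "$dst" != - ] && dflag="-d $dst "
            printf '%s\n' "-A $chain $dir -m conntrack --ctstate NEW,ESTABLISHED,RELATED ${sflag}${dflag}-p tcp --dport $dports -j ACCEPT -m comment --comment \"$comment\""
            IFS=,
        done
        IFS=$old_ifs
    done
}

# ruleset: print a complete filter table in iptables-restore format:
# assumed header, the expanded rules, then the post's log-then-reject tail.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # The post's "-s \$CV1,\$CV2" rule, written out as two rules.
    expand_rule INPUT  "$CV1,$CV2"   -             8400:8403 "CV sources"
    # The post's mixed multi-source / multi-destination rules (4 rules each).
    expand_rule INPUT  "$FOO1,$FOO2" "$FOO1,$FOO2" 8400:8403 "FOO mesh in"
    expand_rule OUTPUT "$FOO1,$FOO2" "$FOO1,$FOO2" 8400:8403 "FOO mesh out"
    cat <<EOF
-A INPUT -i $IFACE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Packet Rejected. "
-A INPUT -i $IFACE -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o $IFACE -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "Packet Dropped. "
-A OUTPUT -o $IFACE -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

ruleset
```

Redirect the output of ruleset into /etc/sysconfig/iptables in place of the hand-written combined rules; iptables-restore --test on the file checks that every expanded line parses before a service iptables restart. The OUTPUT ESTABLISHED,RELATED rule is there because the post's tail rejects all other OUTPUT traffic, which would otherwise drop the replies to connections the INPUT rules accept.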