I am attempting to write a 22MB iptables rule-set file, the very kind that is generated with the iptables-save command, except endlessly long. Understandably, this takes a prohibitive amount of time. Take this miniature example.
*filter
:INPUT ACCEPT [64:4692]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [72:28512]
-A INPUT -p tcp -m tcp --sport 9000:9004 -m iprange --src-range 127.0.0.1-127.0.0.1 -j DROP
COMMIT
Following (INPUT|OUTPUT|FORWARD) ACCEPT, there appear value ranges.

:<chain-name> <chain-policy> [<packet-counter>:<byte-counter>]
These seem dependent on something already stored within iptables on the use of iptables-save, but, since loading the rules into iptables is the problem in the first place, I am unsure how to acquire these values, that I may enter them by hand (by vim, rather), into the final rule-set file.

How might one go about calculating these values? Is it possible without running another iptables command?
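An added example, not from the question or its comments: a small Python parser for the iptables-save format above that validates the chain-header lines and reads the bracketed [packets:bytes] counters, plus a writer that emits a hand-written filter table with the counters zeroed. The sample dump is constructed from the miniature example; the note that iptables-restore only loads those counters when run with --counters comes from the iptables-restore manual, not from this page.

```python
import re

# Constructed sample in iptables-save format (not the asker's real 22MB file).
SAMPLE = """*filter
:INPUT ACCEPT [64:4692]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [72:28512]
-A INPUT -p tcp -m tcp --sport 9000:9004 -m iprange --src-range 127.0.0.1-127.0.0.1 -j DROP
COMMIT
"""

# :<chain-name> <chain-policy> [<packet-counter>:<byte-counter>]
# Built-in chains carry a policy (ACCEPT/DROP); user-defined chains use "-".
CHAIN_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|-) \[(\d+):(\d+)\]$")


def parse_ruleset(text):
    """Return {table: {chain: (policy, packets, bytes)}}; reject malformed lines."""
    tables, table = {}, None
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue  # blank lines and iptables-save's "# Generated by" comments
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):
            m = CHAIN_RE.match(line)
            if m is None or table is None:
                raise ValueError(f"line {n}: bad chain header {line!r}")
            name, policy, pkts, byts = m.groups()
            tables[table][name] = (policy, int(pkts), int(byts))
        elif line.startswith("-A "):
            chain = line.split()[1]
            if table is None or chain not in tables[table]:
                raise ValueError(f"line {n}: rule appends to undeclared chain {chain!r}")
        elif line == "COMMIT":
            table = None
        else:
            raise ValueError(f"line {n}: unrecognised line {line!r}")
    return tables


def write_drop_ruleset(ranges):
    """Emit a filter table that drops traffic from each (low, high) source range.
    Counters are written as [0:0]: iptables-restore ignores them unless --counters
    is given, so a hand-written file does not need the kernel's current values."""
    lines = ["*filter", ":INPUT ACCEPT [0:0]", ":FORWARD ACCEPT [0:0]", ":OUTPUT ACCEPT [0:0]"]
    for lo, hi in ranges:
        lines.append(f"-A INPUT -m iprange --src-range {lo}-{hi} -j DROP")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"
```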
If you are trying to block large amounts of IP ranges, look into nfblock which will make your life a lot easier. – LawrenceC – 2014-02-11T02:03:37.720