On Wed, Jul 30, 2003 at 01:20:47PM +0100, Mark C wrote:
> i.e. I use ftp.www.mirror.ac.uk
>
> running nslookup on this gives me multiple ip addresses, I could create
> a variable for each IP, i.e.
>
> APT_MIRROR_AC_UK_1="194.83.57.3"
> APT_MIRROR_AC_UK_2="194.83.57.7"
>
> and so forth, then create rules that allow outbound connections to each
> of these sites, is it possible to combine them all into one variable,
> like
>
> APT_MIRROR_AC_UK="194.83.57.3, 194.83.57.7"
iptables only allows a single netblock per rule (where a netblock can be
as small as a single host when it's specified as /32). You have two
choices. You could specify ftp.www.mirror.ac.uk as 194.83.57/29, which
actually opens up all hosts in the range of 194.873.57.0 to 194.83.57.7.
Or you could change your iptables scripts so that they treat each host
variable as a list, and loop over the list:

    APT_MIRROR_AC_UK="194.83.57.3 194.83.57.7"
    for host in $APT_MIRROR_AC_UK; do
        iptables -A block ... -s $host -j ACCEPT
    done

This still would work correctly even if at a later date you changed
APT_MIRROR_AC_UK to only be a single host.

-- 
Dave Carrigan
Seattle, WA, USA
[EMAIL PROTECTED] | http://www.rudedog.org/ | ICQ:161669680
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-C++-DNS-PalmOS-PostgreSQL-MySQL
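An added example, not from Dave's post or anyone else in the thread: a POSIX sh helper that loops over a whitespace-separated host list the way the reply describes, but validates every entry first so a mistyped octet is rejected up front instead of quietly producing a rule for a wrong (or no) address. The chain name, the -d destination match (outbound traffic to the mirror) and the IPTABLES variable are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the list thread. IPTABLES defaults to the real
# binary; set IPTABLES=echo to dry-run and see the rules that would be added.
IPTABLES="${IPTABLES:-iptables}"

# valid_ipv4 ADDR[/PREFIX]: succeed only for a well-formed dotted quad with
# an optional /0-32 prefix, so a typo like 194.873.57.0 cannot reach iptables.
valid_ipv4() {
    addr="${1%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32          # no slash: single host (/32)
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $addr                               # split address on dots
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# allow_hosts CHAIN "IP IP/CIDR ...": one ACCEPT rule per list entry.
# The whole list is checked before any rule is added, so a bad entry leaves
# the chain untouched rather than half-populated. A single-host list works too.
allow_hosts() {
    chain="$1"; list="$2"
    for host in $list; do
        valid_ipv4 "$host" || { echo "allow_hosts: bad address '$host'" >&2; return 1; }
    done
    for host in $list; do
        # -d: the connection is outbound, so the mirror is the destination (assumption)
        "$IPTABLES" -A "$chain" -d "$host" -j ACCEPT || return 1
    done
}

# Usage with the thread's list (an unprivileged dry-run, assumed chain name):
# IPTABLES=echo; allow_hosts block "194.83.57.3 194.83.57.7"
```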