[Cialug] IPTables

kristau kristau at gmail.com
Thu Sep 7 23:35:31 CDT 2006


Tony is right.  This behaviour of iptables is by design, to protect
you from yourself.  That said, you could do an end-run around it by
writing a script which queries the output from 'iptables -L', indexes
which lines have the wildcard in them, then loops through (from highest
to lowest, of course) with a command like 'iptables -D INPUT
$line_number'.

A much safer approach would be to keep track of each add in a lookup
table so you can delete it later.  I'm not too familiar with openvpn
and learn-address, though, so this might not be easy to do.

On 9/6/06, tony geerts <thegreatland at yahoo.com> wrote:
> Your -D (delete) does not match a particular rule. You
> must be specific. Iptables will not do wildcard
> matching. That would be "dangerous."
>
>
> -A, --append chain rule-specification
> Append one or more rules to the end of the selected
> chain.  When the source and/or destination names
> resolve to more than one address, a rule will be added
> for each possible address combination.
>
> -D, --delete chain rule-specification
> -D, --delete chain rulenum
> Delete one or more rules from the selected chain.
> There are two versions of this command: the rule can
> be specified as a number in the chain (starting at 1
> for the first rule) or a rule to match.
>
> --
> tony geerts
>
> --- jcbailey at code0.net wrote:
>
> > Working on a firewall script for iptables and
> > openvpn. I'm using a script
> > with learn-address to add/delete rules as needed.
> > The only issue is that I
> > can't seem to delete a rule via wildcard (as in all
> > input rules from the
> > source of 10.8.0.6). Any way to do this with
> > iptables, or is that a lost
> > cause? Here's what the script is running for the
> > add/delete (what I'd
> > like..)
> >
> > Add:
> > iptables -A INPUT -s 10.8.0.6 -d 192.168.192.9 -p udp --dport 53 -j ACCEPT
> > iptables -A INPUT -s 10.8.0.6 -d 192.168.192.9 -p tcp --dport 53 -j ACCEPT
> > iptables -A INPUT -s 10.8.0.6 -d 10.121.9.121 -p tcp --dport 5900 -j ACCEPT
> > iptables -A INPUT -s 10.8.0.6 -j REJECT
> >
> > Delete:
> > iptables -D INPUT -s 10.8.0.6
> >
> >
> > Jon
> >
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > http://cialug.org/mailman/listinfo/cialug
> >
>
>
>


-- 
Tired programmer
Coding late into the night
The core dump follows

My GNUPG public key is available at http://www.kristau.net/public_key.asc
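A script along the lines kristau describes above, added here as an example (it is not code from the thread): it reads the chain listing, picks the rule numbers whose source column matches the address, and deletes them highest number first so earlier deletions do not shift the numbers still to come. It assumes the column layout of `iptables -L CHAIN -n --line-numbers` and must run as root to actually delete anything; the sample listing is constructed from the rules Jon posted.

```shell
#!/bin/sh
# Print the rule numbers whose source column equals $1, highest first.
# Reads an `iptables -L <chain> -n --line-numbers` listing on stdin.
rule_numbers_for_source() {
    src=$1
    # Skip the "Chain ..." and header lines; column 5 is the source.
    awk -v src="$src" 'NR > 2 && $5 == src { print $1 }' | sort -rn
}

# Emit the delete commands for chain $1 / source $2 from a listing on
# stdin, kept separate from execution so the logic can be checked unprivileged.
delete_commands_for_source() {
    chain=$1
    src=$2
    rule_numbers_for_source "$src" | while read -r num; do
        echo "iptables -D $chain $num"
    done
}

# Live version: list the chain and run the deletes (needs root).
# Caveat: if another learn-address invocation changes the chain between the
# listing and the deletes, the numbers are stale; that is why kristau's
# lookup-table approach is the safer one.
delete_rules_from_source() {
    chain=$1
    src=$2
    iptables -L "$chain" -n --line-numbers \
        | delete_commands_for_source "$chain" "$src" \
        | sh -e
}

# Constructed listing (not captured from a real host) in the -L layout,
# with one unrelated rule mixed in to show it is left alone.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  10.8.0.6             192.168.192.9        udp dpt:53
2    ACCEPT     tcp  --  10.8.0.6             192.168.192.9        tcp dpt:53
3    ACCEPT     all  --  10.8.0.99            0.0.0.0/0
4    ACCEPT     tcp  --  10.8.0.6             10.121.9.121         tcp dpt:5900
5    REJECT     all  --  10.8.0.6             0.0.0.0/0            reject-with icmp-port-unreachable'

# Usage: ./script.sh --apply INPUT 10.8.0.6   (as root)
if [ "${1:-}" = "--apply" ]; then
    delete_rules_from_source "${2:-INPUT}" "${3:-10.8.0.6}"
fi
```

Without `--apply` the script only defines the functions, so `printf '%s\n' "$SAMPLE_LISTING" | delete_commands_for_source INPUT 10.8.0.6` shows the delete commands it would run, in order.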

