
I have rules like this in my iptables:

-A INPUT -s 166.100.102.50/32 -j LOG --log-level 7

and I wrote a script that grabs the output of these rules and outputs the bytes from the IP to my server.

I was hoping to get suggestions on how I could create a rule that tracks IP traffic from disparate subnets. The IP addresses aren't fixed, and even the subnets aren't fixed. For example:

120.2.33.45 could be the IP address of the device one day and 204.65.3.88 could be the IP address of the same device the next day.

I think that if there was a way to write the rule so that it gave me the IP address of everything except a range of IP addresses that are fixed, like 166.100.102.50, then I would be OK.

Something like:

-A INPUT -s NOT EQUAL 166.100.102.50/32 -j LOG --log-level 7

Thanks in advance

rahrahruby

2 Answers


Did you want (watch the !):

iptables -A INPUT ! -s 166.100.102.50/32 -j LOG --log-level 7

This will match everything with source address NOT 166.100.102.50.

From man iptables:

   [!] -s, --source address[/mask][,...]
          Source specification. Address can be either a  network  name,  a
          hostname,  a  network  IP  address  (with  /mask), or a plain IP
          address. Hostnames will be resolved once only, before  the  rule
          is  submitted  to  the  kernel.  Please note that specifying any
          name to be resolved with a remote query such as DNS is a  really
          bad idea.  The mask can be either a network mask or a plain num‐
          ber, specifying the number of 1's at the left side of  the  net‐
          work  mask.   Thus, a mask of 24 is equivalent to 255.255.255.0.

Here starts the relevant part:

          A "!" argument before  the  address  specification  inverts  the
          sense  of  the  address.  The  flag  --src  is an alias for this
          option.  Multiple addresses can  be  specified,  but  this  will
          expand  to  multiple  rules (when adding with -A), or will cause
          multiple rules to be deleted (with -D).
mulaz

You may find that building a chain here will make things a lot easier to work with.

A chain is basically like a sub-table. You send stuff to it, and then you can either return or process things within that chain.

# create the chain (in the default filter table; -t takes a table name, not a chain)
iptables -N LOGME
# return stuff that we don't want to handle
iptables -A LOGME -s 166.100.102.50/32 -j RETURN
iptables -A LOGME -s 192.168.27.0/24 -j RETURN
# log everything that hasn't been returned
iptables -A LOGME -j LOG --log-level 7
# send incoming traffic through the chain; without this jump nothing reaches it
iptables -A INPUT -j LOGME

Another option might be to create and use an ipset, which basically lets you build a set of addresses, which you can then reference in a rule using the --match-set option.

Zoredache
  • 130,897
  • 41
  • 276
  • 420
  • can I do something like, ipset -N test host 166.100.102.50/32 host 206.1.121.32/32 and then negate the ipset in the rule? – rahrahruby Jan 09 '13 at 18:28
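As an added example (not from the question or either answer), here is the userspace side of what the asker describes: a Python script that reads iptables LOG lines from the kernel log, sums LEN per SRC, and skips the fixed ranges the same way the `! -s` rule or the RETURN chain does in the kernel. The excluded networks and the log lines are constructed for the example; real LOG output follows the same KEY=VALUE layout.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Fixed ranges we do NOT want to account for (the "! -s" / RETURN cases). Constructed values.
EXCLUDED = [ip_network("166.100.102.50/32"), ip_network("192.168.27.0/24")]

# iptables LOG writes KEY=VALUE fields; SRC is the source address, LEN the IP packet length.
FIELD_RE = re.compile(r"\b(SRC|LEN)=(\S+)")

def parse_log_line(line):
    """Return (src_ip, packet_len) from an iptables LOG line, or None for other log lines."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "LEN" not in fields:
        return None
    return ip_address(fields["SRC"]), int(fields["LEN"])

def is_excluded(addr):
    """True if the address falls inside one of the fixed ranges we ignore."""
    return any(addr in net for net in EXCLUDED)

def bytes_per_source(lines):
    """Sum LEN per SRC for every packet whose source is outside EXCLUDED."""
    totals = defaultdict(int)
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, length = parsed
        if is_excluded(src):
            continue
        totals[str(src)] += length
    return dict(totals)

# Constructed sample kernel-log lines in the format iptables LOG emits (one unrelated sshd line included)
SAMPLE_LOG = """\
Jan  9 18:28:01 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=120.2.33.45 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  9 18:28:02 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=166.100.102.50 DST=10.0.0.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=1 DPT=80
Jan  9 18:28:03 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=120.2.33.45 DST=10.0.0.5 LEN=140 TOS=0x00 PREC=0x00 TTL=52 ID=1235 PROTO=TCP SPT=44321 DPT=22
Jan  9 18:28:04 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.27.9 DST=10.0.0.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan  9 18:28:05 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=204.65.3.88 DST=10.0.0.5 LEN=52 PROTO=UDP SPT=53 DPT=33333
Jan  9 18:28:06 gw sshd[123]: Accepted publickey for admin from 120.2.33.45 port 44321
"""

if __name__ == "__main__":
    for src, total in sorted(bytes_per_source(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:15} {total} bytes")
```

Feed it the real log with something like `journalctl -k | python3 script.py` after swapping SAMPLE_LOG for stdin; the filtering here is redundant once the kernel rule already negates the fixed ranges, but it keeps the byte counts correct while both rule styles are still in place.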