Score:0

iptables rule for an IP address with "any" subnet mask

cn flag

I have a requirement to add an iptables rule for, let's say, src IP 10.10.10.20/any, dest IP any.

iptables -t filter -A FORWARD_0_IN -p all --ipv4 --source 10.10.10.1/any --destination 10.10.10.2/any  -j DROP

Above command fails with error: iptables v1.8.6 (legacy): invalid mask `any' specified

This /any implies all possible subnet masks, /0 to /32. I want to avoid adding 33 individual rules, one for each subnet mask. What is a better way to achieve this?

Until then, let me get it clarified by the requirements team what the expectation with /any is.

jp flag
Why would you want to add all masks? The mask `/0` means any address, so it covers all other masks.
RootPhoenix
cn flag
Yes, I thought so too: /0 would mean any IP. Let me get the requirement clarified by my team.
Nikita Kipriyanov
za flag
Simply **omitting** `--source b.l.a.h` would mean "any IP", i.e. the same thing as a /0 mask.
Score:2
in flag

I want to avoid adding individual 33 rules for each subnet mask.

It is very unlikely that you would ever need to do that. And I think you don't quite understand what a subnet mask means or does.

A very long Q&A is this one: How does IPv4 Subnetting Work?

But very simplified:

When you add an IPv4 address without any subnet mask, or with a /32 subnet mask, that means "this particular IP address".

When you use an IPv4 address with any subnet mask other than /32, that means: "the CIDR subnet range that includes this IP address".

In other words 10.10.10.1/24 means: "the /24 subnet range that includes 10.10.10.1",
i.e. the subnet ranging from 10.10.10.0 to 10.10.10.255, which is more commonly specified as 10.10.10.0/24.

Likewise 10.10.10.1/8 means: "the /8 range that includes 10.10.10.1",
i.e. the subnet ranging from 10.0.0.0 to 10.255.255.255, which is normally specified as 10.0.0.0/8, but 10.10.10.1/8 is equivalent.

Note that such a range includes 10.10.10.1/9, 10.10.10.1/10, 10.10.10.1/11 ... and all subnets up to 10.10.10.1/32.

And 10.10.10.1/0 means: "the /0 range that includes 10.10.10.1", that is the range from 0.0.0.0 to 255.255.255.255, or in other words any IPv4 address.
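The CIDR arithmetic this answer walks through, as an added example that is not part of the original answer or of any poster's code. It uses Python's standard `ipaddress` module to show that `host/N` normalizes to the enclosing network, that `host/8` already contains `host/9` through `host/32`, and that `host/0` is every IPv4 address, so the 33 rules from the question collapse into one. The `iptables_source_arg` helper and its treatment of `/any` as a single-host (`/32`) match are my assumptions based on the later comment in the thread, not anything iptables defines; the only iptables fact relied on is that a rule without `--source` matches any source address.

```python
import ipaddress


def cidr_range(addr_with_prefix: str):
    """Return (first, last) address covered by an address/prefix such as
    '10.10.10.1/24'. strict=False masks off the host bits instead of
    rejecting the input, which is exactly what a firewall does."""
    net = ipaddress.ip_network(addr_with_prefix, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def normalized(addr_with_prefix: str) -> str:
    """Canonical network notation, e.g. '10.10.10.1/8' -> '10.0.0.0/8'."""
    return str(ipaddress.ip_network(addr_with_prefix, strict=False))


def covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    outer_net = ipaddress.ip_network(outer, strict=False)
    inner_net = ipaddress.ip_network(inner, strict=False)
    return inner_net.subnet_of(outer_net)


def single_rule_suffices(host: str) -> bool:
    """Check that a rule for host/0 already matches host/1 ... host/32,
    so the 33 separate rules from the question are redundant."""
    return all(covers(f"{host}/0", f"{host}/{plen}") for plen in range(0, 33))


def iptables_source_arg(spec: str) -> str:
    """Translate a 'ip/mask' spec into the --source argument for iptables.

    Assumption (not from the thread): '/any' and a missing mask both mean
    'match this one host', i.e. /32, which is what the poster's team later
    clarified. A /0 mask matches every source, and iptables already does
    that when --source is omitted, so the helper returns an empty string.
    """
    ip, _, mask = spec.partition("/")
    if mask in ("", "any"):
        return f"--source {ip}/32"
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if net.prefixlen == 0:
        return ""  # omit --source entirely: any address matches
    return f"--source {net}"


if __name__ == "__main__":
    for spec in ("10.10.10.1/24", "10.10.10.1/8", "10.10.10.1/0"):
        print(spec, "->", normalized(spec), cidr_range(spec))
    print("host/0 covers every other mask:", single_rule_suffices("10.10.10.1"))
    print(iptables_source_arg("10.10.10.20/any") or "(no --source: matches any)")
```

Because `strict=False` silently clears host bits, feeding a rule like `10.10.10.1/24` through `normalized()` before writing it into a ruleset makes the matched range (`10.10.10.0/24`) visible to whoever reviews the rules later.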

RootPhoenix
cn flag
Yes, I know about subnet masks, and I too am confused by the /any requirement. Let me get it clarified by my requirements team. I thought /any was some standard term used in the industry with some special meaning.
RootPhoenix
cn flag
I got it clarified, they meant /any = /32.
Nikita Kipriyanov
za flag
This is a very strange "clarification", because /32 in the context of a firewall means "match a single host". I can't imagine any circumstances in which "all" could end up there with this meaning, other than blatant incompetence.
Score:0
za flag

An IP address doesn't have a "subnet mask" property. (It did, in the distant past of classful addressing, but those times are long gone — more than 30 years ago, with the inception of CIDR. You should forget about that and pretend it never was the case. Also, the rest of the answer is still valid even in the case of classful addressing.)

So an IP address is just a 32-bit number, and by looking at an IP address alone you can't tell what mask it was configured with on the system where it is assigned. The mask has meaning only to that system: it tells that system which addresses are reachable "directly" and which ones it needs to reach through the gateway. The netmask is a routing feature; the only effect it has is to define a certain "connected"-type route.

It is a meaningless requirement to "allow a certain IP with any mask".


Probably this notation in your requirement was meant to be not a mask but a port number? Then an L4 protocol (TCP, UDP, etc.), which has the concept of port numbers, needs to be specified. Or it could have been the protocol itself, meaning "any" IP protocol number from that host should be permitted.
