Is it possible to bitwise match in iptables?

Mike asked:

I’m looking at a multi-site deployment where each of the remote locations has an IPSec VPN back into the data centre. I’m trying to find an easy way for support staff to provide access to the remote locations, yet do so securely.

Broadly speaking: staff from group A should only have access to group A’s equipment, and staff from group B should only have access to group B’s equipment. It’s possible for both groups to have their equipment in a single location (think group A manages servers, group B manages IP CCTV systems). Each group has their own dedicated subnet that they will be connecting from, e.g. Group A might have 10.0.0.0/24 and Group B 10.0.1.0/24.

Creating explicit rules for hundreds of machines feels overly tedious. There’s got to be a better way than listing each individual machine a user can connect into. My thought was this: Within each location, dedicate a portion of it to a given group. So 10.x.x.1-15 could be Group A’s equipment, and 10.x.x.16-31 could be Group B’s, etc…

Now the iptables question part: Is it possible to have just 2 rules on the data centre side to match this, irrespective of the number of remote locations? One that matches e.g. 10.x.x.1-15 and one that matches 16-31?

If not, is there another approach that I should be looking into?

Edit: I suppose I could use ipsets, which will reduce the number of rules even though I still have the overhead of managing the sets.

My answer:
It seems like you are missing the obvious:

 iptables -A INPUT .... -s 10.0.0.16/28 -j ...
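
To see what that /28 rule matches, and how the same idea covers every remote site with one rule per group, here is an added illustration that is not part of the answer above. iptables tests (packet address & mask) == rule address for -s and -d, and the mask need not be a contiguous prefix, so 255.0.0.240 ignores the two site octets. Chain, targets and the example hosts are assumptions.

```shell
#!/bin/sh
# Added example: reproduce the address/mask test iptables applies to -s/-d,
# then classify hosts under the question's layout (group A equipment at
# 10.x.x.1-15, group B at 10.x.x.16-31). Chain and targets are assumptions.

ip_to_int() {
  # Dotted quad -> unsigned 32-bit integer, POSIX sh arithmetic only.
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

matches() {
  # matches ADDR RULE_ADDR MASK -> success when the rule would match ADDR.
  a=$(ip_to_int "$1"); r=$(ip_to_int "$2"); m=$(ip_to_int "$3")
  [ $(( a & m )) -eq $(( r & m )) ]
}

group_for() {
  # Classify a destination host the way the two site-independent rules would.
  if   matches "$1" 10.0.0.0  255.0.0.240; then echo A
  elif matches "$1" 10.0.0.16 255.0.0.240; then echo B
  else echo none
  fi
}

rules() {
  # The two data-centre rules. 10.0.0.16/28 (the answer's form) covers one
  # site; the dotted-mask form is how iptables-save prints a non-prefix mask
  # and is what covers every site at once.
  echo "iptables -A FORWARD -s 10.0.0.0/24 -d 10.0.0.0/255.0.0.240 -j ACCEPT"
  echo "iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.0.16/255.0.0.240 -j ACCEPT"
}
```

Note that a /28 starting at .0 also covers the .0 address, so group A's block is 10.x.x.0-15 rather than exactly .1-15.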

View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.