LINUX.ORG.RU

> Or will I have to write a separate rule for each IP?

Whoa! What, is it so hard for you to add a couple of rules? Awful!!

#!/bin/sh
# Add one FORWARD ACCEPT rule per source address in the list
for i in 80.249.153.56 80.249.153.60 80.90.112.6 80.90.112.7 85.112.112.35 80.112.112.36 85.112.112.38
do
/sbin/iptables -A FORWARD -s $i -j ACCEPT
done
exit 0

I hope you can manage to substitute your own iptables rule.

anonymous

http://ipset.netfilter.org/

set (patch)

IP sets are a high performance way of matching based on IP addresses. You could, for example, define an ipset of the bogon addresses, and then match them with a single iptables rule:

ipset --create bogons nethash
ipset --add bogons 10.0.0.0/8
ipset --add bogons 192.168.0.0/16
ipset --add bogons 0.0.0.0/8
ipset --add bogons 169.254.0.0/16
ipset --add bogons 172.16.0.0/12
ipset --add bogons 192.0.2.0/24
ipset --add bogons 192.42.172.0/24
iptables -A FORWARD -m set --set bogons src -j DROP
iptables -A FORWARD -m set --set bogons dst -j DROP
iptables -A INPUT -m set --set bogons src -j DROP
iptables -A INPUT -m set --set bogons dst -j DROP

Note that the ipset utility is required to use these. There are also many different types of ipsets, including iphash, nethash (for network addresses, as used above), port hashes, and an "iptree" type which can also optionally store a timeout. The latter has huge implications for setting up something to blackhole IPs which touch your SSH port using a command like "ipset --create blackhole iptree --timeout 3600" and adding the IP with "ipset --add blackhole 192.168.1.1".

Note that the above rules end up being a pretty simple way to block packets coming through your firewall from or to a bogon address, using only 4 rules. This can be done with iptables as well, but does require twice as many rules (to match source and destination) and is definitely lower performance.

anonymous
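As an added example (not from the thread or the ipset documentation): a POSIX sh script that turns an address list into an `ipset restore` file, validates each entry before it reaches the privileged tool, and prints the one rule that replaces the per-address loop. It uses the current ipset syntax (`hash:net`, `--match-set`) rather than the older `nethash`/`--set` syntax quoted above; the set name `allowed_hosts` and the demo addresses are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): build an `ipset restore` script so
# the whole set loads atomically and a single iptables rule matches it.
# SET_NAME and the demo addresses are constructed for this example.

SET_NAME=allowed_hosts

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so a
# malformed list line cannot smuggle extra commands into the restore script.
valid_ipv4_net() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        plen=${1#*/}
        case $plen in ''|*[!0-9]*) return 1 ;; esac
        [ "$plen" -le 32 ] || return 1
    fi
    case $addr in *.) return 1 ;; esac   # trailing dot would split cleanly
    old_ifs=$IFS; IFS=.; set -f
    set -- $addr                         # split into octets, no globbing
    set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the restore script for the given entries; fail on the first bad one.
gen_ipset_restore() {
    printf 'create %s hash:net family inet\n' "$SET_NAME"
    for net in "$@"; do
        valid_ipv4_net "$net" || { echo "bad entry: $net" >&2; return 1; }
        printf 'add %s %s\n' "$SET_NAME" "$net"
    done
}

# The single rule that replaces one ACCEPT rule per address.
iptables_rule() {
    printf 'iptables -A FORWARD -m set --match-set %s src -j ACCEPT\n' "$SET_NAME"
}

# Demo: `sh this.sh --demo > allowed.ipset`, then as root run
# `ipset restore -exist < allowed.ipset` followed by the rule printed on stderr.
if [ "${1:-}" = "--demo" ]; then
    gen_ipset_restore 80.249.153.56 80.249.153.60 80.90.112.0/24 85.112.112.35
    iptables_rule >&2
fi
```

Loading through `ipset restore` replaces the contents in one step, so there is no window where the set is half-populated while traffic is being matched against it.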
Reply to: comment from anonymous

thanks, the method is clear; I thought iptables had other ways of writing and handling such a set of addresses, without a loop

Husky
(topic author)