complement of an IP address range rejected by iptables in F14

dave perry skidavem at mindspring.com
Fri Jan 14 00:30:20 UTC 2011


I have several LAN's with fedora routers that I support.  The last line 
in this section of my firewall script causes an error in F14.

POSTROUTING chain rules
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s ! 192.168.1.0/24 -j DROP

Using intrapositioned negation (`--option ! this`) is deprecated in 
favor of extrapositioned (`! --option this`).

Am I interpreting this change correctly to think that the following line,

/sbin/iptables -A FORWARD ! -s 192.168.1.0/24 -j DROP

will drop all packet not sourced from the LAN with addresses 192.168.1.* 
where * is any number from 1 to 255?



More information about the users mailing list