iptables multiple -d flags not allowed

For problems of this kind you can define new chains and jump between them. You might for example add a chain LOGGING and, at the beginning of this chain, match those packets you don't want to log with an action of RETURN:

$ iptables -N LOGGING
$ iptables -A LOGGING -d 127.0.0.0/8 -j RETURN
$ iptables -A LOGGING -d 239.192.0.0/16 -j RETURN
$ iptables -A LOGGING -j LOG
$ iptables -A OUTPUT -j LOGGING

This way, all packets coming through the OUTPUT chain would first go through the LOGGING chain, everything not destined for 127.0.0.0/8 or 239.192.0.0/16 would be logged, and then control would go back to the OUTPUT chain.


Yes, but it doesn't work the way you want. From the man page:

Multiple addresses can be specified, but this will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D).

The way to do this is to add rules earlier in the chain to divert the traffic you don't want to log or modify, e.g.

-A OUTPUT -o lo -j ACCEPT
-A OUTPUT --destination 239.192.0.0 -j ACCEPT
-A OUTPUT -m state --state NEW -j LOG --log-prefix "new_connection " --log-level 7
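
As an added example (not code from either answer), a POSIX sh function that emits the first answer's LOGGING chain for any number of excluded destinations in iptables-restore format, so the exclusions are written out as one RETURN rule per network rather than several -d values on one rule. The chain name, log prefix and the `-m state --state NEW` match are taken from the two answers; the exact layout is my assumption.

```shell
#!/bin/sh
# build_logging_rules CHAIN PREFIX CIDR...
# Emits an iptables-restore fragment for the filter table: one RETURN per
# excluded destination, then the LOG rule, then the jump from OUTPUT into
# the new chain. Every RETURN precedes the LOG rule, so excluded traffic
# never reaches it.
build_logging_rules() {
    chain=$1; prefix=$2; shift 2
    printf '*filter\n'
    # Declare the user-defined chain (created if it does not exist yet)
    printf ':%s - [0:0]\n' "$chain"
    for net in "$@"; do
        # Excluded destinations go straight back to the calling chain
        printf '%s\n' "-A $chain -d $net -j RETURN"
    done
    # Everything else that starts a new connection gets logged
    printf '%s\n' "-A $chain -m state --state NEW -j LOG --log-prefix \"$prefix \" --log-level 7"
    # Hook the chain into OUTPUT
    printf '%s\n' "-A OUTPUT -j $chain"
    printf 'COMMIT\n'
}

# count_logging_rules CHAIN PREFIX CIDR...
# Self-check helper: number of rules emitted for CHAIN (excluded nets + 1 LOG)
count_logging_rules() {
    build_logging_rules "$@" | grep -c "^-A $1 "
}

# Constructed sample: the two networks from the first answer
build_logging_rules LOGGING new_connection 127.0.0.0/8 239.192.0.0/16
```

Review the printed fragment, then load it with `iptables-restore -n` (no flush) to add the chain without touching the rest of the filter table.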
