IN SSH(ACCEPT) -i net0 -source 10.0.0.1,10.0.0.2,10.0.0.3 #accept ssh for 10.0.0.1 or 10.0.0.2 or 10.0.0.3
IN SSH(ACCEPT) -i net0 -source +mynetgroup #accept ssh for ipset mynetgroup
IN SSH(ACCEPT) -i net0 -source myserveralias #accept ssh for alias myserveralias
+IN SSH(ACCEPT) -i net0 -source FE80:0000:0000:0000:0202:B3FF:FE1E:8329
+IN ACCEPT -i net0 -p icmpv6
|IN SSH(ACCEPT) -i net0 # disabled rule
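Review bot: The added `IN ACCEPT -i net0 -p icmpv6` rule admits every ICMPv6 type, which is broader than IPv6 needs in order to work. Neighbour discovery and the error messages behind path-MTU discovery have to pass, but an unrestricted accept also lets in router advertisements and redirects from any host on the link, plus echo requests. If the rule grammar can match on ICMPv6 type, the example should list only the required types (RFC 4890 gives the recommended set). Otherwise a trailing comment such as `# accepts all icmpv6 types; needed for neighbour discovery` would tell readers what they are opening. Both added lines also lack the trailing `#` explanation that the neighbouring examples carry.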
myserveralias 10.0.0.111
mynetworkalias 10.0.0.0/24
+myserveraliasipv6 2001:db8:0:85a3:0:0:ac1f:8001
+myserveraliasipv6short 2001:db8:0:85a3::ac1f:8001
+
[RULES]
IN ACCEPT -source 10.0.0.1,10.0.0.2,10.0.0.3
IN ACCEPT -source +mynetgroup
IN ACCEPT -source myserveralias
-
+IN ACCEPT -source myserveraliasipv6
+IN ACCEPT -source 2001:db8:0:85a3:0:0:ac1f:8001
[ipset myipset]
192.168.0.0/24
! 10.0.0.0/8 #nomatch - needs kernel 3.7 or newer
mynetworkalias
+2001:db8:0:85a3::ac1f:8001
+2001:db8:0:85a3:0:0:ac1f:8002
#global ipset blacklist
[ipset blacklist]
10.0.0.8
192.168.0.0/24
+2001:db8:0:85a3:0:0:ac1f:8001
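Review bot: The address `2001:db8:0:85a3:0:0:ac1f:8001` is added to `[ipset blacklist]` here and is also the source of the new `IN ACCEPT -source 2001:db8:0:85a3:0:0:ac1f:8001` rule under `[RULES]`, so the example contradicts itself. The alias `myserveraliasipv6` resolves to the same address. If the blacklist is evaluated before the rules, which is the usual arrangement, that ACCEPT never matches, and a reader copying the example may remove the wrong line to make it work. A distinct documentation address in the blacklist would avoid this, for example `2001:db8:0:85a3:0:0:ac1f:8003` (constructed sample). Separately, `[ipset myipset]` and `[ipset blacklist]` now mix IPv4 and IPv6 members, while kernel ipsets are single-family, so it is worth confirming that the generator splits each named set per family, and stating that in a comment.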