another iptables question

Thomas Stivers stivers_t at tomass.dyndns.org
Sun Dec 28 14:08:12 EST 2003



On 12/28/03  1:31 AM -0500, igueths at comcast.net wrote:
> Hi all. Supposing I create a chain whose policy is LOG and I use a syntax
> like: iptables -A NAMEOFCHAIN -i eth0 -o eth1 -p icmp --icmp-type
> ECHO_REPLY -j DROP. Would the packet first be logged and then dropped?

The policy is only applied when/if the packet falls off the end of the
chain, i.e. isn't matched by any rule.

> Also, does -i eth0 -o eth1 imply that the packet is going in eth0 and out
> eth1? Or does it imply that the packet is going in eth0 and out eth1 at the
> same time, which is impossible anyway? Thanks!

I believe it is impossible to use both, but I may be wrong in the FORWARD chain. To
understand exactly what happens you have to understand what packets
pass through which chains. The INPUT chain handles all packets coming
into any interface on the box regardless of its destination, the OUTPUT
chain handles all packets generated on the box, but not packets being
forwarded, and the FORWARD chain handles packets from elsewhere going
elsewhere. This is all from memory of a howto I read a few years ago, so
YMMV, but I know www.netfilter.org has information that will help you
understand this stuff. Happy firewalling.

-- 
Clarke's Corollary:
Any technology distinguishable from magic is insufficiently advanced.
Thomas Stivers	e-mail: stivers_t at tomass.dyndns.org
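The two points in this reply (a chain's policy is consulted only when a packet falls off the end without a terminating match, and a rule carrying both -i and -o can only match a forwarded packet, since INPUT traffic has no outgoing interface) as an added toy model in Python; this is illustration written for this page, not code from the post or from netfilter, and the Rule/Chain classes and sample packets are constructed assumptions:

```python
from dataclasses import dataclass, field
from typing import Optional

# Toy model of netfilter chain traversal (constructed illustration, not netfilter code).
# Rules are tried top to bottom.  LOG is a non-terminating target: it records the
# packet and evaluation continues.  ACCEPT/DROP end traversal.  The chain policy
# is used only when a packet reaches the end of a built-in chain unmatched.
TERMINATING = {"ACCEPT", "DROP"}

@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None    # -i  (present on INPUT and FORWARD packets)
    out_if: Optional[str] = None   # -o  (present on OUTPUT and FORWARD packets)
    proto: Optional[str] = None    # -p

    def matches(self, pkt: dict) -> bool:
        wanted = (("in_if", self.in_if), ("out_if", self.out_if), ("proto", self.proto))
        return all(want is None or pkt.get(key) == want for key, want in wanted)

@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)
    logged: list = field(default_factory=list)

    def traverse(self, pkt: dict) -> str:
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.logged.append(dict(pkt))   # record it, then keep evaluating
                continue
            if rule.target in TERMINATING:
                return rule.target
        return self.policy                      # fell off the end: policy decides

def demo() -> dict:
    """Constructed packets; returns each verdict and how many packets were logged."""
    icmp_match = ("eth0", "eth1", "icmp")
    drop_only = Chain("FORWARD", "ACCEPT", [Rule("DROP", *icmp_match)])
    log_then_drop = Chain("FORWARD", "ACCEPT", [Rule("LOG", *icmp_match), Rule("DROP", *icmp_match)])
    fwd_icmp = {"in_if": "eth0", "out_if": "eth1", "proto": "icmp"}
    fwd_tcp = {"in_if": "eth0", "out_if": "eth1", "proto": "tcp"}
    local_icmp = {"in_if": "eth0", "proto": "icmp"}     # INPUT traffic: no -o to match
    return {
        "drop_only": (drop_only.traverse(fwd_icmp), len(drop_only.logged)),
        "log_then_drop": (log_then_drop.traverse(fwd_icmp), len(log_then_drop.logged)),
        "unmatched_uses_policy": drop_only.traverse(fwd_tcp),
        "input_never_matches_o": Chain("INPUT", "ACCEPT", drop_only.rules).traverse(local_icmp),
    }
```

A DROP rule on its own logs nothing; to log and then drop, the LOG rule must precede the DROP rule in the chain.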
