Dear Ryan.
>>> iptables -A OUTPUT -p UDP -d $IP1-j DROP
>>> iptables -A OUTPUT -p TCP -d $IP1 -j DROP
>>> iptables -A OUTPUT -p UDP -d $IP2 -j DROP
>>> iptables -A OUTPUT -p TCP -d $IP2 -j DROP
>>
>> That's what I am doing atm. Thanks for the update.
>
> BTW, if you have some complex chain of action logic (more than just a
> simple -j DROP), you could simplify your rules by creating a custom
> chain and having the rules on the builtin chain (OUTPUT, or whatever)
> jump to your custom chain instead of DROP.
>
> For example, If I wanted to use the same four rules from above, but I
> wanted to both log AND drop the incoming packets, a "naive"
> implementation might be something like this:
>
> iptables -A OUTPUT -p UDP -d $IP1 -j LOG --log-prefix 'MYDROP: '
> --log-level notice
> iptables -A OUTPUT -p UDP -d $IP1 -j DROP
> iptables -A OUTPUT -p TCP -d $IP1 -j LOG --log-prefix 'MYDROP: '
> --log-level notice
> iptables -A OUTPUT -p TCP -d $IP1 -j DROP
> iptables -A OUTPUT -p UDP -d $IP2 -j LOG --log-prefix 'MYDROP: '
> --log-level notice
> iptables -A OUTPUT -p UDP -d $IP2 -j DROP
> iptables -A OUTPUT -p TCP -d $IP2 -j LOG --log-prefix 'MYDROP: '
> --log-level notice
> iptables -A OUTPUT -p TCP -d $IP2 -j DROP
>
> You could do the same thing in a much more compact fashion by creating
> a custom chain called MYDROP:
>
> iptables -N MYDROP
> iptables -A MYDROP -j LOG --log-prefix 'MYDROP: ' --log-level notice
> iptables -A MYDROP -j DROP
> iptables -A OUTPUT -p UDP -d $IP1 -j MYDROP
> iptables -A OUTPUT -p TCP -d $IP1 -j MYDROP
> iptables -A OUTPUT -p UDP -d $IP2 -j MYDROP
> iptables -A OUTPUT -p TCP -d $IP2 -j MYDROP
That's what I am doing, too. Just wondered if there is a way to
combile parameters with a logical OR.
Thanks
Marcus
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
