On Thu, 27 Dec 2001 09:22:08 +1100 (EST), James Morris wrote:

>> My reading of the man pages, etc says that the following line in the
>> /etc/sysconfig/iptables file (using RH 7.2 - the same line is in the /proc
>> files) on router.invlogic.com:
>>
>> [0:0] -A INPUT -d 198.182.196.9 -p tcp -m tcp --dport 25 -j REJECT \
>> --reject-with icmp-port-unreachable
>>
>> should have blocked the above session.
>
> The input chain is for packets with a local destination. You probably
> want that rule in the forward chain on the router.

James,

Thanks for the clarification. That seems to be different from the way all the previous firewall code operated; I wonder why the change was made. Previously (ipfwadm, ipchains) the input chain processed all packets entering the tcp networking code, regardless of their source -- external interfaces, local programs, etc. The forward chain only dealt with packets that had to be passed on to another system (which it appears is still the case).

Needless to say I'll change the rules to use FORWARD, but it seems we've lost some functionality with this implementation.

Michael

=======================================================================
Michael McLagan                     59 E. River St, #2     V:(315)393-1202
General Manager,                    Ogdensburg, NY 13669   F:(315)393-1154
Linux Online, Inc.                  The first stop for Linux info on the Net
-
: send the line "unsubscribe linux-net" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
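The chain distinction James describes above, shown as an added illustration rather than code from the thread: a small Python model of how netfilter picks a chain after the routing decision (INPUT for packets addressed to the host, FORWARD for packets routed onward, OUTPUT for locally generated ones) and what happens to the quoted rule in each position. The parser understands only the options that appear in the quoted `/etc/sysconfig/iptables` line; the router addresses, the outside host and the `chain_for`/`verdict` helpers are assumptions made for the example, and the only address taken from the thread is 198.182.196.9.

```python
"""Model of netfilter chain selection versus rule placement.

Added illustration for the linux-net thread; not code from the thread itself.
All addresses except 198.182.196.9 are constructed (RFC 5737 ranges).
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    locally_generated: bool = False  # True for packets created by a local process


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst is None or self.dst == pkt.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def parse_rule(line: str) -> Rule:
    """Parse one iptables-save style line; only the options used in the thread
    are understood, anything else raises rather than being silently ignored."""
    tokens = line.split()
    if tokens and tokens[0].startswith("["):  # leading "[packets:bytes]" counters
        tokens.pop(0)
    chain = target = dst = proto = None
    dport: Optional[int] = None
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if opt == "-A":
            chain = arg
        elif opt == "-d":
            dst = arg
        elif opt == "-p":
            proto = arg
        elif opt == "--dport":
            dport = int(arg)
        elif opt == "-j":
            target = arg
        elif opt in ("-m", "--reject-with"):
            pass  # match-module load / reject type: no effect on matching here
        else:
            raise ValueError(f"unsupported option {opt!r}")
        i += 2
    if chain is None or target is None:
        raise ValueError("rule needs both -A <chain> and -j <target>")
    return Rule(chain, target, dst, proto, dport)


def chain_for(pkt: Packet, local_addrs: Set[str]) -> str:
    """The chain is chosen by the routing decision: a forwarded packet never
    traverses INPUT, so an INPUT rule cannot affect it."""
    if pkt.locally_generated:
        return "OUTPUT"
    if pkt.dst in local_addrs:
        return "INPUT"
    return "FORWARD"


def verdict(rules: List[Rule], pkt: Packet, local_addrs: Set[str],
            policy: str = "ACCEPT") -> str:
    """First matching rule in the traversed chain wins; else the chain policy."""
    chain = chain_for(pkt, local_addrs)
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return rule.target
    return policy


# The rule exactly as quoted in the thread, and the same rule moved to FORWARD.
INPUT_RULE = ("[0:0] -A INPUT -d 198.182.196.9 -p tcp -m tcp --dport 25 "
              "-j REJECT --reject-with icmp-port-unreachable")
FORWARD_RULE = INPUT_RULE.replace("-A INPUT", "-A FORWARD")

ROUTER_ADDRS = {"192.0.2.1", "198.51.100.1"}  # constructed: the router's own addresses
# Constructed: an outside host opening SMTP to the mail host behind the router.
SMTP_IN = Packet(src="203.0.113.7", dst="198.182.196.9", proto="tcp", dport=25)


def smtp_verdict_with_input_rule() -> str:
    return verdict([parse_rule(INPUT_RULE)], SMTP_IN, ROUTER_ADDRS)


def smtp_verdict_with_forward_rule() -> str:
    return verdict([parse_rule(FORWARD_RULE)], SMTP_IN, ROUTER_ADDRS)


if __name__ == "__main__":
    print("chain traversed:", chain_for(SMTP_IN, ROUTER_ADDRS))  # FORWARD
    print("rule in INPUT   ->", smtp_verdict_with_input_rule())   # ACCEPT: rule never consulted
    print("rule in FORWARD ->", smtp_verdict_with_forward_rule()) # REJECT
```

Running it shows why the original rule could not stop the session: the SMTP packet is routed through the box, so it only traverses FORWARD, and the INPUT rule is never evaluated. A quick way to confirm the same thing on a real router is to watch the packet and byte counters of the rule (the `[0:0]` prefix in the saved file, or `iptables -L -v -n`) while traffic passes; a rule in the wrong chain stays at zero.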