-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/16/03 7:08 PM -0500, igueths at comcast.net wrote:
> Hi all. I think this is possible according to my interpretation of the
> iptables manpage, however I am not sure. Is it possible to write one rule
> for the input chain to, let's say, log all icmp-echo-reply packets, and then
> another rule for the input chain that drops the icmp-echo-reply packets? I
> think this is possible, since as far as I know every packet travels through
> the desired chain(s) until a rule or set of rules is encountered for the
> packet(s)?

Yes, this is possible, though I don't see why you want to stop echo replies
instead of echo requests. Here are some example rules.

iptables -A INPUT -p icmp --icmp-type echo-reply -j LOG
iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

The chain will be traversed until it is accepted, rejected, or dropped, and if
none of these happens the policy for the chain will apply. Many of the example
rulesets use a logdrop user-defined chain to log, then drop, packets. As always,
YMMV.

- --
Clarke's Corollary: Any technology distinguishable from magic is
insufficiently advanced.
Thomas Stivers  e-mail: stivers_t at tomass.dyndns.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/36kj5JK61UXLur0RAnl+AJ9AU7EF1mFqc8oKQIpBckvBNzWk4gCcCnxh
JbtTBjWykukvNN0XyhFgujw=
=p0r2
-----END PGP SIGNATURE-----
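The "logdrop" user-defined chain that the reply mentions, written out as an added example; this is not code from the original message or its author. The chain name LOGDROP, the log prefix, and the rate-limit values are this example's own choices, and IPT defaults to `echo iptables` so the script prints the rules instead of applying them (set IPT=iptables and run as root to apply them). The point it demonstrates is the one the reply relies on: LOG is a non-terminating target, so a packet that matches the LOG rule keeps traversing the chain and reaches the DROP rule that follows it.

```shell
#!/bin/sh
# Added example of a LOGDROP user-defined chain for iptables.  Not from the
# original post.  IPT defaults to "echo iptables" so this runs without root
# and without touching netfilter; set IPT=iptables to apply the rules.
# LOGDROP, the log prefix and the limit values are this example's choices.
IPT="${IPT:-echo iptables}"

# Create the LOGDROP chain.  LOG does not end chain traversal, so a packet
# that hits the first rule is logged and then falls through to DROP.
# The limit match keeps a flood of matching packets from filling the log;
# packets over the limit skip the LOG rule but are still dropped.
build_logdrop_chain() {
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "LOGDROP: " --log-level info
    $IPT -A LOGDROP -j DROP
}

# Send inbound ICMP echo-reply packets to LOGDROP.  INPUT is evaluated in
# order; the jump ends traversal of INPUT because LOGDROP always drops.
add_echo_reply_rule() {
    $IPT -A INPUT -p icmp --icmp-type echo-reply -j LOGDROP
}

build_logdrop_chain
add_echo_reply_rule
```

Because the LOG rule sits before the DROP rule inside LOGDROP, the order matters: putting DROP first would end traversal before anything was logged, which is the mistake the two-rule INPUT version in the reply also has to avoid.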