> To streamline the firewall I am writing, can I be safe to
> assume that:
>
> CLASS_A="10.0.0.0/8"
> IF1="eth0"
> IF2="eth1"
>
> (For example, I will drop anything claiming to be from a Class A
> Private Network on either interface)
> iptables -A INPUT -i $IF1 -s $CLASS_A -j DROP
> iptables -A INPUT -i $IF2 -s $CLASS_A -j DROP
>
> can be written in one line as:
> iptables -A INPUT -s $CLASS_A -j DROP

Yes. You'd only specify the incoming interface if you were to expect $CLASS_A on one interface, but not on the other interface. If you don't specify -i, iptables won't match the incoming interface, so it would only look at the source address.

Rob
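The matching behaviour described in the reply, as an added example that is not part of the original thread: a simplified Python model of first-match rule evaluation that compares the two per-interface rules with the single rule written without -i. The `Rule` class, the helper functions, the default ACCEPT policy and the sample packets (including the `lo` and `tun0` interfaces) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """Simplified model of an INPUT rule: optional -i, -s CIDR, -j target."""
    source: str
    target: str
    in_iface: Optional[str] = None  # None models a rule written without -i

    def matches(self, iface, src):
        # With -i the interface must match; without it only the source is checked.
        if self.in_iface is not None and self.in_iface != iface:
            return False
        return ipaddress.ip_address(src) in ipaddress.ip_network(self.source)

def verdict(rules, iface, src, policy="ACCEPT"):
    """First matching rule wins; otherwise the (assumed) chain policy applies."""
    for rule in rules:
        if rule.matches(iface, src):
            return rule.target
    return policy

CLASS_A = "10.0.0.0/8"
per_interface = [Rule(CLASS_A, "DROP", "eth0"), Rule(CLASS_A, "DROP", "eth1")]
any_interface = [Rule(CLASS_A, "DROP")]

def differing_packets(packets):
    """Return the packets on which the two rule sets reach different verdicts."""
    return [p for p in packets
            if verdict(per_interface, *p) != verdict(any_interface, *p)]

# Constructed sample packets: (incoming interface, source address)
SAMPLE = [
    ("eth0", "10.1.2.3"),
    ("eth1", "10.200.0.9"),
    ("eth0", "192.0.2.7"),
    ("lo", "10.0.0.5"),    # hypothetical: a 10.x source arriving via loopback
    ("tun0", "10.8.0.2"),  # hypothetical third interface
]

if __name__ == "__main__":
    for iface, src in SAMPLE:
        print(iface, src,
              verdict(per_interface, iface, src),
              verdict(any_interface, iface, src))
    print("rule sets differ on:", differing_packets(SAMPLE))
```

On eth0 and eth1 the two rule sets give the same verdicts; they differ only for interfaces the per-interface rules never named.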