Chains policy and rules

I use a PC with 3 NICs. 
Their configurations are:
eth0: 152.201.3.179 mask 255.255.0.0
eth1: 152.20.3.181 mask 255.255.0.0
eth2: 192.168.1.181 mask 255.255.255.0

I use two groups of commands.
1.
#!/bin/sh
echo "Starting iptables rules..."
#Refresh all chains
/sbin/iptables -F
/sbin/iptables -A INPUT -p tcp -d 192.168.1.165 --dport 80 -i eth2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 192.168.1.165 --dport 22 -i eth2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.201.3.179 --dport ! 80 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.201.3.179 --dport ! 22 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.201.3.177 --dport ! 80 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.201.3.177 --dport ! 22   -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.20.3.181 --dport ! 80 -i eth1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.20.3.181 --dport ! 22 -i eth1 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j DROP
/sbin/iptables -A INPUT -i eth1 -j DROP
/sbin/iptables -A INPUT -i eth2 -j DROP

2.
/sbin/iptables -F
/sbin/iptables -A INPUT -p tcp -d 192.168.1.165 --dport 80 -i eth2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 192.168.1.165 --dport 22 -i eth2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.201.3.179 --dport ! 80 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.201.3.179 --dport ! 22 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.201.3.177 --dport ! 80 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.201.3.177 --dport ! 22   -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.20.3.181 --dport ! 80 -i eth1 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.20.3.181 --dport ! 22 -i eth1 -j ACCEPT
/sbin/iptables -P INPUT DROP

I think both of them should do the same things. Yes it does work. But when I use the second group, the connection to 192.168.1.165:80 becomes very slow. The same thing happened on ssh connection to 192.168.1.165. If I use the first group command, everything is normal! Who can tell me why this happened? What's the difference between dropping packets on the chain and dropping packets on every ethernet card?
Thanks a million to you who answer this question.

 :)
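An added evaluator, not part of the original post, that walks a packet through a constructed subset of both rule groups above the way the kernel walks the INPUT chain: the first matching rule decides, otherwise the chain policy applies. The interface, address and port values are those from the post; the packet tuples fed to it are constructed.

```python
import shlex

# Constructed subset of the post's two rule groups: the same ACCEPT rules, followed by
# either per-interface DROP rules (group 1) or a chain policy of DROP (group 2).
ACCEPTS = """\
/sbin/iptables -A INPUT -p tcp -d 192.168.1.165 --dport 80 -i eth2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 192.168.1.165 --dport 22 -i eth2 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.201.3.179 --dport ! 80 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 152.201.3.179 --dport ! 22 -i eth0 -j ACCEPT
"""
GROUP1 = ACCEPTS + "".join(f"/sbin/iptables -A INPUT -i {i} -j DROP\n" for i in ("eth0", "eth1", "eth2"))
GROUP2 = ACCEPTS + "/sbin/iptables -P INPUT DROP\n"

def parse_chain(script):
    """Return (rules, policy) from '-A INPUT ...' and '-P INPUT ...' lines; -F is ignored."""
    rules, policy = [], "ACCEPT"  # a built-in chain's policy is ACCEPT until -P changes it
    for argv in (shlex.split(line) for line in script.splitlines()):
        if len(argv) < 4 or argv[2] != "INPUT":
            continue
        if argv[1] == "-P":
            policy = argv[3]
            continue
        if argv[1] != "-A":
            continue
        rule, i = {}, 3
        while i < len(argv):
            if argv[i] in ("-p", "-d", "-i", "-j"):
                rule[argv[i]] = argv[i + 1]
                i += 2
            elif argv[i] == "--dport" and argv[i + 1] == "!":  # old-style negation: --dport ! 80
                rule["dport"], i = (argv[i + 2], True), i + 3
            elif argv[i] == "--dport":
                rule["dport"], i = (argv[i + 1], False), i + 2
            else:
                i += 1
        rules.append(rule)
    return rules, policy

def verdict(script, iface, dst, proto, dport):
    """Target of the first matching rule, else the chain policy (how the kernel walks a chain)."""
    rules, policy = parse_chain(script)
    for r in rules:
        if any(k in r and r[k] != v for k, v in (("-i", iface), ("-d", dst), ("-p", proto))):
            continue
        if "dport" in r and (r["dport"][0] == str(dport)) == r["dport"][1]:
            continue  # a negated rule whose port matched, or a plain rule whose port did not
        return r["-j"]
    return policy

if __name__ == "__main__":
    for pkt in (("lo", "127.0.0.1", "udp", 53), ("eth2", "192.168.1.165", "tcp", 80)):
        print(pkt, "group 1:", verdict(GROUP1, *pkt), "group 2:", verdict(GROUP2, *pkt))
```

It shows the one case the two groups treat differently: a packet arriving on lo, which group 1 never drops and group 2's policy does, so local services that talk to a resolver or to each other over loopback behave differently under the second group. It also shows that the paired "--dport ! 80" and "--dport ! 22" rules together accept every port on that address, since any port differs from at least one of the two.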
