RE: how can i combine these 2 iprules

> > On Friday 05 March 2004 6:27 pm, Technical wrote:
> >
> >> -A RH-Firewall-1-INPUT ! -s cnnp1.com  -j LOG --log-prefix "IPTABLES: "
> >> -A RH-Firewall-1-INPUT ! -s cnnp2.com  -j LOG --log-prefix "IPTABLES: "
> >
> > iptables -N mychain
> > iptables -A mychain -s cnnp1.com  -j RETURN
> > iptables -A mychain -s cnnp2.com  -j RETURN
> > iptables -A mychain -j LOG --log-prefix "IPTABLES: "
> > iptables -A RH-Firewall-1-INPUT -j mychain
>
> What is -j Return doing

Your match is reversed.
You matched everything that does not match cnnp1.com and LOGged it. After that you
matched everything that does not match cnnp2.com and LOGged it.
So, you logged everything that matched cnnp1.com or cnnp2.com once, else
twice.

Antony's solution redirects a packet to the "mychain" user chain.
If a packet matches either cnnp1.com or cnnp2.com, it RETURNs to the
"RH-Firewall-1-INPUT" chain.
If a packet didn't match, it gets logged and the "mychain" chain ends, thus
the packet returns to the chain that called it: the "RH-Firewall-1-INPUT"
chain.


Gr,
Rob
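The difference Rob describes can be checked with a small model of chain traversal (LOG is non-terminating, RETURN hands the packet back to the calling chain, and falling off the end of a user chain also returns). This is an added example, not code from the thread; the hostnames are the thread's, the rule encoding and the sample source 198.51.100.7 are constructed, and the source is compared as a plain string rather than resolved to an address the way real iptables does at rule-load time.

```python
# A rule is (source, negated, target); source None matches every packet.
# The two rule sets are the ones quoted in the thread.
ORIGINAL = {
    "RH-Firewall-1-INPUT": [
        ("cnnp1.com", True, "LOG"),   # ! -s cnnp1.com -j LOG
        ("cnnp2.com", True, "LOG"),   # ! -s cnnp2.com -j LOG
    ],
}

WITH_USER_CHAIN = {
    "RH-Firewall-1-INPUT": [(None, False, "mychain")],  # -j mychain
    "mychain": [
        ("cnnp1.com", False, "RETURN"),  # -s cnnp1.com -j RETURN
        ("cnnp2.com", False, "RETURN"),  # -s cnnp2.com -j RETURN
        (None, False, "LOG"),            # -j LOG --log-prefix "IPTABLES: "
    ],
}


def walk(chains, name, src, log):
    """Traverse chain `name` for a packet from `src`, appending LOG hits to `log`.

    Returns when a RETURN rule fires or the chain runs out of rules; the
    caller then continues with its next rule, exactly like the kernel does.
    """
    for source, negated, target in chains[name]:
        hit = source is None or ((src == source) != negated)
        if not hit:
            continue
        if target == "LOG":
            log.append(f"IPTABLES: src={src} chain={name}")  # non-terminating
        elif target == "RETURN":
            return
        else:
            walk(chains, target, src, log)  # jump to a user chain, then resume


def log_count(chains, src):
    """Number of LOG lines a packet from `src` produces under `chains`."""
    log = []
    walk(chains, "RH-Firewall-1-INPUT", src, log)
    return len(log)


if __name__ == "__main__":
    # Constructed sample sources: the two whitelisted hosts and a stranger.
    for src in ("cnnp1.com", "cnnp2.com", "198.51.100.7"):
        print(src, log_count(ORIGINAL, src), log_count(WITH_USER_CHAIN, src))
```

The original pair logs the listed hosts once and everyone else twice; the user-chain version logs the listed hosts never and everyone else once.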
