Re: how can i combine these 2 iprules

On Friday 05 March 2004 8:04 pm, Technical wrote:

> OK, I got that, but I am confused about how true iptables' sequential
> execution of rules is.
>
> Say for example that I ping this machine from a host other than
> cnnp1.com and cnnp2.com. The packet should be logged by
> iptables -A mychain -j LOG --log-prefix "IPTABLES: "
>
> My question is should not the execution of the rest of the rules in
> RH-Firewall-1-INPUT not happen?

Once a packet RETURNs from a user-defined chain, or gets to the end of a 
user-defined chain (as it will if it matches the LOG target - this target 
does not terminate processing), it continues to be processed through the rest 
of the rules in the built-in chain which called it.

The two rules which you posted in your question only LOGged the packets - did 
not ACCEPT or DROP them, therefore the version I suggested to you in my 
answer did exactly the same - LOG without ACCEPTing or DROPping.

If you want to ACCEPT or DROP the packets and thereby avoid further processing 
in the INPUT chain, do so at the end of the user-defined "mychain".

Antony.

-- 
If you can't find an Open Source solution for it, then it isn't a real 
problem.

                                                     Please reply to the list;
                                                           please don't CC me.
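
Added example, not part of the original message and not netfilter code: a simplified Python model of the traversal described above, showing that a packet which only hits LOG in a user-defined chain falls back into the calling chain, while a terminating target at the end of "mychain" stops processing. The rule set, the sample packet and the function names are constructed for illustration.

```python
# Simplified model of iptables chain traversal (constructed; not netfilter code).
TERMINATING = {"ACCEPT", "DROP"}

def traverse(chains, chain, packet, trace, policy=None):
    """Walk `chain` in order. Return a verdict, or `policy` when the chain
    ends or hits RETURN (None for a user-defined chain: caller continues)."""
    for match, target in chains[chain]:
        if not match(packet):
            continue
        trace.append(f"{chain}: {target}")
        if target == "LOG":            # non-terminating: go on to the next rule
            continue
        if target in TERMINATING:      # verdict reached, traversal stops
            return target
        if target == "RETURN":         # leave this chain early
            return policy
        verdict = traverse(chains, target, packet, trace)  # jump to user chain
        if verdict is not None:
            return verdict
    return policy

def run(chains, packet, policy="DROP"):
    """Evaluate a packet against INPUT; `policy` is the built-in chain policy."""
    trace = []
    return traverse(chains, "INPUT", packet, trace, policy), trace

any_pkt = lambda p: True
is_icmp = lambda p: p["proto"] == "icmp"

def build(terminate_in_mychain):
    """Constructed rule set: INPUT sends ICMP to mychain, then accepts ICMP."""
    mychain = [(any_pkt, "LOG")]
    if terminate_in_mychain:
        mychain.append((any_pkt, "DROP"))   # decide at the end of mychain
    return {"INPUT": [(is_icmp, "mychain"), (is_icmp, "ACCEPT")],
            "mychain": mychain}

PING = {"src": "192.0.2.10", "proto": "icmp"}   # constructed sample packet

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, run(build(flag), PING))
```
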


