On Sat, Mar 27, 2004 at 01:51:32PM +0000, Antony Stone wrote:
> On Saturday 27 March 2004 1:38 pm, Richard Hector wrote:
>
> > This means that early on, I have something like:
> >
> > iptables -A INPUT -j protocol
> > iptables -A FORWARD -j protocol
> >
> > iptables -A protocol -p tcp --dport 22 -j ssh
> >
> > But then I get a bit stuck. I need to then do different things depending
> > on the source and destination - which includes whether this packet is
> > arriving locally or being forwarded. Therefore it would be useful to
> > know whether this packet started out in the INPUT or FORWARD chain - but
> > that info seems to have been lost with the jump.
> >
> > Is there any way to regain that?
>
> Surely the destination address is all you need for this?

I suppose so. It's just that the INPUT chain is a handy way to group all the
local interfaces and addresses. Without it, I multiply the number of rules by
the number of possible local addresses that could be used.

> Are you sure that combining INPUT and FORWARD rules like this is really what
> you want to do?

No :-) However, that's why I'm experimenting; I'll see what version looks
simplest and most intuitive of the likely possibilities I can think of.

> I would have thought the two were sufficiently different (what traffic you
> allow in to your firewall, compared to what traffic you allow through it to
> elsewhere) that it would be worth writing separate rulesets for the two.

That may well be true - especially if the firewall is sufficiently dedicated
to its firewalling. Mine is also a bounce point for SSH, a DHCP server and an
NTP server; not quite as clean as it could/should be.

Many thanks,

Richard
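The structure Antony suggests (separate rulesets for INPUT and FORWARD) can be written without duplicating the rules by hand: one shell function builds a `<tag>_protocol` and `<tag>_ssh` chain pair per built-in chain, so the chain name itself records whether the packet arrived via INPUT or FORWARD, and the INPUT-side SSH chain needs no per-address `-d` match at all. The script below is an added example and is not from the thread or from either poster; the chain names `in_*`/`fwd_*`, the `DRY_RUN` switch and the RFC 5737 networks `192.0.2.0/24` and `198.51.100.0/24` are assumptions for the illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Each built-in chain gets its own
# user-defined chains, so a packet in in_ssh is known to have come from
# INPUT and a packet in fwd_ssh from FORWARD. One function generates the
# per-direction chains, so the rules are not written twice.
#
# DRY_RUN=1 (the default here) prints the iptables commands instead of
# running them; run with DRY_RUN=0 as root to apply. Networks are
# hypothetical (RFC 5737 documentation ranges).

DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"
MGMT_NET="192.0.2.0/24"      # hosts allowed to SSH into the firewall itself
LAN_NET="198.51.100.0/24"    # hosts allowed to use the firewall as an SSH bounce point

# ipt ARGS...: print or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# build_direction BUILTIN TAG: create TAG_protocol and TAG_ssh and hook
# TAG_protocol into BUILTIN, so the origin is encoded in the chain name.
build_direction() {
    builtin_chain="$1"
    tag="$2"
    ipt -N "${tag}_protocol"
    ipt -N "${tag}_ssh"
    ipt -A "$builtin_chain" -j "${tag}_protocol"
    ipt -A "${tag}_protocol" -p tcp --dport 22 -j "${tag}_ssh"
}

# SSH to the firewall itself (reached only via INPUT). No -d match is
# needed: everything in in_ssh is already addressed to a local address,
# so the rule count does not grow with the number of local addresses.
ssh_rules_input() {
    ipt -A in_ssh -s "$MGMT_NET" -m state --state NEW -j ACCEPT
    ipt -A in_ssh -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A in_ssh -j DROP
}

# SSH passing through the firewall (reached only via FORWARD).
ssh_rules_forward() {
    ipt -A fwd_ssh -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -A fwd_ssh -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A fwd_ssh -j DROP
}

# render_ruleset: emit (or apply) the whole ruleset.
render_ruleset() {
    build_direction INPUT in
    build_direction FORWARD fwd
    ssh_rules_input
    ssh_rules_forward
}

# rules_in_chain CHAIN: number of rules appended to CHAIN, counted from a
# dry-run rendering (always in a subshell, so nothing is applied).
rules_in_chain() {
    ( DRY_RUN=1; render_ruleset ) | grep -c -- "-A $1 " || true
}

render_ruleset
```

Run as-is to see the generated commands; with `DRY_RUN=0` the same functions apply them. Adding another protocol means one more `-p ... -j "${tag}_<name>"` line in `build_direction` plus one `<name>_rules_input` and one `<name>_rules_forward` function, and a packet's origin is never in doubt because INPUT traffic can only ever reach `in_*` chains.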