On Saturday 27 March 2004 2:20 pm, Richard Hector wrote:

> On Sat, Mar 27, 2004 at 01:51:32PM +0000, Antony Stone wrote:
> > On Saturday 27 March 2004 1:38 pm, Richard Hector wrote:
> > > This means that early on, I have something like:
> > >
> > > iptables -A INPUT -j protocol
> > > iptables -A FORWARD -j protocol
> > >
> > > iptables -A protocol -p tcp --dport 22 -j ssh
> > >
> > > But then I get a bit stuck. I need to then do different things
> > > depending on the source and destination - which includes whether this
> > > packet is arriving locally or being forwarded. Therefore it would be
> > > useful to know whether this packet started out in the INPUT or FORWARD
> > > chain - but that info seems to have been lost with the jump.
> > >
> > > Is there any way to regain that?
> >
> > Surely the destination address is all you need for this?
>
> I suppose so. It's just that the INPUT chain is a handy way to group all
> the local interfaces and addresses. Without it, I multiply the number of
> rules by the number of possible local addresses that could be used.

Well, okay then - how about using the MARK target to mark packets with one
value in INPUT and a different value in FORWARD, and then check the marked
value in your user-defined chain to see how the packet got there?

Look up the MARK target and the -m mark match for more info.

Regards,

Antony.

-- 

Christmas was just an opportunity to upgrade to kernel 2.6 while no-one was
around to notice the downtime.

Please reply to the list; please don't CC me.
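The fwmark approach Antony suggests, written out as a small rule script. This is an added example, not code from the thread: the mark values 1 and 2, the 192.168.1.0/24 LAN and the 192.168.1.10 host, and the accept/drop policy inside the `ssh` chain are all assumptions. The marks are set in the mangle table, which is where the MARK target was required to live on kernels of that era (mangle INPUT/FORWARD run before the filter chains of the same name, so the mark is already present when `protocol` is entered).

```shell
#!/bin/sh
# Added example: tag packets with where they entered (INPUT vs FORWARD)
# so a shared user-defined chain can tell them apart with `-m mark`.
# Dry run by default (prints the rules); `./fwmark.sh apply` executes them.
IPT="echo iptables"
if [ "${1:-}" = "apply" ]; then
    IPT="iptables"
fi

MARK_INPUT=1      # assumed: locally delivered traffic
MARK_FORWARD=2    # assumed: routed traffic

mark_rules() {
    # Shared chains, as in the original post
    $IPT -N protocol
    $IPT -N ssh

    # Mangle table runs before filter for the same hook, so set the mark there.
    $IPT -t mangle -A INPUT   -j MARK --set-mark "$MARK_INPUT"
    $IPT -t mangle -A FORWARD -j MARK --set-mark "$MARK_FORWARD"

    # Filter table: both built-in chains jump to the same user chain
    $IPT -A INPUT   -j protocol
    $IPT -A FORWARD -j protocol
    $IPT -A protocol -p tcp --dport 22 -j ssh

    # Inside the shared chain the mark replaces the lost INPUT/FORWARD context.
    # Local ssh: accept only from the LAN (assumed 192.168.1.0/24)
    $IPT -A ssh -m mark --mark "$MARK_INPUT"   -s 192.168.1.0/24 -j ACCEPT
    # Forwarded ssh: accept only towards one internal host (assumed 192.168.1.10)
    $IPT -A ssh -m mark --mark "$MARK_FORWARD" -d 192.168.1.10 -j ACCEPT
    # Anything else reaching this chain is dropped (assumed policy)
    $IPT -A ssh -j DROP
}

mark_rules
```

Because the mark is a per-packet field, it is also visible to `iptables -m mark` rules in later tables and to `ip rule fwmark` policy routing, so keep the values distinct from any other marking the box already does.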