On Wednesday 30 June 2004 2:33 pm, IZEM Farid wrote:
> Hi all,
>
> I'm trying to customize my iptables rules.
> Let us imagine we have three hosts which users have to access:
> HOST1
> HOST2
> HOST3
>
> Is this configuration correct?
> iptables -N HOST1_RULESETS
> iptables -N HOST2_RULESETS
> iptables -N HOST3_RULESETS
>
> In each new chain, I will add rules to accept connections to some services
> like telnet, ssh, IBM Client Access. And after, I will do this thing:
> iptables -A FORWARD -i eth0 -o eth1 -j HOST1_RULESETS
> iptables -A FORWARD -i eth0 -o eth1 -j HOST2_RULESETS
> iptables -A FORWARD -i eth0 -o eth1 -j HOST3_RULESETS
>
> In fact, what I'm looking for is that I can organize my rules by host
> instead of adding all rules for all hosts in the FORWARD chain?
>
> With the configuration I describe, will all rules in the HOSTX_RULESETS
> be checked?
>
> I think it's correct, but I'm not totally sure.

Yes, that looks fine to me - the only thing you need to remember is that the
first rule which matches, with an ACCEPT, DROP or REJECT target, will
determine the fate of the packet.

Organising rules into user-defined chains like this is fine with netfilter,
if it makes it easier for you to work with.

The only thing I would suggest changing about what you've written above is
that if the chain HOST1_RULESETS is supposed to be for packets going only to
HOST1, then your FORWARD rule jumping to that chain should only do so for
packets going to HOST1 (similarly for HOST2, HOST3 etc).

iptables -A FORWARD -i eth0 -o eth1 -d $HOST1 -j HOST1_RULESETS

That ensures that packets for HOST2, which cannot possibly match any of the
rules in HOST1_RULESETS, don't have to traverse all the way through the rules
before then getting a chance at HOST2_RULESETS.

PS: Don't forget a general rule allowing for the reply packets :)

Regards,

Antony.

-- 
I want to build a machine that will be proud of me.

 - Danny Hillis, creator of The Connection Machine

Please reply to the list; please don't CC me.
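The layout Farid describes, with Antony's two corrections applied (the `-d $HOST` on each FORWARD jump and the general rule for reply packets), as an added example script that is not part of the thread. The addresses and ports are constructed, eth0/eth1 are taken from the question, and by default the script only prints the iptables commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: per-host user-defined chains with the
# FORWARD jump narrowed by destination, plus the reply-packet rule.
# Dry-run by default: IPT prints the commands instead of applying them.
# Run with IPT=iptables (as root) to apply them for real.
IPT="${IPT:-echo iptables}"

# Constructed sample addresses (assumptions, not from the thread).
HOST1=192.0.2.10
HOST2=192.0.2.20
HOST3=192.0.2.30

# host_chain CHAIN HOST PORT...: create CHAIN, accept the given TCP ports in
# it, and jump to it from FORWARD only for packets addressed to HOST, so
# packets for the other hosts never traverse this chain at all.
host_chain() {
    chain=$1; host=$2; shift 2
    $IPT -N "$chain"
    for port in "$@"; do
        $IPT -A "$chain" -p tcp --dport "$port" -j ACCEPT
    done
    # A packet matching nothing in CHAIN returns to FORWARD and, with the
    # policy set below, is dropped; no terminal rule is needed in the chain.
    $IPT -A FORWARD -i eth0 -o eth1 -d "$host" -j "$chain"
}

setup_forward() {
    # Default deny: only traffic that hits an ACCEPT rule is forwarded.
    $IPT -P FORWARD DROP
    # The general rule for reply packets, placed first so established flows
    # are accepted before any per-host chain is consulted.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    host_chain HOST1_RULESETS "$HOST1" 22 23   # ssh, telnet (constructed)
    host_chain HOST2_RULESETS "$HOST2" 22      # ssh only (constructed)
    host_chain HOST3_RULESETS "$HOST3" 22 23
}

setup_forward
```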