i don't know that i agree with this statement. when a packet reaches the end of custom chain "tcp_invalidos" and has not matched any rules in that chain--it should return to the calling chain where it left off; i.e.
iptables -P INPUT DROP
iptables -A INPUT -j badstuff
iptables -A INPUT -j goodstuff
iptables -A INPUT -j LOG
a packet not matching any rule in "badstuff" will return to INPUT, and
then jump to "goodstuff"... if the packet doesn't match any rule in
"goodstuff" it will return to INPUT, get logged, and *then* get dropped,
as it has hit the end of the INPUT chain and not matched any rules. only then does the POLICY of the chain get enforced.
Hm, interesting... I vaguely remember (I might be wrong) testing something similar a while ago, and I got different results. Anyhow, this seems to be undocumented ("man iptables" doesn't say what happens when the end of a user-defined chain is reached). Could it be that it changed from one version to another?
--
Aleksandar Milivojevic <amilivojevic@xxxxxx>
Systems Administrator, Pollard Banknote Limited
1499 Buffalo Place, Winnipeg, MB R3T 1L7
Tel: (204) 474-2323 ext 276
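As an added illustration of the traversal the first message describes (not code from either poster, and not iptables itself), here is a small Python model of the rule-walk: a user-defined chain that runs out of rules acts like RETURN and resumes in the calling chain, LOG is non-terminating, and the built-in chain's policy is applied only when the packet falls off the end of that built-in chain. The badstuff/goodstuff match conditions and the sample packets are constructed for the example.

```python
# Toy model of iptables chain traversal (added example, not iptables itself):
# a built-in chain's policy applies only when the packet falls off its end,
# and a user-defined chain that ends without a match acts like RETURN.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

class Ruleset:
    def __init__(self):
        self.chains = {}    # chain name -> list of (match, target)
        self.policies = {}  # built-in chain name -> policy target

    def policy(self, chain, target):   # iptables -P chain target
        self.policies[chain] = target
        self.chains.setdefault(chain, [])

    def append(self, chain, target, match=lambda pkt: True):  # iptables -A
        self.chains.setdefault(chain, []).append((match, target))

    def walk(self, chain, pkt, log):
        """Return a verdict, or None if the chain ends without one."""
        for match, target in self.chains[chain]:
            if not match(pkt):
                continue
            if target == "LOG":         # non-terminating: record and go on
                log.append(chain)
            elif target == "RETURN":
                return None
            elif target in TERMINATING:
                return target
            else:                       # jump to a user-defined chain
                verdict = self.walk(target, pkt, log)
                if verdict is not None:
                    return verdict      # the sub-chain decided the fate
                # otherwise we fell off the end of the sub-chain: resume here
        return None

    def filter(self, chain, pkt):
        """Enter a built-in chain; the policy applies only at the very end."""
        log = []
        verdict = self.walk(chain, pkt, log)
        return (verdict or self.policies[chain], log)

def example_ruleset():
    """The INPUT / badstuff / goodstuff / LOG layout from the thread (constructed)."""
    rs = Ruleset()
    rs.policy("INPUT", "DROP")
    rs.append("badstuff", "DROP", lambda p: p["src"] == "10.0.0.66")   # constructed
    rs.append("goodstuff", "ACCEPT", lambda p: p["dport"] == 22)       # constructed
    for target in ("badstuff", "goodstuff", "LOG"):
        rs.append("INPUT", target)
    return rs
```

A packet matching nothing in badstuff or goodstuff reaches the LOG rule in INPUT, is logged, and only then gets the DROP policy, exactly the order the first message describes.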