> I meant, there can't be no such processing ?
>
> 1/
> -> ...
> -> match for the source address 192.168.10.14
> |-> match for destination port 80 -> ACCEPT
> |-> match for the destination port 443 -> ACCEPT
> -> ...

Yes, this is possible using a user defined chain.

  $ipt -N WEBCHECK
  $ipt -A WEBCHECK -p tcp --dport 80 -j ACCEPT
  $ipt -A WEBCHECK -p tcp --dport 443 -j ACCEPT
  $ipt -A INPUT -s 192.168.10.14 [-p tcp] -j WEBCHECK

First you create a user defined chain (-N), for example, called WEBCHECK.
You populate the chain with rules that only match port 80 or port 443 and ACCEPT when matched.
You add a rule to the default INPUT chain matching source IP 192.168.10.14 and redirect the packet to the WEBCHECK.

If no rule in WEBCHECK matched, the packet will continue traversing the INPUT chain until a match or do what the chain policy says should happen (ACCEPT or DROP).

The "-p tcp" in the INPUT rule is optional, but since you're only checking tcp packets in the WEBCHECK chain, it might make sense to only send tcp packets to that chain.

This would IMHO only be of real use if you have lots of rules and you want to narrow down the number of rules to be matched. In this case you won't notice the difference.

Grts,
Rob
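The traversal described in the reply above, modelled as an added Python example that is not part of the original post and is not netfilter code. It shows a packet falling off the end of WEBCHECK, returning to INPUT and ending at the chain policy, and counts the rules evaluated. The DROP default for the INPUT policy, the function names and the sample packets are assumptions made for the illustration.

```python
# Toy model of iptables chain traversal for the WEBCHECK ruleset in the post.
# Added illustration only: names, packets and the policy default are assumed.

# User-defined chain: (match fields, target)
WEBCHECK = [
    ({"proto": "tcp", "dport": 80}, "ACCEPT"),
    ({"proto": "tcp", "dport": 443}, "ACCEPT"),
]
CHAINS = {"WEBCHECK": WEBCHECK}

def input_chain(restrict_tcp):
    """INPUT with the single jump rule; restrict_tcp models the optional -p tcp."""
    match = {"src": "192.168.10.14"}
    if restrict_tcp:
        match["proto"] = "tcp"
    return [(match, "WEBCHECK")]

def traverse(chain, pkt, counter):
    """Return a verdict, or None when the chain ends without a terminating match."""
    for match, target in chain:
        counter[0] += 1  # one more rule evaluated
        if any(pkt.get(k) != v for k, v in match.items()):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        verdict = traverse(CHAINS[target], pkt, counter)
        if verdict is not None:
            return verdict
        # No rule in the user chain matched: resume after the jump rule.
    return None

def filter_input(pkt, restrict_tcp=True, policy="DROP"):
    """Return (verdict, rules_evaluated) for one packet arriving on INPUT."""
    counter = [0]
    verdict = traverse(input_chain(restrict_tcp), pkt, counter)
    return (verdict if verdict is not None else policy, counter[0])

if __name__ == "__main__":
    # Constructed sample packets, not captured traffic.
    samples = [
        {"src": "192.168.10.14", "proto": "tcp", "dport": 443},
        {"src": "192.168.10.14", "proto": "tcp", "dport": 22},
        {"src": "192.168.10.14", "proto": "udp", "dport": 80},
        {"src": "192.168.10.99", "proto": "tcp", "dport": 80},
    ]
    for pkt in samples:
        print(pkt, filter_input(pkt), filter_input(pkt, policy="ACCEPT"))
```

With an ACCEPT policy the port 22 packet from 192.168.10.14 is still accepted, because WEBCHECK only accepts and never drops; the chain restricts that host to web ports only when the INPUT policy or a later rule drops what falls through.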