On Wed, 2008-10-15 at 23:46 -0400, Joey wrote:
> Hello All,
>
> While I have used iptables for a while, I have found that I needed to gain
> more knowledge to push what I am doing with it to another level.
>
> I have read through a few things on-line and in the readme stuff, but have
> some confusion that I want to clear up.
>
> I am thinking that a chain is a group of rules, and I can create multiple
> chains to define rules for different things.
> Let's say FTP-RULES, SPAM-RULES etc.
>
> If I do this I can hopefully flush just one group or chain without affecting
> the other rules is what I am thinking.
>
> When I execute a rule I do this:
> iptables -A INPUT -p tcp -s 118.242.0.0/16 -j LOG --log-prefix SPAM-BLOCK-CIDR-ASIAN
> iptables -A INPUT -p tcp -s 118.242.0.0/16 --dport 25 -j DROP
>
> I wanted to change it to add it to a chain like so:
> iptables CIDR-ASIAN -A INPUT -p tcp -s 118.242.0.0/16 -j LOG --log-prefix SPAM-BLOCK-CIDR-ASIAN
> iptables CIDR-ASIAN -A INPUT -p tcp -s 118.242.0.0/16 --dport 25 -j DROP
>
> iptables -N CIDR-ASIAN -A INPUT -p tcp -s 118.242.0.0/16 -j LOG --log-prefix SPAM-BLOCK-CIDR-ASIAN
> iptables -N CIDR-ASIAN -A INPUT -p tcp -s 118.242.0.0/16 --dport 25 -j DROP

# create the chain
iptables -N CIDR-ASIAN

# hook the chain into another chain (PREROUTING, INPUT, FORWARD, etc)
iptables -A INPUT -j CIDR-ASIAN

# add rules to the new chain
iptables -A CIDR-ASIAN -p tcp -s 118.242.0.0/16 -j LOG --log-prefix SPAM-BLOCK-CIDR-ASIAN
iptables -A CIDR-ASIAN -p tcp -s 118.242.0.0/16 --dport 25 -j DROP

# flush the chain
iptables -F CIDR-ASIAN

> This didn't work for me and I have tried several variants with no luck.
>
> So my first question is do I understand correctly how to utilize chains?
>
> Will I be able to load and unload chains rather than flush everything and
> reload everything? ( I have a lot of rules )

I don't quite understand your question. You 'create' and 'delete' user-defined chains.
You can, of course, flush chains individually as well.

--
Matt Zagrabelny - mzagrabe@xxxxxxxxx - (218) 726 8844
University of Minnesota Duluth
Information Technology Systems & Services
PGP key 1024D/84E22DA2 2005-11-07
Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2

He is not a fool who gives up what he cannot keep to gain what he cannot lose.
-Jim Elliot
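The create/hook/flush sequence from the reply, turned into a load/unload pair as an added example that is not from the thread: the chain is populated before it is hooked into INPUT with a single jump rule, and unloading removes that jump first, because iptables refuses to delete a chain that is still referenced. Chain name, address range and log prefix are the thread's; the helper names and the DRY_RUN switch (print commands instead of running them, no root needed) are this example's own assumptions.

```shell
#!/bin/sh
# Manage the CIDR-ASIAN chain as one unit without touching the rest of INPUT.
# DRY_RUN=1 prints each iptables command instead of executing it.
CHAIN=CIDR-ASIAN
NET=118.242.0.0/16
PREFIX=SPAM-BLOCK-CIDR-ASIAN

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the chain, fill it, then hook it into INPUT with one jump rule,
# so the jump never points at a half-built chain.
load_chain() {
    run iptables -N "$CHAIN"
    run iptables -A "$CHAIN" -p tcp -s "$NET" -j LOG --log-prefix "$PREFIX"
    run iptables -A "$CHAIN" -p tcp -s "$NET" --dport 25 -j DROP
    run iptables -A INPUT -j "$CHAIN"
}

# Remove the jump rule first (-X fails while a rule still references the
# chain), then flush and delete the chain. Other INPUT rules stay in place.
unload_chain() {
    run iptables -D INPUT -j "$CHAIN"
    run iptables -F "$CHAIN"
    run iptables -X "$CHAIN"
}

case "${1:-}" in
    load)   load_chain ;;
    unload) unload_chain ;;
    *)      echo "usage: $0 load|unload" >&2 ;;
esac
```

Reloading only this group of rules is then `unload` followed by `load`, while every other rule in INPUT is left untouched.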