On Thu, 16/10/2008 at 18:16 -0400, Joey wrote:
> > -----Original Message-----
> > From: Matt Zagrabelny [mailto:mzagrabe@xxxxxxxxx]
> > Sent: Thursday, October 16, 2008 9:19 AM
> > To: Joey
> > Cc: netfilter@xxxxxxxxxxxxxxx
> > Subject: Re: General question about chains
> >
> > # create the chain
> > iptables -N CIDR-ASIAN
> >
> > # hook the chain into another chain (PREROUTING, INPUT, FORWARD, etc)
> > iptables -A INPUT -j CIDR-ASIAN
> >
> > # add rules to the new chain
> > iptables -A CIDR-ASIAN -p tcp -s 118.242.0.0/16 -j LOG --log-prefix SPAM-BLOCK-CIDR-ASIAN
> > iptables -A CIDR-ASIAN -p tcp -s 118.242.0.0/16 --dport 25 -j DROP
> >
> > # flush the chain
> > iptables -F CIDR-ASIAN
> >
> > > This didn't work for me and I have tried several variants with no luck.
> > >
> > > So my first question is: do I understand correctly how to utilize chains?
> > >
> > > Will I be able to load and unload chains rather than flush everything
> > > and reload everything? (I have a lot of rules.)
> >
> > I don't quite understand your question.
> >
> > You 'create' and 'delete' user-defined chains. You can, of course, flush
> > chains individually as well.
>
> That's what I was looking for; however, I have updated my script to create
> the entries as shown, but it seems like it's not working.
> Do I have to tell iptables to activate a specific table of entries?
> Here is a snip from iptables-save, and basically NOTHING is being blocked.
>
> Thanks!
>
> # Generated by iptables-save v1.2.11 on Thu Oct 16 17:08:54 2008
> *filter
> :INPUT ACCEPT [129969:48753771]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [128669:50573226]
> :CIDR-ASIAN - [0:0]
> :CIDR-CZECH - [0:0]
> :CIDR-IISG - [0:0]
> :CIDR-INDIA-KOREA - [0:0]
> :CIDR-POLAND - [0:0]
> :CIDR-RUSSIA - [0:0]
> :CIDR-TURKEY - [0:0]
> :CIDR-UK - [0:0]
> :TEST-JACK - [0:0]
> :fail2ban-postfix - [0:0]
> :fail2ban-postfix-log - [0:0]
> -A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -p tcp -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
> -A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A CIDR-ASIAN -s 58.16.0.0/255.248.0.0 -p tcp -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
> -A CIDR-ASIAN -s 58.16.0.0/255.248.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A CIDR-ASIAN -s 58.24.0.0/255.254.0.0 -p tcp -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
> -A CIDR-ASIAN -s 58.24.0.0/255.254.0.0 -p tcp -m tcp --dport 25 -j DROP
> -A CIDR-ASIAN -s 58.29.0.0/255.255.0.0 -p tcp -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
> -A CIDR-ASIAN -s 58.29.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP

Did you forget COMMIT at the end? Entries are actually added all at once on COMMIT.

-- 
Покотиленко Костик <casper@xxxxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
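Editor's added example (not code from anyone in the thread). Two things leave a user-defined chain silently inert, and both are visible in an iptables-save dump: a table section with no terminating COMMIT, which iptables-restore needs before it applies anything (the point of the reply above), and a chain that no rule in a built-in chain jumps to, so it is declared but never traversed. On the second point, note that iptables-save prints the rules of the built-in chains before those of user-defined chains, and the quoted snip, as far as it is shown, goes straight from the chain declarations to -A CIDR-ASIAN rules with no -A INPUT ... -j CIDR-ASIAN line; if that is the whole *filter section, the chain was never hooked in. The script below generates a complete restore fragment for such a chain (with the LOG rule matching the same port-25 traffic as the DROP, rate-limited, rather than logging every TCP packet from the range as the rules in the thread do) and lints a dump for both mistakes. The chain name CIDR-ASIAN, the CIDRs and the BROKEN_DUMP text are constructed for the example; iptables-restore -n (--noflush) is a real option that keeps rules already in the table, such as fail2ban's.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds an iptables-restore
# fragment for a user-defined chain and lints an iptables-save dump for the
# two mistakes that make such a chain do nothing: a table with no COMMIT
# (iptables-restore loads a table atomically at COMMIT, so without it none
# of the rules are applied) and a user chain that no rule jumps to.

# gen_restore CHAIN CIDR... : emit a *filter section declaring CHAIN,
# hooking it into INPUT for port 25 only, adding a rate-limited LOG and a
# DROP per CIDR that match the same traffic, and ending with COMMIT.
# Load with:  gen_restore CIDR-ASIAN 58.14.0.0/15 | iptables-restore -n
# (-n keeps existing rules; when reloading, remove the old INPUT hook
# first, see unload_cmds, or it is appended a second time).
gen_restore() {
    chain=$1
    shift
    printf '%s\n' '*filter' ":$chain - [0:0]" \
        "-A INPUT -p tcp --dport 25 -j $chain"
    for cidr in "$@"; do
        printf '%s\n' \
            "-A $chain -s $cidr -p tcp --dport 25 -m limit --limit 5/min -j LOG --log-prefix \"SPAM-BLOCK-$chain \"" \
            "-A $chain -s $cidr -p tcp --dport 25 -j DROP"
    done
    printf '%s\n' COMMIT
}

# unload_cmds CHAIN : the commands that detach and delete CHAIN without
# touching the rest of the ruleset (the "unload" asked about in the thread).
unload_cmds() {
    printf '%s\n' "iptables -D INPUT -p tcp --dport 25 -j $1" \
        "iptables -F $1" "iptables -X $1"
}

# lint_dump : read iptables-save output on stdin, print one line per
# problem found, exit 1 if there were any. Chains declared with ':' whose
# name is not a built-in one are treated as user-defined.
lint_dump() {
    awk '
    /^\*/     { table = substr($0, 2); seen[table] = 1 }
    /^COMMIT/ { committed[table] = 1 }
    /^:/      { name = substr($1, 2)
                if (name !~ /^(INPUT|FORWARD|OUTPUT|PREROUTING|POSTROUTING)$/)
                    user[table SUBSEP name] = 1 }
    /^-A /    { for (i = 1; i < NF; i++)
                    if ($i == "-j" || $i == "-g") jumped[table SUBSEP $(i+1)] = 1 }
    END {
        bad = 0
        for (t in seen)
            if (!committed[t]) { print "table " t ": no COMMIT, its rules were never loaded"; bad = 1 }
        for (k in user) {
            split(k, p, SUBSEP)
            if (!jumped[k]) { print "chain " p[2] " in " p[1] ": no rule jumps to it, never traversed"; bad = 1 }
        }
        exit bad
    }'
}

# Constructed dump (not the poster's real output) reproducing the symptom
# in the thread: chain declared and populated, but no -A INPUT ... -j
# CIDR-ASIAN line and no COMMIT.
BROKEN_DUMP='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CIDR-ASIAN - [0:0]
-A CIDR-ASIAN -s 58.14.0.0/15 -p tcp -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A CIDR-ASIAN -s 58.14.0.0/15 -p tcp -m tcp --dport 25 -j DROP'

# problem_count DUMP : number of lint findings for the dump text DUMP.
problem_count() {
    printf '%s\n' "$1" | lint_dump | wc -l | tr -d ' '
}

printf 'Broken dump: %s problem(s)\n' "$(problem_count "$BROKEN_DUMP")"
printf '%s\n' "$BROKEN_DUMP" | lint_dump || :
printf 'Generated fragment: %s problem(s)\n' \
    "$(problem_count "$(gen_restore CIDR-ASIAN 58.14.0.0/15 58.16.0.0/13)")"
```

Run it as is to see the two findings for the constructed dump and zero for the generated fragment, or pipe a real `iptables-save` into `lint_dump` on a host where a chain "does nothing". The lint only reads text, so it is safe to run anywhere; only the `iptables-restore -n` load mentioned in the comments touches the live ruleset.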