Re: Possible IPTables bug in INPUT interface filtering?

On 21 April 2010 19:27, Narendra Choyal <narendrachoyal@xxxxxxxxx> wrote:

> NOTE:
> -i also does not work when we have two virtual IPs like eth0 and eth0:1.
> In this case the first rule will be applied whatever the interface is
> written, i.e. eth0 or eth0:1.

Might be totally off base but have vague memories that the virtual
interface can't be filtered using -i / -o.

I've got a fairly complex rule setup using both in and out filters
using wildcards, such that a lot of rules are of the following kind
(these are for example only; exact port numbers and match criteria
vary):

-A INPUT -i eth+ -p udp -j ACCEPT
-A OUTPUT ! -o sl+ -p tcp -j DROP  (We don't want tcp traffic going
over very low bandwidth slip links!)
-A OUTPUT -o eth+ -p icmp -j ACCEPT
-A OUTPUT -o sl+ -p icmp <<hash limit match>> -j ACCEPT

I haven't encountered a problem where the io interface flag isn't working as
expected, but with the exception of one or two rules, all the rules
using io flags are using wildcard matches.


-- 
Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.pbase.com/arimus - My online photogallery
http://www.topcashback.co.uk/ref/rhorton
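To make the point in this thread concrete, here is an added example (not code from either poster) that models how iptables compares the `-i`/`-o` interface name against the device a packet actually arrived on: an alias such as eth0:1 is only an extra address on eth0, so the kernel reports the ingress device as eth0 and a rule written against the alias name never fires, whereas a trailing `+` prefix wildcard or a `-d` address match does. The interface names, addresses and packets are constructed for illustration.

```python
# Added example: a small model of iptables' -i / -o interface-name matching,
# showing why "-i eth0:1" can never match traffic for an alias address while
# "-i eth+" or "-d <alias address>" does. All values below are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    in_iface: str  # device the kernel received the frame on
    dst: str       # destination IP address


@dataclass
class Rule:
    in_iface: Optional[str] = None  # -i pattern; trailing "+" is a prefix wildcard
    negate_iface: bool = False      # "! -i"
    dst: Optional[str] = None       # -d address
    target: str = "ACCEPT"


def iface_matches(pattern: str, name: str) -> bool:
    """iptables semantics: a trailing '+' matches any name with that prefix,
    otherwise the names must be identical (no alias awareness at all)."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_iface is not None:
        hit = iface_matches(rule.in_iface, pkt.in_iface)
        if hit == rule.negate_iface:  # "!" flips the result
            return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    return True


def first_match(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in a netfilter chain; otherwise the policy."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule.target
    return policy


# Constructed: 192.0.2.1 is the primary address on eth0, 192.0.2.2 is the
# alias eth0:1. The kernel reports the ingress device as "eth0" for both.
PKT_PRIMARY = Packet(in_iface="eth0", dst="192.0.2.1")
PKT_ALIAS = Packet(in_iface="eth0", dst="192.0.2.2")

# A rule written against the alias name is dead: the second rule always wins.
BY_NAME = [Rule(in_iface="eth0:1", target="DROP"), Rule(in_iface="eth0")]
# Filtering the alias by its address (plus a wildcard catch-all) does work.
BY_ADDR = [Rule(in_iface="eth0", dst="192.0.2.2", target="DROP"), Rule(in_iface="eth+")]

if __name__ == "__main__":
    for label, chain in (("by name", BY_NAME), ("by address", BY_ADDR)):
        print(label, first_match(chain, PKT_PRIMARY), first_match(chain, PKT_ALIAS))
```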