Netfilter list:

There are two sets of bonded NIC interfaces in our system, bond0 (public interface) and bond1 (private interface). bond0 needs to process the rules in the 'filter' table. bond1 does not; it should accept all packets and not participate in connection tracking (in other words, jump to NOTRACK in the raw table) in order to be as efficient as possible.

What we have currently is below, but we need some help in getting the raw table fleshed out so that what we desire in the previous paragraph is accommodated.

# Generated by iptables-save v1.3.5 on Tue Dec 27 08:52:02 2011
*raw
:PREROUTING ACCEPT [1327:114702]
:OUTPUT ACCEPT [2012:272100]
-A PREROUTING -i bond1 -j NOTRACK
-A OUTPUT -o bond1 -j NOTRACK
COMMIT
# Completed on Tue Dec 27 08:52:02 2011
# Generated by iptables-save v1.3.5 on Tue Dec 27 08:52:02 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i bond1 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state INVALID -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Thanks in advance for your help.

Tim
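One thing worth checking in a layout like the one posted is rule ordering: a packet sent to NOTRACK in the raw table never acquires ESTABLISHED or RELATED state, so the filter chain has to accept the untracked interface explicitly before any `-m state` rule, or its traffic falls through to the final REJECT. The small audit below is an added example, not part of Tim's post or of the netfilter project; it parses a constructed iptables-save dump modelled on the one above and checks that every interface NOTRACKed in raw PREROUTING is accepted in the named filter chain ahead of the first state/conntrack match (the chain name is assumed, and the check looks at that chain directly rather than following jumps).

```python
# Constructed sample modelled on the posted dump (counters zeroed, trimmed).
SAMPLE_DUMP = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i bond1 -j NOTRACK
-A OUTPUT -o bond1 -j NOTRACK
COMMIT
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i bond1 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state INVALID -j DROP
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_tables(dump):
    """Return {table_name: [tokenised -A rules in order]} from iptables-save text."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith('*'):
            current = line[1:]
            tables[current] = []
        elif line.startswith('-A ') and current:
            tables[current].append(line.split())
    return tables

def notrack_interfaces(tables):
    """Interfaces whose inbound packets are NOTRACKed in raw PREROUTING."""
    ifaces = set()
    for tok in tables.get('raw', []):
        if tok[1] == 'PREROUTING' and tok[-2:] == ['-j', 'NOTRACK'] and '-i' in tok:
            ifaces.add(tok[tok.index('-i') + 1])
    return ifaces

def accepted_before_state(tables, chain, iface):
    """True if `chain` accepts `iface` before any -m state / -m conntrack rule.
    Untracked packets have no ESTABLISHED,RELATED state, so order matters."""
    for tok in tables.get('filter', []):
        if tok[1] != chain:
            continue
        if '-i' in tok and tok[tok.index('-i') + 1] == iface and tok[-2:] == ['-j', 'ACCEPT']:
            return True
        modules = [tok[i + 1] for i, t in enumerate(tok) if t == '-m']
        if 'state' in modules or 'conntrack' in modules:
            return False  # first stateful rule reached without an interface accept
    return False

def audit(dump, chain='RH-Firewall-1-INPUT'):  # chain name is an assumption
    tables = parse_tables(dump)
    return {i: accepted_before_state(tables, chain, i) for i in notrack_interfaces(tables)}
```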