On Sun Aug 25 2002 at 17:41, Michael Tiernan wrote:

> Is there a way for ipchains to know what the dynamic ip on an
> interface (such as ppp) is when it's running?

No, it needs to be told.

> If one wanted to have a rule that says "don't allow those on net b to spoof
> net a (the ppp) line, how would you do it other than using the interface?

Filter your traffic via interface. For example, in the ipchains input chain have a rule that says that all traffic originating from the ppp interface (ppp+ means any ppp interface) gets sent to another chain, like this:

    ipchains -N inppp
    ipchains -I input -i ppp+ -j inppp
    ipchains -A inppp ..... whatever ....
    ipchains -A inppp -j ACCEPT

Then do your filtering in the inppp chain where the packet is accepted or whatever.

Splitting the traffic into per-interface user chains at the top chain levels has some nice design advantages in sorting out the traffic into nice sensible "hunks". Of course, take care with how you order your rules so that you get the result you want.

> (I'm assuming it's something like saying "if not ppp AND not
> RFC1918 drop it")

Divert all the "not" traffic into other chains (where they terminate with -j ACCEPT or reject or whatever, and not re-enter the parent chain), and then do your rfc1918 testing on what is left.

> Thanks for everyone's time.
> We'll skip the 'chains vs tables' discussion for the moment. :)

(?? both work, they are just a little different).

Cheers
Tony

_______________________________________________
Redhat-devel-list mailing list
Redhat-devel-list@redhat.com
https://listman.redhat.com/mailman/listinfo/redhat-devel-list
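The per-interface chain layout from the reply above, worked into a complete anti-spoofing rule set as an added example (this is not code from the thread or from Red Hat). The chain name inppp and the -i ppp+ match come from the reply; the LAN interface eth0, the LAN block 192.168.1.0/24 and the chain name inlan are assumptions, and IPCHAINS can be pointed at echo to preview the rules without touching the kernel.

```shell
#!/bin/sh
# Added example: per-interface user chains for ipchains, with the
# RFC 1918 anti-spoofing check done on the ppp side only.
IPCHAINS="${IPCHAINS:-ipchains}"       # set IPCHAINS=echo for a dry run
PPP_IF="${PPP_IF:-ppp+}"               # ppp+ matches any ppp interface
LAN_IF="${LAN_IF:-eth0}"               # assumed LAN interface ("net b")
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed sample LAN block

run() { "$IPCHAINS" "$@"; }

# Traffic arriving on the ppp link ("net a"): a private or loopback source
# address can never legitimately come in over the dial-up side, so drop
# and log it before anything else in the chain is considered.
ppp_input_rules() {
    run -N inppp
    # Divert everything from ppp+ into inppp at the top of the input chain.
    run -I input -i "$PPP_IF" -j inppp
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        run -A inppp -s "$net" -j DENY -l
    done
    # ... other per-link policy goes here, before the final ACCEPT ...
    run -A inppp -j ACCEPT
}

# Traffic arriving on the LAN side: only the LAN's own block is accepted,
# so a LAN host cannot pretend to be on the ppp side of the box.
lan_input_rules() {
    run -N inlan
    run -I input -i "$LAN_IF" -j inlan
    run -A inlan -s "$LAN_NET" -j ACCEPT
    run -A inlan -j DENY -l
}

# Both diversions sit at the top of input; each matches a different
# interface, so their relative order does not matter. Whatever is not
# diverted falls through to the parent chain's remaining rules.
apply_all() {
    ppp_input_rules
    lan_input_rules
}
```

Run with `IPCHAINS=echo sh script.sh` after adding a call to apply_all to see the exact rules before applying them as root.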