On Tue, 12 Aug 2003 15:23:14 +0200, Michael Schwendt wrote

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Tue, 12 Aug 2003 03:16:22 -0700, jdow wrote:
>
> > Rules are executed "top down". So packets logged in an early rule and
> > then rejected in a later rule get both logged and rejected. And I did
> > somewhat misread the list. It looks like you want to both log and reject
> > the 0:1023 material so you could -j REJECT -j LOG in a single rule, I
> > believe. Please excuse my error.
>
> No, that was possible with ipchains where logging was not a target, but
> an option. Iptables does not allow multiple targets, i.e. it does not
> allow multiple -j flags. Hence two separate rules is how it must be
> done.
>
> You can also match only once and then jump to a user-defined chain,
> which does a simple catch-all LOG/REJECT, e.g.
>
> -N logreject
> -A logreject -j LOG
> -A logreject -j REJECT
>
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j logreject

That is neat. However, sometimes I like to insert other information with
the rejected log messages. I.e.,

iptables -I INPUT -s 202.0.0.0/8 -j DROP # Asia
iptables -I INPUT -s 202.0.0.0/8 -j LOG --log-prefix "Asia2 " --log-level DEBUG # Asia 2

(The debug is because I have set up my logs so that packet log messages
are sent to /var/log/packets.)

So, I would need a method to pass my --log-prefix data to the catch-all.

--
Shrike-list mailing list
Shrike-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/shrike-list
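The way to carry a --log-prefix into a user-defined chain is to build one small chain per prefix: the address or port match is written once, the jump target names the prefix, and the LOG and DROP/REJECT rules live inside the chain. The script below is an added example for this thread, not code posted by either participant or shipped with Red Hat's Lokkit; the chain names, the `make_log_chain` helper, the rate limit and the dry-run `IPT` variable are my assumptions, while the 202.0.0.0/8 block, the "Asia2 " prefix, the udp 0:1023 catch-all and the debug log level come from the messages above.

```shell
#!/bin/sh
# Added example: one user-defined LOG+DROP/REJECT chain per log prefix, so a
# packet is matched once and the prefix still reaches the log.  Not from the
# thread; helper and chain names are assumptions.

# Print the iptables commands instead of running them unless IPT is set,
# so the ruleset can be reviewed (and this script tested) without root.
IPT="${IPT:-echo iptables}"

# make_log_chain CHAIN PREFIX TARGET
# Creates (or flushes, if it already exists) CHAIN, which logs with PREFIX
# at level debug (the thread routes packet logs to /var/log/packets that
# way) and then hands the packet to TARGET, e.g. DROP or REJECT.
# The -m limit match is an added safeguard so a flood cannot fill the log.
make_log_chain() {
  chain=$1; prefix=$2; target=$3
  $IPT -N "$chain" 2>/dev/null || $IPT -F "$chain"
  $IPT -A "$chain" -m limit --limit 5/min --limit-burst 10 \
       -j LOG --log-prefix "$prefix " --log-level debug
  $IPT -A "$chain" -j "$target"
}

# Michael's generic catch-all plus one tagged chain for the block jdow
# wanted to label "Asia2".  Each INPUT rule matches once and jumps once;
# the prefix is carried by the chain it jumps to, so the LOG-before-DROP
# ordering no longer depends on the order the rules were inserted.
build_ruleset() {
  make_log_chain logreject "logreject" REJECT
  make_log_chain asia2     "Asia2"     DROP
  $IPT -A INPUT -s 202.0.0.0/8 -j asia2
  $IPT -A INPUT -p udp -m udp --dport 0:1023 -j logreject
}

build_ruleset
```

Run it as-is to review the generated commands, or `IPT=iptables sh thisscript.sh` as root to apply them. Adding a new prefix is one more `make_log_chain` call and one jump; the syslog side (an assumed sysklogd line such as `kern.=debug -/var/log/packets`) is unchanged because every chain logs at the same level.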