On 12/30/2012 10:21 PM, Walter Dnes wrote:

> [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
> [0:0] -A FECESBOOK -j DROP
> [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
> [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
> [0:0] -A INPUT -i lo -j ACCEPT
> [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED

In fact, since you're blocking all outgoing packets to facebook, the only state that a packet from facebook can have here is INVALID or NEW. So traffic from facebook will be sent to the UNSOLICITED chain and DROPped.

> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
> [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK

...making these pointless =)

> [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
> [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
> [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
> [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG

I believe the same applies here, since you already accepted your legitimate LAN traffic above. For this to catch anything, you'd first have to send a packet to one of those subnets and something would have to respond to it.

> [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

So it makes even more sense to move this above the rest. If you still want to log facebook and other private traffic, the INVALID,NEW rule should come after those, otherwise the facebook/private stuff will just be dropped as UNSOLICITED.
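The ordering argument above can be checked offline with a small first-match model of the INPUT chain. This is an added example, not part of the thread or of anyone's ruleset: chain names, log targets and subnets are taken from the quoted rules, the interface matches are left out, and the sample packets with their conntrack states are constructed here.

```python
# Added example: first-match evaluation of the quoted INPUT chain, with the
# original ordering beside the reordering suggested in the reply.
# Packets and conntrack states are constructed; the -i eth0 matches are omitted.
from ipaddress import ip_address, ip_network

def first_match(rules, pkt):
    """Return the target of the first matching rule, or None (falls to policy)."""
    for net, states, target in rules:
        if net is not None and ip_address(pkt["src"]) not in ip_network(net):
            continue
        if states is not None and pkt["state"] not in states:
            continue
        return target
    return None

# Each rule: (source subnet or None, ctstate set or None, target). Order matters.
ORIGINAL = [
    ("192.168.123.248/29", None, "ACCEPT"),
    (None, {"INVALID", "NEW"}, "UNSOLICITED"),   # hit before the logging chains
    ("69.63.176.0/20", None, "FECESBOOK"),       # never reached by NEW packets
    ("10.0.0.0/8", None, "PRIVATE_LOG"),         # same problem
    (None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
]

REORDERED = [
    ("192.168.123.248/29", None, "ACCEPT"),
    (None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),  # replies to our own traffic first
    ("69.63.176.0/20", None, "FECESBOOK"),         # then the logging chains
    ("10.0.0.0/8", None, "PRIVATE_LOG"),
    (None, {"INVALID", "NEW"}, "UNSOLICITED"),     # catch-all last
]

def evaluate(rules, packets):
    """Target chosen for each packet, in order."""
    return [first_match(rules, p) for p in packets]

# Constructed packets: outbound traffic to facebook is dropped, so anything from
# its range can only arrive as NEW or INVALID; the LAN and remote replies are
# ESTABLISHED.
PACKETS = [
    {"src": "69.63.176.10", "state": "NEW"},
    {"src": "10.1.2.3", "state": "NEW"},
    {"src": "192.168.123.250", "state": "ESTABLISHED"},
    {"src": "8.8.8.8", "state": "ESTABLISHED"},
]

if __name__ == "__main__":
    print("original: ", evaluate(ORIGINAL, PACKETS))
    print("reordered:", evaluate(REORDERED, PACKETS))
```

With the original order the facebook and private-range packets both end up in UNSOLICITED, so the FECESBOOK and PRIVATE_LOG prefixes never appear in the log; with the reordering they are logged under their own chains while established replies are still accepted.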