Travis Veazey wrote:
> Hey all,
>
> This should be a quick answer to a quick question: Mostly out of
> curiosity, I want to add an accounting rule to count all packets that
> get Dropped by my Shorewall configuration. Unfortunately, the obvious
>
> COUNT Drop
>
> rule added to the accounting file doesn't work: I get the following error:
>
> iptables: Chain already exists
> ERROR: Command "/sbin/iptables -N Drop" Failed
>
>
> It seems that by adding that accounting rule, Shorewall is now trying to
> create the Drop chain? Why isn't it just adding the necessary accounting
> rules to the Drop chain, as it already exists by default? What am I
> doing wrong here?

The Shorewall accounting file does not provide a way to add rules to
arbitrary chains. And, as you've discovered, Shorewall-shell (or
possibly an ancient version of Shorewall) isn't particularly friendly
about reminding you of the fact.

If you want to add a dummy counting rule to the front of the Drop chain,
add this to your /etc/shorewall/start file:

run_iptables -I Drop
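
Added example, not part of the original thread and not Shorewall's own code: one way to read back the counters of the target-less rule that the start-file line above inserts at the top of the Drop chain. The function names and the sample listing are constructed for illustration; the sample stands in for `iptables -L Drop -n -v -x` output.

```shell
#!/bin/sh
# Constructed sample of `iptables -L Drop -n -v -x` output (not from a real host).
# The first rule has an empty target column: it matches everything, does
# nothing, and so only accumulates packet and byte counts.
sample_listing() {
cat <<'EOF'
Chain Drop (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1532   104876            all  --  *      *       0.0.0.0/0            0.0.0.0/0
     210    12600 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
     987    78960 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
EOF
}

# Read a chain listing on stdin and print "pkts bytes" for the first rule,
# but only if that rule really is the counting rule: no target (8 columns
# instead of 9) and no match conditions. Returns non-zero when the rule is
# absent, for example when the firewall was started without the start-file
# line, so a monitoring script does not report another rule's counters.
drop_counters() {
    awk '
        NR <= 2 { next }    # skip the chain header and the column titles
        {
            # prot is accepted as "all" or "0" (numeric form) defensively
            if (NF == 8 && ($3 == "all" || $3 == "0") &&
                $5 == "*" && $6 == "*" &&
                $7 == "0.0.0.0/0" && $8 == "0.0.0.0/0") {
                print $1, $2
                found = 1
            }
            exit            # only the first rule is of interest
        }
        END { exit(found ? 0 : 1) }
    '
}

# Stand-alone run on the constructed sample.
sample_listing | drop_counters
```

On a live firewall the same function would be fed with `iptables -L Drop -n -v -x | drop_counters`, run as root.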