Sluggers,
I'm learning iptables by trial and terror and fail to understand iptables
behaviour when matching rules. I thought that once a rule was matched
the chain was exited but it appears that iptables continues down the
chain attempting to match all rules. Is this true and if so what the hell
for? This would appear to me to make iptables about next to useless.
For example, I flush all the input rules with
# iptables -F INPUT
I then add a couple of simple rules with
# iptables -A INPUT -p TCP --dport 80 -j LOG --log-prefix "HTTP: "
# iptables -A INPUT -p TCP -j LOG --log-prefix "OTHER: "
But when I list /var/log/messages I get both the HTTP and OTHER
labels!!!????
Mar 21 21:25:26 ganymede kernel: HTTP: IN=lo OUT= [snip]
Mar 21 21:25:26 ganymede kernel: OTHER: IN=lo OUT= [snip]
So what's the story? I want to implement a DENY or DROP policy so that packets that I don't have a rule for get dumped, but as soon as I change the INPUT policy to DENY or DROP nothing can talk to the box, even though I have a matching input rule. I don't want to have to implement a chain by putting in matching rules for all the ports that I don't want; I just want to put in a list of allows and then a DROP at the end.
Anyone have any ideas? Is there a flag or switch on iptables that changes the traverse policy to "exit on match"? Clues sticks?
TIA's
Pete
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
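The behaviour in the post above comes down to the difference between terminating and non-terminating targets: LOG is non-terminating, so after it fires the packet keeps walking the chain; ACCEPT and DROP are terminating, and the chain policy only applies to packets that reach the end without hitting one. The following toy model of INPUT-chain traversal is an added example (not code from the post or from netfilter) that reproduces the two-log-line result and then shows an allow-list chain with a DROP policy. Rule and chain names, the Packet fields, and the sample packets are all constructed for the illustration.

```python
"""Toy model of iptables chain traversal (constructed example, not netfilter).

Models the two semantics that explain the observed behaviour:
  * LOG is a non-terminating target: it records the packet and traversal
    continues with the next rule.
  * ACCEPT / DROP / REJECT are terminating: the first one that matches
    decides the verdict and the rest of the chain is never consulted.
  * The chain policy (-P) is the verdict for packets that fall off the end.
"""
from dataclasses import dataclass, field
from typing import List, Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: str          # "tcp", "udp", ...
    dport: int          # destination port
    iface: str = "eth0"  # input interface (IN= in the kernel log line)


@dataclass
class Rule:
    """One rule, roughly 'iptables -A <chain> [-i iface] [-p proto] [--dport n] -j target'."""
    target: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None
    log_prefix: str = ""  # used only when target == "LOG"

    def matches(self, pkt: Packet) -> bool:
        # An unset match criterion matches everything, as in iptables.
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.iface is None or self.iface == pkt.iface))


@dataclass
class Chain:
    policy: str = "ACCEPT"                      # iptables -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)  # stands in for /var/log/messages

    def append(self, rule: Rule) -> None:        # iptables -A <chain> ...
        self.rules.append(rule)

    def traverse(self, pkt: Packet) -> str:
        """Walk the chain top to bottom and return the verdict for pkt."""
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                self.log.append(f"{rule.log_prefix}IN={pkt.iface} "
                                f"PROTO={pkt.proto} DPT={pkt.dport}")
                continue  # non-terminating: keep going down the chain
            if rule.target in TERMINATING:
                return rule.target  # terminating: chain exits here
        return self.policy  # nothing terminating matched: policy decides


def two_log_rules_chain() -> Chain:
    """The chain from the post: two LOG rules and the default ACCEPT policy."""
    ch = Chain(policy="ACCEPT")
    ch.append(Rule("LOG", proto="tcp", dport=80, log_prefix="HTTP: "))
    ch.append(Rule("LOG", proto="tcp", log_prefix="OTHER: "))
    return ch


def allow_list_chain() -> Chain:
    """Allow-list with a DROP policy: loopback and port 80 in, everything else out."""
    ch = Chain(policy="DROP")
    ch.append(Rule("ACCEPT", iface="lo"))                              # keep local traffic working
    ch.append(Rule("LOG", proto="tcp", dport=80, log_prefix="HTTP: "))  # log, then...
    ch.append(Rule("ACCEPT", proto="tcp", dport=80))                   # ...terminate with ACCEPT
    ch.append(Rule("LOG", proto="tcp", log_prefix="OTHER: "))          # anything else falls to policy
    return ch


if __name__ == "__main__":
    ch = two_log_rules_chain()
    print(ch.traverse(Packet("tcp", 80, "lo")), ch.log)   # ACCEPT, both prefixes logged
    ch = allow_list_chain()
    print(ch.traverse(Packet("tcp", 80)), ch.traverse(Packet("tcp", 22)), ch.log)
```

With the DROP policy, the only thing that makes a packet survive is a matching ACCEPT somewhere before the end of the chain; a LOG rule on its own never does, which is why flipping the policy locked the box out. On a real host the allow-list also normally needs a rule such as `-m state --state ESTABLISHED,RELATED -j ACCEPT` near the top so that replies to the machine's own outbound connections are not dropped.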