> Have you considered using RETURN instead of ACCEPT?
> Something like:
>
> # Traffic coming from the zones.
> -A FORWARD -i eth0 -j ZONE_MRKT_OUT
> -A FORWARD -i eth1 -j ZONE_SRV_OUT
>
> # Traffic to the zones.
> -A FORWARD -o eth0 -j ZONE_MRKT_IN
> -A FORWARD -o eth1 -j ZONE_SRV_IN
>
> -A FORWARD -j ACCEPT
>
> # Let's look at marketing.
> -A ZONE_MRKT_OUT -j RETURN
> -A ZONE_MRKT_OUT -j DROP # catch-all, useless here
>
> # Servers
> -A ZONE_SRV_IN -s mar.ket.ing.net/mask -p tcp --dport 22 -j DROP
> -A ZONE_SRV_IN -j DROP # catch-all

Indeed, using RETURN here can do the trick.

-- Jimmy
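Why RETURN rather than ACCEPT matters in the zone-chain layout above: an ACCEPT inside the "out" chain of the source zone is a terminal verdict, so the packet never reaches the later FORWARD rule that jumps into the destination zone's "in" chain, and the SSH block for the servers is silently bypassed. RETURN hands the packet back to FORWARD so both zone chains get a look. The following is an added example, not code from the thread: a small Python model of iptables chain traversal (ACCEPT, DROP, RETURN, jump to a user chain, built-in chain policy) loaded with the quoted ruleset. It assumes 10.1.0.0/16 as a stand-in for mar.ket.ing.net/mask, and ends ZONE_SRV_IN with RETURN instead of the quoted catch-all DROP (which, as written, would drop every forwarded packet bound for eth1) so that a permitted flow can be shown alongside the blocked one.

```python
"""Model of iptables FORWARD traversal to compare RETURN vs ACCEPT in a zone chain.

Added example; the rule set mirrors the quoted ZONE_* layout. Addresses and
interfaces are constructed sample values, not taken from a real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

MARKETING_NET = "10.1.0.0/16"   # assumed placeholder for mar.ket.ing.net/mask


@dataclass
class Packet:
    in_if: str
    out_if: str
    src: str
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Rule:
    target: str                     # ACCEPT, DROP, RETURN, or a user chain name
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None       # CIDR
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.out_if is not None and pkt.out_if != self.out_if:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


TERMINAL = ("ACCEPT", "DROP")


def walk(chains: Dict[str, List[Rule]], name: str, pkt: Packet) -> Optional[str]:
    """Traverse one chain. Returns a terminal verdict, or None when the chain
    is exhausted or hits RETURN, in which case the caller continues with its
    own next rule (this is exactly what makes RETURN safe in a zone chain)."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target          # ACCEPT/DROP end traversal everywhere
        if rule.target == "RETURN":
            return None                 # back to the calling chain
        verdict = walk(chains, rule.target, pkt)   # jump into a user chain
        if verdict is not None:
            return verdict
    return None


def forward_verdict(chains: Dict[str, List[Rule]], pkt: Packet, policy: str = "DROP") -> str:
    """Built-in chain: falling off the end (or RETURN) applies the chain policy."""
    v = walk(chains, "FORWARD", pkt)
    return v if v is not None else policy


def build_chains(marketing_out_target: str) -> Dict[str, List[Rule]]:
    """The quoted layout; only the first rule of ZONE_MRKT_OUT is parameterised."""
    return {
        "FORWARD": [
            Rule("ZONE_MRKT_OUT", in_if="eth0"),   # traffic coming from the zones
            Rule("ZONE_SRV_OUT", in_if="eth1"),
            Rule("ZONE_MRKT_IN", out_if="eth0"),   # traffic to the zones
            Rule("ZONE_SRV_IN", out_if="eth1"),
            Rule("ACCEPT"),
        ],
        "ZONE_MRKT_OUT": [Rule(marketing_out_target), Rule("DROP")],   # catch-all never reached
        "ZONE_SRV_OUT": [Rule("RETURN")],
        "ZONE_MRKT_IN": [Rule("RETURN")],
        "ZONE_SRV_IN": [
            Rule("DROP", src=MARKETING_NET, proto="tcp", dport=22),   # no SSH from marketing
            Rule("RETURN"),             # assumption: let other traffic reach FORWARD's ACCEPT
        ],
    }


def verdict_for(pkt: Packet, marketing_out_target: str) -> str:
    return forward_verdict(build_chains(marketing_out_target), pkt)


if __name__ == "__main__":
    ssh = Packet(in_if="eth0", out_if="eth1", src="10.1.5.7", proto="tcp", dport=22)
    web = Packet(in_if="eth0", out_if="eth1", src="10.1.5.7", proto="tcp", dport=443)
    for target in ("RETURN", "ACCEPT"):
        print(f"ZONE_MRKT_OUT -j {target}: ssh={verdict_for(ssh, target)} https={verdict_for(web, target)}")
```

With `-j RETURN` the marketing host's SSH attempt reaches ZONE_SRV_IN and is dropped while HTTPS is accepted; with `-j ACCEPT` in the same position both are accepted, because the destination zone's chain is never consulted.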