Re: iptable coding style
Hi,
> The matching iptables on my PC are,
>
> -A INPUT -p tcp -m mac --mac-source 00:13:49:05:FE:27 -m tcp --dport
> 25 -j LOG --log-prefix "__MAIL__" --log-level 7
>
> -A INPUT -p tcp -m mac --mac-source 00:13:49:05:FE:27 -m tcp --dport
> 25 -j ACCEPT
>
> and I'd like the kernel to leave the processing chain here, since
> otherwise the same stuff gets logged as a general 'hit' a second time.
> How can I do that?
What you clearly want is connection tracking, and not logging each packet, but
this is wonderfully described in the netfilter howto.
http://www.netfilter.org/documentation/index.html#documentation-howto
And the basic idea to get nice firewall logs is:
- chain which allows everything which was allowed before
- chain which allows something
- chain which allows something
- ...
- chain which logs
- chain which rejects
For home and office use you can also try to do it by interface:
- chain which allows everything which was allowed before
- interface external
- - chain which allows something
- - chain which allows something
- - ...
- - log/reject everything from that interface
- interface internal
- - chain which allows something
- - chain which allows something
- - ...
- - log/reject everything from that interface
--
Florian Reitmeir
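As an added example (not code from this thread), here is one way to lay out the chains the reply describes, emitted as an iptables-restore file: conntrack first, then per-interface allow chains, then a single log/reject tail, so the `__MAIL__` rule from the quoted message fires once per connection instead of once per packet. The interface names eth0/eth1, the chain names, the `__REJECT__` prefix and the internal SSH rule are assumptions; the MAC address and `__MAIL__` prefix come from the quoted rules.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset structured as
#   1. allow what was allowed before (conntrack)
#   2. per-interface chains with specific allows
#   3. one final chain that logs, then rejects
# Interface names, chain names and the SSH rule are assumptions.
mail_firewall_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:EXT - [0:0]
:INT - [0:0]
:LOGREJECT - [0:0]
# 1. everything allowed before: later packets of an accepted connection stop
#    here, so the LOG rules below see only the first packet of a connection
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. dispatch by interface (eth0 external, eth1 internal: assumed names)
-A INPUT -i eth0 -j EXT
-A INPUT -i eth1 -j INT
# external: allow SMTP from the one MAC, log only the NEW connection
-A EXT -p tcp --dport 25 -m mac --mac-source 00:13:49:05:FE:27 -m conntrack --ctstate NEW -j LOG --log-prefix "__MAIL__ " --log-level 7
-A EXT -p tcp --dport 25 -m mac --mac-source 00:13:49:05:FE:27 -j ACCEPT
-A EXT -j LOGREJECT
# internal: e.g. allow SSH, everything else goes to the log/reject tail
-A INT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INT -j LOGREJECT
# 3. log (rate limited) then reject; only traffic that matched no allow rule
#    reaches this chain, so nothing accepted above is logged a second time
-A LOGREJECT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "__REJECT__ " --log-level 7
-A LOGREJECT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Line number of the first rule matching a pattern, to check rule ordering.
rule_line() { mail_firewall_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1; }
```

Check the syntax without loading it with `mail_firewall_rules | iptables-restore --test`, and load it with `mail_firewall_rules | iptables-restore` once the interface names match the host.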