
Re: iptable coding style



Hi,


> The matching iptables on my PC are,
> 
> -A INPUT -p tcp -m mac --mac-source 00:13:49:05:FE:27 -m tcp --dport 25 -j LOG --log-prefix "__MAIL__" --log-level 7
> 
> -A INPUT -p tcp -m mac --mac-source 00:13:49:05:FE:27 -m tcp --dport 25 -j ACCEPT
> 
> and I'd like the kernel to leave the processing chain here, since
> otherwise the same stuff gets logged as a general 'hit' a second time.
> How can I do that?

what you clearly want is connection tracking, and not logging each packet, but
this is wonderfully described in the netfilter howto.

http://www.netfilter.org/documentation/index.html#documentation-howto

and the basic idea to get nice firewall logs is

- chain which allows everything which was allowed before
- chain which allows something
- chain which allows something
- ...
- chain which logs
- chain which rejects


for home and office use you can also try to do it by interface...

- chain which allows everything which was allowed before
- interface external
- - chain which allows something
- - chain which allows something
- - ...
- - log/reject everything from that interface

- interface internal
- - chain which allows something
- - chain which allows something
- - ...
- - log/reject everything from that interface


-- 
Florian Reitmeir
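A firewall skeleton that follows the chain order described above (allow what was allowed before, allow specific things, log, reject), added here as an example and not part of the original thread. The MAC address is the one quoted in the question; the interface name, the extra SSH rule and the rate limit are assumptions, and IPT defaults to echo so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not from the thread. Set IPT=iptables and run as root to
# load the rules; by default each rule is only printed.
IPT="${IPT:-echo iptables}"
EXT="${EXT:-eth0}"   # assumed external interface name

gen_rules() {
    # 1. Allow everything that was allowed before: with connection tracking
    #    only the first packet of a connection reaches the rules below, so
    #    a connection is logged once instead of once per packet.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT -i lo -j ACCEPT

    # 2. Chains which allow something. The MAIL chain logs the new
    #    connection once and then ACCEPTs, which leaves INPUT, so the
    #    general log rule at the end never sees the same packet.
    $IPT -N MAIL
    $IPT -A MAIL -j LOG --log-prefix "__MAIL__ " --log-level 7
    $IPT -A MAIL -j ACCEPT
    $IPT -A INPUT -i "$EXT" -p tcp --dport 25 \
        -m mac --mac-source 00:13:49:05:FE:27 -j MAIL

    # Assumed extra service rule (SSH from the external interface).
    $IPT -A INPUT -i "$EXT" -p tcp --dport 22 -j ACCEPT

    # 3. Log whatever is still unmatched (rate-limited so a flood cannot
    #    fill the log), then reject it.
    $IPT -A INPUT -m limit --limit 5/min -j LOG \
        --log-prefix "__DENIED__ " --log-level 7
    $IPT -A INPUT -j REJECT
}

gen_rules
```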
