
Re: iptables rules : two in one



Pascal Hambourg wrote:
> franck wrote:
> [merge rules]
>> It is not that important, I just wondered whether it was possible or
>> not. My file would have been easier to read, that is it.
> 
> If you want a file easier to read, my advice is that you group rules
> which have common matches into user-defined chains. For instance :
> 
> iptables -N pop3_out_request
> iptables -A OUTPUT -o eth0 -p tcp --dport 110 --sport $UNPRIVPORTS \
>   -m state --state NEW,ESTABLISHED -j pop3_out_request
> iptables -A pop3_out_request -d pop.mail.yahoo.co.uk -j ACCEPT
> iptables -A pop3_out_request -d pop.1and1.fr -j ACCEPT
> 
> iptables -N pop3_in_reply
> iptables -A INPUT -i eth0 -p tcp --sport 110 --dport $UNPRIVPORTS \
>   -m state --state ESTABLISHED -j pop3_in_reply
> iptables -A pop3_in_reply -s pop.mail.yahoo.co.uk -j ACCEPT
> iptables -A pop3_in_reply -s pop.1and1.fr -j ACCEPT
> 
> It does not make fewer rules, but simpler rules.
> 
> 

Great. I have already seen this before, but I should say, I have never
used it. Now, I know how useful it can be.

-- 
Franck Joncourt
http://www.debian.org
http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF  9A3C C490 534E 75C0 89FE
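The grouping Pascal describes, generalized to any TCP service and any list of servers, as an added example that is not part of the original thread. The interface name, the value of $UNPRIVPORTS and the IPT dry-run variable are assumptions; the hostname caveat in the comments applies to the rules in the mail as well.

```shell
#!/bin/sh
# Added example (not from the original mail). IPT defaults to
# "echo iptables" so the generated rules can be reviewed without root;
# run with IPT=iptables to load them for real.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-eth0}"                     # assumed interface
UNPRIVPORTS="${UNPRIVPORTS:-1024:65535}"   # assumed value of $UNPRIVPORTS

# service_chains NAME PORT SERVER...
# Creates NAME_out_request and NAME_in_reply, hooks them into OUTPUT and
# INPUT with the matches every server shares (interface, protocol, ports,
# connection state), then adds one ACCEPT per server inside each chain.
service_chains() {
    name=$1; port=$2; shift 2
    $IPT -N "${name}_out_request"
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport "$port" --sport "$UNPRIVPORTS" \
        -m state --state NEW,ESTABLISHED -j "${name}_out_request"
    $IPT -N "${name}_in_reply"
    $IPT -A INPUT -i "$IFACE" -p tcp --sport "$port" --dport "$UNPRIVPORTS" \
        -m state --state ESTABLISHED -j "${name}_in_reply"
    for srv in "$@"; do
        # A hostname is resolved once, when the rule is loaded: if the
        # server's address changes later, the rule silently goes stale.
        $IPT -A "${name}_out_request" -d "$srv" -j ACCEPT
        $IPT -A "${name}_in_reply"    -s "$srv" -j ACCEPT
    done
}

# count_rules NAME PORT SERVER... : number of rules the grouping needs,
# i.e. 4 fixed rules plus 2 per server (only meaningful in dry-run mode).
count_rules() {
    service_chains "$@" | wc -l | tr -d ' '
}

# Same two POP3 servers as in the mail.
service_chains pop3 110 pop.mail.yahoo.co.uk pop.1and1.fr
```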
