
Re: [iptables] Zone based rules



> Have you considered using RETURN instead of ACCEPT?
> Something like:
> 
>    # Traffic coming from the zones: dispatch on the input interface.
>    -A FORWARD -i eth0 -j ZONE_MRKT_OUT
>    -A FORWARD -i eth1 -j ZONE_SRV_OUT
> 
>    # Traffic to the zones: dispatch on the output interface.
>    -A FORWARD -o eth0 -j ZONE_MRKT_IN
>    -A FORWARD -o eth1 -j ZONE_SRV_IN
> 
>    # Only reached if every zone chain RETURNed.
>    -A FORWARD -j ACCEPT
> 
>    # Let's look at marketing.
>    -A ZONE_MRKT_OUT -j RETURN
>    -A ZONE_MRKT_OUT -j DROP # catch-all, useless here
> 
>    # Servers
>    -A ZONE_SRV_IN -s mar.ket.ing.net/mask -p tcp --dport 22 -j DROP
>    -A ZONE_SRV_IN -j DROP # catch-all
> 
Indeed, using RETURN here can do the trick.

--
Jimmy
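As an added illustration of the point made in the thread (this is not code from the thread, nor from iptables itself): the reason RETURN and not ACCEPT belongs at the end of a "from zone" chain is that ACCEPT is terminal for the whole FORWARD traversal, so a packet accepted in ZONE_MRKT_OUT never reaches the `-o eth1 -j ZONE_SRV_IN` rule and the destination zone's policy is silently bypassed. The model below is a small Python simulation of netfilter chain traversal (built-in chain with a policy, user chains, ACCEPT/DROP terminal, RETURN and fall-off-the-end returning to the caller) and runs the quoted ruleset twice, once with RETURN and once with ACCEPT in ZONE_MRKT_OUT. The addresses (192.0.2.0/24 for marketing, 198.51.100.0/24 for servers, 203.0.113.1 as an upstream host), the uplink interface name eth2 and the sample packets are assumptions chosen for the example; the thread gives only `mar.ket.ing.net/mask`.

```python
"""Tiny model of iptables FORWARD-chain traversal (added example, not
the thread's or iptables' own code). Shows why a zone "OUT" chain must
end in RETURN, not ACCEPT, or the destination zone's "IN" chain is skipped."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    """One -A rule: every non-None criterion must match, then jump to target."""
    target: str                     # ACCEPT, DROP, RETURN or a user chain
    in_if: Optional[str] = None     # -i
    out_if: Optional[str] = None    # -o
    src: Optional[str] = None       # -s (CIDR)
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport

    def matches(self, pkt: Packet) -> bool:
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.out_if is not None and pkt.out_if != self.out_if:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


class FilterTable:
    TERMINAL = {"ACCEPT", "DROP"}

    def __init__(self, policy: str = "DROP") -> None:
        self.policy = policy                      # -P FORWARD <policy>
        self.chains: Dict[str, List[Rule]] = {"FORWARD": []}

    def new_chain(self, name: str) -> None:       # -N name
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:   # -A chain ... -j target
        if rule.target not in self.TERMINAL | {"RETURN"} and rule.target not in self.chains:
            raise ValueError(f"unknown target chain {rule.target}")
        self.chains[chain].append(rule)

    def verdict(self, pkt: Packet) -> str:
        v = self._walk("FORWARD", pkt)
        return v if v is not None else self.policy   # built-in chain: RETURN/fall-off -> policy

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target == "RETURN":
                return None                       # back to the calling chain
            if rule.target in self.TERMINAL:
                return rule.target                # ends traversal of every chain
            v = self._walk(rule.target, pkt)      # user chain: verdict or fall-through
            if v is not None:
                return v
        return None                               # end of user chain == RETURN


MRKT_NET = "192.0.2.0/24"   # assumed marketing subnet (stands in for mar.ket.ing.net/mask)


def zone_table(mrkt_out_target: str) -> FilterTable:
    """The quoted ruleset; mrkt_out_target is RETURN (as proposed) or ACCEPT (the pitfall)."""
    t = FilterTable(policy="DROP")
    for name in ("ZONE_MRKT_OUT", "ZONE_SRV_OUT", "ZONE_MRKT_IN", "ZONE_SRV_IN"):
        t.new_chain(name)
    t.append("FORWARD", Rule("ZONE_MRKT_OUT", in_if="eth0"))
    t.append("FORWARD", Rule("ZONE_SRV_OUT", in_if="eth1"))
    t.append("FORWARD", Rule("ZONE_MRKT_IN", out_if="eth0"))
    t.append("FORWARD", Rule("ZONE_SRV_IN", out_if="eth1"))
    t.append("FORWARD", Rule("ACCEPT"))
    t.append("ZONE_MRKT_OUT", Rule(mrkt_out_target))
    t.append("ZONE_MRKT_OUT", Rule("DROP"))          # catch-all, never reached
    t.append("ZONE_SRV_IN", Rule("DROP", src=MRKT_NET, proto="tcp", dport=22))
    t.append("ZONE_SRV_IN", Rule("DROP"))            # catch-all
    return t


# Constructed sample packets (eth0 = marketing, eth1 = servers, eth2 = assumed uplink).
MRKT_SSH_TO_SRV = Packet("eth0", "eth1", "192.0.2.10", "198.51.100.5", "tcp", 22)
MRKT_WEB_TO_SRV = Packet("eth0", "eth1", "192.0.2.10", "198.51.100.5", "tcp", 443)
MRKT_TO_UPLINK = Packet("eth0", "eth2", "192.0.2.10", "203.0.113.1", "tcp", 443)
SRV_TO_MRKT = Packet("eth1", "eth0", "198.51.100.5", "192.0.2.10", "tcp", 80)


def compare() -> Dict[str, Dict[str, str]]:
    """Verdict of each sample packet under the RETURN and the ACCEPT variant."""
    samples = {"mrkt->srv ssh": MRKT_SSH_TO_SRV, "mrkt->srv https": MRKT_WEB_TO_SRV,
               "mrkt->uplink": MRKT_TO_UPLINK, "srv->mrkt": SRV_TO_MRKT}
    return {variant: {k: zone_table(variant).verdict(p) for k, p in samples.items()}
            for variant in ("RETURN", "ACCEPT")}


if __name__ == "__main__":
    for variant, verdicts in compare().items():
        print(f"ZONE_MRKT_OUT ends in {variant}: {verdicts}")
```

With RETURN, marketing traffic to the servers is still evaluated by ZONE_SRV_IN (ssh and everything else from that subnet is dropped by its rules) while marketing to the uplink falls through to the final FORWARD ACCEPT; with ACCEPT in ZONE_MRKT_OUT the ssh packet is accepted before ZONE_SRV_IN is ever consulted.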


