
Re: Bash scripting info needed.



Thor wrote:

Hi


I'm not sure I understand you correctly, but how about this:

## 0 == LOG
## 1 == DROP
## 2 == LOG & DROP
LOGTCP=2;
if [ $LOGTCP -eq 0 ]; then
   #Log forbidden TCP datagrams
   iptables -A TCP --protocol tcp -m limit --limit 1/minute \
    --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
elif [ $LOGTCP -eq 1 ]; then
   # Disallow NEW and INVALID incoming from the external interface
   iptables -A TCP -i $EXTIFACE -m state --state NEW,INVALID -j DROP
   # Drop all TCP
   iptables -A TCP -j DROP
elif [ $LOGTCP -eq 2 ]; then
   #Log forbidden TCP datagrams
   iptables -A TCP --protocol tcp -m limit --limit 1/minute \
    --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
   iptables -A TCP --protocol tcp -j DROP
fi

- James


If the question is the above, then IMHO it is better to use the "case" statement:

case "$LOGTCP" in
    0)  # Log forbidden TCP datagrams
        iptables -A TCP --protocol tcp -m limit --limit 1/minute \
            --limit-burst 4 -j LOG --log-level DEBUG \
            --log-prefix 'Denied TCP: '
        ;;
    1)  # Disallow NEW and INVALID incoming from the external interface
        iptables -A TCP -i "$EXTIFACE" -m state --state NEW,INVALID -j DROP
        # Drop all TCP
        iptables -A TCP -j DROP
        ;;
    2)  # Log forbidden TCP datagrams
        iptables -A TCP --protocol tcp -m limit --limit 1/minute \
            --limit-burst 4 -j LOG --log-level DEBUG \
            --log-prefix 'Denied TCP: '
        # Then drop them
        iptables -A TCP --protocol tcp -j DROP
        ;;
esac




---
;---+---;
bye |
bye |hor


Thanks for both of your replies. I guess my initial message might not have been too clear; I'm glad to see that you guys got the essential goal that I was working towards.

Are there any books on bash scripting that any of you would recommend? I have browsed through the Advanced BASH scripting HOW-TO over at Linuxdoc, but I'd rather have something on paper.

Thanks again,

Stef
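
Added example, not part of the original messages: the LOGTCP selector from the thread wrapped in a function with a default branch, so an unset or mistyped value is reported and answered with a DROP instead of silently installing no rules. The names tcp_policy_rules, log_denied_tcp and IPT (a dry-run switch that prints the commands) and the eth0 default are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# IPT defaults to a dry run that only prints each command;
# set IPT=iptables (as root) to apply the rules for real.
IPT="${IPT:-echo iptables}"
EXTIFACE="${EXTIFACE:-eth0}"   # assumed external interface name

# Rate-limited LOG rule shared by modes 0 and 2.
log_denied_tcp() {
    $IPT -A TCP --protocol tcp -m limit --limit 1/minute \
        --limit-burst 4 -j LOG --log-level DEBUG --log-prefix 'Denied TCP: '
}

# tcp_policy_rules MODE   (0 = log, 1 = drop, 2 = log and drop)
# Any other value, including an empty one, is reported on stderr and
# answered with a plain DROP so the chain never ends up empty.
tcp_policy_rules() {
    case "$1" in
        0)  log_denied_tcp
            ;;
        1)  $IPT -A TCP -i "$EXTIFACE" -m state --state NEW,INVALID -j DROP
            $IPT -A TCP -j DROP
            ;;
        2)  log_denied_tcp
            $IPT -A TCP --protocol tcp -j DROP
            ;;
        *)  echo "LOGTCP must be 0, 1 or 2 (got '$1'); defaulting to DROP" >&2
            $IPT -A TCP -j DROP
            return 1
            ;;
    esac
}

# Dry-run demonstration with the value used in the thread.
LOGTCP=2
tcp_policy_rules "$LOGTCP"
```
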


