
Re: Problem with iptables



On Fri, May 04, 2007 at 11:57:39AM +0200, Pierguido wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Pierguido wrote:
> [...]
> > difficult...is there a tool to show in realtime the status of the counter?
> 
> Sorry...here the output of iptables-save

> # Generated by iptables-save v1.3.6 on Fri May  4 11:56:26 2007
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
[big snip]

> -A INPUT -i lo -j ACCEPT 
> -A INPUT -d 192.168.30.103 -i eth0 -j in_lan 
> -A INPUT -d 192.168.100.2 -i eth0:0 -j in_public_lan_124 
> -A INPUT -d 192.168.100.5 -i eth0:1 -j in_public_lan_125 

This doesn't look right. As far as I know, you cannot distinguish
between ip-aliased interfaces in iptables. iptables deals with the names
of the physical interfaces (except for bridging, but that doesn't seem
relevant for you).

But it does accept very simple patterns: eth+ will match both eth0 and
eth1...

> -A INPUT -m state --state RELATED -j ACCEPT 
> -A INPUT -m limit --limit 1/sec -j ULOG --ulog-prefix "'IN-unknown:'" 
> -A INPUT -j DROP 
> -A FORWARD -m state --state RELATED -j ACCEPT 
> -A FORWARD -m limit --limit 1/sec -j ULOG --ulog-prefix "'PASS-unknown:'" 
> -A FORWARD -j DROP 
> -A OUTPUT -o lo -j ACCEPT 
> -A OUTPUT -s 192.168.30.103 -o eth0 -j out_lan 
> -A OUTPUT -s 192.168.100.2 -o eth0:0 -j out_public_lan_124 
> -A OUTPUT -s 192.168.100.5 -o eth0:1 -j out_public_lan_125 

Ditto here. I suspect that if you change eth0:0 and eth0:1 to eth0 (the
physical interface), things might just work!

> -A OUTPUT -m state --state RELATED -j ACCEPT 
> -A OUTPUT -m limit --limit 1/sec -j ULOG --ulog-prefix "'OUT-unknown:'" 
> -A OUTPUT -j DROP 

-- 
Karl E. Jorgensen
karl@jorgensen.org.uk  http://www.jorgensen.org.uk/
karl@jorgensen.com     http://karl.jorgensen.com
==== Today's fortune:
"To take a significant step forward, you must make a series of finite
improvements."
		-- Donald J. Atwood, General Motors
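As an added illustration (this is not part of Karl's reply or the original poster's ruleset), the shell snippet below rewrites an iptables-save dump so that every -i/-o match names the physical interface, and then checks that no alias-style names remain. The kernel sees a packet arriving for 192.168.100.2 on eth0, not on "eth0:0", so the -s/-d address in each rule is what actually tells the alias addresses apart; the interface suffix adds nothing. The sample rules are a constructed excerpt modelled on the quoted dump, with one extra "eth+" wildcard line added to show the rewrite leaves iptables' own pattern syntax alone.

```shell
#!/bin/sh
# Added example, not from the original thread. Rewrites an iptables-save
# dump so -i/-o name the physical interface (eth0:0 -> eth0). The -s/-d
# address on each rule already distinguishes the alias addresses.

# Constructed sample modelled on the dump quoted in the thread; the
# "eth+" line is added to show the iptables wildcard survives the rewrite.
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -d 192.168.30.103 -i eth0 -j in_lan
-A INPUT -d 192.168.100.2 -i eth0:0 -j in_public_lan_124
-A INPUT -d 192.168.100.5 -i eth0:1 -j in_public_lan_125
-A INPUT -i eth+ -m state --state RELATED -j ACCEPT
-A OUTPUT -s 192.168.100.2 -o eth0:0 -j out_public_lan_124
-A OUTPUT -s 192.168.100.5 -o eth0:1 -j out_public_lan_125'

# Strip a ":N" alias suffix from any interface given to -i or -o.
# Takes the rule text as its single argument, prints the rewritten text.
fix_alias_ifaces() {
    printf '%s\n' "$1" | sed -E 's/(-[io] [A-Za-z0-9_.+-]+):[0-9]+/\1/g'
}

# Count rules that still name an alias interface; prints 0 when clean.
# "|| true" keeps grep's exit status 1 (no matches) from aborting callers
# running under "set -e".
count_alias_ifaces() {
    printf '%s\n' "$1" | grep -cE -- '-[io] [A-Za-z0-9_.+-]+:[0-9]+' || true
}

# Stand-alone use: print the corrected rules and a before/after count.
echo "alias interfaces before: $(count_alias_ifaces "$SAMPLE_RULES")"
FIXED_RULES=$(fix_alias_ifaces "$SAMPLE_RULES")
printf '%s\n' "$FIXED_RULES"
echo "alias interfaces after:  $(count_alias_ifaces "$FIXED_RULES")"
```

To apply this to a live box, run the rewrite over the real `iptables-save` output, review the diff, and load the result with `iptables-restore`; the ULOG counters on the "IN-unknown"/"OUT-unknown" rules should then stop climbing for the aliased addresses if the interface names were the only problem.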
