Derek Glidden wrote:
> If I understand the question, this would be the easiest way to go about
> it. You'd start with something like this (INPUT or whatever default
> table you're modifying):
>
> iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
> iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
> iptables -A INPUT -j SERVICES
> iptables -A INPUT -j DROP
> then change/modify the SERVICES chain to your heart's content to
> add/remove new rules.
.
.
> iptables -A SERVICES -p tcp --dport 25 -s 192.168.1.0/24 -j ACCEPT
So the commands won't be traversed in the order I add them. If I start
with an empty chain SERVICES as above (which is followed by the DROP rule),
then I can later add to/delete from the SERVICES chain and the packets
will have to traverse all the SERVICES rules before they return
to the default (here DROP) rule.
> By doing it that way, you can just "-A"ppend new rules to the SERVICES
> chain without having to fiddle with where to "-I"nsert, and then
> "-D"elete a rule using the same parameters you used to insert and again
> don't have to know what rule # that rule was.
thanks
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
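The INPUT/SERVICES layout from the quoted reply, wrapped in a small script so the SERVICES chain can be edited by rule specification rather than rule number. This is an added example, not code from the thread or from the LVS project; the function names, the `IPT` dry-run default, the `LAN` variable and the `apply` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): the fixed INPUT chain plus a
# user-defined SERVICES chain, wrapped in functions so rules can be added and
# removed by their own specification instead of by rule number.
#
# IPT defaults to a dry run that only prints the commands; run with
# IPT=iptables in the environment (as root) to apply them.  The variable
# names, the LAN range and the "apply" argument are assumptions for this example.
IPT="${IPT:-echo iptables}"
LAN="${LAN:-192.168.1.0/24}"

# Fixed part of the ruleset: create SERVICES, accept ssh/http/https from the
# LAN, hand everything else to SERVICES, then drop whatever SERVICES returns.
setup_chains() {
    $IPT -N SERVICES
    for port in 22 80 443; do
        $IPT -A INPUT -p tcp --dport "$port" -s "$LAN" -j ACCEPT
    done
    $IPT -A INPUT -j SERVICES
    $IPT -A INPUT -j DROP
}

# Rule specification for one TCP service.  Building it in one place
# guarantees that the -D used to remove a rule matches the -A that added it.
service_spec() {
    echo "-p tcp --dport $1 -s ${2:-$LAN} -j ACCEPT"
}

# allow_service PORT [SOURCE]: append to SERVICES; no rule number needed.
allow_service() {
    $IPT -A SERVICES $(service_spec "$1" "$2")
}

# deny_service PORT [SOURCE]: delete by the same spec; iptables removes the
# first rule in SERVICES that matches it.
deny_service() {
    $IPT -D SERVICES $(service_spec "$1" "$2")
}

# Usage: IPT=iptables sh services.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_chains
    allow_service 25        # smtp from the LAN, as in the quoted example
    deny_service 25         # removed again with the same parameters
fi
```

Two things to keep in mind when running this for real (neither is discussed in the thread): `-N SERVICES` fails if the chain already exists, so re-running `setup_chains` on a live box needs a flush or an existence check first; and because the last INPUT rule is an unconditional DROP, replies to the host's own outbound connections are dropped too unless a rule such as `-m state --state ESTABLISHED,RELATED -j ACCEPT` is placed ahead of it. `-D` with a specification removes only the first matching rule, so a rule appended twice has to be deleted twice.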