From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Joey"
Subject: RE: General question about chains
Date: Thu, 16 Oct 2008 18:16:54 -0400
Message-ID: <000a01c92fdc$e5776ed0$b0664c70$@net>
References: <001501c92f41$d380c0a0$7a8241e0$@net> <1224163165.3999.7.camel@grateful.d.umn.edu>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <1224163165.3999.7.camel@grateful.d.umn.edu>
Content-Language: en-us
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"
To: IPTables

> -----Original Message-----
> From: Matt Zagrabelny [mailto:mzagrabe@d.umn.edu]
> Sent: Thursday, October 16, 2008 9:19 AM
> To: Joey
> Cc: netfilter@vger.kernel.org
> Subject: Re: General question about chains
>
> # create the chain
> iptables -N CIDR-ASIAN
>
> # hook the chain into another chain (PREROUTING, INPUT, FORWARD, etc)
> iptables -A INPUT -j CIDR-ASIAN
>
> # add rules to the new chain
> iptables -A CIDR-ASIAN -p tcp -s 118.242.0.0/16 -j LOG --log-prefix SPAM-BLOCK-CIDR-ASIAN
> iptables -A CIDR-ASIAN -p tcp -s 118.242.0.0/16 --dport 25 -j DROP
>
> # flush the chain
> iptables -F CIDR-ASIAN
>
> > This didn't work for me and I have tried several variants with no luck.
> >
> > So my first question is do I understand correctly how to utilize chains?
> >
> > Will I be able to load and unload chains rather than flush everything
> > and reload everything? (I have a lot of rules)
>
> I don't quite understand your question.
>
> You 'create' and 'delete' user-defined chains. You can, of course, flush
> chains individually as well.

That's what I was looking for; however, I have updated my script to create the entries as shown, but it seems like it's not working. Do I have to tell iptables to activate a specific table of entries? Here is a snip from iptables-save, and basically NOTHING is being blocked.

Thanks!
# Generated by iptables-save v1.2.11 on Thu Oct 16 17:08:54 2008
*filter
:INPUT ACCEPT [129969:48753771]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [128669:50573226]
:CIDR-ASIAN - [0:0]
:CIDR-CZECH - [0:0]
:CIDR-IISG - [0:0]
:CIDR-INDIA-KOREA - [0:0]
:CIDR-POLAND - [0:0]
:CIDR-RUSSIA - [0:0]
:CIDR-TURKEY - [0:0]
:CIDR-UK - [0:0]
:TEST-JACK - [0:0]
:fail2ban-postfix - [0:0]
:fail2ban-postfix-log - [0:0]
-A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -p tcp -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -p tcp -m tcp --dport 25 -j DROP
-A CIDR-ASIAN -s 58.16.0.0/255.248.0.0 -p tcp -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A CIDR-ASIAN -s 58.16.0.0/255.248.0.0 -p tcp -m tcp --dport 25 -j DROP
-A CIDR-ASIAN -s 58.24.0.0/255.254.0.0 -p tcp -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A CIDR-ASIAN -s 58.24.0.0/255.254.0.0 -p tcp -m tcp --dport 25 -j DROP
-A CIDR-ASIAN -s 58.29.0.0/255.255.0.0 -p tcp -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A CIDR-ASIAN -s 58.29.0.0/255.255.0.0 -p tcp -m tcp --dport 25 -j DROP
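The snip above declares CIDR-ASIAN and fills it with rules, but within the lines shown no INPUT rule jumps to it, so the kernel never evaluates the chain; that is the hook step Matt's reply calls out. As an added example (not part of this thread), a small Python checker that parses iptables-save output and lists user-defined chains no built-in chain reaches; the dump embedded in it is constructed, modelled on the snippet, with one chain deliberately hooked for contrast.

```python
import re

# Constructed sample, modelled on the iptables-save snippet in the mail: two
# user-defined chains hold rules, but only fail2ban-postfix is jumped to from INPUT.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:CIDR-ASIAN - [0:0]
:CIDR-CZECH - [0:0]
:fail2ban-postfix - [0:0]
-A INPUT -p tcp -m tcp --dport 25 -j fail2ban-postfix
-A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -p tcp -j LOG --log-prefix "SPAM-BLOCK-CIDR-ASIAN"
-A CIDR-ASIAN -s 58.14.0.0/255.254.0.0 -p tcp -m tcp --dport 25 -j DROP
-A fail2ban-postfix -j RETURN
COMMIT
"""

BUILTIN = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}
JUMP = re.compile(r"(?:^|\s)(?:-j|--jump)\s+(\S+)")

def parse_table(dump, table="filter"):
    """Return (chains, rules) for one table: declared chain names and (source_chain, jump_target) pairs."""
    chains, rules, in_table = set(), [], False
    for line in dump.splitlines():
        if line.startswith("*"):              # '*filter', '*nat', ... starts a table
            in_table = line[1:].strip() == table
        elif not in_table or line.startswith("#") or line == "COMMIT":
            continue
        elif line.startswith(":"):            # ':CHAIN policy [pkts:bytes]'
            chains.add(line[1:].split()[0])
        elif line.startswith("-A "):          # target is None when the rule has no -j
            m = JUMP.search(line)
            rules.append((line.split()[1], m.group(1) if m else None))
    return chains, rules

def unreachable_chains(dump, table="filter"):
    """User-defined chains no built-in chain reaches (directly or via other user chains); their rules never run."""
    chains, rules = parse_table(dump, table)
    reachable = {c for c in chains if c in BUILTIN}
    frontier = list(reachable)
    while frontier:                           # walk the jump graph outward from the built-ins
        src = frontier.pop()
        for chain, target in rules:
            if chain == src and target in chains and target not in reachable:
                reachable.add(target)
                frontier.append(target)
    return sorted(chains - reachable)
```

Run it against `iptables-save` output on the host in question; an empty list means every chain you defined is actually in a packet's path.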