* Filtering Query?
From: amna bilal @ 2007-07-30 10:06 UTC (permalink / raw)
  To: netfilter

Hi,

Looking for some insight here. What I would like to do
is:

I have four main tables
INTERNET_IN
INTERNET_OUT
LAN_IN
LAN_OUT

I have a few filters I want; I named them
ALLOW_UDP
ALLOW_TCP
DENY_ACCESS

Is it possible to set up iptables to filter down a
list something like this:

iptables -A INTERNET_IN -j ALLOW_UDP
iptables -A INTERNET_IN -j ALLOW_TCP
iptables -A INTERNET_IN -j DENY_ACCESS

What I want to accomplish is that if it doesn't meet a
filter in ALLOW_UDP it continues to ALLOW_TCP, then to
DENY_ACCESS, then it goes into the system.

Thanks.
Amna Bilal.


* Re: Filtering Query?
From: Martijn Lievaart @ 2007-07-30 20:05 UTC (permalink / raw)
  To: amna bilal; +Cc: netfilter

amna bilal wrote:
> Hi,
>
> Looking for some insight here. What I would like to do
> is:
>
> I have four main tables
> INTERNET_IN
> INTERNET_OUT
> LAN_IN
> LAN_OUT
>
> I have a few filters I want; I named them
> ALLOW_UDP
> ALLOW_TCP
> DENY_ACCESS
>
> Is it possible to set up iptables to filter down a
> list something like this:
>
> iptables -A INTERNET_IN -j ALLOW_UDP
> iptables -A INTERNET_IN -j ALLOW_TCP
> iptables -A INTERNET_IN -j DENY_ACCESS
>
> What I want to accomplish is that if it doesn't meet a
> filter in ALLOW_UDP it continues to ALLOW_TCP, then to
> DENY_ACCESS, then it goes into the system.
>   

Yes, absolutely. And with these very clear chain names, it is easy to 
follow the logic as well.

OTOH, you could also opt for:

-A INTERNET_IN -p udp -j UDP_IN
-A INTERNET_IN -p tcp -j TCP_IN

-A INTERNET_IN -j DENY_ACCESS

And end both UDP_IN and TCP_IN with a -j DENY_ACCESS.


Both work, the second is a bit more efficient.

HTH,
M4

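The layout both posts describe (a per-direction chain that hands packets to allow-list chains and finally to a shared DENY_ACCESS chain), written out as a complete iptables-restore ruleset. This is an added example, not code from either poster: the interface names eth0/eth1, the allowed ports (UDP 53, TCP 22 and 80), the LAN_IN chain accepting everything, the conntrack rule for reply traffic and the helper names build_ruleset, jumps_to and check_chains are all assumptions chosen for illustration. One detail worth keeping in mind when reading it: a user-defined chain that runs out of rules without hitting a terminating target returns to the chain that called it, so ending UDP_IN and TCP_IN with -j DENY_ACCESS is what stops an unmatched UDP packet from falling back into INTERNET_IN and being re-evaluated there; and because DENY_ACCESS ends in DROP, the only way "into the system" is an ACCEPT in one of the allow chains.

```shell
#!/bin/sh
# Added example, not from the thread: generate the chain layout Martijn
# sketches as an iptables-restore file and sanity-check it before loading.
# Interface names, ports and the LOG prefix are assumed values.

WAN_IF="${WAN_IF:-eth0}"   # assumed: interface facing the Internet
LAN_IF="${LAN_IF:-eth1}"   # assumed: interface facing the LAN

# Print the complete filter table. Every user-defined chain is declared
# with ":NAME - [0:0]" before any rule references it, which is what
# iptables-restore requires (the equivalent of "iptables -N NAME").
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:INTERNET_IN - [0:0]
:LAN_IN - [0:0]
:UDP_IN - [0:0]
:TCP_IN - [0:0]
:DENY_ACCESS - [0:0]

# Replies to connections we opened are accepted before any dispatch;
# otherwise every allow chain would have to repeat this rule.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN_IF -j INTERNET_IN
-A INPUT -i $LAN_IF -j LAN_IN

# Dispatch by protocol. Anything that is neither UDP nor TCP (ICMP, GRE, ...)
# never enters a sub-chain and is caught by the last rule of INTERNET_IN.
-A INTERNET_IN -p udp -j UDP_IN
-A INTERNET_IN -p tcp -j TCP_IN
-A INTERNET_IN -j DENY_ACCESS

# Allow lists. A packet that matches nothing here hits the final
# -j DENY_ACCESS instead of returning to INTERNET_IN.
-A UDP_IN -p udp --dport 53 -j ACCEPT
-A UDP_IN -j DENY_ACCESS
-A TCP_IN -p tcp --syn --dport 22 -j ACCEPT
-A TCP_IN -p tcp --syn --dport 80 -j ACCEPT
-A TCP_IN -j DENY_ACCESS

# LAN side (assumed policy for the example: trust the LAN).
-A LAN_IN -j ACCEPT

# One place to log and drop; rate limited so a flood cannot fill the log.
-A DENY_ACCESS -m limit --limit 5/min -j LOG --log-prefix "DENY_ACCESS: "
-A DENY_ACCESS -j DROP
COMMIT
EOF
}

# Number of rules that jump to a given chain. A chain nothing jumps to is
# dead, which is the usual symptom of a typo in a chain name.
jumps_to() {
    build_ruleset | grep -c -- "-j $1\$"
}

# Every user-defined chain must be referenced by at least one rule.
check_chains() {
    for chain in $(build_ruleset | sed -n 's/^:\([A-Z_]*\) - .*/\1/p'); do
        if [ "$(jumps_to "$chain")" -eq 0 ]; then
            echo "chain $chain is never referenced" >&2
            return 1
        fi
    done
    return 0
}

# Emit the ruleset on stdout so it can be piped to iptables-restore, e.g.
#   sh build_rules.sh | iptables-restore --test   (parse only, do not commit)
check_chains && build_ruleset
```

Loading it with `iptables-restore --test` first parses the whole file without committing, which catches a misspelled chain name or a rule placed before its chain is declared; only then feed it to `iptables-restore` proper. The check_chains helper covers the other direction, a chain that is declared but that no rule ever jumps to.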
