Linux Netfilter discussions
From: Anders Fugmann <afu@fugmann.dhs.org>
To: Matt Parlane <matt@zevi.net>
Cc: netfilter@lists.netfilter.org
Subject: Re: Multiple conditions for logging packets
Date: Mon, 23 Sep 2002 14:33:53 +0200
Message-ID: <3D8F0A31.9010005@fugmann.dhs.org>
In-Reply-To: 09d001c262f1$50f418d0$0200a8c0@bart

Matt Parlane wrote:
> Hi list...
> 
> I have a simple linux machine acting as a firewall/gateway, and I'm after a
> way to specify multiple conditions for rules.  Basically I want to create a
> rule for packets which are either coming from or going to the internet - not
> packets which are both sourced and destined for the local network.  The
Create a new chain for this: e.g.
iptables -N INTERNET_LOG
iptables -A INTERNET_LOG -i eth0 -j ULOG
iptables -A INTERNET_LOG -o eth0 -j ULOG

#Forward to the logging:
iptables -A INPUT -j INTERNET_LOG
iptables -A OUTPUT -j INTERNET_LOG
iptables -A FORWARD -j INTERNET_LOG

Remember that all boolean operations can be created in netfilter:
(a and b are packet conditions and C is either a chain or target)
if a      then C ->  iptables (a)  -j C
if !a     then C ->  iptables (!a) -j C
if a && b then C ->  new chain: iptables (!a) -j RETURN,
                                 iptables (!b) -j RETURN,
                                 iptables -j C
if a || b then C ->  iptables (a) -j C, iptables (b) -j C

And that all conditions in a rule are logical AND, e.g.:
iptables -A INPUT -p tcp --dport 25 means that the packet must be a tcp 
protocol type _and_ must have destination port 25. It is not possible to 
create logical OR in a single rule. (Well, in some rare cases it is, but 
I leave that out for now.)

The problem is usually to create the AND operator. This is easily done 
by creating a new chain, and returning from this if any of the 
conditions are false.

In your case, you need the OR operator, which is somewhat simple to create.

Hope it helps
Anders Fugmann

-- 
Neo: 'Can you fly that thing?'
Trinity: 'Not yet'.
$ apt-get install pilot-prg-v212helicopter.
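The chain constructions described in the message above, written out as a small generator so that the AND and OR cases can be built for any number of conditions. This is an added example, not code from the original post or its author; the chain names, the interface name eth0 and the sample networks are assumptions. It covers the poster's OR case (traffic entering or leaving via eth0) and goes one step further than the message by showing an AND whose operand is itself an OR, which is the situation where a single rule really cannot express the condition and the RETURN chain is needed.

```shell
#!/bin/sh
# Added example (not from the original post or its author): print the
# iptables commands that realise the AND / OR constructions described
# above, for any number of conditions. Nothing is executed; review the
# output and then run it as root, e.g.   sh chains.sh | sh
# Chain names, the interface name eth0 and the sample networks are
# assumptions made for this example.

IPTABLES=${IPTABLES:-iptables}

# negate "COND": print the rule fragment(s) that match when COND is false.
# A single option ("-i eth0", "-p tcp") is negated with a leading "!".
# A protocol-qualified match ("-p tcp --dport 25") needs two fragments,
# because --dport only parses alongside -p and, by De Morgan,
#   NOT (tcp AND dport 25)  ==  (NOT tcp) OR (tcp AND NOT dport 25)
negate() {
    set -- $1
    if [ "$1" = "-p" ] && [ $# -gt 2 ]; then
        proto=$2
        shift 2
        echo "! -p $proto"
        echo "-p $proto ! $*"
    else
        echo "! $*"
    fi
}

# and_chain CHAIN TARGET COND...: jump to TARGET only when every COND holds.
# Each failing condition RETURNs to the calling chain before the final jump,
# which is the "return if any condition is false" construction from the message.
and_chain() {
    chain=$1
    target=$2
    shift 2
    echo "$IPTABLES -N $chain"
    for cond in "$@"; do
        negate "$cond" | while read -r frag; do
            echo "$IPTABLES -A $chain $frag -j RETURN"
        done
    done
    echo "$IPTABLES -A $chain -j $target"
}

# or_chain CHAIN TARGET COND...: jump to TARGET when any COND holds, one rule
# per condition. With a non-terminating target (ULOG, LOG, NFLOG) a packet
# that satisfies several conditions is logged once per matching rule.
or_chain() {
    chain=$1
    target=$2
    shift 2
    echo "$IPTABLES -N $chain"
    for cond in "$@"; do
        echo "$IPTABLES -A $chain $cond -j $target"
    done
}

# hook CHAIN PARENT...: call CHAIN from each built-in chain that sees the traffic.
hook() {
    chain=$1
    shift
    for parent in "$@"; do
        echo "$IPTABLES -A $parent -j $chain"
    done
}

# The poster's case: log whatever comes in from or goes out via eth0 (a OR b).
or_chain INTERNET_LOG ULOG "-i eth0" "-o eth0"
hook INTERNET_LOG INPUT OUTPUT FORWARD

# An AND whose operand is itself an OR, which no single rule can express:
# log SMTP (tcp AND dport 25) arriving from either of two LAN ranges.
# The AND chain hands matching packets to the OR chain, which jumps to ULOG.
or_chain FROM_LANS ULOG "-s 10.0.0.0/8" "-s 192.168.0.0/16"
and_chain LAN_SMTP_LOG FROM_LANS "-p tcp --dport 25"
hook LAN_SMTP_LOG INPUT FORWARD
```

Two practical caveats. The `-i`/`-o` matches are only accepted in a user-defined chain; iptables rejects `-o` in INPUT and `-i` in OUTPUT directly, so the indirection through INTERNET_LOG is what makes the poster's construction load. And because ULOG does not terminate rule traversal, a forwarded packet that both enters and leaves via eth0 is logged twice by the OR chain; with a terminating target such as DROP that never matters. On current kernels the ULOG target no longer exists, so substitute NFLOG with the same rule layout.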

Thread overview: 3+ messages
2002-09-23 11:06 Multiple conditions for logging packets Matt Parlane
2002-09-23 12:15 ` Antony Stone
2002-09-23 12:33 ` Anders Fugmann [this message]