Re: two negatived parameters

[Akolinare@gmx.net]

> I take it to mean that packets from host2 to host 3 were NOT accepted by
this 
> rule? ... What do the counters for the rule say? ( iptables -L -n -v -x 
).

yes, I already look after the counter. A paket from host2 to host3 dont
increase the counter. 

> What other rules exist that might affect said packets? -- I note the above
is  
> an ADD.  Could rules farther up the FORWARD chain have already 
> accepted/denied the said packets?

this was only a example. I tested also on a other pc, with has normal no
rulesset to be sure.

> FYI -- I just tested this by inserting a double negative rule in my
firewall 
> 
> iptables -I tcp_packets -p tcp -s ! {internal_lan} -d ! {internal lan ip} 
> --dport 25 -j allowed 
> 
> and sending myself an email from outside.  The packet counter incremented 
> appropriately.

Sorry, but why are you able to send with this rule a mail from outside to a
mailserver in your internal network? I suppose, that with the "-d !
{internal lan ip}" it ist not possible to send a paket to your mailserver.

> well... my two cents :-)
>
> iptables -A FORWARD -s host1 -d host2 -j DROP

well sorry it is not that easy as it seems. The rule should forward pakets
to a user-chain only if host1 ist not the source and host2 are is not the
destination.

I also tested with the 2.6.7 kernel and 1.2.11, so I can exclude this.

-- 
Supergünstige DSL-Tarife + WLAN-Router für 0,- EUR*
Jetzt zu GMX wechseln und sparen http://www.gmx.net/de/go/dsl