[wellylug] iptables question

Richard Hector rhector at paradise.net.nz
Sat Mar 27 22:49:44 NZST 2004


On Sat, Mar 27, 2004 at 10:33:20PM +1200, Enkidu wrote:
> On Sat, 27 Mar 2004 20:36:25 +1200, you wrote:
> 
> >Hi all,
> >
> >If I have, for example:
> >
> >iptables -N combined
> >iptables -A INPUT -j combined
> >iptables -A FORWARD -j combined
> >
> >does this
> >
> >iptables -A combined -o !+ -j ACCEPT
> >
> >make sense?
> >
> >I'm trying to match only input stuff, after I've combined the two
> >chains. Obviously, if that was all I had, it would be silly; I have
> >rather more than that above - and more levels of chains.
> >
> >If that won't work, is there any other way to detect whether a packet is
> >to be routed or not, once it's out of the default chains?
> >
> >Any suggestions appreciated.
> >
> How about 
> 
> iptables -A combined -o ! eth+ -j ACCEPT ??
> 
> I've no idea if it would work, though!

As far as I can see, that's pretty much the same thing, but fails in the
case of non-eth interfaces (ppp, tunnels, etc.).

The packet-filtering HOWTO says:

Packets traversing the INPUT chain don't have an output interface, so
any rule using `-o' in this chain will never match. Similarly, packets
traversing the OUTPUT chain don't have an input interface, so any rule
using `-i' in this chain will never match.

That includes "any rule using `-o' in this chain will never match", but
isn't explicit about negated -o's, or about chains called from INPUT,
unfortunately.

I guess I just have to try it ... but either I have to set up
firewalling on another box, or risk cutting myself off from the one I'm
playing with ...

Thanks,

Richard
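One way to try a candidate rule on the box you are working from without risking a permanent lock-out, as an added example that is not part of the thread: save the running ruleset, load the candidate rules, and let a background timer restore the saved set unless you confirm within a window. The chain layout and the `-o ! eth+` rule are the ones from the thread (written in the newer `! -o` form); the file paths, the 60 s window and the confirmation file are assumptions.

```sh
#!/bin/sh
# Added example: load a candidate iptables ruleset with automatic rollback
# so a bad rule on a remote box does not cut you off for good.
# Assumptions (not from the thread): iptables-save/iptables-restore exist,
# a 60 s confirmation window, and state files kept under /tmp.

SAVED=/tmp/iptables.before       # assumed path for the saved ruleset
OKFILE=/tmp/iptables.confirmed   # assumed path; touch it to keep the rules
WINDOW=60                        # seconds allowed before rollback

# Print the chain layout from the question as an iptables-restore
# fragment for the filter table (text on stdout, nothing applied).
candidate_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:combined - [0:0]
-A INPUT -j combined
-A FORWARD -j combined
-A combined ! -o eth+ -j ACCEPT
COMMIT
EOF
}

# Count the rule lines (those starting with "-A ") in a fragment on stdin,
# a cheap sanity check before handing the fragment to iptables-restore.
count_rules() {
    grep -c '^-A '
}

# Save the live ruleset, load the candidate, and restore the saved set
# after $WINDOW seconds unless $OKFILE has appeared.  Run it, check you
# can still reach the box, then "touch $OKFILE" to keep the new rules.
try_with_rollback() {
    rm -f "$OKFILE"
    iptables-save > "$SAVED" || return 1
    candidate_rules | iptables-restore || return 1
    ( sleep "$WINDOW"; [ -e "$OKFILE" ] || iptables-restore < "$SAVED" ) &
    echo "Rules loaded; touch $OKFILE within ${WINDOW}s to keep them."
}
```

If the window expires the saved ruleset is put back by the background subshell, so a rule that blocks your own session only costs you $WINDOW seconds.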
