With iptables, the first matching rule wins, so you might want to make the first rule of your chain a default deny-all, then allow all the others after that.
Berkeley Packet Filter is the same, but much easier to understand,
viz. (for example):
    block on eth0 all                                                              # lan interface
    block on eth1 all                                                              # dmz interface
    pass in on eth0 proto tcp from 192.168.0.0/24 to dmz-network port 22 keep state   # dmz-network: hostname or macro that resolves at load
    pass in on eth1 proto tcp from any to 192.168.1.0/26 port 22 keep state
So the first rule which matches catches the packet, and the bpf0 interface stops filtering.
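The rule-ordering point above is where the two filters actually differ, so here is an added example (not part of the post) that simulates both matching disciplines over the same constructed rule set: netfilter/iptables applies the first rule that matches, while pf applies the last rule that matches unless a rule carries `quick`. The rule set, interface names and packets are constructed for illustration and mirror the post's rules.

```python
"""Rule-evaluation order simulator (added example, not from the original post).

Models the two matching disciplines under discussion:
  - iptables/netfilter: the first matching rule in a chain decides the packet.
  - pf: the *last* matching rule decides, unless a matching rule says `quick`.
Rule sets and packets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None    # None matches any destination port
    quick: bool = False            # pf only: stop evaluating if this rule matches

    def matches(self, p: Packet) -> bool:
        return (
            self.iface in ("any", p.iface)
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == p.dport)
        )


def iptables_verdict(rules: List[Rule], p: Packet, policy: str = "block") -> str:
    """netfilter semantics: walk the chain top-down; the first match terminates."""
    for r in rules:
        if r.matches(p):
            return r.action
    return policy  # the chain policy applies only when nothing matched


def pf_verdict(rules: List[Rule], p: Packet) -> str:
    """pf semantics: last matching rule wins; `quick` short-circuits the walk."""
    verdict = "pass"  # pf passes traffic that matches no rule at all
    for r in rules:
        if r.matches(p):
            verdict = r.action
            if r.quick:
                break
    return verdict


# Constructed rule set in the post's order: block everything on both
# interfaces first, then allow SSH from the LAN to the DMZ subnet and
# SSH from anywhere into the small DMZ subnet.
RULES = [
    Rule("block", iface="eth0"),
    Rule("block", iface="eth1"),
    Rule("pass", iface="eth0", src="192.168.0.0/24", dst="192.168.1.0/26", dport=22),
    Rule("pass", iface="eth1", src="0.0.0.0/0", dst="192.168.1.0/26", dport=22),
]

# Same rules with the allows first and the blocks last: the order that
# gives the intended result under first-match (iptables) semantics.
RULES_ALLOW_FIRST = RULES[2:] + RULES[:2]

# pf with `quick` on the leading block turns it into first-match behaviour.
RULES_QUICK_BLOCK = [Rule("block", iface="eth0", quick=True)] + RULES[2:]

LAN_SSH = Packet("eth0", "192.168.0.10", "192.168.1.5", 22)    # should be allowed
LAN_HTTP = Packet("eth0", "192.168.0.10", "192.168.1.5", 80)   # should be blocked
INET_SSH = Packet("eth1", "203.0.113.7", "192.168.1.5", 22)    # should be allowed


def compare(rules: List[Rule], p: Packet) -> dict:
    """Return the verdict each filter would give for one packet."""
    return {"iptables": iptables_verdict(rules, p), "pf": pf_verdict(rules, p)}


if __name__ == "__main__":
    for name, rs in (("post order", RULES), ("allow-first", RULES_ALLOW_FIRST)):
        for pkt in (LAN_SSH, LAN_HTTP, INET_SSH):
            print(name, pkt, compare(rs, pkt))
```

Running it shows the trap: with the post's ordering, iptables blocks even the LAN SSH packet, because the leading block rule is the first match and evaluation stops there, whereas pf passes it because the later, more specific pass rule is the last match. Reversing the order (allows first, block last) gives iptables the intended result, and adding `quick` to pf's block rule reproduces iptables' first-match behaviour, blocking everything on that interface.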