Quote:
Originally Posted by wolfsden3
I don't quite get iptables and have read a ton about them.
|
I don't think that you do quite get iptables; otoh, I'm not sure I can help you with some of the ipset stuff, but, if we do get your head around the basics of iptables, maybe you'll be able to do the rest yourself.
As a reference on iptables, what you need is a document on frozentux. If you want to look through some worked examples, try this.
Quote:
Originally Posted by wolfsden3
All that last syntax seems to do is put it into the INPUT chain and make it "jump" (-j) to my "custom.zone" chain. I'd like it to be an INDEPENDENT chain though and work just like INPUT, OUTPUT, FORWARD, etc. work, so in addition to INPUT, OUTPUT, etc. I'd also now have "custom.zone".
1 - What's up with the existing chain of INPUT, OUTPUT, FORWARD and where did they come from?
2 - Can't I just create a new chain called WHATEVER and have it do something like reject, drop, etc packets? Why would I need to add it (-A) to the INPUT chain that already exists?
|
No. Your custom chain doesn't go 'in' anywhere. It just sits there on its own, waiting for... well, waiting for some data to be sent to it. This data could, in theory, come from anywhere; it wouldn't matter.
The question about the existing chains is a bit like 'and, before the big bang, what was there, then?' In the beginning, there have to be some existing chains for data to go down, if there is any data passing around (which there might be, particularly on the 'lo' interface).
So, INPUT, OUTPUT and FORWARD are just a fact of life, like death and taxes, and are there at the beginning of time, as far as your ruleset is concerned. What you do need to do, for your custom chains to be of any practical use, is to include some instruction in the existing chains that sends, under some conditions, some data packets to your custom chain. Without this, your custom chain(s) will just sit there idle; that won't break anything, it just won't help in any way.
If your WHATEVER chain has, err, whatever rules you want, it can't do anything unless the data passes their way.
Now, more or less anything that you could do in your custom chain, you could do in one of the inherent chains, but it just might be rather messy, with repeats of the same tests, lots of traffic passing through useless tests, and generally be a bit inefficient.
As to your objectives, I don't understand them, and they sound more like methods or tactics than objectives to me. Can't help.
Edit:
And, if you do choose to include any code in a reply, please put it in code tags, for readability.
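To make the point of the reply above concrete, here is a small Python model of how iptables walks its chains. This is an added example, not code from the original thread and not iptables itself: rule matching is reduced to a source-address prefix test (the Rule, Table, walk and verdict names are my own), but the traversal semantics it models are the real ones. Built-in chains (INPUT, OUTPUT, FORWARD) have a policy that applies when a packet reaches the end of the chain; a user-defined chain such as "custom.zone" cannot have a policy and simply returns to the calling chain when it runs out of rules; and a user-defined chain is only ever entered because some rule in a built-in chain jumps to it.

```python
# Toy model of iptables chain traversal (added example, not real iptables).
# Shows why a user-defined chain such as "custom.zone" does nothing until a
# rule in a built-in chain (INPUT/OUTPUT/FORWARD) jumps to it.
from dataclasses import dataclass, field
from typing import Optional

BUILTIN = ("INPUT", "OUTPUT", "FORWARD")
TERMINAL = ("ACCEPT", "DROP", "REJECT")   # verdicts that end traversal


@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, REJECT, RETURN, or a chain to jump to
    src: Optional[str] = None    # optional source-address prefix to match, e.g. "10.0."


@dataclass
class Table:
    # The built-in chains exist from the start and default to policy ACCEPT.
    chains: dict = field(default_factory=lambda: {c: [] for c in BUILTIN})
    policies: dict = field(default_factory=lambda: {c: "ACCEPT" for c in BUILTIN})

    def new_chain(self, name):            # iptables -N name
        if name in self.chains:
            raise ValueError(f"chain {name} already exists")
        self.chains[name] = []

    def policy(self, chain, target):      # iptables -P chain target
        if chain not in BUILTIN:
            raise ValueError("only built-in chains can have a policy")
        self.policies[chain] = target

    def append(self, chain, rule):        # iptables -A chain [-s prefix] -j target
        if rule.target not in TERMINAL + ("RETURN",) and rule.target not in self.chains:
            raise ValueError(f"unknown target {rule.target}")
        self.chains[chain].append(rule)

    def walk(self, chain, src, trace):
        """Traverse one chain; return a verdict, or None if the chain ran out of rules."""
        trace.append(chain)
        for rule in self.chains[chain]:
            if rule.src is not None and not src.startswith(rule.src):
                continue                                  # rule does not match
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                return None
            verdict = self.walk(rule.target, src, trace)  # jump into a user chain
            if verdict is not None:
                return verdict                            # the user chain decided
            # user chain fell off its end: carry on with the next rule here
        return None

    def verdict(self, chain, src):
        """Verdict for a packet from `src` entering built-in `chain`, plus chains visited."""
        trace = []
        v = self.walk(chain, src, trace)
        if v is None:
            v = self.policies[chain]      # end of a built-in chain: its policy applies
        return v, trace


def demo():
    """Constructed scenario: custom.zone exists, then INPUT is told to jump to it."""
    t = Table()
    t.policy("INPUT", "DROP")                            # iptables -P INPUT DROP
    t.new_chain("custom.zone")                           # iptables -N custom.zone
    t.append("custom.zone", Rule("ACCEPT", src="10.0."))     # -A custom.zone -s 10.0.0.0/16 -j ACCEPT
    t.append("custom.zone", Rule("DROP", src="192.168."))    # -A custom.zone -s 192.168.0.0/16 -j DROP

    before = t.verdict("INPUT", "10.0.0.7")    # chain exists but nothing sends packets to it
    t.append("INPUT", Rule("custom.zone"))     # iptables -A INPUT -j custom.zone
    after = t.verdict("INPUT", "10.0.0.7")     # now the packet is routed through custom.zone
    stranger = t.verdict("INPUT", "203.0.113.9")  # no rule matches: returns, INPUT policy decides
    return before, after, stranger


if __name__ == "__main__":
    for label, result in zip(("before jump", "after jump", "unmatched"), demo()):
        print(f"{label}: verdict={result[0]} visited={result[1]}")
```

The "before" result is the idle chain the reply describes: custom.zone holds rules, but the packet only ever sees INPUT and its DROP policy. After the single `-A INPUT -j custom.zone` rule is added, the same packet is accepted inside custom.zone, and an address that matches nothing there returns to INPUT and falls through to the policy. Trying `t.policy("custom.zone", "DROP")` raises, which is the model's way of saying what iptables itself says: user chains have no policy, only the built-ins do.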