On May 5, 2010, at 9:54 AM, Boniforti Flavio wrote:
>> Don't know if this is going to work, but if it does, rules
>> similar to these may solve your problem. With no proxy whinage.
>
> This *is* going to work
Thanks for that. Now I know that if it doesn't, it's my implementation, not the design...
> I did such setups too, some years ago. The fact
> is, that similar solutions require some more intervention, because (as
> you might know) every day a new software/tool/internet application needs
> to be used (and it is FOR SURE that it HAS to be used, for working
> purposes, not for joke)... This would mean, adding rules from time to
> time...
It would indeed. One of the delights (IMHO) of iptables is local chains. My packet filter will have special chains for stuff. So when a new LAN to NET rule is needed,
"iptables -A LANtNET -p <...> --dport <...> -j ALLOW"
is all that's needed. Actually, that'd go into the shell script that builds the filter.
> Good luck, but still I confess that I *may be* switching to this your
> suggestion too! ;-)
Use default deny and break up the logic into chains (within reason). Makes things a lot easier to maintain. Did for me, anyway.
--
Glenn English
ghe_at_slsware.com

Received on Wed May 05 2010 - 16:34:57 MDT
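The "default deny, break the logic into chains" layout Glenn describes, as an added example script (not code from the thread). It emits an iptables-restore ruleset; the interface names, the LAN subnet and the use of the built-in ACCEPT target (rather than the poster's ALLOW chain) are assumptions.

```shell
#!/bin/sh
# Added example: build a default-deny iptables filter with one local chain
# per traffic direction, in iptables-restore format.
# Assumed layout: LAN on eth1 (192.168.1.0/24), Internet on eth0.
LAN_IF="${LAN_IF:-eth1}"
NET_IF="${NET_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# lan_to_net PROTO PORT: one allow rule in the LANtNET chain. When a new
# application has to reach the Internet, this is the only line to add.
lan_to_net() {
    printf -- '-A LANtNET -p %s --dport %s -j ACCEPT\n' "$1" "$2"
}

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LANtNET - [0:0]
:NETtLAN - [0:0]
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $NET_IF -s $LAN_NET -j LANtNET
-A FORWARD -i $NET_IF -o $LAN_IF -j NETtLAN
EOF
    # LAN -> NET: only the listed services. Anything else falls off the end
    # of the chain and is dropped by the FORWARD policy (default deny).
    lan_to_net udp 53
    lan_to_net tcp 80
    lan_to_net tcp 443
    # NET -> LAN: only replies to connections the LAN opened.
    printf -- '-A NETtLAN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A NETtLAN -j DROP\n'
    printf 'COMMIT\n'
}

# Print the ruleset by default; load it only when asked (needs root):
#   ./fw.sh apply
if [ "${1:-}" = "apply" ]; then
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```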