[wplug] iptables
James O'Kane
jo2y at midnightlinux.com
Mon Dec 8 17:04:10 EST 2003
On Mon, 8 Dec 2003, Jason Dunn wrote:
> Hey everyone, I was wondering if anyone could help me out with a
> question? - No that wasn't the question. Does anyone know what the
> purpose of a user-defined chain is in iptables? I've only seen a
> handful of comments about them on the net, but none of them say what
> it's really for. Can you give me an example as to what it would be
> useful for?
I think of them as similar to function calls in programming languages.
They allow you to consolidate similar rules. In a single machine setup,
I'm not sure they are as useful, but I can think of several in the case
where the machine running iptables is a firewall between a group of
machines and the world.
To use an example from work, I have a group of 80 machines that I want to
add a rule to periodically, in this case, I want to add a -j MARK so
they'll match later rules I have, but sometimes I want to add other rules
to the group. What I did was add a user-defined table which I'll call
group1, then in the PREROUTING of the mangle table, I add a -j group1 for
each IP of those 80 machines.
In the group1 table, I can add and remove a single -j MARK rule and it
affects all 80 machines instead.
Eventually I plan to clean up this example and add it to my IPTables talk,
but I haven't had time yet.
Another use might be if you wanted to block incoming port 25 to a group of
machines that are known spammers, instead of adding explicit rules that
match each mail server to each spammer, you could arrange for each
mailserver's traffic to follow a user-defined chain that lists all of the
spammers' IP addresses. (Note: This should probably only be done in an
extreme case, as it could block other legitimate access.)
-james
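The two uses James describes (a group chain holding one shared MARK rule, and a blocked-sender chain shared by several mail servers), as an added example that is not part of the original post; the chain names, addresses and the `preview` helper are constructed for illustration:

```shell
#!/bin/sh
# Added example (not from the post): user-defined chains as shared "functions".
# Previews commands by default; run as root with IPT=iptables to apply them.
preview() { printf 'iptables %s\n' "$*"; }
IPT="${IPT:-preview}"

# Constructed sample addresses (the post's real group had 80 machines).
GROUP1_HOSTS="192.0.2.10 192.0.2.11 192.0.2.12"
MAIL_SERVERS="192.0.2.25"
SPAMMER_NETS="198.51.100.0/24 203.0.113.7"

# Create a chain if missing, then empty it, so the script is re-runnable.
ensure_chain() {
  $IPT -t "$1" -N "$2" 2>/dev/null || true
  $IPT -t "$1" -F "$2"
}

# One -j rule per group member in mangle PREROUTING; shared logic lives in the chain.
attach_group() {
  chain="$1"; shift
  for ip in "$@"; do
    $IPT -t mangle -A PREROUTING -s "$ip" -j "$chain"
  done
}

# Changing the whole group's treatment means editing one rule inside its chain.
set_group_mark() {
  $IPT -t mangle -F "$1"
  $IPT -t mangle -A "$1" -j MARK --set-mark "$2"
}

# Second use from the post: each mail server's inbound SMTP is sent through one
# chain listing blocked sources, instead of a rule per (server, spammer) pair.
block_spammers() {
  ensure_chain filter "$1"
  for net in $SPAMMER_NETS; do
    $IPT -t filter -A "$1" -s "$net" -j DROP
  done
  for mx in $MAIL_SERVERS; do
    $IPT -t filter -A FORWARD -d "$mx" -p tcp --dport 25 -j "$1"
  done
}

build_rules() {
  ensure_chain mangle group1
  attach_group group1 $GROUP1_HOSTS
  set_group_mark group1 1
  block_spammers spammers
}
build_rules
```

Adding or removing a host means one PREROUTING jump rule; changing what the group gets (the mark, a log, a drop) means one rule inside `group1`.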