[Firehol-devs] user-defined chains

Andrew Schulman andrex at alumni.utexas.net
Mon Aug 6 09:52:35 BST 2007


> # create the custom action 'mathieu'
> action chain mathieu accept
>    # put custom iptables commands for chain 'mathieu'
>    iptables -F mathieu # empty the chain
>    iptables -A mathieu -m condition --condition mathieu_all_allow -j ACCEPT # accept via proc
>    iptables -A mathieu -m time --timestart 0700 --timestop 2100 -j ACCEPT # accept in working hours
>    iptables -A mathieu -j RETURN # do whatever other rules say
> 
> interface eth0 lan
>    client all mathieu user mathieu
> 
> interface eth1 wan
>    client all mathieu user mathieu
> 
> router internet inface eth1 outface eth0
>    client all mathieu src mathieu.pc.hostname

If I understand correctly, to use a custom chain in this way would send
traffic through it that's going in both directions.  For example, in

interface eth0 lan
   client all mathieu user mathieu

firehol will insert rules in both the in_lan and out_lan chains, directing
traffic for user mathieu into the mathieu chain.  What this means is that no
source or destination ports, IP addresses, or interfaces can be used in rules
in that chain, because you don't know whether e.g. a given port will be the
source or destination port-- it will be both at different times for traffic
that passes through that chain.  Am I correct?

Unfortunately this matters to me because I want to block traffic on certain
ports, e.g. chat and email when Mathieu should be doing his homework.  In the
current setup this isn't possible.

One possible solution would be to have e.g. the "client" statement interpret
any action that's a chain as really two actions: in_${action} for input rules,
and out_${action} for output rules.  Then I could set up separate action
chains in_mathieu and out_mathieu.  But this might not work or might break
"client" in other ways.

Thanks,
Andrew.
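To make the direction problem in the question concrete, here is a small added example (not FireHOL or iptables code, and not from this thread) that models one user-defined chain reached from both the inbound and the outbound rule set, next to the in_/out_ split proposed above. Packet and rule formats, the port 25 policy and the sample packets are all constructed for the model.

```python
"""Toy model of a firewall chain shared by both traffic directions.

Constructed example, not FireHOL or iptables code: it only models how a
port match in one user-defined chain behaves when that chain is reached
from both the inbound and the outbound rule set, compared with keeping
separate in_<name>/out_<name> chains.  Packet and rule formats are
invented for the model.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    direction: str          # "in" or "out", relative to the firewall host
    sport: int
    dport: int


@dataclass
class Rule:
    target: str             # "ACCEPT", "DROP" or "RETURN"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # A rule with no port criteria matches every packet.
        return ((self.sport is None or self.sport == pkt.sport) and
                (self.dport is None or self.dport == pkt.dport))


def run_chain(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an unmatched chain falls through (RETURN)."""
    for r in rules:
        if r.matches(pkt):
            return r.target
    return "RETURN"


def verdict_shared(chains: Dict[str, List[Rule]], pkt: Packet) -> str:
    """One chain 'mathieu' referenced from in_lan and out_lan alike."""
    return run_chain(chains["mathieu"], pkt)


def verdict_split(chains: Dict[str, List[Rule]], pkt: Packet) -> str:
    """Dispatch on direction to in_mathieu / out_mathieu (the mail's proposal)."""
    return run_chain(chains[f"{pkt.direction}_mathieu"], pkt)


# Constructed policy: block SMTP (TCP port 25) for the user during homework time.
SHARED = {"mathieu": [Rule("DROP", dport=25), Rule("RETURN")]}
SPLIT = {
    "out_mathieu": [Rule("DROP", dport=25), Rule("RETURN")],   # requests leaving the host
    "in_mathieu":  [Rule("DROP", sport=25), Rule("RETURN")],   # replies arriving at the host
}

# Constructed sample packets: port 25 is the destination on the request
# and the source on the reply, which is exactly the ambiguity at issue.
SAMPLE = {
    "smtp_request": Packet("out", 40000, 25),   # client request to a mail server
    "smtp_reply":   Packet("in", 25, 40000),    # the server's reply to it
    "local_smtp":   Packet("in", 50000, 25),    # unrelated connection to local port 25
}


def compare() -> Dict[str, Tuple[str, str]]:
    """Return {packet name: (verdict with shared chain, verdict with split chains)}."""
    return {name: (verdict_shared(SHARED, p), verdict_split(SPLIT, p))
            for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, (shared, split) in compare().items():
        print(f"{name:13s} shared={shared:7s} split={split}")
```

With the shared chain, the `dport 25` rule catches the outbound request but not the reply (whose destination is the ephemeral port), and it also catches an unrelated inbound connection to a local port 25. With direction-specific chains, each side can state which end of the connection the port belongs to, so the reply is handled and the unrelated inbound packet is left to the other rules.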
