
Tuesday, April 09, 2013

Re: [iptables] Zone based rules

> Have you considered using RETURN instead of ACCEPT ?
> Something like:
>
> # Traffic coming from the zones (each -A FORWARD rule needs -j to jump into the zone chain).
> -A FORWARD -i eth0 -j ZONE_MRKT_OUT
> -A FORWARD -i eth1 -j ZONE_SRV_OUT
>
> # Traffic to the zones.
> -A FORWARD -o eth0 -j ZONE_MRKT_IN
> -A FORWARD -o eth1 -j ZONE_SRV_IN
>
> -A FORWARD -j ACCEPT
>
> # Let's look at marketing (same chain name as above; the earlier MKRT spelling was a typo).
> -A ZONE_MRKT_OUT -j RETURN
> -A ZONE_MRKT_OUT -j DROP # catch-all, useless here
>
> # Servers
> -A ZONE_SRV_IN -s mar.ket.ing.net/mask -p tcp --dport 22 -j DROP
> -A ZONE_SRV_IN -j DROP # catch-all
>
Indeed using RETURN here can do the trick.

--
Jimmy
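A complete version of the zone scheme from the thread in iptables-restore format, with a small lint for the one pitfall it carries: a user chain that runs out of rules returns implicitly, and the final FORWARD rule accepts, so every ZONE_* chain must end in an unconditional target. This is an added example, not the original poster's rules; the interface names follow the thread, while the 192.0.2.0/24 marketing subnet, the port 80 rule and the conntrack rule are constructed assumptions.

```shell
#!/bin/sh
# Constructed zone-based FORWARD ruleset (iptables-restore syntax).
# eth0 = marketing, eth1 = servers, as in the thread. 192.0.2.0/24 stands in
# for the marketing subnet and is a placeholder, not a value from the thread.
zone_ruleset() {
cat <<'EOF'
*filter
:FORWARD DROP [0:0]
:ZONE_MRKT_OUT - [0:0]
:ZONE_MRKT_IN - [0:0]
:ZONE_SRV_OUT - [0:0]
:ZONE_SRV_IN - [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -j ZONE_MRKT_OUT
-A FORWARD -i eth1 -j ZONE_SRV_OUT
-A FORWARD -o eth0 -j ZONE_MRKT_IN
-A FORWARD -o eth1 -j ZONE_SRV_IN
-A FORWARD -j ACCEPT
-A ZONE_MRKT_OUT -j RETURN
-A ZONE_SRV_OUT -j RETURN
-A ZONE_MRKT_IN -j RETURN
-A ZONE_SRV_IN -s 192.0.2.0/24 -p tcp --dport 22 -j DROP
-A ZONE_SRV_IN -p tcp --dport 80 -m conntrack --ctstate NEW -j RETURN
-A ZONE_SRV_IN -j DROP
COMMIT
EOF
}

# Lint (reads a ruleset on stdin): for every ZONE_* chain, the last rule must be
# exactly "-A <chain> -j <target>" with no match. A conditional last rule lets
# unmatched traffic fall off the chain, RETURN implicitly, and hit the trailing
# "-A FORWARD -j ACCEPT". Prints each offending chain; exit 1 if any were found.
lint_zone_chains() {
  awk '
    /^-A ZONE_/ { last[$2] = $0 }
    END {
      for (c in last) {
        n = split(last[c], f, " ")
        if (n != 4 || f[3] != "-j") { print c; bad++ }
      }
      exit (bad > 0)
    }'
}

zone_ruleset | lint_zone_chains && echo "every zone chain ends in an unconditional target"
```

Load the ruleset with `zone_ruleset | iptables-restore` on the gateway; run `lint_zone_chains` against `iptables-save` output to check a live box.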
