On Mon, 10.01.2005, at 18:16, Vinicius wrote:
> > I would like to have a rule to reject out-of-range IPs from accessing a
> > specified port on my system, so I did the following rule:
> > "iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp
> > --dport 22 -m iprange ! --src-range 200.252.X.X-200.252.X.Y -j REJECT
> > --reject-with icmp-host-prohibited", where X and Y are appropriate numbers.
> If the above rule number is 4 and the following rule number is 3, then
> is the rulenum 4 useless, please?
> rule number 3: "iptables -A RH-Firewall-1-INPUT -m state --state NEW -m
> tcp -p tcp --dport 22 -j ACCEPT"
> Vinicius.

Yes, the rules are gone through from first to last until a rule matches.
Your rule number 3 catches all packets to port 22 which have connection
tracking state NEW, regardless of which IP they originate from.

Alexander

--
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp
Serendipity 18:21:13 up 18 days, 20:05, load average: 1.62, 0.76, 0.49
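To show why the first-match traversal makes rule 4 unreachable, here is an added example (not code from the thread) that models the chain walk in Python for the two rules quoted above. The range 200.252.10.1-200.252.10.254 stands in for the masked 200.252.X.X-200.252.X.Y, and the addresses 203.0.113.5 and 200.252.10.7 are constructed samples.

```python
import ipaddress


def ip_in_range(ip, lo, hi):
    """True when ip lies inside the inclusive lo..hi range (iprange semantics)."""
    a = int(ipaddress.ip_address(ip))
    return int(ipaddress.ip_address(lo)) <= a <= int(ipaddress.ip_address(hi))


def rule_matches(rule, pkt):
    """Every match option present on the rule must hold; 'negate' models '! --src-range'."""
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "dport" in rule and pkt["dport"] != rule["dport"]:
        return False
    if "state" in rule and pkt["state"] != rule["state"]:
        return False
    if "src_range" in rule:
        inside = ip_in_range(pkt["src"], *rule["src_range"])
        # negate=True matches only outside the range, negate=False only inside
        if rule.get("negate", False) == inside:
            return False
    return True


def evaluate(chain, pkt, policy="DROP"):
    """Walk the chain top-down; the first matching rule decides. Returns (verdict, rule number)."""
    for number, rule in enumerate(chain, start=1):
        if rule_matches(rule, pkt):
            return rule["target"], number
    return policy, None  # nothing matched: the chain policy applies


# Rule 3 and rule 4 from the thread (placeholder range instead of 200.252.X.X-200.252.X.Y)
ACCEPT_SSH = {"state": "NEW", "proto": "tcp", "dport": 22, "target": "ACCEPT"}
REJECT_OUTSIDE = {"state": "NEW", "proto": "tcp", "dport": 22, "negate": True,
                  "src_range": ("200.252.10.1", "200.252.10.254"), "target": "REJECT"}

AS_POSTED = [ACCEPT_SSH, REJECT_OUTSIDE]  # -A appends, so the ACCEPT sits first
FIXED = [REJECT_OUTSIDE, ACCEPT_SSH]      # what inserting the REJECT above the ACCEPT gives

# Constructed sample packets: one source outside the range, one inside
PKT_OUTSIDE = {"src": "203.0.113.5", "proto": "tcp", "dport": 22, "state": "NEW"}
PKT_INSIDE = {"src": "200.252.10.7", "proto": "tcp", "dport": 22, "state": "NEW"}

if __name__ == "__main__":
    print("as posted, outside source:", evaluate(AS_POSTED, PKT_OUTSIDE))  # ('ACCEPT', 1)
    print("fixed order, outside source:", evaluate(FIXED, PKT_OUTSIDE))    # ('REJECT', 1)
    print("fixed order, inside source:", evaluate(FIXED, PKT_INSIDE))      # ('ACCEPT', 2)
```

With the rules in the posted order the REJECT is never consulted for any NEW SSH packet; placing it before the ACCEPT (for example with `iptables -I` at the ACCEPT's position) restores the intended behaviour.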