On Mon, 2005-01-31 at 20:52 -0500, Robert L Cochran wrote:
> ---------------------------------------------------------------------------------------------------------------------
> Here is a list of all the iptables chains:
>
> [root@bobcp4 ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> RH-Firewall-1-INPUT  all  --  anywhere             anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             anywhere
> ACCEPT     icmp --  anywhere             anywhere            icmp any
> ACCEPT     ipv6-crypt--  anywhere        anywhere
> ACCEPT     ipv6-auth--  anywhere         anywhere
> ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
> ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
>
> -------------------------------------------------------------------------------------------------------------------------
>
> Now suppose I independently add a rule like this:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT
>
> The rule will be added to the bottom of the RH-Firewall-1-INPUT chain,
> right after that REJECT. So a datagram for port 3306 will traverse the
> chain, hit the REJECT, and get blown away without ever being inspected
> by the new rule appearing after the REJECT.
>
> Am I on the right track here?

----

Why don't you try it?

And then

service iptables save
service iptables restart
iptables -L

and see what happens then?

Craig
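As an added illustration of the ordering problem Robert describes (this is not code from either poster), the helper below reads the output of `iptables -L <chain> --line-numbers` on stdin, finds the position of the first terminal REJECT or DROP rule, and emits the `iptables -I <chain> <pos> ...` command that places a new rule ahead of it instead of appending it after. The function names (`first_terminal_rule`, `insert_before_terminal`, `mysql_insert_cmd`) and the variables `SAMPLE_LISTING` and `MYSQL_RULE` are my own; the sample listing is constructed from the chain posted above with a `num` column added, in the shape `iptables -L RH-Firewall-1-INPUT --line-numbers` prints. Nothing here touches the live firewall; it only prints the command to run.

```shell
#!/bin/sh
# Added example, not from the thread. Given "iptables -L CHAIN --line-numbers"
# output, compute where a rule must be inserted so it is evaluated before the
# chain's terminal REJECT/DROP, and print the matching iptables -I command.

# Constructed listing: the posted RH-Firewall-1-INPUT chain with line numbers,
# as "iptables -L RH-Firewall-1-INPUT --line-numbers" would show it. The parser
# only relies on column 1 (rule number) and column 2 (target).
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     icmp --  anywhere             anywhere            icmp any
3    ACCEPT     ipv6-crypt--  anywhere        anywhere
4    ACCEPT     ipv6-auth--  anywhere         anywhere
5    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
7    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
8    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
9    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
10   ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
11   REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited'

# The rule Robert wants to add (his rule spec, without the -A CHAIN part).
MYSQL_RULE='-m state --state NEW -m tcp -p tcp --dport 3306 -s 192.168.1.0/24 -j ACCEPT'

# Print the 1-based position of the first REJECT or DROP rule in the listing
# read from stdin. Prints nothing if the chain has no terminal rule, in which
# case appending with -A is harmless.
first_terminal_rule() {
    awk '$1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") { print $1; exit }'
}

# Usage: insert_before_terminal CHAIN "RULE_SPEC" < listing
# "iptables -I CHAIN N" puts the new rule at position N and shifts the old
# rule N (here the REJECT) down to N+1, so the ACCEPT is checked first.
insert_before_terminal() {
    chain=$1
    spec=$2
    pos=$(first_terminal_rule)          # reads the function's stdin
    if [ -n "$pos" ]; then
        printf 'iptables -I %s %s %s\n' "$chain" "$pos" "$spec"
    else
        printf 'iptables -A %s %s\n' "$chain" "$spec"
    fi
}

# The command to run for the posted chain and the MySQL rule.
mysql_insert_cmd() {
    printf '%s\n' "$SAMPLE_LISTING" | insert_before_terminal RH-Firewall-1-INPUT "$MYSQL_RULE"
}

mysql_insert_cmd
```

On a live box you would feed it the real listing, `iptables -L RH-Firewall-1-INPUT --line-numbers | insert_before_terminal RH-Firewall-1-INPUT "$MYSQL_RULE"`, run the printed command, then `service iptables save` so the position survives a restart; the saved /etc/sysconfig/iptables file lists rules in chain order, so the new line should appear above the REJECT there. Re-run `iptables -L RH-Firewall-1-INPUT --line-numbers` afterwards and confirm the port 3306 ACCEPT is numbered lower than the REJECT; if it is not, the REJECT still wins, exactly as Robert anticipates.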