Luc MAIGNAN wrote:
So I wrote:
(1): iptables -I INPUT -p tcp -s 192.168.0.0/24 --dport ssh -j ACCEPT
(2): iptables -I INPUT -p tcp -s ! x.x.x.x --dport ssh -j DROP
Double negatives are bad in English, and they're bad in software, too.
You probably wanted to build your rules like this:
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -s ! x.x.x.x --dport ssh -j DROP
But, even if that was your intention, a packet from x.x.x.x won't
necessarily be accepted by those rules. The first rule doesn't match,
so the packet continues through the chain. The second rule doesn't
match, either, so the packet continues through the chain. The packet
may, then, match a later rule that drops it, or it may hit the policy,
which you've stated is DENY.
When your policy is DENY, you probably want to accept related packets
first, then accept any new packets for sources or destinations that you
want to allow, and allow the policy to catch everything else.
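To make the chain-traversal argument above concrete, here is an added example that is not part of the thread: a small Python simulator of iptables first-match semantics over an INPUT chain with a default policy. It assumes `203.0.113.10` as a constructed stand-in for the poster's `x.x.x.x`, treats `ssh` as port 22, and models the policy as DROP (the poster's "DENY"). It shows that issuing the two rules with `-I` puts rule (2) above rule (1), that with `-A` a packet from x.x.x.x falls through both rules to the policy, and that the recommended ordering (related/established first, then explicit allows, policy catches the rest) behaves as intended.

```python
"""Simulator of iptables first-match chain traversal (added example, not
from the original thread). No real iptables is needed to run it."""
import ipaddress

# Constructed stand-in for the poster's elided "x.x.x.x" (documentation range).
REMOTE_ADMIN = "203.0.113.10"
SSH = 22


def rule(target, src=None, negate_src=False, dport=None, states=None):
    """One rule: -s [!] src, --dport dport, -m state --state states, -j target."""
    return {
        "target": target,
        "src": ipaddress.ip_network(src) if src else None,
        "negate_src": negate_src,
        "dport": dport,
        "states": set(states) if states else None,
    }


def matches(r, pkt):
    """True if every match option of the rule applies to the packet."""
    if r["src"] is not None:
        in_src = ipaddress.ip_address(pkt["src"]) in r["src"]
        # "-s ! addr" inverts the source test
        if in_src == r["negate_src"]:
            return False
    if r["dport"] is not None and pkt["dport"] != r["dport"]:
        return False
    if r["states"] is not None and pkt["state"] not in r["states"]:
        return False
    return True


def walk(chain, policy, pkt):
    """Walk the chain top to bottom; the first matching rule decides.
    Returns (verdict, index of the matching rule, or None if the policy decided)."""
    for i, r in enumerate(chain):
        if matches(r, pkt):
            return r["target"], i
    return policy, None


def pkt(src, state="NEW", dport=SSH):
    return {"src": src, "state": state, "dport": dport}


LAN_ACCEPT = rule("ACCEPT", src="192.168.0.0/24", dport=SSH)
NOT_X_DROP = rule("DROP", src=REMOTE_ADMIN + "/32", negate_src=True, dport=SSH)


def chain_with_insert():
    """Poster's rules (1) then (2) issued with -I: each lands at the top,
    so the chain ends up as [(2), (1)]."""
    chain = []
    chain.insert(0, LAN_ACCEPT)
    chain.insert(0, NOT_X_DROP)
    return chain


def chain_with_append():
    """Same rules issued with -A: order is as typed, [(1), (2)]."""
    return [LAN_ACCEPT, NOT_X_DROP]


def recommended_chain():
    """Related/established first, then explicit allows; the policy catches the rest."""
    return [
        rule("ACCEPT", states=["ESTABLISHED", "RELATED"]),
        LAN_ACCEPT,
        rule("ACCEPT", src=REMOTE_ADMIN + "/32", dport=SSH),
    ]


if __name__ == "__main__":
    chains = [("-I", chain_with_insert()), ("-A", chain_with_append()),
              ("recommended", recommended_chain())]
    for name, chain in chains:
        for p in (pkt("192.168.0.5"), pkt(REMOTE_ADMIN), pkt("198.51.100.7")):
            print(f"{name:12} {p['src']:15} -> {walk(chain, 'DROP', p)}")
```

With `-I` the LAN packet hits the negated DROP at index 0, because 192.168.0.5 is not x.x.x.x. With `-A` the packet from x.x.x.x matches neither rule and is decided by the policy, exactly as described above. In the recommended chain, an ESTABLISHED packet from any source is accepted by the first rule, a NEW connection from x.x.x.x by the third, and everything else falls to the policy. (Current iptables releases write the negation as `! -s addr`; the `-s ! addr` form in the quoted rules is the older syntax.)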