Fedora Users — Re: Iptables :: priority of rules

Re: Iptables :: priority of rules

Date Prev

Date Next

Thread Prev

Thread Next

Date Index

Thread Index

To: For users of Fedora <fedora-list@xxxxxxxxxx>

Subject: Re: Iptables :: priority of rules

From: Gordon Messmer <yinyang@xxxxxxxxx>

Date: Fri, 23 Feb 2007 15:00:37 -0800

In-reply-to: <45DEC164.4010308@xxxxxxxxxxxx>

References: <45DEC164.4010308@xxxxxxxxxxxx>

Reply-to: For users of Fedora <fedora-list@xxxxxxxxxx>

User-agent: Thunderbird 1.5.0.9 (X11/20070102)

Luc MAIGNAN wrote:


So i Wrote :

(1) : iptables -I INPUT -p tcp -s 192.168.0.0/24 --dport ssh -j ACCEPT
(2) : iptables -I INPUT -p tcp -s ! x.x.x.x --dport ssh -j DROP


Double negatives are bad in english, and they're bad in software, too.

You probably wanted to build your rules like this:

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -s ! x.x.x.x --dport ssh -j DROP

But, even if that was your intention, a packet from x.x.x.x won'tnecessarily be accepted by those rules. The first rule doesn't match,so the packet continues through the chain. The second rule doesn'tmatch, either, so the packet continues through the chain. The packetmay, then, match a later rule that drops it, or it may hit the policy,which you've stated is DENY.

When your policy is DENY, you probably want to accept related packetsfirst, then accept any new packets for sources or destinations that youwant to allow, and allow the policy to catch everything else.