
Re: iptables question: no chain/target/match by that name...



On Mon, Apr 05, 2004 at 12:09:31PM -0500, hugo vanwoerkom wrote:

> + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
      [ ... ]
> + iptables -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> 
> Now I know nothing of iptables, but why can he do destination port 80 
> and not 0:1023? If you delete the --dport 80 rule and put 0:1023 in its 
> place, he says the same thing.

No, it's different.  Iptables processes rules in the order that they're
entered.  Any target except LOG will cause iptables to quit the
particular chain it's in. LOG just logs and then continues in the same
chain it's processing.

In the example above, a tcp packet will go through the "--dport 80"
rule.  If it's destined for port 80, then it's accepted and IPTABLES
is done with it.  That packet will never go through any further rules.

If the packet is NOT destined for port 80, then it will continue being
processed, and if it gets to the "--dport 0:1023" rule, that is, if no
rules in between cause it to be ACCEPTED or REJECTED, it will be
REJECTED here.
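An added simulation of the first-match traversal described in the reply above, not part of the original mail and not iptables itself: it walks the two quoted Lokkit rules in order, stops at the first terminating target, and lets LOG record and continue. The `Rule` and `walk_chain` names and the DROP chain policy are assumptions of the example.

```python
# Constructed illustration of iptables chain traversal order:
# rules are checked top to bottom, ACCEPT/REJECT/DROP end the walk,
# LOG records the packet and continues, and the chain policy applies
# only when no rule decided the packet.
from dataclasses import dataclass

TERMINATING = {"ACCEPT", "REJECT", "DROP"}


@dataclass
class Rule:
    proto: str        # protocol the rule matches ("tcp" here)
    dport_lo: int     # lowest destination port (--dport lo:hi)
    dport_hi: int     # highest destination port
    syn: bool         # True models --syn: only SYN packets match
    target: str       # ACCEPT, REJECT, DROP or LOG

    def matches(self, proto, dport, syn):
        return (proto == self.proto
                and self.dport_lo <= dport <= self.dport_hi
                and (not self.syn or syn))


def walk_chain(rules, proto, dport, syn=True, policy="DROP"):
    """Return (verdict, log_entries) for one packet, checking rules in order."""
    logs = []
    for rule in rules:
        if not rule.matches(proto, dport, syn):
            continue                      # no match, try the next rule
        if rule.target == "LOG":
            logs.append(f"{proto} dport={dport}")
            continue                      # LOG is non-terminating
        if rule.target in TERMINATING:
            return rule.target, logs      # first terminating match wins
    return policy, logs                   # fell off the end: chain policy


# The two rules quoted from the Lokkit chain, in the order given.
LOKKIT_INPUT = [
    Rule("tcp", 80, 80, True, "ACCEPT"),      # --dport 80 --syn -j ACCEPT
    Rule("tcp", 0, 1023, True, "REJECT"),     # --dport 0:1023 --syn -j REJECT
]

if __name__ == "__main__":
    for port in (80, 22, 8080):
        print(port, walk_chain(LOKKIT_INPUT, "tcp", port)[0])
    # Swapping the two rules changes the port-80 verdict to REJECT.
    print("swapped 80:", walk_chain(list(reversed(LOKKIT_INPUT)), "tcp", 80)[0])
```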
