
Re: Confirming an iptables rule



Lucas Barbuto <lucas@qk.com.au> writes:

> Hi Guys,
> 
> On Mon, Aug 19, 2002 at 08:23:08AM +0200, Frederik Schueler wrote:
> > I'm surprised -i accepted an IP address. 
> 
> You were both right about that, '-i' doesn't accept an IP address. 
> 
> I have tried both these methods and I'm still able to connect to a
> remote host on port 27374 (using netcat).  I'm currently using this
> 
> iptables -A FORWARD -p TCP -i ${INSIDE_INTERFACE} --dport 27374 -j DROP
> iptables -A FORWARD -p UDP -i ${INSIDE_INTERFACE} --dport 27374 -j DROP
> 
> Unfortunately it is still allowing these packets through.  I'm concerned
> that these rules
> 
> iptables -A FORWARD -m state --state NEW -i ${INSIDE_DEVICE} -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state NEW,INVALID -i ${OUTSIDE_DEVICE} -j DROP
> 
> ... are overriding the dropping rules, can anyone confirm or deny this?

Depends on which order you apply them. If they appear in the chain before
the DROP rules, the packets will go through.

Ciao
        Racke

-- 
Prolific Interchange Consulting (Excellent German Quality !).
Take a look at Materialboerse (http://www.materialboerse.de/), WITT 
(http://www.witt-weiden.de/), Boxmover (http://shop.boxmover.ch/) or 
Passionshop (http://www.passionshop.com/racke). Need a shop ? Contact us.
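An added illustration of the point Racke makes, not part of the thread: netfilter walks a chain top to bottom and the first matching rule decides, so a general "ACCEPT NEW from inside" appended before the port-27374 DROPs hides them from exactly the packets the DROPs were meant to catch. The script below is a deliberately small model of that first-match walk (connection state is given as a field rather than tracked), and it assumes that ${INSIDE_INTERFACE} and ${INSIDE_DEVICE} name the same NIC (called eth1 here) and ${OUTSIDE_DEVICE} is eth0; the interface names and the probe packets are constructed for the example.

```python
# Added example, not code from the thread: a minimal model of how netfilter
# evaluates a chain (first matching rule wins; chain policy if none match).
# Interface names are assumptions standing in for the poster's variables.
INSIDE = "eth1"   # ${INSIDE_INTERFACE} / ${INSIDE_DEVICE}, taken as one NIC
OUTSIDE = "eth0"  # ${OUTSIDE_DEVICE}


def rule(target, proto=None, in_iface=None, dport=None, states=None):
    """One FORWARD rule; None means 'any' for that criterion, as in iptables."""
    return {"target": target, "proto": proto, "in": in_iface,
            "dport": dport, "states": states}


def matches(r, pkt):
    """Does rule r match packet pkt? Every non-None criterion must agree."""
    if r["proto"] is not None and r["proto"] != pkt["proto"]:
        return False
    if r["in"] is not None and r["in"] != pkt["in"]:
        return False
    if r["dport"] is not None and r["dport"] != pkt["dport"]:
        return False
    if r["states"] is not None and pkt["state"] not in r["states"]:
        return False
    return True


def evaluate(chain, pkt, policy="ACCEPT"):
    """Walk the chain; return (verdict, index of the rule that decided).

    Index -1 means no rule matched and the chain policy applied.
    """
    for i, r in enumerate(chain):
        if matches(r, pkt):
            return r["target"], i
    return policy, -1


# The rules in the order the poster's script appends them with -A:
# the state rules go in first, the port-27374 DROPs are appended after.
POSTED_ORDER = [
    rule("ACCEPT", in_iface=INSIDE, states={"NEW"}),
    rule("ACCEPT", states={"ESTABLISHED", "RELATED"}),
    rule("DROP", in_iface=OUTSIDE, states={"NEW", "INVALID"}),
    rule("DROP", proto="tcp", in_iface=INSIDE, dport=27374),
    rule("DROP", proto="udp", in_iface=INSIDE, dport=27374),
]

# The same rules with the specific DROPs ahead of the general ACCEPT, which
# is what loading them first (or using `iptables -I FORWARD ...`) gives.
FIXED_ORDER = POSTED_ORDER[3:] + POSTED_ORDER[:3]

# Constructed packet: the netcat probe from an inside host to port 27374.
NC_PROBE = {"proto": "tcp", "in": INSIDE, "dport": 27374, "state": "NEW"}


def trace(label, chain, pkt):
    verdict, idx = evaluate(chain, pkt)
    where = f"rule {idx}" if idx >= 0 else "chain policy"
    print(f"{label}: {pkt['proto']}/{pkt['dport']} from {pkt['in']} "
          f"({pkt['state']}) -> {verdict} by {where}")
    return verdict, idx


if __name__ == "__main__":
    trace("posted order", POSTED_ORDER, NC_PROBE)  # ACCEPT by rule 0
    trace("fixed order ", FIXED_ORDER, NC_PROBE)   # DROP by rule 0
```

In the posted order the probe is accepted by rule 0 and never reaches the DROPs, which is what the netcat test showed; with the DROPs first, the probe is dropped while ordinary inside-to-outside connections and established replies are still accepted. The same check can be made on a live box by reading `iptables -L FORWARD -v -n --line-numbers` and watching which rule's packet counter increments during the test.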