Re: policy DROP and 1 rule

To: inflo <inflo@web.de>
Cc: debian-firewall@lists.debian.org
Subject: Re: policy DROP and 1 rule
From: Matias Lambert <matiaslambert@itcom.com.ar>
Date: Sun, 17 Nov 2002 16:05:02 -0300
Message-id: <3DD7E85E.D8C86BDB@itcom.com.ar>
References: <20021115205855.0af4c404.inflo@web.de>

Hi,
I think that your problem can be that you have the DROP rule before the ACCEPT rule in your INPUT chain, if you put the command in the same order that you email us, the packet will be droped.
If you take a look to your tables ( iptables -L -n -v ) the first rule that match the packet will be executed.( you can view in the counters what is the rule that use the packet, with -Z the counter will be restarted ).
To put a rule first in a chain you should use the -I option instead of -A.
for example: iptables -I INPUT -s lan-machine -j ACCEPT.
I hope that I help you.
Regards,
Matias Lambert
OSInet Comunicaciones
Datacom & IT support
Argentina
www.osinet.com.ar

inflo wrote:

> hi, when i set the INPUT policy of DROP and then insert a rule -A INPUT -s lan-machine -j ACCEPT ,the lan machine normally must be able to ping the firewalled machine? with this syntax the -p option is default set to "all". so icmp is also under "all" to find ,or i am wrong?thanks for help, and much fun
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: policy DROP and 1 rule
  - From: "Andres Taylor" <andres@rotselleri.com>

References:
- policy DROP and 1 rule
  - From: inflo <inflo@web.de>

Prev by Date: Re: Iptables generic broadcast filter
Next by Date: Re: NetFilter connection tracking
Previous by thread: policy DROP and 1 rule
Next by thread: Re: policy DROP and 1 rule
Index(es):
- Date
- Thread