Re: Confirming an iptables rule

To: Lucas Barbuto <lucas@qk.com.au>
Cc: debian-firewall <debian-firewall@lists.debian.org>
Subject: Re: Confirming an iptables rule
From: Lance Levsen <l.levsen@pwgroup.ca>
Date: Mon, 19 Aug 2002 08:50:29 -0600
Message-id: <[🔎] 20020819145029.42EF6798D@cossette.cmcentre.com>
In-reply-to: Message from Lucas Barbuto <lucas@qk.com.au> of "Mon, 19 Aug 2002 16:58:30 +1000." <[🔎] 20020819065830.GB25626@qk.com.au>
References: <[🔎] 20020819024359.GA24997@qk.com.au> <[🔎] 20020819062308.GA21025@lowpingbastards.de> <[🔎] 20020819064159.GA25626@qk.com.au> <[🔎] 20020819065830.GB25626@qk.com.au>

> Hey Guys,
> 
> Just to clear up, I placed the DROP rules above the state ACCEPT rules
> in my firewall script and now it seems to be working.  This is
> interesting, I think.
> 
> Thanks for your help anyway guys and if you can explain to me why this
> is I'd appreciate it.
> 
> Lucas

This is because Linux takes action on a packet by the first 
fully matched rule.

You want to have all your DROP statements first, instead of -A 
(append) use -I (insert) the default rulenumber for -I is 1.

So any rule that inserts a rule goes to the top of the chain.

Cheers,
-- 
Lance Levsen,
Systems Administrator,
PWGroup - Saskatoon

Reply to:

References:
- Confirming an iptables rule
  - From: Lucas Barbuto <lucas@qk.com.au>
- Re: Confirming an iptables rule
  - From: Frederik Schueler <fs@lowpingbastards.de>
- Re: Confirming an iptables rule
  - From: Lucas Barbuto <lucas@qk.com.au>
- Re: Confirming an iptables rule
  - From: Lucas Barbuto <lucas@qk.com.au>

Prev by Date: Re: Confirming an iptables rule
Next by Date: 2 rather simple iptables questions
Previous by thread: Re: Confirming an iptables rule
Next by thread: Re: Confirming an iptables rule
Index(es):
- Date
- Thread