Iptables :: priority of rules

Gordon Messmer yinyang at eburg.com
Fri Feb 23 23:00:37 UTC 2007


Luc MAIGNAN wrote:
> 
> So i Wrote :
> 
> (1) : iptables -I INPUT -p tcp -s 192.168.0.0/24 --dport ssh -j ACCEPT
> (2) : iptables -I INPUT -p tcp -s ! x.x.x.x --dport ssh -j DROP

Double negatives are bad in English, and they're bad in software, too.

You probably wanted to build your rules like this:

iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -s ! x.x.x.x --dport ssh -j DROP

But, even if that was your intention, a packet from x.x.x.x won't 
necessarily be accepted by those rules.  The first rule doesn't match, 
so the packet continues through the chain.  The second rule doesn't 
match, either, so the packet continues through the chain.  The packet 
may, then, match a later rule that drops it, or it may hit the policy, 
which you've stated is DENY.

When your policy is DENY, you probably want to accept related packets 
first, then accept any new packets for sources or destinations that you 
want to allow, and allow the policy to catch everything else.
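The ordering described above, as an added example that is not part of the original thread: a POSIX shell script that emits an INPUT ruleset in iptables-restore format with RELATED,ESTABLISHED accepted first, NEW connections from the allowed sources next, and the DROP policy catching everything else, so no negated `-s` rule is needed at all. Assumptions: the conntrack match is available, ssh is on port 22, and 203.0.113.10 (a documentation address) stands in for the thread's "x.x.x.x"; the `build_ruleset`, `rule_line` and `check_order` names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds the filter table in
# iptables-restore format in the order the reply recommends.
# Constructed values: 192.168.0.0/24 is from the thread, 203.0.113.10 is a
# placeholder for the thread's "x.x.x.x".

LAN_NET="192.168.0.0/24"
ADMIN_HOST="203.0.113.10"   # placeholder for x.x.x.x

# Emit the complete ruleset on stdout (iptables-restore skips '#' lines).
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always local
-A INPUT -i lo -j ACCEPT
# 1. replies to connections we already accepted, before anything else
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 2. packets conntrack cannot classify never get further
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 3. NEW connections only from the sources we explicitly allow
-A INPUT -p tcp -s $LAN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s $ADMIN_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# 4. no trailing DROP rule: the chain policy handles everything else
COMMIT
EOF
}

# Line number of the first ruleset line matching PATTERN (0 if absent).
rule_line() {
    n=$(build_ruleset | grep -n -- "$1" | head -n1 | cut -d: -f1)
    echo "${n:-0}"
}

# Succeeds (exit 0) only when the RELATED,ESTABLISHED accept precedes the
# first rule that accepts NEW ssh connections; fails otherwise.
check_order() {
    est=$(rule_line "ctstate RELATED,ESTABLISHED")
    ssh=$(rule_line "dport 22")
    [ "$est" -gt 0 ] && [ "$ssh" -gt 0 ] && [ "$est" -lt "$ssh" ]
}

# Stand-alone use (assumption: run as root on the host being configured):
#   sh build-input-rules.sh > input.rules && iptables-restore < input.rules
build_ruleset
```

Because the policy already drops what no rule accepts, the "everything except x.x.x.x" rule from the thread disappears entirely; if a negated match is ever needed, current iptables releases write it as `! -s x.x.x.x` rather than `-s ! x.x.x.x`. Newer iptables-restore versions also accept `--test`, which parses the file without committing it.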
