* When do the rule apply?
@ 2005-06-15 20:01 Alexander Salmin
  2005-06-15 20:09 ` Taylor, Grant
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Alexander Salmin @ 2005-06-15 20:01 UTC (permalink / raw)
  To: netfilter

Hi, I guess this question is just a silly one for experts, but I can't
find the answer anywhere so I'm asking you guys.

In what order do the assigned rules apply in this script? 

# Example1
iptables -A INPUT -j DROP # rule #1
iptables -A INPUT --dport 80 -j ACCEPT # rule #2

#Example2 
iptables -A INPUT --dport 80 -j ACCEPT # rule1
iptables -A INPUT -j DROP # rule2

Will both examples produce the same result?
Or will rule2 in example 2 make rule1 in example2 vanish because it's
telling the system to drop all?



* Re: When do the rule apply?
  2005-06-15 20:01 When do the rule apply? Alexander Salmin
@ 2005-06-15 20:09 ` Taylor, Grant
  2005-06-15 20:10 ` Andy Smith
  2005-06-15 20:11 ` Damon Gray
  2 siblings, 0 replies; 6+ messages in thread
From: Taylor, Grant @ 2005-06-15 20:09 UTC (permalink / raw)
  To: netfilter

Alexander Salmin wrote:
> Hi, I guess this question is just a silly one for experts, but I can't
> find the answer anywhere so I'm asking you guys.
> 
> In what order do the assigned rules apply in this script? 
> 
> # Example1
> iptables -A INPUT -j DROP # rule #1
> iptables -A INPUT --dport 80 -j ACCEPT # rule #2
> 
> #Example2 
> iptables -A INPUT --dport 80 -j ACCEPT # rule1
> iptables -A INPUT -j DROP # rule2
> 
> Will both examples produce the same result?
> Or will rule2 in example 2 make rule1 in example2 vanish because it's
> telling the system to drop all?

I'm not quite sure that I'm reading your question correctly.  Something to keep in mind is that the INPUT chain is traversed until the first (completely) matching rule is found, and then packet traversal of the chain stops and jumps to the target of the matching rule.  With this in mind your two examples would behave like this:

# Example 1
iptables -A INPUT -j DROP
# The above rule will match everything and DROP the traffic as there are no conditions on the rule and everything will match.
iptables -A INPUT --dport 80 -j ACCEPT
# The above rule will never match anything as no packet will ever make it to the rule; it would have matched the prior rule.

# Example 2
iptables -A INPUT --dport 80 -j ACCEPT
# The above rule is broken in that you can not specify --dport without specifying either -p udp or -p tcp.
# The above rule (protocol issue aside) will match any traffic that is destined to port 80 and will jump to the ACCEPT target.
iptables -A INPUT -j DROP
# The above rule will match any traffic that comes to it (was not matched by prior rule(s)) and DROP the traffic as there are no conditions on the rule and everything will match.

I hope this helps you.  If you have any other questions...



Grant. . . .



* Re: When do the rule apply?
  2005-06-15 20:01 When do the rule apply? Alexander Salmin
  2005-06-15 20:09 ` Taylor, Grant
@ 2005-06-15 20:10 ` Andy Smith
  2005-06-15 22:26   ` Rakotomandimby (R12y) Mihamina
  2005-06-16 19:48   ` R. DuFresne
  2005-06-15 20:11 ` Damon Gray
  2 siblings, 2 replies; 6+ messages in thread
From: Andy Smith @ 2005-06-15 20:10 UTC (permalink / raw)
  To: netfilter


On Wed, Jun 15, 2005 at 10:01:54PM +0200, Alexander Salmin wrote:
> Hi, I guess this question is just a silly one for experts, but I can't
> find the answer anywhere so I'm asking you guys.
> 
> In what order do the assigned rules apply in this script? 
> 
> # Example1
> iptables -A INPUT -j DROP # rule #1
> iptables -A INPUT --dport 80 -j ACCEPT # rule #2
> 
> #Example2 
> iptables -A INPUT --dport 80 -j ACCEPT # rule1
> iptables -A INPUT -j DROP # rule2

They apply in the order you've issued them since they are operating
on INPUT and they are appending.

> Will both examples produce the same result?

No; example1 drops everything to INPUT with rule 2 never being
reached, but example2 would ACCEPT packets to port 80.. although
wouldn't that be a syntax error without at least -p tcp or -p udp to
tell it that it is something that has ports?

> Or will rule2 in example 2 make rule1 in example2 vanish because it's
> telling the system to drop all?

No, rules don't affect other rules.  They may not be reached however.



* Re: When do the rule apply?
  2005-06-15 20:01 When do the rule apply? Alexander Salmin
  2005-06-15 20:09 ` Taylor, Grant
  2005-06-15 20:10 ` Andy Smith
@ 2005-06-15 20:11 ` Damon Gray
  2 siblings, 0 replies; 6+ messages in thread
From: Damon Gray @ 2005-06-15 20:11 UTC (permalink / raw)
  To: Alexander Salmin; +Cc: netfilter


In Example1, rule #2 will never be hit. So Example2 is probably what you 
want if you want to accept only port 80 to this machine and deny all 
others.

-Damon-

On Wed, 15 Jun 2005, Alexander Salmin wrote:

> Hi, I guess this question is just a silly one for experts, but I can't
> find the answer anywhere so I'm asking you guys.
>
> In what order do the assigned rules apply in this script?
>
> # Example1
> iptables -A INPUT -j DROP # rule #1
> iptables -A INPUT --dport 80 -j ACCEPT # rule #2
>
> #Example2
> iptables -A INPUT --dport 80 -j ACCEPT # rule1
> iptables -A INPUT -j DROP # rule2
>
> Will both examples produce the same result?
> Or will rule2 in example 2 make rule1 in example2 vanish because it's
> telling the system to drop all?
>
>
>



* Re: When do the rule apply?
  2005-06-15 20:10 ` Andy Smith
@ 2005-06-15 22:26   ` Rakotomandimby (R12y) Mihamina
  2005-06-16 19:48   ` R. DuFresne
  1 sibling, 0 replies; 6+ messages in thread
From: Rakotomandimby (R12y) Mihamina @ 2005-06-15 22:26 UTC (permalink / raw)
  To: netfilter

Andy Smith <andy@strugglers.net> :
> They apply in the order you've issued them since they are operating on
> INPUT and they are appending.

I would add that the original poster can use -P first; that will match
any packet that does not match the listed rules.

-- 
Free software mirror              http://www.etud-orleans.fr
Free software development         http://aspo.rktmb.org/activites/developpement
Dedicated server management       http://aspo.rktmb.org/activites/infogerance
(By renting ASPO's services you help fight the digital divide)





* Re: When do the rule apply?
  2005-06-15 20:10 ` Andy Smith
  2005-06-15 22:26   ` Rakotomandimby (R12y) Mihamina
@ 2005-06-16 19:48   ` R. DuFresne
  1 sibling, 0 replies; 6+ messages in thread
From: R. DuFresne @ 2005-06-16 19:48 UTC (permalink / raw)
  To: Andy Smith; +Cc: netfilter


On Wed, 15 Jun 2005, Andy Smith wrote:

> On Wed, Jun 15, 2005 at 10:01:54PM +0200, Alexander Salmin wrote:
>> Hi, I guess this question is just a silly one for experts, but I can't
>> find the answer anywhere so I'm asking you guys.
>>
>> In what order do the assigned rules apply in this script?
>>
>> # Example1
>> iptables -A INPUT -j DROP # rule #1
>> iptables -A INPUT --dport 80 -j ACCEPT # rule #2
>>
>> #Example2
>> iptables -A INPUT --dport 80 -j ACCEPT # rule1
>> iptables -A INPUT -j DROP # rule2
>
> They apply in the order you've issued them since they are operating
> on INPUT and they are appending.
>
>> Will both examples produce the same result?
>
> No; example1 drops everything to INPUT with rule 2 never being
> reached, but example2 would ACCEPT packets to port 80.. although
> wouldn't that be a syntax error without at least -p tcp or -p udp to
> tell it that it is something that has ports?
>
>> Or will rule2 in example 2 make rule1 in example2 vanish because it's
>> telling the system to drop all?
>
> No, rules don't affect other rules.  They may not be reached however.
>

The first rule in #1 is also redundant, provided the policy is set to DROP 
in the first place, which in most cases is the place to set the 
fallthrough default.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>


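The whole thread turns on one rule of netfilter traversal: a packet walks the chain from the top, the first rule whose every match succeeds decides the verdict, and only a packet that matches no rule falls through to the chain policy set with -P. The following is an added example, not code from the thread or from the netfilter project: a small Python model of that traversal. It is not iptables and does not touch the kernel; it only encodes the behaviour the replies describe (first match wins, --dport needs -p tcp or -p udp, -P supplies the fallthrough verdict) so that the two posted examples, plus the policy-DROP variant Ron suggests, can be compared on sample packets. Packet, Rule, Chain, unreachable_rules and the packets in the demo are all constructed for this example.

```python
"""Model of netfilter chain traversal, to show why rule order matters.

Constructed example, not real iptables. A chain is an ordered list of
rules; a packet is tested against them top to bottom and the first rule
whose match conditions all succeed gives the verdict. If nothing matches,
the chain policy (iptables -P) applies.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None     # destination port, if the protocol has one


@dataclass
class Rule:
    target: str                     # -j ACCEPT or -j DROP
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport

    def __post_init__(self) -> None:
        # iptables rejects --dport unless -p tcp or -p udp is given, because the
        # port match comes from the protocol's match module. Mirror that check.
        if self.dport is not None and self.proto not in ("tcp", "udp"):
            raise ValueError("--dport requires -p tcp or -p udp")

    def matches(self, pkt: Packet) -> bool:
        """Every stated condition must hold; a rule with no conditions matches all."""
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class Chain:
    policy: str = "ACCEPT"                              # iptables -P INPUT <policy>
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:               # iptables -A INPUT ...
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First-match traversal. Returns (verdict, index of the matching rule),
        or (policy, None) when the packet falls off the end of the chain."""
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.target, i
        return self.policy, None


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if every packet that matches `later` also matches `earlier`,
    so `later` can never be reached (for this two-field match model)."""
    return (earlier.proto is None or earlier.proto == later.proto) and \
           (earlier.dport is None or earlier.dport == later.dport)


def unreachable_rules(chain: Chain) -> List[int]:
    """Indices of rules that are dead because an earlier rule shadows them."""
    return [i for i, rule in enumerate(chain.rules)
            if any(shadows(chain.rules[j], rule) for j in range(i))]


def example1() -> Chain:
    """Poster's Example1, with the missing -p tcp added so --dport is legal."""
    chain = Chain(policy="ACCEPT")
    chain.append(Rule("DROP"))                            # -A INPUT -j DROP
    chain.append(Rule("ACCEPT", proto="tcp", dport=80))   # -A INPUT -p tcp --dport 80 -j ACCEPT
    return chain


def example2() -> Chain:
    """Poster's Example2: the port-80 accept sits above the catch-all drop."""
    chain = Chain(policy="ACCEPT")
    chain.append(Rule("ACCEPT", proto="tcp", dport=80))
    chain.append(Rule("DROP"))
    return chain


def example3() -> Chain:
    """Ron's variant: policy DROP makes the trailing catch-all DROP redundant."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", proto="tcp", dport=80))
    return chain


if __name__ == "__main__":
    # Constructed sample packets: an HTTP request and an SSH connection attempt.
    web, ssh = Packet("tcp", 80), Packet("tcp", 22)
    for name, chain in (("example1", example1()), ("example2", example2()), ("example3", example3())):
        print(name, "web:", chain.verdict(web), "ssh:", chain.verdict(ssh),
              "dead rules:", unreachable_rules(chain))
```

Running the demo shows example1 dropping the web packet on rule 0 and reporting rule 1 as dead, while example2 and example3 accept it; with policy DROP, the SSH packet in example3 is dropped by the policy rather than by any rule, which is the redundancy Ron points out. Constructing Rule("ACCEPT", dport=80) without a protocol raises the same objection iptables would.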
