From: "Taylor, Grant" <gtaylor@riverviewtech.net>
To: netfilter@lists.netfilter.org
Subject: Re: When do the rule apply?
Date: Wed, 15 Jun 2005 15:09:17 -0500
Message-ID: <42B08AED.30708@riverviewtech.net>
In-Reply-To: <393114f905061513012ac2216a@mail.gmail.com>
Alexander Salmin wrote:
> Hi, I guess this question is just a silly one for experts, but I can't
> find the answer anywhere so I'm asking you guys.
>
> In what order do the assigned rules apply in this script?
>
> # Example1
> iptables -A INPUT -j DROP # rule #1
> iptables -A INPUT --dport 80 -j ACCEPT # rule #2
>
> #Example2
> iptables -A INPUT --dport 80 -j ACCEPT # rule1
> iptables -A INPUT -j DROP # rule2
>
> Will the both examples produce the same result?
> Or will rule2 in example 2 make rule1 in example2 vanish because it's
> telling the system to drop all?
I'm not quite sure that I'm reading your question correctly. Something to keep in mind is that the INPUT chain is traversed until the first (completely) matching rule is found and then packet traversal of the chain stops and jumps to the target of the matching rule. With this in mind your two examples would behave like this:
# Example 1
iptables -A INPUT -j DROP
# The above rule will match everything and DROP the traffic as there are no conditions on the rule and everything will match.
iptables -A INPUT --dport 80 -j ACCEPT
# The above rule will never match anything as no packet will ever make it to the rule as it would have matched the prior rule.
# Example 2
iptables -A INPUT --dport 80 -j ACCEPT
# The above rule is broken in such that you can not specify --dport without specifying either -p udp or -p tcp.
# The above rule (protocol issue aside) will match any traffic that is destined to port 80 and will jump to the ACCEPT target.
iptables -A INPUT -j DROP
# The above rule will match any traffic that comes to it (was not matched by prior rule(s)) and DROP the traffic as there are no conditions on the rule and everything will match.
I hope this helps you. If you have any other questions...
Grant. . . .
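The first-match traversal described in the reply, as an added simulation that is not part of the original thread or of iptables itself. It models a chain as an ordered list of rules, walks it the way netfilter does (first completely matching rule decides, otherwise the chain policy applies), and also flags rules that can never be reached because an earlier rule already matches everything they could match. The `Rule`, `Packet`, `traverse` and `unreachable_rules` names, the ACCEPT default policy, and the sample packets are all assumptions made for this example; the two chains are the thread's examples with `-p tcp` added so that `--dport 80` is valid.

```python
"""Constructed simulation of netfilter chain traversal (not iptables code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One chain entry: match conditions plus a target (assumed names)."""
    target: str                  # "ACCEPT" or "DROP"
    proto: Optional[str] = None  # "tcp", "udp", or None meaning any protocol
    dport: Optional[int] = None  # destination port, or None meaning any port

    def matches(self, proto: str, dport: int) -> bool:
        """A rule matches only when every stated condition holds."""
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


@dataclass(frozen=True)
class Packet:
    """Just enough of a packet for these rules (constructed)."""
    proto: str
    dport: int


def traverse(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """Walk the chain in order; the first completely matching rule decides."""
    for rule in chain:
        if rule.matches(pkt.proto, pkt.dport):
            return rule.target
    # No rule matched: the chain policy applies (ACCEPT is assumed here,
    # which is the iptables built-in default unless changed with -P).
    return policy


def shadows(earlier: Rule, later: Rule) -> bool:
    """True if every packet 'later' could match is already taken by 'earlier'."""
    proto_ok = earlier.proto is None or earlier.proto == later.proto
    dport_ok = earlier.dport is None or earlier.dport == later.dport
    return proto_ok and dport_ok


def unreachable_rules(chain: List[Rule]) -> List[int]:
    """Indexes of rules that no packet can ever reach (dead rules)."""
    dead = []
    for i, rule in enumerate(chain):
        if any(shadows(chain[j], rule) for j in range(i)):
            dead.append(i)
    return dead


# Example 1 from the thread: "iptables -A INPUT -j DROP" first, then
# "iptables -A INPUT -p tcp --dport 80 -j ACCEPT" (-p tcp added).
EXAMPLE1 = [Rule("DROP"), Rule("ACCEPT", proto="tcp", dport=80)]

# Example 2 from the thread: the ACCEPT for tcp/80 first, then DROP everything.
EXAMPLE2 = [Rule("ACCEPT", proto="tcp", dport=80), Rule("DROP")]


if __name__ == "__main__":
    web = Packet("tcp", 80)   # constructed sample packets
    ssh = Packet("tcp", 22)
    for name, chain in (("Example 1", EXAMPLE1), ("Example 2", EXAMPLE2)):
        print(name, "tcp/80 ->", traverse(chain, web),
              "| tcp/22 ->", traverse(chain, ssh),
              "| dead rules:", unreachable_rules(chain))
```

Running the block prints that Example 1 drops both packets and reports rule index 1 as dead, while Example 2 accepts tcp/80, drops tcp/22 and has no unreachable rule. The shadow check is deliberately simple (it only understands protocol and destination port), but the same idea is what you apply by hand when reading `iptables -L -n --line-numbers` output: any rule that sits below a catch-all `-j DROP` in the same chain can never fire.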