Linux Netfilter discussions
From: Alistair Tonner <Alistair@nerdnet.ca>
To: netfilter@lists.netfilter.org
Subject: Re: two negatived parameters
Date: Mon, 6 Sep 2004 04:49:01 -0400
Message-ID: <200409060449.02415.Alistair@nerdnet.ca>
In-Reply-To: <7421.1094459312@www2.gmx.net>

On September 6, 2004 04:28 am, Akolinare@gmx.net wrote:
> Hi,
>
> I have a little question with two negatived parameters in one rule.
>
> I create a rule, which should only match if source and destination are not
> the given. I think that it is easy and try the following rule:
>
> iptables -A FORWARD -s ! host1 -d ! host2 -j ACCEPT
>
> But with this rule packets from host1 to host3 (or from host2 to host3) were
> not affected. It seems like the logical combination is OR and not AND,
> unlike the not negatived rule.
> I think that the rule is logical right. Is it a little bug or have I
> misunderstood something?
>
> I used the version 1.2.11 with kernel 2.4.26.
>
>   Markus

	I take it to mean that packets from host2 to host3 were NOT accepted by this 
rule? ... What do the counters for the rule say? ( iptables -L -n -v -x )

	What other rules exist that might affect said packets? -- I note the above is 
an ADD (-A). Could rules farther up the FORWARD chain have already 
accepted/denied the said packets?

	FYI -- I just tested this by inserting a double negative rule in my firewall 

	iptables -I tcp_packets -p tcp -s ! {internal_lan} -d ! {internal lan ip} 
--dport 25 -j allowed 

	and sending myself an email from outside.  The packet counter incremented 
appropriately.

	2.6.7 linux iptables 1.2.11

	and now that rule is gone.

	Alistair

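The semantics the thread is circling around can be checked without a kernel. What follows is an added illustration, not code posted by Markus or Alistair and not part of iptables or netfilter: a small model of how iptables evaluates the matches in one rule, with host1/host2/host3 standing in for the thread's placeholder names and only -s and -d modelled. Two things it shows: every match in a rule is ANDed and `!` inverts a single match, so `-s ! host1 -d ! host2` accepts only packets that are neither from host1 nor to host2 (De Morgan: NOT (A OR B)); and the other reading, "accept unless the packet is from host1 AND to host2", cannot be written in one rule at all and needs a user-defined chain with a RETURN. The counters mirror the pkts column Alistair asks for with `iptables -L -n -v -x`.

```python
# Added illustration for this thread (not code from the posters or from the
# netfilter project): a miniature model of how iptables evaluates the matches
# in one rule, so the two-negations question can be checked without a kernel.
# host1/host2/host3 are the thread's placeholder names; only -s and -d are
# modelled, and the pkts counters stand in for the pkts column of
# `iptables -L -n -v -x`.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, str]        # (source host, destination host)
TERMINAL = ("ACCEPT", "DROP", "RETURN")


@dataclass
class Rule:
    target: str                  # ACCEPT, DROP, RETURN, or a user-defined chain
    src: Optional[str] = None    # -s host  (None: any source)
    dst: Optional[str] = None    # -d host  (None: any destination)
    neg_src: bool = False        # '!' applied to -s
    neg_dst: bool = False        # '!' applied to -d
    pkts: int = 0                # packets that matched this rule

    def matches(self, pkt: Packet) -> bool:
        # Each match in a rule is tested on its own and the rule fires only
        # when every one of them is true.  '!' inverts a single match, so
        #   -s ! host1 -d ! host2
        # means (src != host1) AND (dst != host2), which by De Morgan is
        # NOT (src == host1 OR dst == host2).  There is no OR between matches
        # and no way to write NOT (A AND B) inside one rule.
        src_ok = self.src is None or ((pkt[0] == self.src) != self.neg_src)
        dst_ok = self.dst is None or ((pkt[1] == self.dst) != self.neg_dst)
        return src_ok and dst_ok


Ruleset = Dict[str, List[Rule]]


def _walk(chains: Ruleset, chain: str, pkt: Packet) -> str:
    # First matching rule decides; a user-defined chain is entered via -j and
    # either ends the walk (ACCEPT/DROP) or RETURNs to the calling chain.
    for rule in chains[chain]:
        if not rule.matches(pkt):
            continue
        rule.pkts += 1
        if rule.target in TERMINAL:
            return rule.target
        sub = _walk(chains, rule.target, pkt)
        if sub != "RETURN":
            return sub
    return "RETURN"              # fell off the end of the chain


def verdict(chains: Ruleset, pkt: Packet, chain: str = "FORWARD",
            policy: str = "DROP") -> str:
    # RETURN in (or falling off the end of) a built-in chain applies its policy.
    result = _walk(chains, chain, pkt)
    return policy if result == "RETURN" else result


def thread_rule() -> Ruleset:
    # Markus's rule:  iptables -A FORWARD -s ! host1 -d ! host2 -j ACCEPT
    # (newer iptables spell the negation ! -s host1 ! -d host2; same meaning)
    return {"FORWARD": [Rule("ACCEPT", src="host1", dst="host2",
                             neg_src=True, neg_dst=True)]}


def not_both() -> Ruleset:
    # Accept unless the packet is BOTH from host1 AND to host2, i.e.
    # NOT (A AND B).  iptables cannot express that in one rule; the usual
    # construction is a user chain that RETURNs for the A-AND-B case:
    #   iptables -N notboth
    #   iptables -A notboth -s host1 -d host2 -j RETURN
    #   iptables -A notboth -j ACCEPT
    #   iptables -A FORWARD -j notboth
    return {
        "FORWARD": [Rule("notboth")],
        "notboth": [Rule("RETURN", src="host1", dst="host2"), Rule("ACCEPT")],
    }


def run(chains: Ruleset, pkts: List[Packet]) -> Dict[Packet, str]:
    # Push a batch of constructed packets through FORWARD and collect the
    # verdicts; afterwards the rules' pkts fields are what -L -v -x would print.
    return {pkt: verdict(chains, pkt) for pkt in pkts}


if __name__ == "__main__":
    sample = [("host1", "host3"), ("host2", "host3"),
              ("host3", "host2"), ("host1", "host2"), ("host4", "host5")]
    for name, rs in (("-s ! host1 -d ! host2", thread_rule()),
                     ("NOT (src host1 AND dst host2)", not_both())):
        print(name)
        for pkt, v in run(rs, sample).items():
            print(f"  {pkt[0]} -> {pkt[1]}: {v}")
        print("  counters:", {c: [r.pkts for r in rules] for c, rules in rs.items()})
```

Under this model a packet from host1 to host3 does not match Markus's rule at all (its source is host1, so the negated -s match is false), which is the AND behaviour the thread expects; whether the real counters agree is exactly what `iptables -L -n -v -x` and a look at earlier FORWARD rules would settle.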
