Re: Iptables :: priority of rules

Tim:
>>> You can have a default drop rule on all input traffic, then add a couple
>>> of specific rules to allow it from your local network, and another to
>>> allow it from a specific address.

Luc MAIGNAN:

>> In fact, isn't that what I wrote?


Res:
> No, I believe Tim meant a default drop "policy" then the rules you add are 
> accepts.
> 
> eg:
> iptables -P INPUT DROP
> iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
> iptables -A INPUT -s special.ip.allowed -j ACCEPT

Res is right, that's what I meant, and I think I see the problem in your
original rules:

>>>> (1) : iptables -I INPUT -p tcp -s 192.168.0.0/24 --dport ssh -j ACCEPT

If address is this (above), allow.  So far so good.  It'll do what you
expect.

>>>> (2) : iptables -I INPUT -p tcp -s ! x.x.x.x --dport ssh -j DROP

If address is not that (above), don't allow.  The 192.168. address
*also* is not that address, and I think this rule will be processed on
top of the prior one.

Change that to being one where if it *is* the specific address that you
want, you accept it.  Then you'll have two accept rules that don't
conflict.

Alternatively, you could try putting this rule before the other.

Your later message about having a default drop policy means that the
specific drop rule, above, is redundant, anyway.  It's ages since I
wrote any complex iptables rules, and always tried to avoid negative
logic, especially in combination with other things.  If you have
different interfaces (e.g. internet on ppp0 and LAN on eth0), it gets
easier to treat one differently than the other, but when you have
everything through the same interface you have to do it using the
addresses.

-- 
(This PC runs FC4, my others FC5 & FC6, in case that's important
 to the thread)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
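To make the ordering point concrete, here is an added simulation (not from the thread, and not iptables itself) of the kernel's first-match walk over the source-address part of the rules above. It assumes `203.0.113.10` stands in for the thread's `x.x.x.x`, that both original rules were added with `-I` in the order (1) then (2), and it ignores the `-p tcp --dport ssh` match, since the ordering problem lies in the address logic.

```python
import ipaddress

# Constructed placeholder for the thread's "x.x.x.x" special address.
SPECIAL_IP = "203.0.113.10"
LAN = "192.168.0.0/24"


def matches(rule, src):
    """True if the packet source matches the rule's -s spec ('!' negates it)."""
    hit = ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
    return not hit if rule["negate"] else hit


def add_rule(chain, rule, insert=False):
    """-I puts the rule at the head of the chain; -A appends it to the tail."""
    if insert:
        chain.insert(0, rule)
    else:
        chain.append(rule)


def evaluate(chain, policy, src):
    """The first matching rule decides; if none matches, the chain policy applies."""
    for rule in chain:
        if matches(rule, src):
            return rule["target"]
    return policy


def original_chain():
    """Luc's two rules, both inserted with -I, under a default ACCEPT policy."""
    chain = []
    add_rule(chain, {"src": LAN, "negate": False, "target": "ACCEPT"}, insert=True)      # (1)
    add_rule(chain, {"src": SPECIAL_IP, "negate": True, "target": "DROP"}, insert=True)  # (2), now on top
    return chain, "ACCEPT"


def corrected_chain():
    """Res's version: DROP policy plus two appended accept rules, no negation."""
    chain = []
    add_rule(chain, {"src": LAN, "negate": False, "target": "ACCEPT"})
    add_rule(chain, {"src": SPECIAL_IP, "negate": False, "target": "ACCEPT"})
    return chain, "DROP"


def outcomes(build):
    """Verdict for a LAN host, the special address, and an unrelated outside host."""
    chain, policy = build()
    return {src: evaluate(chain, policy, src)
            for src in ("192.168.0.5", SPECIAL_IP, "198.51.100.7")}


if __name__ == "__main__":
    print("original :", outcomes(original_chain))   # LAN host gets DROP
    print("corrected:", outcomes(corrected_chain))  # LAN host gets ACCEPT
```

Because rule (2) was inserted last, it sits first, and its negated match is true for every source except the special address, so the LAN rule is never reached.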
