Yes I see that. But what I am concerned with is the two snmp rules that follow those. If I put the snmp rules ahead, they don't match. If I put them after, then they do match. I pasted the rules again to make it easier to see.

#Deny All Traffic to Interface except SSH and ICMP
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j DROP #CMTS Link
$IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j DROP #CMTS Link

##Allow SNMP Calls Via MRTG To This Interface Only
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
$IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT

Walt Wyndroski

----- Original Message -----
From: "Robert Kurjata" <rkurjata@xxxxxxxxxxxxx>
To: "Walter D. Wyndroski" <wdwrn@xxxxxxxxxxxxxxxx>
Sent: Thursday, October 23, 2003 3:25 AM
Subject: Re: iptables question

> Hello Walter,
>
> In your letter dated 23 October 2003 (05:45:01) one can read:
>
> WDW> First off, I know this is the LARTC list, but I've been living on this
> WDW> list for over a year now. :) Now with that said, I'm probably going to
> WDW> get flamed for my question. :)
>
> No flames, but direct answer :)
>
> WDW> I've read that iptables is a first match wins system. My recent
> WDW> experience is showing that it is a last match wins. I understand that
> WDW> if a packet is matched in prerouting chain, it may be matched again in
> WDW> a subsequent chain unless the jump target was drop.
>
> I think you should consider it like First Matched Wins :) so it's
> working fine. I don't see why you're saying that first example is last
> match wins. It just depends on packet:
>
> (let's see the example where only first three lines are in the script)
>
> icmp - first matched and accepted
> not tcp - (udp) - matched and dropped
> tcp dst port other than 22 - matched and dropped
>
> tcp dst port 22 matched by default chain policy (dropped or accepted)
>
> WDW> NOTE: I am not using iptables as a true firewall, much as most people
> WDW> on this list do not. I'm primarily using iptables to mark packets and
> WDW> drop them for securing my network and to deny all traffic to my router
> WDW> except for a few exclusive ports.
> WDW> The following is an excerpt from my router script on how I'm handling
> WDW> certain traffic to my router and this works: (This example is a last
> WDW> match wins)
> WDW>
> WDW> #Deny All Traffic to Interface except SSH and ICMP
> WDW> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT
> WDW> #CMTS Link
> WDW> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j DROP
> WDW> #CMTS Link
> WDW> $IPTABLES -A FORWARD -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j DROP
> WDW> #CMTS Link
> WDW>
> WDW> ##Allow SNMP Calls Via MRTG To This Interface Only
> WDW> $IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
> WDW> $IPTABLES -A FORWARD -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
> WDW>
> WDW> This is how I was doing it and it worked: (This example is a first
> WDW> match wins)
> WDW> (note: I was routing the fwmark 1 to blackhole)
> WDW>
> WDW> ##Allow SNMP Calls Via MRTG To This Interface Only
> WDW> $IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 161 -j ACCEPT
> WDW> $IPTABLES -A PREROUTING -i eth3 -t mangle --src 66.28.168.226 --dst 172.20.0.5 -p udp --dport 162 -j ACCEPT
> WDW>
> WDW> #Deny All Traffic to Interface except SSH and ICMP
> WDW> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p icmp -j ACCEPT
> WDW> #CMTS Link
> WDW> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p ! tcp -j MARK --set-mark 1
> WDW> #CMTS Link
> WDW> $IPTABLES -A PREROUTING -i eth+ -t mangle --dst 172.20.0.5 -p tcp --dport ! 22 -j MARK --set-mark 1
> WDW> #CMTS Link
> WDW>
> WDW> I just need someone to tell me when is iptables using first match wins
> WDW> versus last match wins. I think I am missing something but I am not
> WDW> sure. I stay so busy with other tasks that I cannot devote the time
> WDW> that I need and would like to this. Anyway, many thanks in advance.
> WDW>
> WDW> Walt Wyndroski
> WDW>
> WDW> This message has been scanned by CityNET's email scanner for viruses
> WDW> and dangerous content and is believed to be clean. CityNET is proud to
> WDW> use MailScanner. For more information concerning MailScanner, visit
> WDW> http://www.mailscanner.info
>
> --
> Regards,
> Robert mailto:rkurjata@xxxxxxxxxxxxx

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
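As an added example, not part of the thread and not written by either poster, here is a small Python model of the rule Robert describes: a chain is walked top to bottom, the first matching rule with a terminating target (ACCEPT or DROP) decides, and MARK is non-terminating so the walk continues past it. It replays the two rule sets quoted above in both orders for a constructed udp/161 poll from the MRTG host. The Packet and Rule classes, the helper names, and the sample packets are my own assumptions; the model covers one chain only and ignores the other tables the same packet later passes through, so it illustrates the ordering rule rather than reproducing Walt's observation.

```python
"""Toy model of iptables chain traversal (added illustration, not iptables):
first matching terminating rule decides; MARK sets a value and falls through."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROUTER = "172.20.0.5"      # the --dst used by every rule in the thread
MRTG = "66.28.168.226"     # the --src of the SNMP rules in the thread


@dataclass
class Packet:              # hypothetical minimal packet representation
    in_iface: str
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    mark: int = 0          # fwmark, written by a MARK target


@dataclass
class Rule:                # hypothetical model of one -A rule
    target: str                      # "ACCEPT", "DROP" or "MARK"
    in_iface: Optional[str] = None   # "eth+" = any interface named eth*
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    proto_negate: bool = False       # -p ! tcp
    dport: Optional[int] = None
    dport_negate: bool = False       # --dport ! 22
    set_mark: int = 0                # value for MARK --set-mark

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and not iface_match(self.in_iface, pkt.in_iface):
            return False
        if self.src is not None and pkt.src != self.src:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        # a negated match succeeds exactly when the plain comparison fails
        if self.proto is not None and (pkt.proto == self.proto) == self.proto_negate:
            return False
        if self.dport is not None:
            if pkt.dport is None or (pkt.dport == self.dport) == self.dport_negate:
                return False
        return True


def iface_match(pattern: str, name: str) -> bool:
    """iptables '+' wildcard: 'eth+' matches eth0, eth3, ..."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def traverse(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> Tuple[str, Optional[int]]:
    """Return (verdict, index of the deciding rule, or None if the policy applied).
    MARK only updates pkt.mark and lets the walk continue."""
    for i, rule in enumerate(chain):
        if not rule.matches(pkt):
            continue
        if rule.target == "MARK":
            pkt.mark = rule.set_mark
            continue
        return rule.target, i
    return policy, None


def deny_rules(drop_target: str = "DROP") -> List[Rule]:
    """The three 'Deny All Traffic to Interface except SSH and ICMP' rules.
    drop_target="MARK" gives the PREROUTING variant with --set-mark 1."""
    return [
        Rule("ACCEPT", in_iface="eth+", dst=ROUTER, proto="icmp"),
        Rule(drop_target, in_iface="eth+", dst=ROUTER, proto="tcp", proto_negate=True, set_mark=1),
        Rule(drop_target, in_iface="eth+", dst=ROUTER, proto="tcp", dport=22, dport_negate=True, set_mark=1),
    ]


def snmp_rules() -> List[Rule]:
    """'Allow SNMP Calls Via MRTG To This Interface Only' (udp/161 and udp/162)."""
    return [Rule("ACCEPT", in_iface="eth3", src=MRTG, dst=ROUTER, proto="udp", dport=p)
            for p in (161, 162)]


def snmp_poll() -> Packet:
    # constructed sample: an SNMP poll from the MRTG host arriving on eth3
    return Packet("eth3", MRTG, ROUTER, "udp", 161)


def snmp_after_deny(drop_target: str = "DROP") -> Tuple[str, Optional[int], int]:
    """Deny rules first, SNMP rules appended after them; returns verdict, index, mark."""
    pkt = snmp_poll()
    verdict, idx = traverse(deny_rules(drop_target) + snmp_rules(), pkt)
    return verdict, idx, pkt.mark


def snmp_before_deny(drop_target: str = "DROP") -> Tuple[str, Optional[int], int]:
    """SNMP rules first, deny rules after them; returns verdict, index, mark."""
    pkt = snmp_poll()
    verdict, idx = traverse(snmp_rules() + deny_rules(drop_target), pkt)
    return verdict, idx, pkt.mark


if __name__ == "__main__":
    print("DROP chain, SNMP after deny :", snmp_after_deny())          # ('DROP', 1, 0)
    print("DROP chain, SNMP before deny:", snmp_before_deny())         # ('ACCEPT', 0, 0)
    print("MARK chain, SNMP after deny :", snmp_after_deny("MARK"))    # ('ACCEPT', 3, 1)
    print("MARK chain, SNMP before deny:", snmp_before_deny("MARK"))   # ('ACCEPT', 0, 0)
```

Under this model the udp/161 poll never reaches SNMP rules that sit after the `-p ! tcp -j DROP` rule, because that rule terminates the walk first. In the MARK variant the later SNMP rule is reached and accepts the packet, but by then the packet already carries mark 1, so a policy route sending mark 1 to a blackhole would still discard it; putting the SNMP rules first leaves the mark at 0. That is the practical reason to order specific allow rules before broad deny or mark rules, and to remember that MARK does not stop traversal.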