IPTables is just that: A table. A packet is said to traverse the table, i.e. it starts at the first rule and checks for a match. If the rule's conditions do not match the packet, then that rule is ignored and the packet is compared against the second rule, so on and so forth until it finds a match. If it doesn't find a match, that is where the default rule comes into play.

In your case, whichever rule is first is the rule that will pick the packet. So in what you have provided, the very top rule will be used and the other two ignored.

HTH

Anthony Sadler
Far Edge Technology
w: (02) 8425 1400

-----Original Message-----
From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Padraig Houlahan
Sent: Wednesday, 24 May 2006 09:59
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: precedence and redundancy questions re ACCEPT vs NEW

Greetings:

If my firewall receives a packet from 1.2.3.4, which rule accepts it?

-A INPUT -s 1.2.3.4 -j ACCEPT
-A INPUT -s 1.2.3.4 -m state --state NEW -j ACCEPT
-A INPUT -s 1.2.3.4 -p TCP --syn -j ACCEPT

Does it matter if the packet is the first of a new connection? Are these lines redundant in the sense they will all allow a first connection packet through? Are rules #2 and #3 the same?

Regards,

PH

++++++++++++
Padraig Houlahan
IT Manager
Lowell Observatory
Flagstaff, AZ
928-774-3358 x 214
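
Added example, not part of the original thread: a small Python model of first-match chain traversal over the three rules quoted in the question, which also lists every rule whose conditions a packet satisfies so the overlap between them is visible. The Packet fields, the sample packets, the conntrack state carried as a plain field and the DROP default policy are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                      # "tcp", "udp", "icmp"
    ctstate: str                    # conntrack state, modelled here as a plain field
    flags: frozenset = frozenset()  # TCP flags set on the packet

def m_src(addr):
    return lambda p: p.src == addr

def m_state(state):
    return lambda p: p.ctstate == state

def m_syn():
    # --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN
    return lambda p: p.proto == "tcp" and p.flags & {"SYN", "RST", "ACK", "FIN"} == {"SYN"}

# The three rules from the question, in the order given.
CHAIN = [
    ("-s 1.2.3.4 -j ACCEPT", [m_src("1.2.3.4")], "ACCEPT"),
    ("-s 1.2.3.4 -m state --state NEW -j ACCEPT", [m_src("1.2.3.4"), m_state("NEW")], "ACCEPT"),
    ("-s 1.2.3.4 -p TCP --syn -j ACCEPT", [m_src("1.2.3.4"), m_syn()], "ACCEPT"),
]

def traverse(chain, pkt, policy="DROP"):
    """Return (rule_number, verdict); rule_number is None when the policy decides."""
    for num, (_text, matches, target) in enumerate(chain, start=1):
        if all(m(pkt) for m in matches):
            return num, target       # first matching rule ends traversal
    return None, policy              # assumed default policy for the illustration

def matching_rules(chain, pkt):
    """Every rule whose conditions match, ignoring order (shows the overlap)."""
    return [n for n, (_t, ms, _tg) in enumerate(chain, 1) if all(m(pkt) for m in ms)]

# Constructed sample packets.
SYN = Packet("1.2.3.4", "tcp", "NEW", frozenset({"SYN"}))
ACK = Packet("1.2.3.4", "tcp", "ESTABLISHED", frozenset({"ACK"}))
UDP = Packet("1.2.3.4", "udp", "NEW")
OTHER = Packet("5.6.7.8", "tcp", "NEW", frozenset({"SYN"}))

if __name__ == "__main__":
    for name, pkt in [("SYN", SYN), ("ACK", ACK), ("UDP", UDP), ("OTHER", OTHER)]:
        print(name, traverse(CHAIN, pkt), matching_rules(CHAIN, pkt))
```

On a live system, the per-rule packet counters shown by `iptables -L INPUT -v -n --line-numbers` indicate which rule actually matched.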