On Thursday, March 19, 2015 01:51:44 AM dE wrote: > Hi! > > I'm using the drop policy for iptables using the following -- > > iptables -P INPUT DROP > iptables -P OUTPUT DROP > iptables -P FORWARD DROP > iptables -A INPUT -p tcp -j ACCEPT > iptables -A INPUT -p udp -j ACCEPT > iptables -A INPUT -p tcp ! -i lo -m multiport --dports 0:79,81:65535 -m > state --state NEW -j DROP > > Unfortunately, in this configuration, none of the ports get blocks. > > This implies that after an ACCEPT, further rules are not matched. Is > this a bug or intended by design? > > If this is by design, how am I supposed to use modules like connlimit > with DROP policy. By design. Once a packet is accepted, no more rules are processed. To do otherwise would be akin to continuing to execute a program after an exit() statement. In a mathmetical sense, netfilter rules are not commutative. Nor are they sorted into a most-specific to most-general order. Rules are processed in the order in which they are added. Because you added a rule that ACCEPTS all TCP packets before the rule that REJECTs certain TCP packets, the prior rule always fires on TCP packets and the latter rule never fires. If you want to affect specific packets, you must add such rules before you add the broader-reaching rules. Or you must insert such rules ahead of the broader rules. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
