Re: Fw: [fw-wiz] Is the order of the rules entered in iptables important?

From: rob.roberson@verizon.com
Date: 08/01/02


From: rob.roberson@verizon.com
To: "Kenny G. Dubuisson, Jr." <kdubuisson@kcmria.com>
Date: Thu Aug  1 10:22:01 2002

Kenny -

The INPUT, OUTPUT, and FORWARD chains are all different in IPTables.

Input is for packets destined for the local box.
Output is only for locally generated packets.
Forward is for packets to be routed.

You might want different rules or the same rules for each type of packet!

~Rob Roberson
Systems/Network Engineer
Blue Dragon Studio
rob@bluedragonstudio.com

From: "Kenny G. Dubuisson, Jr." <kdubuisson@kcmria.com>
Sent by: firewall-wizards-admin@honor.icsalabs.com
Date: 08/01/2002 09:27 AM
To: <firewall-wizards@honor.icsalabs.com>
cc:
Subject: Fw: [fw-wiz] Is the order of the rules entered in iptables important?

----- Original Message -----
From: "Kenny G. Dubuisson, Jr." <kdubuisson@kcmria.com>
To: <firewall-wizards@honor.icslabs.com>
Sent: Thursday, August 01, 2002 8:23 AM
Subject: Fw: [fw-wiz] Is the order of the rules entered in iptables important?

> Thanks for the responses. Now another question: Do I have to duplicate my
> rules on the INPUT chain on the OUTPUT and FORWARD chains? The examples
> that I've been using to study what we want to do show rules duplicated from
> the INPUT chain to the OUTPUT and FORWARD chains. But my understanding is
> that if a rule is hit in the INPUT chain and the target is ACCEPT, it skips
> the other chains. Anything that you could provide to help clear this up
> would be very appreciated.
>
> Thanks again,
> Kenny
>
> ----- Original Message -----
> From: <rob.roberson@verizon.com>
> To: "Kenny G. Dubuisson, Jr." <kdubuisson@kcmria.com>
> Cc: <firewall-wizards@honor.icslabs.com>
> Sent: Thursday, August 01, 2002 7:35 AM
> Subject: Re: [fw-wiz] Is the order of the rules entered in iptables important?
>
>
> >
> > Kenny -
> >
> > The order is definitely important. The first rule that matches the packet
> > is the one that takes effect. IPTables rules can be inserted between other
> > rules by number.
> > The exact syntax is in the man pages. Good luck!
> >
> >
> > ~Rob Roberson
> > Systems/Network Engineer
> > Blue Dragon Studio
> > rob@bluedragonstudio.com
> >
> >
> > From: "Kenny G. Dubuisson, Jr." <kdubuisson@kcmria.com>
> > Sent by: firewall-wizards-admin@honor.icsalabs.com
> > Date: 08/01/2002 08:17 AM
> > To: <firewall-wizards@honor.icsalabs.com>
> > cc:
> > Subject: [fw-wiz] Is the order of the rules entered in iptables important?
> >
> > Hello all. I'm new to the list. I have a quick question: does the order
> > in which rules are added for an iptables table matter? I have a firewall
> > that has a pre-built iptables script that runs on boot. Once the system boots,
> > I'm trying to add additional rules to the default chains but my rules are
> > not working. I was wondering if that is because the boot script has, as
> > its last rule, a DENY target and since it was "entered" before my new
> > rules, the DENY is always hit first.
> >
> > Thanks in advance,
> > Kenny
> >
>

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
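The two points Rob makes in this thread (first matching rule wins, so a rule appended after a catch-all is never reached and must be inserted by number; and INPUT, OUTPUT and FORWARD are separate chains, so a packet only ever traverses one of them), worked as a small Python model of the filter table. This is an added example, not code from the thread or from iptables itself; the firewall address in LOCAL_ADDRS, the sample packets and the rule set are constructed, and Kenny's DENY is modelled as iptables' DROP target.

```python
# Added example, not from the thread: a minimal model of the iptables filter
# table. Addresses and rules are constructed for illustration.
LOCAL_ADDRS = {"192.0.2.1"}  # constructed: the firewall's own address

class Chain:
    def __init__(self, policy: str = "DROP"):
        self.rules: list[tuple[dict, str]] = []  # (match fields, target)
        self.policy = policy  # applied when no rule matches

    def append(self, match: dict, target: str) -> None:
        self.rules.append((match, target))  # like `iptables -A CHAIN`

    def insert(self, match: dict, target: str, rulenum: int = 1) -> None:
        self.rules.insert(rulenum - 1, (match, target))  # like `iptables -I CHAIN rulenum`

    def verdict(self, pkt: dict) -> str:
        # First rule whose fields all agree with the packet wins; {} matches everything.
        for match, target in self.rules:
            if all(pkt.get(k) == v for k, v in match.items()):
                return target
        return self.policy

def which_chain(pkt: dict) -> str:
    # Routing decision: locally generated -> OUTPUT, addressed to us -> INPUT, else FORWARD.
    if pkt["src"] in LOCAL_ADDRS:
        return "OUTPUT"
    return "INPUT" if pkt["dst"] in LOCAL_ADDRS else "FORWARD"

def filter_packet(chains: dict[str, Chain], pkt: dict) -> str:
    return chains[which_chain(pkt)].verdict(pkt)  # exactly one chain sees the packet

def demo() -> dict[str, str]:
    chains = {name: Chain() for name in ("INPUT", "OUTPUT", "FORWARD")}
    # Boot script: allow SSH, then a catch-all DROP as the last rule.
    chains["INPUT"].append({"proto": "tcp", "dport": 22}, "ACCEPT")
    chains["INPUT"].append({}, "DROP")
    # Appending an HTTP rule afterwards lands it behind the catch-all: never reached.
    chains["INPUT"].append({"proto": "tcp", "dport": 80}, "ACCEPT")
    http_to_us = {"src": "198.51.100.7", "dst": "192.0.2.1", "proto": "tcp", "dport": 80}
    appended = filter_packet(chains, http_to_us)  # DROP
    # Inserting it as rule 2, ahead of the catch-all, makes it take effect.
    chains["INPUT"].insert({"proto": "tcp", "dport": 80}, "ACCEPT", rulenum=2)
    inserted = filter_packet(chains, http_to_us)  # ACCEPT
    # The same flow routed through the box traverses only FORWARD, so INPUT's
    # ACCEPT does not apply and FORWARD's policy decides.
    http_through = {"src": "198.51.100.7", "dst": "203.0.113.9", "proto": "tcp", "dport": 80}
    forwarded = filter_packet(chains, http_through)  # DROP
    return {"appended": appended, "inserted": inserted, "forwarded": forwarded}
```

On a real box the equivalent check is `iptables -L INPUT -n --line-numbers` to find the catch-all's rule number, then `iptables -I INPUT <n> ...` to place the new rule ahead of it.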
