Firewall Wizards mailing list archives
Re: Is the order of the rules entered in iptables important?
From: Christopher Hicks <chicks () chicks net>
Date: Thu, 1 Aug 2002 08:53:10 -0400 (EDT)
On Thu, 1 Aug 2002, Kenny G. Dubuisson, Jr. wrote:
> does the order in which rules are added for an iptables table matter?
Yes. I'm not aware of many firewall ruleset systems where the order doesn't matter.
> Once the system boots, I'm trying to add additional rules to the default chains but my rules are not working. I was wondering if that is because the boot script has, as its last rule, a DENY target and since it was "entered" before my new rules, the DENY is always hit first.
Yes. So my guess would be that you're following one of the recipes out there and adding your rules with -A:

    -A, --append
        Append one or more rules to the end of the selected chain. When the source and/or destination names resolve to more than one address, a rule will be added for each possible address combination.

While what you need to be doing is an insert:

    -I, --insert
        Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

If I'm going to be working on a set of rules by hand on a regular basis it makes life easier to add a new chain someplace appropriate, like the top of INPUT, and do my "playing" there. I've even managed to get iptables to let me set up chains that I then have cron jobs automatically add and remove rules from. I prevent the use of AIM during business hours at one place and cut off the Internet access for my kids after they're supposed to be asleep. I would have had a much harder time doing these things without making my own chain. I can add and delete rules from the "play chain" and be confident that the order doesn't matter because I don't add anything to the play chain where the order matters. So my crontab entries just add and delete individual rules. The rules that are added and deleted this way are often simply jumps to other chains so that I can, for instance, have my AIM blocking script block 3 distinct AOL subnets, which entails 3 rules on a chain named "killaim". Fun.

-- 
</chris>

"The first rule of Perl club is you do not talk about Perl club."
-- Chip Salzenberg
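The insert-at-the-head and private "play chain" approach described in the reply above, as an added example that is not part of the original post. It assumes a chain named `play`, a pre-existing `killaim` chain holding the subnet rules, a hypothetical script path in the crontab comment, and an iptables that supports `-C` (rule check, newer than this 2002 post); setting `DRY_RUN=1` prints the commands instead of executing them, which would need root and netfilter.

```shell
#!/bin/sh
# Added example: a hand-managed "play" chain hooked in at the head of INPUT.
# Rules added here run before the boot script's trailing DENY because the
# jump is *inserted* (-I INPUT 1), not appended. Needs root and netfilter to
# run for real; DRY_RUN=1 prints the commands instead. Assumes iptables with
# -C (rule check), which is newer than the 2002 post.
CHAIN="${PLAY_CHAIN:-play}"    # hypothetical chain name

ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
        [ "$1" != "-C" ]       # dry run: pretend the rule is absent so the add path shows
        return
    fi
    iptables "$@"
}

# Create the chain if it does not exist and jump to it from rule position 1.
setup_play_chain() {
    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -C INPUT -j "$CHAIN" 2>/dev/null || ipt -I INPUT 1 -j "$CHAIN"
}

# Append to the play chain unless an identical rule is already present; order
# inside this chain is irrelevant by design, so -A is safe and reruns are idempotent.
play_add() { ipt -C "$CHAIN" "$@" 2>/dev/null || ipt -A "$CHAIN" "$@"; }

# Delete from the play chain; -D needs exactly the match spec used when adding.
play_del() { ipt -D "$CHAIN" "$@"; }

# Cron-driven on/off switch: the toggled rule is just a jump into a block chain
# (the post's "killaim", assumed to exist and hold the subnet rules).
block_on()  { play_add -j killaim; }
block_off() { play_del -j killaim; }

# e.g. crontab (hypothetical path): 0 9 * * 1-5  /usr/local/sbin/playchain on
#                                   0 17 * * 1-5 /usr/local/sbin/playchain off
case "${1:-}" in
    setup) setup_play_chain ;;
    on)    block_on ;;
    off)   block_off ;;
esac
```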