Firewall Wizards mailing list archives

Re: Is the order of the rules entered in iptables important?


From: Christopher Hicks <chicks () chicks net>
Date: Thu, 1 Aug 2002 08:53:10 -0400 (EDT)

On Thu, 1 Aug 2002, Kenny G. Dubuisson, Jr. wrote:
> does the order in which rules are added for an iptables table matter?

Yes.  I'm not aware of many firewall ruleset systems where the order
doesn't matter.

> Once the system boots, I'm trying to add additional rules to the
> default chains but my rules are not working.  I was wondering if that
> is because the boot script has, as its last rule, a DENY target and
> since it was "entered" before my new rules, the DENY is always hit
> first.

Yes.  So my guess would be that you're following one of the recipes out
there and adding your rules with -A:

       -A, --append
              Append  one  or more rules to the end of
              the selected  chain.   When  the  source
              and/or destination names resolve to more
              than one address, a rule will  be  added
              for each possible address combination.

While what you need to be doing is an insert:

       -I, --insert
              Insert one or more rules in the selected
              chain  as the given rule number.  So, if
              the rule number is 1, the rule or  rules
              are  inserted  at the head of the chain.
              This is also the default if no rule num-
              ber is specified.

If I'm going to be working on a set of rules by hand on a regular basis it
makes life easier to add a new chain someplace appropriate, like the top
of INPUT, and do my "playing" there.

I've even managed to get iptables to let me set up chains that I then have
cron jobs that automatically add and remove rules from.  I prevent the use
of AIM during business hours at one place and cut off the Internet access
for my kids after they're supposed to be asleep.  I would have had a much
harder time doing these things without making my own chain.  I can add and
delete rules from the "play chain" and be confident that the order doesn't
matter because I don't add anything to the play chain where the order
matters.  So my crontab entries just add and delete individual rules.
The rules that are added and deleted this way are often simply jumps to
other chains so that I can, for instance, have my AIM blocking script
block 3 distinct AOL subnets which entails 3 rules on a chain named
"killaim".  Fun.

-- 
</chris>

"The first rule of Perl club is you do not talk about Perl club."
-- Chip Salzenberg

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
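The -I versus -A point and the "play chain" pattern from the reply above, written out as an added example script (not code from the original post). Chain names, the three subnets and the crontab lines are constructed placeholders; IPT defaults to "echo iptables" so the script only prints what it would run, and is set to "iptables" (as root) to apply for real.

```shell
#!/bin/sh
# Added example: a dedicated "play" chain hung off the head of INPUT, so that
# rules added later are evaluated before the boot script's final DENY/DROP,
# plus cron-driven add/delete of single jump rules inside that chain.
# IPT="echo iptables" is a dry-run stand-in; export IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# One-time setup: create the play chain and INSERT the jump at position 1 of
# INPUT.  Using -A here would append the jump after the existing terminal
# DENY/DROP rule, so nothing in the play chain would ever be reached.
setup_play_chain() {
    $IPT -N play
    $IPT -I INPUT 1 -j play
}

# The "killaim" chain: one DROP rule per subnet (constructed example ranges,
# not real AOL address space).  Order inside this chain does not matter either,
# since every rule has the same target.
setup_killaim() {
    $IPT -N killaim
    for net in 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24; do
        $IPT -A killaim -s "$net" -j DROP
    done
}

# Cron-driven toggles: add or delete a single jump rule in the play chain.
# -A is safe here because the play chain only ever holds independent jumps.
# -D with the same rule specification removes exactly that rule again.
block_aim()   { $IPT -A play -j killaim; }
unblock_aim() { $IPT -D play -j killaim; }

# Constructed crontab entries, assuming this file is /usr/local/sbin/playchain.sh:
#   0 9  * * 1-5  IPT=iptables /usr/local/sbin/playchain.sh block_aim
#   0 17 * * 1-5  IPT=iptables /usr/local/sbin/playchain.sh unblock_aim
case "${1:-}" in
    setup) setup_play_chain; setup_killaim ;;
    block_aim|unblock_aim) "$1" ;;
esac
```

Run it once with `setup` after the boot script has finished, and afterwards only the single-rule toggles need to touch the firewall.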

