LinuxQuestions.org
Old 04-30-2007, 08:35 AM   #1
Nerox
Member
 
Registered: Jul 2004
Location: Spain
Posts: 111

Rep: Reputation: 20
Basic usage of iptables


In the Linux 2.4/2.6 packet filtering HOWTO I can read the following:

Quote:
There are two very simple built-in targets: DROP and ACCEPT. We've already met them. If a rule matches a packet and its target is one of these two, no further rules are consulted: the packet's fate has been decided.

There are two types of targets other than the built-in ones: extensions and user-defined chains.
Is that true? I think it is not, since when a packet matches a rule with an ACCEPT target, this packet is marked as accepted but its fate is not decided until it reaches the end of the chain (it can be dropped after). Analogously, if a packet matches a rule with a DROP target, it can be accepted later when it goes through the chain.

Thanks in advance
 
Old 04-30-2007, 08:40 AM   #2
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
I believe the quoted statement is correct. If a packet hits the drop match it doesn't traverse the chain any longer. What you say doesn't make sense from a common sense perspective. Why would you drop a packet and then want to accept it later? That sounds more like a security issue to me.

Just my 2 cents.

Thanks.
 
Old 04-30-2007, 08:59 AM   #3
Nerox
Member
 
Registered: Jul 2004
Location: Spain
Posts: 111

Original Poster
Rep: Reputation: 20
The matter is: if a packet matches a rule with an ACCEPT/DROP target, will the packet go through further rules, or are no further rules consulted?

TIA
 
Old 04-30-2007, 09:11 AM   #4
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
Quote:
Originally Posted by Nerox
go through further rules?
No

Quote:
Originally Posted by Nerox
no further rules are consulted
This is the same thing as above, therefore the answer is NO.

HTH,

Centinul
 
Old 04-30-2007, 10:52 AM   #5
Nerox
Member
 
Registered: Jul 2004
Location: Spain
Posts: 111

Original Poster
Rep: Reputation: 20
Regardless of the chain policy?

Thanks again
 
Old 04-30-2007, 02:44 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963
of course regardless, that's why it's a chain / list / table, not just a random lump of rules executed randomly. if it's not then a precedence of order makes no sense at all. a decent firewall list should *always* end with a drop, i.e. if your packet got to the bottom we obviously didn't accept you earlier...

this is nothing to do with iptables per se, this is how virtually all common access list based systems, most specifically including most firewalls in the world, work.

in your world, how would you fulfil a request such as "accept ssh traffic from ip 1.2.3.4 but block everything else"? without precedence you're presumably looking at a rule for every single possible port that could exist as you can't fall back to a default right? 65534 rules? super!

Last edited by acid_kewpie; 04-30-2007 at 02:46 PM.
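To make the thread's answer concrete, here is an added example (written for this page, not code from the thread or from iptables itself) that models how a netfilter chain is walked: the first matching ACCEPT or DROP ends the walk, a jump to a user-defined chain falls back to the caller if nothing in it matched, and the chain policy is consulted only when the packet reaches the end of the built-in chain. The ruleset is the one acid_kewpie describes ("accept ssh from 1.2.3.4, drop everything else"); the ADMIN chain name and the packet fields are constructed for the example.

```python
# Added example (not from the thread, not iptables itself): a small model of how a
# netfilter chain is traversed, to show why ACCEPT/DROP end the walk and when the
# chain policy applies. Rules are (match predicate, target) pairs.
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]
Rule = Tuple[Callable[[Packet], bool], str]
TERMINATING = {"ACCEPT", "DROP"}

class Chain:
    def __init__(self, name: str, policy: Optional[str] = None) -> None:
        self.name = name
        self.rules: List[Rule] = []
        self.policy = policy          # only built-in chains carry a policy

def traverse(chains: Dict[str, Chain], name: str, pkt: Packet, trace: List[str]) -> Optional[str]:
    """Walk one chain in order; return ACCEPT/DROP, or None if the end was reached."""
    for idx, (match, target) in enumerate(chains[name].rules):
        if not match(pkt):
            continue
        trace.append(f"{name}:{idx} -> {target}")
        if target in TERMINATING:
            return target             # fate decided: later rules are never consulted
        if target == "RETURN":
            return None               # back to the calling chain
        verdict = traverse(chains, target, pkt, trace)   # jump to a user-defined chain
        if verdict is not None:
            return verdict
    return None

def filter_packet(chains: Dict[str, Chain], pkt: Packet) -> Tuple[str, List[str]]:
    trace: List[str] = []
    verdict = traverse(chains, "INPUT", pkt, trace)
    if verdict is None:               # fell off the end: only now does the policy decide
        verdict = chains["INPUT"].policy
        trace.append(f"INPUT policy -> {verdict}")
    return verdict, trace

def build_example() -> Dict[str, Chain]:
    """Constructed ruleset: accept ssh from 1.2.3.4, drop everything else."""
    ssh = lambda p: p["proto"] == "tcp" and p["dport"] == 22
    inp, admin = Chain("INPUT", policy="DROP"), Chain("ADMIN")   # ADMIN is a made-up user chain
    admin.rules.append((lambda p: p["src"] == "1.2.3.4", "ACCEPT"))
    inp.rules.append((ssh, "ADMIN"))          # jump; ADMIN returns if nothing matched
    inp.rules.append((ssh, "DROP"))           # never reached once ADMIN accepted
    return {"INPUT": inp, "ADMIN": admin}
```

Swapping the two INPUT rules makes the DROP win for every ssh packet, which is the rule-order point made in the thread.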
 