Iptables compares a packet to the list of rules sequentially, starting at the first rule and working its way to the bottom, until it finds a rule that applies to that packet.
Since you have a default policy of accept, and are using a catch-all rule to reject anything that doesn't match a previous rule, your port 80 accept rule is AFTER the catch-all rule.
Quote:
Code:
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Personally, I use a script to generate my iptables rules: I edit the script, run it, then save the iptables rules to the file loaded by the init script, so they are persistent across reboots. So whenever I add a new rule, I make sure I add it above the "catch all".
In your current example, you would need to
Code:
iptables -D INPUT 6
which will remove the current http accept rule. Then, instead of using -A, use -I [rule number] to insert the rule above the catch-all:
Code:
iptables -I INPUT 5 -p tcp --dport 80 -j ACCEPT
which will insert the rule into the 5th position in the INPUT chain, moving anything after it down one step.
Alternatively, if you don't specify a number, the rule will be inserted in the first position.
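The following is an added example, not part of the post above: it reproduces the ordering problem and the -D / -I fix on a constructed ruleset, offline, without touching a live firewall. The ruleset is a hypothetical `iptables -S INPUT` listing built so that the catch-all REJECT is rule 5 and the http ACCEPT is rule 6, mirroring the thread; `rule_position`, `shadowed_by_catchall`, `delete_rule` and `insert_rule` are helper names chosen here. The awk helpers imitate what `iptables -D INPUT N` and `iptables -I INPUT N` do to rule numbering, which is how you would check a saved ruleset (or the output of `iptables -S INPUT`) for an ACCEPT that can never fire.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` output (not taken from the thread):
# the http ACCEPT sits after the unconditional REJECT, so it never matches.
BROKEN_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# rule_position RULES PATTERN: print the 1-based position (the number
# `iptables -L INPUT --line-numbers` would show) of the first "-A INPUT"
# rule containing PATTERN as a fixed string; prints 0 if there is none.
rule_position() {
    pos=$(printf '%s\n' "$1" | grep -- '^-A INPUT' | grep -n -F -- "$2" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# shadowed_by_catchall RULES PATTERN: returns 0 (true) when the rule matching
# PATTERN sits after the unconditional REJECT and so can never be reached,
# 1 when it sits before it or there is no REJECT, 2 when the rule is absent.
shadowed_by_catchall() {
    rule=$(rule_position "$1" "$2")
    reject=$(rule_position "$1" "-j REJECT")
    [ "$rule" -eq 0 ] && return 2
    [ "$reject" -eq 0 ] && return 1
    [ "$rule" -gt "$reject" ]
}

# delete_rule RULES N: mimic `iptables -D INPUT N` on the listing;
# rules after N move up one position.
delete_rule() {
    printf '%s\n' "$1" | awk -v n="$2" '/^-A INPUT/ { i++; if (i == n) next } { print }'
}

# insert_rule RULES N SPEC: mimic `iptables -I INPUT N SPEC`; the new rule
# takes position N and everything from N onward moves down one step.
# N defaults to 1, as it does for `iptables -I` with no number.
insert_rule() {
    printf '%s\n' "$1" | awk -v n="${2:-1}" -v spec="$3" '
        /^-A INPUT/ { i++; if (i == n) print "-A INPUT " spec }
        { print }
        END { if (i + 1 == n) print "-A INPUT " spec }'
}

# Stand-alone demonstration of the fix described in the post.
if shadowed_by_catchall "$BROKEN_RULES" "--dport 80"; then
    echo "http ACCEPT at position $(rule_position "$BROKEN_RULES" "--dport 80")" \
         "is shadowed by REJECT at position $(rule_position "$BROKEN_RULES" "-j REJECT")"
fi
FIXED_RULES=$(delete_rule "$BROKEN_RULES" 6)
FIXED_RULES=$(insert_rule "$FIXED_RULES" 5 "-p tcp -m tcp --dport 80 -j ACCEPT")
printf '%s\n' "$FIXED_RULES"
```

Feed it the real listing with `RULES=$(iptables -S INPUT)` and `shadowed_by_catchall "$RULES" "--dport 80"` to check a running box before and after editing; the position numbers it prints are the ones to pass to -D and -I.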