The iptables on my dedicated server has a lot of lines with 11.11.11.11 that were not put in by me. Such as
-from the saved iptables.

I asked our host what they were and there was a vague reference to 'placeholder'. But as far as I can see the 11.11.11.11 is never defined in any way. Am I right in thinking that those lines aren't doing anything and I can delete them?

Or do they have a meaning?

Well, that's odd. Specifically what's odd is that your host seems to be (more-or-less) admitting to have put them there, but isn't really telling what they were out there for. As a placeholder, you'd have to think that they mean that they might run, eg, sed, and replace that 11.11.11.11 with something actually needed (presumably, what you mean by meaningful).

Incidentally, the range 11.0.0.0 - 11.255.255.255 is allocated to the DoD Network Information Center. So if you never have any accesses to them, they won't do any actual harm (and its only three ports, and probably not three ports that you'll ever want accesses to the DoD for), but I'd agree that you don't want 'random' parts of the net being meaninglessly blocked off, as you'll have a problem with it at some later time when you've forgotten all about this.

Appreciate your reply, thanks.

A little context here: I first noticed these a few years ago and asked host (they had changed my iptables). I don't think the support person actually knew why he had been told to do it - said "for added security". Anyway it didn't seem to do any harm so I have faithfully copied every time I updated iptables.

But I went on a housecleaning kick yesterday. We had blocked IPs in .htaccess as well as in iptables, and there was also a Ban Filter in the forum. I decided to consolidate all the bans in one place, in iptables, to make search easier if a block turned out to be a mistake. Then I thought why have this stuff I don't understand in iptables - so now I have taken all the 11.11.11.11 lines out.

May I ask you about something else?
I don't really understand the OUTPUT section. There is a pretty large one. It starts with some reasonable-looking stuff:
But after that are a great many DROP lines - a few of them:
What are these actually doing? I'm guessing that if something on the server tries to send to 173.201.253.108, it will not succeed. (Protection against malware sending home?) Would you agree that I could just delete those hundred or so lines?

Management-wise, and because iptables will block a connection at the lowest level, that's an excellent move.


They're doing nothing. In the filter table OUTPUT chain rules usually have "-d" for prohibiting sending any traffic to a specific destination, not "-s".

Thanks again!