LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-20-2007, 05:15 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Rep: Reputation: 60
IPTABLES Rules Positioning


When you are using IPTABLES and you have a script, I want to know which lines go first as far as rules:

1 -INPUT
2 -OUTPUT
3 -FORWARD
4 -PREROUTING
5 -POSTROUTING

I want to know if I have my own rules positioned correctly, which is the reason I ask!
 
Old 08-20-2007, 07:12 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
You can have your chains grouped in pretty much any order you want. What matters is the order of the rules within each chain itself. For example, this:
Code:
iptables -t nat -A PREROUTING -i eth3 \
-j DNAT --to-destination 192.168.55.36
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
iptables -A INPUT -p TCP -s 192.168.10.101 -j DROP
iptables -A FORWARD -p TCP -i eth0 -o eth1 -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
Is the same as this:
Code:
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p TCP -s 192.168.10.101 -j DROP
iptables -t nat -A POSTROUTING -o eth3 -j MASQUERADE
iptables -A FORWARD -p TCP -i eth0 -o eth1 -j DROP
iptables -t nat -A PREROUTING -i eth3 \
-j DNAT --to-destination 192.168.55.36

But this:
Code:
iptables -A FORWARD -p TCP -j ACCEPT
iptables -A FORWARD -p TCP --dport 80 -j DROP
Is NOT the same as this:
Code:
iptables -A FORWARD -p TCP --dport 80 -j DROP
iptables -A FORWARD -p TCP -j ACCEPT
The latter would filter HTTP packets, while the former would allow them, as any TCP packets would get sent to ACCEPT and wouldn't even get to the DROP rule.

Last edited by win32sux; 08-20-2007 at 07:18 PM.
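The point made in the answer above (chains are independent, but within a chain the first matching rule decides) can be checked without root or a real netfilter stack. The script below is an added example and not code from the thread or from the iptables project: it is a deliberately small first-match evaluator that understands only the `-A/-p/--dport/-i/-o/-s/-j` options used in the posts, ignores `-t`, state tracking and NAT, and uses a constructed set of probe packets. The `Firewall`, `Rule` and `Packet` names are hypothetical helpers, not anything from iptables itself.

```python
# Added example: a minimal first-match model of iptables filter chains.
# It shows that appending rules to INPUT/FORWARD/OUTPUT in a different
# order changes nothing, while swapping two rules inside FORWARD flips
# the verdict for HTTP traffic. Not the real netfilter engine.
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    """A constructed probe packet with just the fields our rules inspect."""
    proto: str                 # "tcp" or "udp"
    dport: int
    in_if: str = "eth0"
    out_if: str = "eth1"
    src: str = "10.0.0.5"


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every option that is present must match; absent options match anything.
        return all([
            self.proto is None or pkt.proto == self.proto,
            self.dport is None or pkt.dport == self.dport,
            self.in_if is None or pkt.in_if == self.in_if,
            self.out_if is None or pkt.out_if == self.out_if,
            self.src is None or pkt.src == self.src,
        ])


def parse_rule(line: str) -> Rule:
    """Parse the `iptables -A CHAIN [matches] -j TARGET` subset used in the thread."""
    args = shlex.split(line)
    if args[:1] == ["iptables"]:
        args = args[1:]
    opts = {args[i]: args[i + 1] for i in range(0, len(args), 2)}  # -t, --to-destination etc. are parsed but unused
    return Rule(
        chain=opts["-A"],
        target=opts["-j"],
        proto=opts.get("-p", "").lower() or None,
        dport=int(opts["--dport"]) if "--dport" in opts else None,
        in_if=opts.get("-i"),
        out_if=opts.get("-o"),
        src=opts.get("-s"),
    )


class Firewall:
    """Chains are evaluated independently; within a chain the first match wins."""

    def __init__(self, policy: str = "ACCEPT"):
        self.chains: Dict[str, List[Rule]] = {}
        self.policy = policy          # verdict when no rule in the chain matches

    def append(self, line: str) -> None:
        rule = parse_rule(line)
        self.chains.setdefault(rule.chain, []).append(rule)   # -A appends at the end

    def verdict(self, chain: str, pkt: Packet) -> str:
        for rule in self.chains.get(chain, []):               # top to bottom
            if rule.matches(pkt):
                return rule.target                            # first match is terminal
        return self.policy


# The two FORWARD orderings from the answer above.
ORDER_ACCEPT_FIRST = [
    "iptables -A FORWARD -p TCP -j ACCEPT",
    "iptables -A FORWARD -p TCP --dport 80 -j DROP",
]
ORDER_DROP_FIRST = list(reversed(ORDER_ACCEPT_FIRST))

# The same three filter rules, appended to their chains in two different orders.
MIXED_1 = [
    "iptables -A INPUT -p TCP -s 192.168.10.101 -j DROP",
    "iptables -A FORWARD -p TCP -i eth0 -o eth1 -j DROP",
    "iptables -A OUTPUT -o lo -j ACCEPT",
]
MIXED_2 = [MIXED_1[2], MIXED_1[0], MIXED_1[1]]


def http_verdict(rules: List[str]) -> str:
    """Verdict the FORWARD chain gives a TCP packet to port 80 under these rules."""
    fw = Firewall()
    for r in rules:
        fw.append(r)
    return fw.verdict("FORWARD", Packet(proto="tcp", dport=80))


def chain_verdicts(rules: List[str]) -> Dict[str, str]:
    """One constructed probe per chain; returns {chain: verdict}."""
    fw = Firewall()
    for r in rules:
        fw.append(r)
    probes = {
        "INPUT": Packet(proto="tcp", dport=22, src="192.168.10.101"),
        "FORWARD": Packet(proto="tcp", dport=443, in_if="eth0", out_if="eth1"),
        "OUTPUT": Packet(proto="udp", dport=53, out_if="lo"),
    }
    return {chain: fw.verdict(chain, pkt) for chain, pkt in probes.items()}


if __name__ == "__main__":
    print("ACCEPT before DROP:", http_verdict(ORDER_ACCEPT_FIRST))   # ACCEPT
    print("DROP before ACCEPT:", http_verdict(ORDER_DROP_FIRST))     # DROP
    print("chains grouped one way:", chain_verdicts(MIXED_1))
    print("chains grouped another way:", chain_verdicts(MIXED_2))    # identical
```

When auditing a real ruleset, `iptables -S FORWARD` (or `iptables -L FORWARD -n --line-numbers`) prints the chain in the order the kernel walks it, which is the order that matters; the order of lines in the script that loaded it is only relevant insofar as it produced that sequence.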
 
Old 08-28-2007, 08:46 AM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
Many thanks
 
  

