yes if an accept rule is before a drop rule, it will be executed first.

so your rule
this will make sure that the packets to this ip are accepted WITHOUT chekcing any further rules.

Also to exclude some addresses, you can say some complicated rule or simply do the foll
(assume IP AA is to be excluded from range XYZ)
(this will make sure rules below this are not hit..but other chains are)

Ok, here is my setup w/ addresses...

Computer with firewall and server - 192.168.1.1
Computer doing syn flood - 192.168.1.14 (but gets spoofed during attack)
Computer accessing pages on server - 192.168.1.20 (I want this to access the pages during the attack)

Please use this information to help me answer my question below...

If I execute the iptables rules below do you think I will achieve what I am wanting to do? If not can you help me tweak it. Thanks

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT- [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

-A RH-Firwewall-1-INPUT -s 192.168.1.20 -j ACCEPT
-A RH-Firwewall-1-INPUT -s 192.168.0.0/255.255.255.0 -j DROP

-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

-A RH-Firewall-1-INPUT -s 0/0 -d 0/0 -p udp -j DROP
-A RH-Firewall-1-INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
COMMIT




I will execute this after I start iptables:
net/ipv4/tcp_syncookies = 1

EDIT: i just realized you question was already answered... so nevermind my post... i guess i'm not used to the new layout here at LQ yet...


to accept all incoming TCP and UDP packets from 192.168.1.20 it would go something like this:and yes, the iptables commands in a script are executed from top to bottom (just like any other shell script)... also, as far as the chains are concerned the packets will hit the rules at the top first... so for example, here the tcp packet would be accepted regardless:and here it would be filterd regardless:well, if your policy is set to DROP then all you have to do is create an ACCEPT rule for packets with source address 192.168.1.20... then any packet from any other IP will get filtered, as long as you don't have any other rule matching the packet after it passes the ACCEPT rule for 192.168.1.20...

but if what you mean is that you have an ACCEPT rule for, say, TCP/80 packets and you want to filter that entire subnet except for the 192.168.1.20 IP then it would look like this:as you can see, the packets will hit the first rule, and if it's from 192.168.1.20 (and the destination port is tcp/80) it will be accepted... if it's not from 192.168.1.20 then the packet will keep going to the next rule, which states that if the packet is from subnet 192.168.1.0/24 it should be filtered...

Everyone, I really appreciate the help you provided.

I actually just got it working and presented it to my professor a little over an hour ago.

Again, I appreciate the help. Thanks...