Iptables :: priority of rules

Tim ignored_mailbox at yahoo.com.au
Fri Feb 23 12:38:14 UTC 2007

>>> You can have a default drop rule on all input traffic, then add a couple
>>> of specific rules to allow it from your local network, and another to
>>> allow it from a specific address.


>> In fact, isn't what I wrote ?

> No, I believe Tim meant a default drop "policy" then the rules you add are 
> accepts.
> eg:
> iptables -P INPUT DROP
> iptables -A INPUT -s -j ACCEPT
> iptables -A INPUT -s special.ip.allowed -j ACCEPT

Res is right, that's what I meant, and I think I see the problem in your
original rules:

>>>> (1) : iptables -I INPUT -p tcp -s --dport ssh -j ACCEPT

If address is this (above), allow.  So far so good.  It'll do what you

>>>> (2) : iptables -I INPUT -p tcp -s ! x.x.x.x --dport ssh -j DROP

If address is not that (above), don't allow.  The 192.168. address
*also* is not that address, and I think this rule will be processed on
top of the prior one.

Change the to being one where if it *is* the specific address that you
want, to accept it.  Then you'll have two accept rules that don't

Alternatively, you could try putting this rule before the other.

Your later message about having a default drop policy means that the
specific drop rule, above, is redundant, anyway.  It's ages since I
wrote any complex iptables rules, and always tried to avoid negative
logic, especially in combination with other things.  If you have
different interfaces (e.g. internet on ppp0 and LAN on eth0), it gets
easier to treat one differently than the other, but when you have
everything through the same interface you have to do it using the

(This PC runs FC4, my others FC5 & FC6, in case that's important
 to the thread)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
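The ordering problem Tim describes above, modelled as an added example that is not part of the original message: a small Python simulation of how iptables walks the INPUT chain (-I inserts at the top, -A appends, first matching rule decides, otherwise the chain policy). The addresses are constructed, 192.168.1.0/24 standing in for the LAN and 203.0.113.5 for the single allowed host; only the option subset used in the thread is parsed.

```python
import ipaddress

PORT_NAMES = {"ssh": 22}  # minimal /etc/services lookup for the --dport name used in the thread

def apply_cmd(chain, cmd):
    """Apply one iptables command to the chain model. Supports only the subset used above:
    -P, -I (insert at top), -A (append), -p, -s (with the old '-s ! addr' negation), --dport, -j."""
    tok = cmd.split()
    if tok[1] == "-P":                       # iptables -P INPUT <target>
        chain["policy"] = tok[3]
        return
    rule, i = {}, 3
    while i < len(tok):
        t = tok[i]
        if t == "-s":
            neg = tok[i + 1] == "!"          # '-s ! x.x.x.x' means "source is NOT this"
            if neg:
                i += 1
            rule["src"] = (ipaddress.ip_network(tok[i + 1], strict=False), neg)
        elif t == "-p":
            rule["proto"] = tok[i + 1]
        elif t == "--dport":
            rule["dport"] = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        elif t == "-j":
            rule["target"] = tok[i + 1]
        i += 2
    if tok[1] == "-I":
        chain["rules"].insert(0, rule)       # -I without a rule number puts the rule on top
    else:
        chain["rules"].append(rule)

def matches(rule, pkt):
    if "src" in rule:
        net, neg = rule["src"]
        if (ipaddress.ip_address(pkt["src"]) in net) == neg:
            return False
    return (rule.get("proto", pkt["proto"]) == pkt["proto"]
            and rule.get("dport", pkt["dport"]) == pkt["dport"])

def verdict(cmds, pkt):
    """Build INPUT from the commands in the order given, then return the first match's target,
    or the chain policy (ACCEPT unless -P changed it) when nothing matches."""
    chain = {"policy": "ACCEPT", "rules": []}
    for c in cmds:
        apply_cmd(chain, c)
    return next((r["target"] for r in chain["rules"] if matches(r, pkt)), chain["policy"])

ORIGINAL = [  # the poster's rules (1) and (2), both added with -I in that order
    "iptables -I INPUT -p tcp -s 192.168.1.0/24 --dport ssh -j ACCEPT",
    "iptables -I INPUT -p tcp -s ! 203.0.113.5 --dport ssh -j DROP",
]
FIXED = [  # default DROP policy plus two positive ACCEPT rules, as suggested in the thread
    "iptables -P INPUT DROP",
    "iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport ssh -j ACCEPT",
    "iptables -A INPUT -p tcp -s 203.0.113.5 --dport ssh -j ACCEPT",
]
LAN_SSH = {"src": "192.168.1.10", "proto": "tcp", "dport": 22}
```

With ORIGINAL the second -I lands on top, so the negated DROP sees the LAN packet first; reversing the two commands, or using FIXED, lets the LAN through.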
