Adding a rule to an iptables custom chain


Let's say I have a redhat box acting like a firewall. It has iptables
set up with a custom chain called, say, bob. Now, I would like to add a
rule to that chain, say, something like this:

iptables -A bob -s -p all -j DROP

What I want to do is block any traffic from that host going through the
firewall. I check if the rule is seen

iptables -L bob --line-numbers

and see the rule there, as
num  target     prot opt source               destination
16   DROP       all  --         anywhere

So, I go to the said host and then ssh to a machine behind the firewall.
I have no problem ssh'ing in. What am I missing here?

Mauricio                                raub-kudria-com
(if you need to email me, use this address =)

Re: Adding a rule to an iptables custom chain

Which filter chain 'calls' bob, INPUT or FORWARD?


Re: Adding a rule to an iptables custom chain

- is anything at all calling the 'bob' chain from 'INPUT' chain?
- is something in the processing order (starting from the first rule in
  the 'INPUT' chain going up to the line 16 in the 'bob' chain, if it
  is even called) ACCEPTing the packet before the point where you attempt
  to DROP it?

So, when a packet comes in, it will first be processed by the first rule
in the INPUT chain. Then the next in the INPUT chain (or if the first rule
was a jump to another chain, then at the first rule of the other chain),
and so on. When a chain other than INPUT ends, the processing will resume
with the next rule in the calling chain. When the INPUT chain ends, the
chain policy will be applied. The first _terminal_ rule (ACCEPT, REJECT
or DROP) that the packet matches with this processing order is the one
that will be applied to the packet.

A simple example -- start with completely empty INPUT table;
add rules (in this order) to DROP and to ACCEPT every packet. Result:
all packets will be DROPped. Change the order of the rules (f.ex. delete
and append the DROP rule). Result: all packets will be ACCEPTed.

Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
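The traversal described in the reply above (jump into a user chain, resume in the caller when it runs out, chain policy when the built-in chain ends, first terminal rule wins), as an added example that is not the poster's code and does not call iptables. It is a small in-memory model of the filter table; the chain names, the 192.0.2.10 source address and the packet are constructed for the demonstration, and the `scenario` and `order_example` helpers are assumptions of this example.

```python
# Added example (not the poster's code, and it does not call iptables): a toy
# model of how the filter table is walked, enough to show why a DROP sitting
# in a user chain that nothing jumps to never fires, why an earlier ACCEPT
# wins, and why rule order alone decides the outcome. Chain names, the
# 192.0.2.10 source address and the packet are all constructed for the demo.
from dataclasses import dataclass, field
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that stop processing


@dataclass
class Rule:
    target: str                   # ACCEPT/DROP/REJECT/RETURN or a user-chain name (-j)
    src: Optional[str] = None     # -s address; None means "match any source"
    proto: str = "all"            # -p; "all" matches every protocol


@dataclass
class FilterTable:
    policies: dict                                  # built-in chain -> policy (-P)
    chains: dict = field(default_factory=dict)      # chain name -> [Rule, ...]

    def new_chain(self, name: str) -> None:         # iptables -N name
        self.chains.setdefault(name, [])

    def append(self, chain: str, rule: Rule) -> None:   # iptables -A chain ...
        self.chains[chain].append(rule)

    @staticmethod
    def _matches(rule: Rule, pkt: dict) -> bool:
        return (rule.src is None or rule.src == pkt["src"]) and \
               (rule.proto == "all" or rule.proto == pkt["proto"])

    def _walk(self, chain: str, pkt: dict, trace: list) -> Optional[str]:
        """Walk one chain top to bottom; return a verdict, or None if it ran out."""
        for num, rule in enumerate(self.chains[chain], start=1):
            if not self._matches(rule, pkt):
                continue
            trace.append(f"{chain}:{num} -> {rule.target}")
            if rule.target in TERMINAL:
                return rule.target                    # first terminal match wins
            if rule.target == "RETURN":
                return None                           # back to the caller
            verdict = self._walk(rule.target, pkt, trace)   # -j user chain
            if verdict is not None:
                return verdict
            # user chain ended without a verdict: continue with the next rule here
        return None

    def verdict(self, builtin: str, pkt: dict):
        trace: list = []
        v = self._walk(builtin, pkt, trace)
        if v is None:                                 # built-in chain ended
            v = self.policies[builtin]
            trace.append(f"{builtin} policy -> {v}")
        return v, trace


def scenario(builtin: str, call_bob: bool, accept_first: bool):
    """Rebuild the poster's setup: a DROP for one host in user chain 'bob'.

    builtin      -- INPUT for traffic to the firewall, FORWARD for traffic through it
    call_bob     -- whether the built-in chain jumps to 'bob' at all
    accept_first -- whether an ACCEPT for tcp precedes that jump
    """
    fw = FilterTable(policies={builtin: "ACCEPT"})
    fw.new_chain(builtin)
    fw.new_chain("bob")
    if accept_first:
        fw.append(builtin, Rule("ACCEPT", proto="tcp"))
    if call_bob:
        fw.append(builtin, Rule("bob"))               # iptables -A <builtin> -j bob
    fw.append("bob", Rule("DROP", src="192.0.2.10"))  # the poster's rule (constructed address)
    ssh_syn = {"src": "192.0.2.10", "proto": "tcp"}   # constructed packet from that host
    return fw.verdict(builtin, ssh_syn)


def order_example(targets):
    """The reply's last paragraph: empty INPUT, then match-all rules in the given order."""
    fw = FilterTable(policies={"INPUT": "ACCEPT"})
    fw.new_chain("INPUT")
    for t in targets:
        fw.append("INPUT", Rule(t))
    return fw.verdict("INPUT", {"src": "198.51.100.7", "proto": "udp"})[0]


if __name__ == "__main__":
    for args in [("FORWARD", False, False), ("FORWARD", True, False), ("FORWARD", True, True)]:
        v, trace = scenario(*args)
        print(args, "->", v, "via", " ; ".join(trace))
    print(["DROP", "ACCEPT"], "->", order_example(["DROP", "ACCEPT"]))
    print(["ACCEPT", "DROP"], "->", order_example(["ACCEPT", "DROP"]))
```

The first scenario is the situation the question describes: the rule is visible in `bob`, but no rule in the built-in chain jumps there, so the packet only ever meets the chain policy. On the real box the equivalent check is to list the built-in chains the traffic actually traverses (`iptables -L INPUT --line-numbers` for connections to the firewall itself, `iptables -L FORWARD --line-numbers` for connections through it) and confirm that a rule with target `bob` appears before any ACCEPT that would match the same traffic.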
