- Adding a rule to a iptable custom chain
- Mauricio Tavares
November 13, 2006, 7:36 pm
setup with a custom chain called, say, bob. Now, I would like to add a
rule to that chain, say, something like this:
iptables -A bob -s 188.8.131.52 -p all -j DROP
What I want to do is block any traffic from that host going through the
firewall. I check if the rule is seen
iptables -L bob --line-numbers
and see the rule there, as
num target prot opt source destination
16 DROP all -- 184.108.40.206 anywhere
So, I go to the said host and then ssh to a machine behind the firewall.
I have no problem ssh'ing in. What am I missing here?
(if you need to email me, use this address =)
Re: Adding a rule to a iptable custom chain
- is anything at all calling the 'bob' chain from 'INPUT' chain?
- is something in the processing order (starting from the first rule in
the 'INPUT' chain going up to the line 16 in the 'bob' chain, if it
is even called) ACCEPTing the packet before the point where you attempt
to DROP it?
So, when a packet comes in, it will first be processed by the first rule
in the INPUT chain. Then the next in the INPUT chain (or if the first rule
was a jump to another chain, then at the first rule of the other chain),
and so on. When a chain other than INPUT ends, the processing will resume
with the next rule in the calling chain. When INPUT chain ends, then
the chain policy will be applied. The first _terminal_ rule (ACCEPT, REJECT
or DROP) that the packet matches with this processing order is the one
that will be applied to the packet.
A simple example -- start with completely empty INPUT table;
add rules (in this order) to DROP and to ACCEPT every packet. Result:
all packets will be DROPped. Change the order of the rules (f.ex. delete
and append the DROP rule). Result: all packets will be ACCEPTed.
Wolf a.k.a. Juha Laiho Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
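The traversal order described in the reply above, as an added example that is not part of the original thread: a small Python model of how iptables walks chains (a simulator written for this page, not iptables itself). The ruleset, the addresses, the packets and every chain name other than the poster's 'bob' are constructed for illustration. It assumes the ssh session is being forwarded to a host behind the firewall, so the packet traverses the FORWARD chain rather than INPUT; the same rules apply to INPUT for traffic addressed to the firewall itself, and one scenario below shows that case.

```python
"""Added model of how iptables walks chains (not iptables itself): the first
terminal verdict (ACCEPT/DROP/REJECT) wins, a user-defined chain such as 'bob'
is only consulted when some rule jumps to it, and when a user chain runs out of
rules processing resumes at the next rule of the caller.  When a built-in chain
runs out of rules, its policy applies."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    target: str                   # ACCEPT/DROP/REJECT/RETURN or a chain name to jump to
    src: Optional[str] = None     # -s: address or CIDR; None = any source
    proto: Optional[str] = None   # -p: "tcp", "udp", ...; None = all (the default)
    dport: Optional[int] = None   # --dport; None = any port

    def matches(self, pkt: dict) -> bool:
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src, strict=False):
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Ruleset:
    policies: Dict[str, str]                            # built-in chain -> ACCEPT/DROP
    chains: Dict[str, List[Rule]] = field(default_factory=dict)

    def append(self, chain: str, rule: Rule) -> None:   # like: iptables -A chain ...
        self.chains.setdefault(chain, []).append(rule)

    def insert(self, chain: str, rule: Rule, num: int = 1) -> None:  # like: iptables -I chain num ...
        self.chains.setdefault(chain, []).insert(num - 1, rule)

    def verdict(self, builtin: str, pkt: dict) -> Tuple[str, str]:
        """Return (verdict, 'chain:rulenum'), or (policy, 'chain:policy') if no rule decided."""
        hit = self._walk(builtin, pkt, depth=0)
        return hit if hit else (self.policies[builtin], f"{builtin}:policy")

    def _walk(self, chain: str, pkt: dict, depth: int) -> Optional[Tuple[str, str]]:
        if depth > 16:  # real iptables refuses to load a ruleset whose chains loop
            raise RuntimeError(f"chain loop via {chain}")
        for num, rule in enumerate(self.chains.get(chain, []), start=1):
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target, f"{chain}:{num}"     # first terminal match wins
            if rule.target == "RETURN":
                return None                               # back to the caller (or policy)
            hit = self._walk(rule.target, pkt, depth + 1)  # -j <user chain>
            if hit:
                return hit
            # the user chain ended without a verdict: carry on with our next rule
        return None


# Constructed ruleset resembling the thread: a firewall that already forwards ssh,
# plus the poster's 'bob' chain holding a DROP that nothing jumps to.
BLOCKED_HOST = "188.8.131.52"


def thread_ruleset() -> Ruleset:
    rs = Ruleset(policies={"INPUT": "DROP", "FORWARD": "DROP"})
    rs.append("FORWARD", Rule("ACCEPT", proto="tcp", dport=22))  # pre-existing allow rule
    rs.append("bob", Rule("DROP", src=BLOCKED_HOST))               # iptables -A bob -s ... -j DROP
    return rs


# Constructed packets: an ssh connection being forwarded to a host behind the firewall.
SSH_FROM_BLOCKED = {"src": BLOCKED_HOST, "proto": "tcp", "dport": 22}
SSH_FROM_OTHER = {"src": "10.0.0.5", "proto": "tcp", "dport": 22}


def scenarios() -> Dict[str, Tuple[str, str]]:
    out = {}
    rs = thread_ruleset()
    out["unhooked"] = rs.verdict("FORWARD", SSH_FROM_BLOCKED)      # ('ACCEPT', 'FORWARD:1'): bob never runs
    rs.append("FORWARD", Rule("bob"))                              # iptables -A FORWARD -j bob: after the ACCEPT
    out["hooked_last"] = rs.verdict("FORWARD", SSH_FROM_BLOCKED)   # ('ACCEPT', 'FORWARD:1'): still too late
    rs = thread_ruleset()
    rs.insert("FORWARD", Rule("bob"), 1)                           # iptables -I FORWARD 1 -j bob: before it
    out["hooked_first"] = rs.verdict("FORWARD", SSH_FROM_BLOCKED)  # ('DROP', 'bob:1')
    out["other_host"] = rs.verdict("FORWARD", SSH_FROM_OTHER)      # ('ACCEPT', 'FORWARD:2'): bob returned
    out["to_firewall"] = rs.verdict("INPUT", SSH_FROM_BLOCKED)     # ('DROP', 'INPUT:policy'): empty chain
    return out


if __name__ == "__main__":
    for name, (verdict, where) in scenarios().items():
        print(f"{name:13s} -> {verdict:6s} decided at {where}")
```

On a real box the equivalent checks are `iptables -S FORWARD` (or `iptables-save | grep -- '-j bob'`) to see whether anything jumps to bob at all, and `iptables -L FORWARD --line-numbers` to see which rule the jump sits behind; `iptables -I FORWARD 1 -j bob` puts the jump ahead of any existing ACCEPT. The model deliberately ignores connection tracking: a `-m state --state ESTABLISHED -j ACCEPT` rule ahead of the jump would keep an already-open session alive even after the DROP is reachable, which is one more reason to read the chain from rule 1 downward.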