On Thu, Mar 21, 2002 at 09:33:21PM +1100, Peter Rundle wrote:
> I'm learning iptables by trial and terror and fail to understand iptables
> behaviour when matching rules. I thought that once a rule was matched
> the chain was exited but it appears that iptables continues down the
> chain attempting to match all rules. Is this true and if so what the hell
> for? This would appear to me to make iptables about next to useless.
You're confusing matches with targets. Matches say "oh yes, this packet has
the property of foo" (e.g. being a TCP packet on port 80). Targets do stuff
with the packet (log it, for instance).

> # iptables -A INPUT -p TCP --dport 80 -j LOG --log-prefix "HTTP: "
> # iptables -A INPUT -p TCP -j LOG --log-prefix "OTHER: "
>
> But when I list /var/log/messages I get both the HTTP and OTHER
> labels!!!????

Yes. The LOG target keeps traversing down the chain for obvious reasons;
what if you want to log something, and then drop it? ipchains did it in a
very unclean way. I suggest you do something like:

    iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "HTTP: "
    iptables -A INPUT -p tcp ! --dport 80 -j LOG --log-prefix "OTHER: "

This will negate matching on port 80 for the second target. Alternatively:

    iptables -N HTTP
    iptables -A HTTP -j LOG --log-prefix "HTTP: "
    # -P only sets the policy of built-in chains; a user-defined chain
    # needs an explicit ACCEPT, or the packet returns to INPUT and is
    # logged again by the OTHER rule below
    iptables -A HTTP -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j HTTP
    iptables -A INPUT -p tcp -j LOG --log-prefix "OTHER: "

This will create a separate chain for HTTP.

> So what's the story? I want to implement a DENY or DROP policy so that
> packets that I don't have a rule for get dumped but as soon as I change
> the INPUT policy to DENY or DROP nothing can talk to the box, even though
> I have a matching input rule. I don't want to have to implement a chain by
> putting in matching rules for all the ports that I don't want I just want
> to put in a list of allows and then a DROP at the end.

That's easy.

    iptables -N ALLOWED
    iptables -A ALLOWED -j LOG --log-prefix "OTHER: "
    # as above: accept explicitly rather than -P on a user-defined chain
    iptables -A ALLOWED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ALLOWED
    iptables -A INPUT -p tcp --dport 1234 -j ALLOWED
    ...

> Anyone have any ideas? Is there a flag or switch on iptables that
> changes the traverse policy to "exit on match". Clue sticks?

I can offer you a clue stick, but you can't exit on match - what would the
verdict be?
d, who notes that most of this is in the Netfilter-HOWTO, or whatever it's
called

-- 
Daniel Stone <[EMAIL PROTECTED]>
<Gnea> "welcome to OPN. today is a day which shall live in infamy! your
services are important to us. please be patient while we attempt to shine a
flashlight with dead batteries. thank you." :)
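The traversal semantics the reply describes, as a constructed model added here (not part of the mail, and not netfilter's code): rules are (match, target) pairs, LOG records and carries on, ACCEPT/DROP are verdicts, a target naming a user-defined chain jumps there and falls back to the caller if that chain decides nothing, and the policy applies only to the built-in INPUT chain. The three rulesets from the thread are encoded in the same order, so the run shows why Peter saw both labels and what each suggested fix changes.

```python
TERMINAL = {"ACCEPT", "DROP"}  # verdicts end traversal; LOG does not

def traverse(chains, policy, packet, chain="INPUT", log=None):
    """Walk `chain` for `packet`. Returns (verdict, log lines)."""
    log = [] if log is None else log
    for match, target in chains[chain]:
        if not match(packet):
            continue                      # a failed match is simply skipped
        if target in TERMINAL:
            return target, log            # a verdict is what "exits" the chain
        if target.startswith("LOG "):     # LOG records the packet and carries on
            log.append(f"{target[4:]}{packet['proto']} dport={packet['dport']}")
            continue
        # jump to a user-defined chain; None means it decided nothing (RETURN)
        verdict, log = traverse(chains, policy, packet, target, log)
        if verdict is not None:
            return verdict, log
    return (policy if chain == "INPUT" else None), log

def tcp(dport=None, negate=False):
    """Match helper: TCP, optionally on (or, with negate, not on) a dport."""
    return lambda p: p["proto"] == "tcp" and (
        dport is None or (p["dport"] == dport) != negate)

# Constructed rulesets mirroring the mail: Peter's original pair, the
# "! --dport 80" fix, and the allow-list chain in front of a DROP policy.
BOTH_LOGGED = {"INPUT": [(tcp(80), "LOG HTTP: "), (tcp(), "LOG OTHER: ")]}
NEGATED = {"INPUT": [(tcp(80), "LOG HTTP: "),
                     (tcp(80, negate=True), "LOG OTHER: ")]}
ALLOWLIST = {
    "INPUT": [(tcp(22), "ALLOWED"), (tcp(1234), "ALLOWED")],
    "ALLOWED": [(lambda p: True, "LOG OTHER: "), (lambda p: True, "ACCEPT")],
}

if __name__ == "__main__":
    http = {"proto": "tcp", "dport": 80}
    print(traverse(BOTH_LOGGED, "ACCEPT", http))  # two log lines, as Peter saw
    print(traverse(NEGATED, "ACCEPT", http))      # only the "HTTP: " line
    print(traverse(ALLOWLIST, "DROP", {"proto": "tcp", "dport": 22}))  # ACCEPT
    print(traverse(ALLOWLIST, "DROP", {"proto": "tcp", "dport": 25}))  # DROP
```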
