Re: iptables: allowing only listed hosts to connect to a port
Baho Utot wrote:
> Mark Hobley wrote:
>
>> Pascal Hambourg <boite-a-spam@plouf.fr.eu.org> wrote:
>>
>>> Weird. Are there other rules in the ruleset ? What happens if you remove
>>> all the ACCEPT rules and leave only the DROP rule ?
>> There are no additional rules in the ruleset. The setup script is as
>> posted.
>>
>> If I just have the drop line, all traffic to the port is dropped.
>>
>> If I invert the script as follows:
>>
>> iptables -A INPUT -p tcp --dport 7500 -jDROP
>>
>> for addr in $ALLOWED
>> do
>> iptables -A INPUT -s $addr -p tcp --dport 7500 -jACCEPT
>> done
>>
>> This produces a filter table as follows:
>>
>> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:7500
>> ACCEPT tcp -- 10.0.0.0/8 anywhere tcp dpt:7500
>> ACCEPT tcp -- 192.168.0.0/16 anywhere tcp dpt:7500
>> ACCEPT tcp -- 51.0.0.0/8 anywhere tcp dpt:7500
>> ACCEPT tcp -- 62.30.0.0/16 anywhere tcp dpt:7500
>> ACCEPT tcp -- 80.0.0.0/13 anywhere tcp dpt:7500
>>
>> However, in this scenario, all network traffic to port 7500 remains
>> blocked, even from the accepted ports, presumably because the first rule
>> produces a match, and the rest of the table is then ignored.
>>
>> iptables -V reveals:
>>
>> iptables v1.3.6
>>
>> cat /proc/version reveals:
>>
>> Linux version 2.6.18-6-486 (Debian 2.6.18.dfsg.1-18etch6)
>>
>> Regards,
>>
>> Mark.
>>
>
> Yes working correctly.
> The first rule drops the packet and the other rules then match nothing.
>
Erm, shouldn't the DROP rule be after the accept rules?
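The ordering point made above is the whole story: netfilter walks a chain top to bottom and the first matching rule's target decides the packet's fate. The following is an added example (not code from the thread) that models that first-match walk in Python over the five networks and port from Mark's table, so the two orderings can be compared without root or a live box. The `ALLOWED` list, the ACCEPT chain policy used as the fallback, and the `render` helper that prints the matching `iptables -A INPUT` commands are assumptions of this example.

```python
"""First-match evaluation of an iptables-style INPUT chain (added example)."""
import ipaddress

# Constructed to match the networks shown in the quoted filter table.
ALLOWED = ["10.0.0.0/8", "192.168.0.0/16", "51.0.0.0/8",
           "62.30.0.0/16", "80.0.0.0/13"]
PORT = 7500


def accept_rules(allowed=ALLOWED, port=PORT):
    """One ACCEPT rule per allowed source network for TCP/port."""
    return [("ACCEPT", ipaddress.ip_network(n), port) for n in allowed]


def drop_rule(port=PORT):
    """Catch-all DROP for TCP/port from any source (0.0.0.0/0)."""
    return ("DROP", ipaddress.ip_network("0.0.0.0/0"), port)


def correct_chain():
    """ACCEPT rules first, DROP last: listed hosts get in, everyone else is dropped."""
    return accept_rules() + [drop_rule()]


def inverted_chain():
    """DROP first, as in the quoted script: every packet hits DROP before any ACCEPT."""
    return [drop_rule()] + accept_rules()


def evaluate(chain, src, dport, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule's target decides,
    exactly as netfilter does. If nothing matches, the chain policy applies
    (ACCEPT here is an assumed default for the example)."""
    src_ip = ipaddress.ip_address(src)
    for target, net, port in chain:
        if src_ip in net and dport == port:
            return target
    return policy


def render(chain):
    """Emit the chain as iptables -A INPUT commands in the same order,
    omitting -s for the catch-all 0.0.0.0/0 rule."""
    lines = []
    for target, net, port in chain:
        src = "" if net.prefixlen == 0 else f" -s {net}"
        lines.append(f"iptables -A INPUT{src} -p tcp --dport {port} -j {target}")
    return lines


if __name__ == "__main__":
    for name, chain in (("inverted", inverted_chain()), ("correct", correct_chain())):
        print(f"--- {name} ordering ---")
        for line in render(chain):
            print(line)
        for src in ("10.1.2.3", "62.30.4.5", "8.8.8.8"):
            print(f"  {src} -> {evaluate(chain, src, PORT)}")
```

Running it shows the inverted ordering returning DROP for every source, including 10.1.2.3, while the correct ordering returns ACCEPT for the listed networks and DROP for anything else; the rendered commands are the ones to feed to a real script, with the DROP line last.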