Order of rules
Nigel Morse
N.Morse@hyperknowledge.com
Tue, 19 Jun 2001 13:06:21 +0100
> You're right. No option indeed, but what if you have a default policy
> ACCEPT (not a good idea I know, but possible)? Then everything is
> automatically accepted. Rules with DROP further on don't have
> any effect on the packets traversing the INPUT chain, do they? Or is that
> only when you set -A INPUT -s any/0 -d any/0 -j ACCEPT explicitly in the INPUT
> chain?
The chain policy only takes effect on any packets that haven't been dropped
earlier. Think of the policy as a rule that is always at the end of the
chain and matches everything. The DROP rules *can't* appear further on than
the policy, e.g.

iptables -P INPUT ACCEPT
iptables -A INPUT -p tcp -d 1.2.3.4 -j DROP

This would allow all packets except those going to 1.2.3.4 - only the rules
are order dependent, policy is not.
Cheers
Nigel
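To make the traversal order concrete, here is an added Python model of a single chain (not code from the post or from netfilter itself). It assumes matching only on protocol and destination, so it is a simulator of the first-match-then-policy behaviour, not a replacement for iptables.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of how a netfilter chain is traversed: rules are tried
# in order, the first match decides, and the chain policy only applies to
# packets that no rule matched.  Matching is reduced to protocol and destination.

@dataclass
class Rule:
    target: str                   # "ACCEPT" or "DROP" (-j)
    proto: Optional[str] = None   # -p, None means any protocol
    dst: Optional[str] = None     # -d, None means any destination (any/0)

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dst is None or pkt["dst"] == self.dst))

@dataclass
class Chain:
    policy: str                   # -P INPUT <policy>
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:   # -A appends, so list order is rule order
            if rule.matches(pkt):
                return rule.target
        return self.policy        # reached only when nothing above matched

def email_chain() -> Chain:
    """iptables -P INPUT ACCEPT; iptables -A INPUT -p tcp -d 1.2.3.4 -j DROP"""
    return Chain("ACCEPT", [Rule("DROP", proto="tcp", dst="1.2.3.4")])

def shadowed_chain() -> Chain:
    """An explicit any/0 ACCEPT rule *before* the DROP: the DROP is never reached."""
    return Chain("ACCEPT", [Rule("ACCEPT"),
                            Rule("DROP", proto="tcp", dst="1.2.3.4")])

if __name__ == "__main__":
    pkt = {"proto": "tcp", "dst": "1.2.3.4"}   # constructed sample packet
    print("policy ACCEPT, DROP rule:", email_chain().verdict(pkt))    # DROP
    print("ACCEPT rule before DROP:", shadowed_chain().verdict(pkt))  # ACCEPT
```

The second chain is the case the question asks about: an explicit any/0 ACCEPT rule appended earlier shadows every later rule, whereas the policy, being last, never shadows anything.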