Iptables ACCEPT and DROP

Antony Stone netfilter@lists.netfilter.org
Fri, 16 Apr 2004 19:08:26 +0100

On Friday 16 April 2004 6:56 pm, Ravi Verma wrote:

> The following command will allow the machine to connect to
> iptables -A OUTPUT -o eth0 -p tcp -d --dport 5050 -j
> Now when I issue
> iptables -A OUTPUT -o eth0 -p tcp -d --dport 5050 -j
> And
> iptables -A OUTPUT -o eth0 -p tcp -d --dport
> 5050 -j REJECT
> Still, it allows connection to on port 5050.
> How does this work? It seems -j DROP is not the opposite of -j ACCEPT. How
> can I stop this?

"-A" means append - in other words, "add on to the end of my ruleset".

You have not said that you have flushed the OUTPUT chain (with "iptables -F 
OUTPUT") between adding the ACCEPT rule and applying more rules after it, so 
I think you still have the ACCEPT rule in your chain, and that is the first 
one the packets see.

Try "iptables -L OUTPUT -nvx" and see what rules you have, and in what order.



"Black holes are where God divided by zero."

 - Steven Wright

                                                     Please reply to the list;
                                                           please don't CC me.
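To make the first-match behaviour Antony describes concrete, here is an added Python model (not iptables or netfilter code, and the destination address elided in the quoted commands is left out) of an OUTPUT chain under -A, -I and -F, evaluated top to bottom like netfilter does:

```python
"""Model of iptables chain evaluation: the first matching rule wins.

Added illustration only. Rules carry the match fields from the thread
(out-interface, protocol, destination port) plus a target."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    out_iface: str
    proto: str
    dport: int
    target: str  # ACCEPT, DROP or REJECT


@dataclass
class Chain:
    policy: str = "ACCEPT"          # built-in chain default (iptables -P)
    rules: list = field(default_factory=list)

    def append(self, rule):         # iptables -A: add at the END of the chain
        self.rules.append(rule)

    def insert(self, rule, pos=1):  # iptables -I [pos]: 1-based, default top
        self.rules.insert(pos - 1, rule)

    def flush(self):                # iptables -F: drop every rule, keep policy
        self.rules.clear()

    def verdict(self, out_iface, proto, dport):
        # Walk top to bottom; the first matching rule decides and later rules
        # are never consulted, so a DROP appended below an ACCEPT that matches
        # the same traffic changes nothing. No match falls through to policy.
        for r in self.rules:
            if (r.out_iface, r.proto, r.dport) == (out_iface, proto, dport):
                return r.target
        return self.policy


def scenario_append_only():
    """Ravi's sequence: -A ACCEPT, then -A DROP and -A REJECT."""
    chain = Chain()
    for target in ("ACCEPT", "DROP", "REJECT"):
        chain.append(Rule("eth0", "tcp", 5050, target))
    return chain.verdict("eth0", "tcp", 5050)       # stale ACCEPT still wins


def scenario_flush_then_drop():
    """Antony's point: -F OUTPUT first, then add the blocking rule."""
    chain = Chain()
    chain.append(Rule("eth0", "tcp", 5050, "ACCEPT"))
    chain.flush()
    chain.append(Rule("eth0", "tcp", 5050, "DROP"))
    return chain.verdict("eth0", "tcp", 5050)


def scenario_insert_drop():
    """Alternative without flushing: -I puts DROP above the old ACCEPT."""
    chain = Chain()
    chain.append(Rule("eth0", "tcp", 5050, "ACCEPT"))
    chain.insert(Rule("eth0", "tcp", 5050, "DROP"))
    return chain.verdict("eth0", "tcp", 5050)
```

The same ordering is what "iptables -L OUTPUT -nvx" shows on a real box; the pkts/bytes counters there reveal which rule is actually matching.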